1. Controller and contact

PLAI OÜ ("PLAI", "we", "us") is an Estonian private limited company and the data controller for personal data processed through the PLAI mobile and web applications and the website at plai.live (the "Service"). For any privacy question, request, or complaint, including exercising your rights under the EU General Data Protection Regulation (GDPR), contact us at help@plai.live. We have not appointed a Data Protection Officer because we are not required to under GDPR Article 37; privacy requests are handled by PLAI at the email above. This Privacy Policy applies to all users of the Service, including players, coaches, and businesses.

2. Categories of personal data we process

Depending on how you use the Service, we process the following categories of personal data:

• Identity and account data: name, email address, password (hashed), phone number (if provided), date of birth (for age verification and age-appropriate content), profile photo, gender (optional), language preference.
• Profile and sport data: sports you play, skill level, ratings, ELO, match history, partners, follows, posts, stories, comments, reactions, reposts, mentions, and other social content you create.
• Location data: approximate location derived from device or IP for nearby search; precise location only when you grant permission to use location-based features (for example, finding nearby activities, check-in to a venue).
• Booking and transaction data: activities you book, slots you reserve, attendance, cancellations, reschedules, refunds, business or coach you transacted with, and the platform fee component.
• Payment data: handled by Stripe; we receive only limited tokenized payment metadata (last 4 digits, brand, country, payment status). PLAI never sees or stores full card numbers.
• Communications: direct and group messages, voice messages, photos and video you upload, reports you submit, support emails, and content moderation decisions related to your account.
• Device and technical data: IP address, device type, operating system, app version, language and timezone, push notification tokens, crash logs, and diagnostic information needed to operate the Service.
• First-party usage telemetry: in-app events (screen views, taps, conversion steps), processed on infrastructure we control. We attempt to redact common PII patterns (emails, phone numbers, card numbers) before storage.
• Coach and business data (if applicable): legal name, business registration, tax identifiers, payout details, Stripe Connect account identifiers, KYC status returned by Stripe, and any business profile content you publish.

3. Purposes and legal bases for processing

We process personal data only for the purposes and legal bases described below (GDPR Article 6):

• Account creation and operation of the Service (legal basis: performance of a contract, Article 6(1)(b)).
• Booking, payment processing, refunds, payouts to coaches and businesses through Stripe Connect, and platform-fee collection (legal basis: performance of a contract, Article 6(1)(b)).
• Communications: direct messages, group chats, voice notes, comments, posts, ratings, reviews, and reports you submit (legal basis: performance of a contract, Article 6(1)(b)).
• Safety, fraud prevention, content moderation, abuse handling, and enforcement of our Terms of Use (legal basis: legitimate interests, Article 6(1)(f), and where applicable legal obligation, Article 6(1)(c)).
• Service improvement, analytics, debugging, performance monitoring, and crash diagnostics using first-party telemetry (legal basis: legitimate interests, Article 6(1)(f)).
• Push and email notifications related to your activities, bookings, messages, and account (legal basis: performance of a contract, Article 6(1)(b)).
• Marketing communications you have explicitly opted into (legal basis: consent, Article 6(1)(a)). You can withdraw consent at any time without affecting prior processing.
• Compliance with legal obligations, including tax, accounting, anti-money-laundering, and responses to lawful requests (legal basis: legal obligation, Article 6(1)(c)).

4. Recipients and international transfers

We do not sell personal data. We share personal data only with the categories of recipients listed below, and only as needed to operate the Service. Where data is transferred outside the European Economic Area (EEA), we rely on the European Commission's Standard Contractual Clauses and the recipient's certifications and security commitments as appropriate safeguards under GDPR Chapter V.

• Supabase (database, authentication, storage, edge functions): infrastructure provider for the Service. Hosted in EU regions where available; please contact us for the current region.
• Stripe, Inc. and Stripe Payments Europe (payments and Stripe Connect): processes payments, refunds, and payouts to coaches and businesses. Stripe is established in the EU and the United States. Transfers to the US rely on Standard Contractual Clauses.
• Vercel, Inc. (web hosting and edge delivery for the website and APIs). Vercel is established in the United States. Transfers rely on Standard Contractual Clauses.
• Mapbox, Inc. (map tiles, search, geocoding for the in-app map). Mapbox is established in the United States. Transfers rely on Standard Contractual Clauses.
• Apple, Inc. and Google LLC (push notifications via APNs and FCM, app store delivery, sign-in with Apple or Google when you choose those methods).
• Email delivery providers we use to send transactional email (account, booking, password reset). Current providers are listed on request at help@plai.live.
• Other users of the Service, where you choose to publish content, post a comment, send a message, book with a coach or business, or appear on a leaderboard.
• Law enforcement, regulators, or other authorities, where required by applicable law or to protect the rights, safety, or property of PLAI, our users, or the public.
• Successors in interest, in the context of a merger, acquisition, reorganization, or sale of assets, subject to equivalent privacy commitments.

5. Retention, security, and automated decision-making

We retain personal data only for as long as necessary for the purposes described in this Policy and to comply with our legal obligations. Account, profile, and content data is retained while your account is active and deleted within a reasonable timeframe after you delete your account, subject to the 7-day cancellation window described at plai.live/settings. Booking and payment records are retained as required by applicable tax and accounting law (typically up to 7 years in Estonia). First-party analytics events are retained for a limited window (currently up to 90 days from collection). Backups are rotated on a regular schedule and overwritten in the ordinary course. We apply technical and organizational safeguards appropriate to the risk, including encryption in transit (TLS), encryption at rest where supported by our infrastructure providers, role-based access controls, row-level security on the database, audit logging, and a least-privilege internal access policy. No security measure is perfect; we ask that you also protect your account credentials. PLAI does not engage in automated decision-making, including profiling, that produces legal or similarly significant effects on you (GDPR Article 22). We do not run advertising profiles, behavioral scoring, or automated eligibility decisions on user data.

6. Cookies, tracking, and analytics

We use cookies, similar technologies, and first-party in-app usage telemetry to operate and improve PLAI. Below is a summary of what we use.

We do not currently use third-party advertising trackers, cross-site advertising IDs, or behavioral profiling. If we ever introduce a third-party analytics or advertising service that materially changes processing, we will update this Policy and, where required, seek your consent.

You can manage cookie preferences through your browser or device settings. Disabling essential cookies may make the Service unusable. You can also limit ad-tracking identifiers (such as Apple's App Tracking Transparency or Google's Advertising ID) through your device settings; PLAI does not currently request the App Tracking Transparency permission.

7. Your rights and how to exercise them

Subject to applicable law, you have the following rights under the GDPR. You can exercise any of them by contacting help@plai.live from the email address associated with your PLAI account, or for erasure, via plai.live/settings. We respond without undue delay and at the latest within one month of receiving your request, as required by GDPR Article 12(3). Providing personal data is generally a condition of using the Service: if you do not provide the data marked as required at sign-up (such as email and date of birth), we cannot create or operate your account.

• Right of access (Article 15): obtain confirmation of whether we process your personal data and a copy of that data.
• Right to rectification (Article 16): have inaccurate personal data corrected and incomplete data completed; most fields can be edited directly in the in-app Settings.
• Right to erasure (Article 17): request deletion of your account and personal data. Submit a request via plai.live/settings; we honor the request within the legal timeframe (generally within 30 days), subject to the 7-day cancellation window and any retention required by law.
• Right to restrict processing (Article 18): request that we limit how we process your data in specific situations (for example, while a rectification or objection is being assessed).
• Right to data portability (Article 20): receive personal data you have provided to us in a structured, commonly used, machine-readable format, and transmit it to another controller where technically feasible.
• Right to object (Article 21): object to processing based on our legitimate interests, including profiling for those purposes. We will stop the processing unless we demonstrate compelling legitimate grounds.
• Right to withdraw consent (Article 7): where processing is based on consent (for example, marketing communications), you can withdraw consent at any time. Withdrawal does not affect prior processing.
• Right to lodge a complaint with a supervisory authority (Article 77): if you believe we have not handled your data lawfully. Our lead authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, AKI), info@aki.ee, https://www.aki.ee/en. You may also contact the supervisory authority in your EU country of residence.

8. Children, changes, and contact

PLAI is not directed to children under 13 (or under the minimum digital-consent age in your country, where higher). We do not knowingly collect personal data from children below that age; if you believe we have, please contact us so we can delete the data. We may update this Privacy Policy from time to time to reflect changes in the Service, applicable law, or our practices. Material changes will be notified through the Service or by email where appropriate, and the "Last updated" date above will be revised. Continued use of the Service after an update means you have read the revised Policy. For any privacy question, request, or complaint, including questions about international transfers and our reliance on Standard Contractual Clauses, write to PLAI OÜ at help@plai.live