Privacy Policy

This Privacy Policy explains how Courtly(“Courtly”, “we”, “us”, or “our”) collects, uses, shares, and protects your personal data when you use our website and services for discovering, booking, and managing courts, open play, and tournaments.

We are committed to protecting your privacy in accordance with the Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations, and the issuances of the National Privacy Commission (“NPC”). By using Courtly, you acknowledge that you have read and understood this Policy.

1. Who we are

Courtly operates the Courtly platform and acts as the personal information controller for the data described in this Policy. If you have any questions, requests, or complaints about your personal data, you can reach us through our Contact page.

2. Who this Policy covers

This Policy applies to:

• Players who create an account to book courts, join open play, or register for tournaments;
• Guests who make a booking without creating an account; and
• Venue staff and administrators who use Courtly to manage their venues.

Venue administrators are also bound by a separate agreement governing their use of the platform. This Policy concerns personal data; it does not replace any contract you may have with us.

3. Personal data we collect

We collect the following categories of personal data:

• Account and profile data: your first and last name, email address, birthdate, Philippine mobile number, password (stored only as a secure hash that we cannot read), and, if you provide it, your DUPR or skill rating for open play.
• Booking data: the courts, dates, and times you book, the number of players, your booking notes, and your booking history. For guest bookings made without an account, we collect the name, email address, and mobile number you provide for that booking.
• Payment proof: when you pay a venue manually via GCash or Maya, you upload a screenshot or image of your payment as proof. These images, along with any reference number you supply, are stored securely and shared only with the relevant venue and our staff for verification.
• User-generated content: reviews you leave for courts, and messages or comments you post in open play sessions.
• Communications: messages you send through our Contact form, and the delivery status of transactional emails we send you (for example, whether a confirmation email was delivered or bounced).
• Notifications: the in-app notifications we generate for your bookings and activity.
• Technical and session data: a session cookie that keeps you signed in. We do not use advertising, analytics, or tracking cookies, and we do not perform device fingerprinting.

We do not collect or store credit or debit card numbers. Payments are made directly to venues through GCash or Maya, and we only receive the proof image and reference details you submit.

4. How we use your data and our legal bases

Under the Data Privacy Act, we process your personal data on one or more of the following bases:

• Performance of a service/contract — to create and manage your account, process and confirm your bookings, hold slots while you complete payment, enable reschedules and cancellations, and operate open play and tournaments.
• Your consent — for activities you opt into, such as posting reviews or providing your skill rating. You may withdraw consent at any time, without affecting processing already carried out.
• Our legitimate interests — to secure the platform, prevent fraud and abuse, moderate flagged content, respond to your inquiries, and improve our services, in a manner that does not override your fundamental rights.
• Compliance with legal obligations — to keep records we are required to retain and to respond to lawful requests.

5. Cookies

Courtly uses a single session cookie to keep you securely signed in as you move between pages. This cookie is strictly necessary for the service to function. We do not use cookies for advertising, third-party analytics, or cross-site tracking.

6. How we share your data

We share personal data only as needed to operate the service:

• Venues you book with:when you make a booking, the venue’s staff and administrators can see the booking details and the contact information and payment proof you provided, so they can confirm and manage your reservation.
• Service providers (sub-processors) who process data on our behalf under appropriate safeguards:
  • Supabase — hosts our database, authentication, and file storage.
  • Resend — delivers our transactional emails (for example, booking and account confirmations).
  • Vercel — hosts and serves the Courtly application.
  • Google Maps — displays venue locations and maps.
• Legal and safety disclosures: where required by law, court order, or lawful request, or to protect the rights, safety, and property of Courtly, our users, or the public.

We do not sell your personal data, and we do not share it for third-party advertising.

7. Cross-border transfers

Some of our service providers may store or process data on servers located outside the Philippines. Where this occurs, we take reasonable steps, as required by Section 21 of the Data Privacy Act, to ensure your personal data continues to be protected to a comparable standard, including through the contractual and security commitments of these providers.

8. Data retention

We keep your personal data only for as long as necessary for the purposes described in this Policy, including the period needed to operate your account, complete and support your bookings, resolve disputes, and comply with our legal and record-keeping obligations. Booking and financial records (including payment proofs) may be retained for longer where required for accounting, tax, or legal purposes. When data is no longer needed, we take steps to securely delete or anonymize it.

9. How we protect your data

We apply organizational and technical safeguards appropriate to the data we hold, including:

• encrypted connections (HTTPS) between your device and our services;
• row-level access controls so users can only access the data they are entitled to;
• private storage for sensitive files such as payment proofs, accessible only through short-lived, signed links;
• restricted, privileged access keys that are never exposed to your browser.

No method of transmission or storage is completely secure, but we work to protect your data and to address any incident in accordance with applicable law.

10. Your rights as a data subject

Under the Data Privacy Act of 2012, you have the right to:

• Be informed about how your personal data is collected and processed;
• Access the personal data we hold about you;
• Rectify inaccurate or outdated personal data;
• Object to or withdraw consent for certain processing;
• Erasure or blocking of your personal data under the conditions allowed by law;
• Data portability — to obtain a copy of certain data in an electronic format;
• Damages for violations of your rights; and
• File a complaint with the National Privacy Commission.

To exercise any of these rights, please contact us through our Contact page. You can update much of your profile information directly in your account settings. Account deletion is currently handled on request — send us a message and we will process it, subject to any records we are required to keep. We may need to verify your identity before acting on a request.

11. Children and minors

Courtly is intended for users who are at least 18 years old. We do not knowingly collect personal data from minors without the consent of a parent or guardian. If you believe a minor has provided us personal data, please contact us so we can take appropriate action.

12. Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above. Significant changes will be communicated where appropriate. Your continued use of Courtly after an update means you accept the revised Policy.

13. Contact us

If you have questions about this Policy or how we handle your personal data, or if you wish to exercise your rights, please reach us through our Contact page.