Privacy Policy
What Park Sync collects, how the platform uses it, and the rights available to players, park operators, and administrators.
Last updated: April 22, 2026
Changes to this policy. We will post updates on this page and update the "Last updated" date above. For any change that materially reduces your privacy rights, we will give you at least 30 days' advance notice by email to the address on your account, and — where required by law — obtain your affirmative consent before the change takes effect.
1. What We Collect
We collect the following categories of information when you use Park Sync:
- Identity information: your name and email address, provided at registration or via Google OAuth.
- Phone number (optional): provided only if you opt in to SMS reservation reminders. Used solely for transactional booking messages on behalf of the Park Operator — never for marketing. See Section 4b for the SMS / TCPA disclosure.
- Reservation history: courts booked, dates, times, amounts paid, and booking status.
- Technical data: IP address, browser type, device information, and server logs collected automatically when you interact with the Service.
- Communications: messages you send to support, including email correspondence.
1b. Sources, Purposes, and Recipients (CPRA § 1798.130)
California law requires that we disclose, at or before the point of collection, the sources from which we collect personal information, the business and commercial purposes for collecting it, and the categories of recipients with whom we disclose it.
- Sources. Directly from you (account registration, booking, support correspondence); from your browser and device (technical data, cookies); from Google (OAuth sign-in); from Stripe (payment metadata); and from Park Operators that invite you to a park tenant (roster or booking-party details).
- Business and commercial purposes. Operating the reservation platform, processing payments, issuing waiver records, sending transactional messages, providing support, securing the Service against fraud and abuse, and meeting legal or accounting obligations. We do not sell or share personal information and we do not use it for cross-context behavioral advertising.
- Recipients. The Park Operator whose tenant you book at; our vetted subprocessors (see the subprocessor register); professional advisors (legal, accounting, insurance) under confidentiality obligations; and government authorities where required by law. We do not disclose personal information to third parties for their own direct-marketing purposes (Cal. Civ. Code § 1798.83, the "Shine the Light" law).
2. Our Role — Controller or Processor
Park Sync wears two hats depending on what data we handle:
- Processor / Service Provider — for data you generate inside a Park Operator's tenant (reservations, waivers, communications to that park). Park Sync acts on the park's documented instructions; the park is the controller. See the Data Processing Addendum for the full processor terms.
- Controller — for data you provide directly to Park Sync outside a park tenant (account creation, billing to Park Operators, marketing opt-ins, product analytics, and support correspondence). This Privacy Policy is the governing document for that processing.
2b. Authentication — Supabase
Identity and session management is handled by Supabase Auth. Park Sync does not use password-based authentication for player or admin accounts; we authenticate exclusively via email magic links or Google OAuth, so no password is ever collected or stored. Supabase processes and stores your identity data on its infrastructure in accordance with its privacy policy. We rely on Supabase as a subprocessor (see Section 3 of the DPA).
3. Payments — Stripe
All payment processing is handled by Stripe. Park Sync does not store full card numbers, CVVs, or other sensitive payment credentials. We receive from Stripe only the information needed to display booking summaries and process refunds: payment intent IDs, amounts, currency, and status.
Park Operators who onboard as Stripe Connect accounts are subject to Stripe's additional identity verification requirements. That data is collected and held by Stripe, not Park Sync.
4. Cookies and Similar Technologies
We use strictly necessary cookies and browser storage to operate the Service:
- Session cookies set by Supabase to keep you signed in (HttpOnly, Secure, SameSite=Lax).
- CSRF tokens and short-lived cookies used by Stripe Checkout for payment authorization.
- Error-monitoring cookies set by Sentry to correlate client-side errors with server traces. Not used for advertising or cross-site tracking.
- Hosting cookies set by Vercel for deployment routing and edge-region affinity.
We do not use advertising cookies, third-party tracking pixels, or cross-site analytics cookies that profile you across other websites. We honor the Global Privacy Control (GPC) signal where applicable, and honor browser "Do Not Track" signals as equivalent to a CPRA "Do Not Sell or Share" request (we already do neither). You can disable cookies in your browser settings, but doing so will prevent you from staying logged in to the Service.
4b. SMS Reservation Reminders
If you provide a mobile phone number and opt in, Park Sync may send you transactional text messages about your reservations — booking confirmations, check-in reminders, and cancellations. We use Twilio as the messaging carrier. See the subprocessor register.
No marketing. Park Sync does not send promotional, advertising, or broadcast text messages and does not rent or sell phone numbers. SMS is used only for transactional messages tied to a reservation you created.
Consent and opt-out. Consent is captured at the time you provide your number and is recorded (timestamp, IP address, user agent) for compliance with the federal Telephone Consumer Protection Act (TCPA, 47 U.S.C. § 227) and applicable California consumer-protection law. Message and data rates from your carrier may apply. You can revoke consent at any time by replying STOP to any message or by emailing privacy@parksync.net; reply HELP for support. Revocation takes effect on receipt; you may still receive a single confirmation of the opt-out. After revocation, you will need to opt in again before we can send further messages.
5. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access a copy of the personal data we hold about you.
- Correct inaccurate or incomplete personal data.
- Delete your account and associated personal data (subject to retention requirements below).
- Export your reservation history in a portable format.
- Object to or restrict certain processing of your data.
To exercise any of these rights, email hello@parksync.net. We will respond within 45 days of a verified request, extendable once by an additional 45 days where reasonably necessary and with notice to you.
6. Data Retention
We retain personal data only for as long as needed to provide the Service or to meet legal and accounting obligations:
| Data category | Retention |
|---|---|
| Financial records (transactions, invoices, refunds) | 7 years |
| Waiver acceptances (for liability defense) | 4 years after last booking |
| Reservation history (non-financial) | 3 years after last booking |
| Profile, communications, technical logs | Until account deletion (max 30 days to process) |
| Encrypted backups containing any of the above | Rolling 90-day purge |
When retention periods expire, data is deleted or de-identified. Financial records are retained even if you delete your account because of applicable tax and accounting law.
7. Your California Privacy Rights (CCPA / CPRA)
Park Sync does not sell and does not share your personal information as those terms are defined under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California Civil Code § 1798.140. We have not sold or shared personal information in the preceding 12 months.
As a California resident, you have the right to:
- Know what personal information we collect, use, and disclose about you.
- Request access to the specific pieces of personal information we hold about you.
- Correct inaccurate personal information.
- Delete personal information we collected from you, subject to certain exceptions (including the 7-year financial-records retention described above).
- Obtain a portable copy of your personal information.
- Limit the use and disclosure of sensitive personal information.
- Non-discrimination — we will not deny, charge differently, or provide a different level of service because you exercised any of these rights.
To exercise any California privacy right, email privacy@parksync.net with the subject line "California Privacy Request". We will verify your identity using the email address associated with your account and respond within 45 days (extendable once by 45 additional days if necessary, with notice to you). You may designate an authorized agent to make a request on your behalf; we may require the agent to demonstrate written authorization from you.
Sensitive Personal Information (SPI)
CPRA defines certain data categories as "Sensitive Personal Information." The only SPI categories Park Sync may collect in the course of providing the Service are:
- Account-access credentials — specifically, the OAuth session token issued by Supabase Auth after a successful sign-in. Park Sync does not use password-based authentication; single-use magic-link tokens delivered by email are consumed on first use and are not retained after redemption.
- Precise geolocation (only when a Park Operator has opted in to map-based search and the player has granted browser geolocation permission). Otherwise we use only approximate city-level location derived from IP.
We do not collect government IDs, racial or ethnic origin, religious beliefs, union membership, genetic or biometric data, or health information about players through the Service. We do not use or disclose SPI for any purpose other than operating the Service on behalf of Park Operators. You have the right to limit our use of SPI by emailing privacy@parksync.net; because we already limit SPI use to Service operation, exercising this right will not change how we handle your data, but we will confirm the limit in writing.
Automated decision-making and profiling. Park Sync does not make decisions about you that produce legal or similarly significant effects through automated profiling, and does not engage in automated individual decision-making within the meaning of Article 22 of the GDPR / UK GDPR. AI features (see Section 8) are administrator-facing only and are not used to evaluate, rank, score, profile, or restrict players.
8. AI-Assisted Admin Features
Park Sync uses large-language-model (LLM) inference, routed through the Vercel AI Gateway, to assist park administrators with support-ticket drafts, daily activity digests, and runbook Q&A. AI features are administrator-facing only — no AI inference runs on player-visible flows (booking, waiver acceptance, checkout).
The specific data categories transmitted to the LLM provider per feature are:
- Support-ticket drafts: the text of the support ticket and its category. No player payment data or government IDs are sent.
- Daily activity digests: aggregate counts (bookings, cancellations, revenue) and the park identifier. No player-level personal data is sent.
- Runbook Q&A: the administrator question and relevant public runbook excerpts. No customer data is sent.
Park Sync asserts a zero-data-retention flag on every request so the provider does not retain prompt or completion content for training. This protection depends on the provider honoring the flag; the current provider contractually commits to do so under the Vercel AI Gateway zero-retention posture. AI output is clearly labeled as "AI-generated" wherever it appears. See the subprocessor register for the current LLM provider(s).
No Article 22 automated decision-making. Park Sync does not use AI features to take decisions about you that produce legal effects or similarly significantly affect you within the meaning of Article 22 of the GDPR or UK GDPR. AI features never run on player-visible booking, waiver, or checkout flows and are not used to approve, deny, price, rank, or profile players.
9. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent in accordance with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506) and its implementing regulations.
Where a Park Operator enables bookings or programs that include minors (for example, a youth pickleball clinic or a junior tennis ladder), the booking adult — the parent or legal guardian — creates the Park Sync account, provides the minor's roster information, and is responsible for providing any consents required under COPPA, CPRA, or applicable state law. Park Operators are contractually required to offer a parent-consent pathway for any minor-directed program.
California minors (under 18). If you are a California resident under 18 and a registered user of the Service, you have the right under California Business and Professions Code § 22581 to request the removal of content you posted to the Service that is visible to other users. To request removal, email privacy@parksync.net with the subject line "Minor Content Removal". Removal does not ensure complete or comprehensive removal of the content from copies or reposts made by other users or third parties.
If you believe we have inadvertently collected personal information from a child under 13 without verifiable parental consent, email privacy@parksync.net and we will promptly delete the information.
10. EEA, UK, and Swiss Users
The Service is currently offered to customers in the United States. Park Sync does not target the European Economic Area, United Kingdom, or Switzerland and does not offer goods or services to individuals located there. Individuals located in those regions who nevertheless create an account acknowledge that their data will be transferred to and processed in the United States.
Where the EU General Data Protection Regulation (GDPR), UK GDPR, or Swiss Federal Act on Data Protection nevertheless applies to a processing activity, the legal bases on which we rely are: (a) performance of a contract with you, (b) our legitimate interests in operating a secure and reliable Service, and (c) your consent where required. For onward transfers of personal data to subprocessors located outside the EEA / UK / Switzerland, Park Sync relies on the European Commission's Standard Contractual Clauses (2021 version), the UK International Data Transfer Addendum, or another approved transfer mechanism, and conducts transfer impact assessments where required. Contact privacy@parksync.net to obtain a copy of the Standard Contractual Clauses or to exercise GDPR data-subject rights (access, rectification, erasure, restriction, portability, objection).
For data-subject requests submitted under the GDPR, UK GDPR, or Swiss FADP, we will respond within 30 days (one month) of a verified request, extendable by up to two additional months where reasonably necessary given the complexity and number of requests, with notice to you under Article 12(3). The 45-day window referenced elsewhere in this policy does not reduce this timeline for GDPR-covered requests.
You have the right to lodge a complaint with your local supervisory authority.
Where a Park Operator is a party to a separately executed Park Sync Data Processing Addendum that includes EU, UK, or Swiss transfer mechanisms (such as the Standard Contractual Clauses, UK International Data Transfer Addendum, or Swiss Addendum), those mechanisms apply to processing under that DPA notwithstanding this Section.
11. Contact
The data controller for this policy is Park Sync, LLC, a Delaware limited liability company qualified to do business in California.
Privacy questions and rights requests: privacy@parksync.net. General contact: hello@parksync.net.