How Rallyo protects your club members' data
Encryption, EU storage, GDPR compliance and transparent policy. Short summary at the top, full FAQ below. Updated 12 June 2026.
All data stays in the EU
Database in Ireland, scrubbed error logs and minimal analytics in Frankfurt.
Per-club isolation
PostgreSQL row-level security, enforced by the database itself.
Strong login security
TLS, bcrypt passwords, hCaptcha and mandatory MFA for platform admins.
GDPR with self-service
Delete your account and download your data straight from your profile.
At a glance
| Question | Answer |
|---|---|
| Where is data stored? | EU (Supabase Ireland, Sentry and PostHog Frankfurt; email via Resend) |
| Can other clubs see our data? | No — enforced at the database level |
| What can other players see? | Only the name and playing level needed for an event |
| Do we share data with analytics or Slack? | Slack is off; PostHog and Sentry receive only IDs and technical metadata |
| Is data encrypted? | Yes — TLS in transit, AES-256 at rest |
| Can members delete their account? | Yes — Profile → Privacy → Delete |
| Can members download their data? | Yes — Profile → Privacy → Download |
| How long is data kept after deletion? | Personal data anonymised within 30 days; orphaned rows purged within 90 days |
| Sub-processors | Supabase, Vercel, Sentry, PostHog, Resend, Cloudflare (DNS) |
| Admin security | Platform admins require app-level TOTP MFA; Supabase dashboard 2FA is enabled |
| Bot protection | hCaptcha is enabled for Supabase authentication |
| Breach notification | Within 72 hours per GDPR Art. 33 |
| Audit log of admin actions | Yes — visible to club admins |
Frequently asked questions
- What personal data do you store?
- Name, email, optional phone, optional profile photo, sport preferences, your playing level per selected sport (for example padel, tennis or pickleball; external ratings such as KNLTB where relevant and Rallyo's internal rating), your event signups and results, and your notification settings. We never store your password in readable form — it's bcrypt-hashed by our auth provider (Supabase).
- Who can see which data?
- You: your full profile and your own history. Other players in the same event: only your display name and playing level, so pools, brackets and results make sense — not your email, phone, full profile or rating history. Organizers and club admins can see full profiles only for current members of clubs they administer. Members of other clubs: nothing. This is enforced at the database level with row-level security and narrow RPCs, not just in the app. Rallyo staff: only for support or security, always with an audit log.
- How do you separate data between clubs?
- Rallyo uses row-level security in PostgreSQL: separation is enforced by the database, not by the app. Profiles are self-only by default. Event rosters use a participant summary that returns only name and playing level; club admins use separate authorized functions for members of clubs they administer. Even if we ship a bug in the app, the database simply does not return rows from another club. One caveat worth knowing: this guarantee applies to queries made with a user's own session token. Supabase's service-role key bypasses row-level security entirely, so it has to stay server-side and must never be used to run queries on a user's behalf. Internal audit, June 2026: cross-club and same-club profile-bypass attempts are blocked.
- Can children under 16 (junior members) use Rallyo?
- Yes, but only via a managed account created by an organizer or parent. The account has no email of its own until the child turns 16 or the parent authorizes claiming it. For juniors we collect minimal data: name and level. No phone, no email unless the parent provides one.
- Do you store payment data?
- No. Rallyo does not accept card payments. For peer payments (e.g. splitting a court fee), we support Tikkie and iDeal links — those are handled by your bank; we only see the amount and the paid/unpaid state.
- Where is our data physically stored?
- In the EU. Our database runs on Supabase in Ireland. Error logs go to Sentry in Frankfurt and are scrubbed before they are sent. Product analytics goes to PostHog in Frankfurt in cookieless mode, without names, emails, phone numbers, club names, event titles or raw URLs. Transactional email is delivered by Resend. We do not send push notifications and Slack notifications are disabled.
- What do you send to Sentry, PostHog and Slack?
- Sentry receives only scrubbed error messages, route templates, internal IDs and technical metadata; session replay is off. PostHog receives only allowlisted product events with route templates, internal IDs, booleans, counts and fixed choices such as event formats. Slack receives nothing: the Slack notifier is a launch-time no-op with no network request. Names, emails, phone numbers, club names, event titles, ratings, free text and query strings are not sent to these systems.
- Is data encrypted in transit and at rest?
- Yes, both. In transit: TLS 1.2+ on every connection, with Strict-Transport-Security max-age 1 year including subdomains, so once a browser has seen Rallyo over HTTPS it refuses plain-HTTP connections to the domain and its subdomains for a year (the header only takes effect after that first HTTPS response). At rest: Supabase encrypts disk storage with AES-256. Passwords are bcrypt-hashed (cost factor 10).
- How do you protect accounts from abuse?
- Supabase Auth handles passwords and sessions. hCaptcha is enabled for auth flows to reduce automated abuse. Platform admins must also verify a TOTP authenticator inside Rallyo before they can use platform-admin functionality; server functions enforce this through Supabase's authenticator assurance level (aal2), not just through the UI. Rallyo's Supabase dashboard is also protected with 2FA.
- Who hosts it and how secure is the hosting?
- The web app runs on Vercel (serverless hosting, automatic TLS). The rallyo.events domain is managed through Cloudflare (DNS registrar). The database is on Supabase, a Y Combinator-backed PostgreSQL-as-a-service used in production by thousands of companies. These providers are SOC 2 Type II compliant.
- Which security headers does the app set?
- On every response: Content-Security-Policy (restricts where scripts and other resources may be loaded from, which limits what an injected script can do; its frame-ancestors 'self' directive means Rallyo cannot be iframed by other sites, which prevents clickjacking), Strict-Transport-Security (forces HTTPS), X-Content-Type-Options: nosniff (stops browsers from second-guessing content types), Referrer-Policy: strict-origin-when-cross-origin, and Permissions-Policy: camera=(), microphone=(), geolocation=() (we never request these).
- Do you make backups and how long do you keep them?
- Yes. Supabase database backups are enabled. On the current paid Supabase plan this means daily database backups; point-in-time recovery is a separate add-on and we will only claim it once it is explicitly enabled and tested. Deleted account data disappears from backups as those backups expire; we will never restore a backup to recover deleted personal data.
- How do I delete my account?
- Profile → Privacy → Delete my account. Within seconds: your name becomes Deleted User, your email/phone/avatar are removed, you're withdrawn from all future events, your notification preferences and club memberships are deleted, and your auth credentials are deleted at Supabase. An audit log entry is retained (only your user ID, for compliance). Your match history stays under the anonymised name Deleted User, so your former opponents' and partners' ratings remain consistent.
- How do I download my data?
- Profile → Privacy → Download my data. You receive a JSON file containing all your profile information, memberships, signups, ratings, match history, partner requests, notification subscriptions, and audit log entries you appear in. You can transfer this file to another app without restriction (GDPR Article 20, data portability).
- How do I correct inaccurate data?
- For most fields: edit directly in your profile. For your KNLTB rating: only a club admin can adjust it (to prevent abuse). For match results: ask an organizer to make a correction — a revision log is automatically kept.
- Can I object to certain processing?
- Yes. You can adjust non-transactional email preferences via Profile → Notifications. Object to analytics: we do not use tracking cookies, session recordings or personal properties in PostHog — only cookieless product analytics with internal IDs and technical metadata. Hide your rating history from other members via Profile → Privacy → Hide my match history.
- What if I have complaints about your privacy practice?
- Email privacy@rallyo.events. If we don't respond within 4 weeks, or you're not satisfied with our response, you can file a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl).
- What happens in case of a data breach?
- We follow the GDPR procedure: 1) Detect within 24 hours via our monitoring (scrubbed Sentry alerts, Supabase audit, anomalous access patterns). 2) Investigate within 48 hours: what data, which users, which clubs. 3) Notify the Dutch DPA within 72 hours of becoming aware of the breach (GDPR Art. 33). 4) Inform affected members and clubs within the same 72 hours, in plain language, with what to do (GDPR Art. 34). 5) Post-mortem published on this page within 14 days. To date we have had no notifiable breaches.
- Who inside Rallyo can access our data?
- Today: only founder Joran Hofman, only for support or security, always with audit log. Platform-admin access requires app-level TOTP MFA and Supabase dashboard access is protected with 2FA. As we grow this becomes a named list of Rallyo staff with least-privilege access and logging on every admin action. We share that list with enterprise clubs on request under NDA.
- Which sub-processors do you use?
- Supabase (database, auth, file storage — Ireland, DPA). Vercel (application hosting — US/EU, DPA). Cloudflare (DNS registrar — DPA). Sentry (scrubbed error logs and technical metadata — Frankfurt, DPA). PostHog (cookieless product analytics with IDs and route templates — Frankfurt, DPA). Resend (transactional email — DPA). We do not sell or share data with anyone else — no ad networks, no data brokers.
- Is the app independently audited?
- Our last internal security and privacy audit was 11 June 2026 (a review of code, database policies, profile access, telemetry, admin MFA and data flows). Summary available on request. For enterprise clubs we're willing to commission an external pentest as part of the contract (cost-shared).
- Logging — what does Rallyo keep?
- Every admin action is recorded in an audit log (who, what, when, on what, optional reason). Club admins can review their own audit log via the admin dashboard. Server logs are structured and redacted: no emails, phone numbers, tokens, cookies, full URLs with query strings or free text. We don't log the content of private messages or member search queries — only actions with legal or security relevance (account changes, rating corrections, member removals, etc.).
- What if you go bankrupt?
- Honest answer: we're an early-stage startup, that risk exists. Our commitment to clubs: 90 days minimum notice on termination, a full data export in an open format (JSON or CSV) during that period, active help migrating to another solution free of charge, and source-code escrow for enterprise clubs above a contract size threshold. This is in the standard club contract.
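A worked example for the "How do you separate data between clubs?" and "How do you protect accounts from abuse?" answers above. This is an added illustration, not Rallyo's schema or code: a minimal PostgreSQL model of self-only profiles, a narrow roster RPC, a club-admin RPC, and a platform-admin function gated on the aal2 claim. The table, column and function names (profiles, club_members, event_participants, platform_admins, jwt_claim, event_participant_summary, club_member_profiles, suspend_club), the "suspend a club" action and the sample members are assumptions. It runs as a superuser on a throwaway vanilla PostgreSQL instance; Supabase's auth.uid() and auth.jwt() wrap the same request.jwt.claims setting read here, so the policies transfer unchanged.

```sql
-- Added example, not Rallyo's own schema. Names, the suspend_club action
-- and the sample data are assumptions. Run as a superuser in psql; the
-- transaction is rolled back at the end so nothing is left behind.
begin;
create role app_user nologin;  -- the role the API layer runs user requests as

create table profiles (
  user_id uuid primary key, display_name text not null, email text not null,
  phone text, playing_level numeric(3,1) not null);
create table clubs (id int primary key, name text not null,
  suspended boolean not null default false);
create table club_members (
  club_id int references clubs, user_id uuid references profiles,
  role text not null check (role in ('member', 'admin')), primary key (club_id, user_id));
create table event_participants (
  event_id int, user_id uuid references profiles, primary key (event_id, user_id));
create table platform_admins (user_id uuid primary key references profiles);

-- One claim from the caller's JWT (null when there is no token).
create function jwt_claim(name text) returns text language sql stable as $$
  select nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> name $$;

-- 1. Profiles are self-only. With RLS on and no insert/update/delete policy, those are denied.
alter table profiles enable row level security;
create policy profiles_self on profiles for select to app_user
  using (user_id = jwt_claim('sub')::uuid);
grant select on profiles to app_user;

-- 2. Narrow roster RPC: name and level only, and only to a participant of that event.
--    security definer bypasses RLS, so the WHERE clause is the access control;
--    the pinned search_path stops a caller from shadowing tables through pg_temp.
create function event_participant_summary(p_event_id int)
returns table (display_name text, playing_level numeric)
language sql stable security definer set search_path = public, pg_temp as $$
  select p.display_name, p.playing_level
  from event_participants ep join profiles p using (user_id)
  where ep.event_id = p_event_id
    and exists (select 1 from event_participants me
                where me.event_id = p_event_id and me.user_id = jwt_claim('sub')::uuid) $$;

-- 3. Club-admin RPC: full profiles of current members, only for an admin of that club.
create function club_member_profiles(p_club_id int) returns setof profiles
language sql stable security definer set search_path = public, pg_temp as $$
  select p.* from club_members cm join profiles p using (user_id)
  where cm.club_id = p_club_id
    and exists (select 1 from club_members a where a.club_id = p_club_id
                and a.user_id = jwt_claim('sub')::uuid and a.role = 'admin') $$;

-- 4. Platform-admin action: Supabase sets "aal":"aal2" in the token only after a
--    second factor was verified, so the check is on the session, not on the user row.
create function is_platform_admin_aal2() returns boolean
language sql stable security definer set search_path = public, pg_temp as $$
  select coalesce(jwt_claim('aal') = 'aal2', false)
     and exists (select 1 from platform_admins where user_id = jwt_claim('sub')::uuid) $$;
create function suspend_club(p_club_id int) returns void
language plpgsql security definer set search_path = public, pg_temp as $$
begin
  if not is_platform_admin_aal2() then
    raise exception 'platform admin with an aal2 session required' using errcode = '42501';
  end if;
  update clubs set suspended = true where id = p_club_id;
end $$;
revoke execute on function event_participant_summary(int), club_member_profiles(int), suspend_club(int) from public;
grant execute on function event_participant_summary(int), club_member_profiles(int), suspend_club(int) to app_user;
-- club_members, event_participants and platform_admins get no grant at all:
-- app_user can reach them only through the functions above.

-- Constructed sample data, not real members.
insert into profiles values
  ('00000000-0000-0000-0000-000000000001', 'Anna', 'anna@example.org', '+31600000001', 6.5),
  ('00000000-0000-0000-0000-000000000002', 'Bram', 'bram@example.org', null, 5.0),
  ('00000000-0000-0000-0000-000000000003', 'Chris', 'chris@example.org', null, 7.0);
insert into clubs (id, name) values (1, 'Club A'), (2, 'Club B');
insert into club_members values
  (1, '00000000-0000-0000-0000-000000000001', 'admin'),
  (1, '00000000-0000-0000-0000-000000000002', 'member'),
  (2, '00000000-0000-0000-0000-000000000003', 'member');
insert into event_participants values
  (10, '00000000-0000-0000-0000-000000000001'), (10, '00000000-0000-0000-0000-000000000002');
insert into platform_admins values ('00000000-0000-0000-0000-000000000001');

set local role app_user;
-- Bram: club A member, in event 10, password-only session (aal1).
set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000002","aal":"aal1"}';
select display_name from profiles;                   -- Bram only
select * from event_participant_summary(10);         -- Anna 6.5, Bram 5.0; no email or phone
-- Chris: club B, not in event 10; the same roster query returns nothing.
set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000003","aal":"aal1"}';
select count(*) from event_participant_summary(10);  -- 0
-- Anna: club A admin and platform admin, but her session is still aal1.
set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001","aal":"aal1"}';
select count(*) from club_member_profiles(1);        -- 2: the club-admin path does not check aal in this example
-- select suspend_club(1);                            -- would raise 42501 and abort the transaction
-- Same user after the TOTP step: the token now carries aal2.
set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001","aal":"aal2"}';
select suspend_club(1);                              -- succeeds
rollback;  -- demonstration only: discard the tables and the role
```

Two design points worth noting. The raw tables behind the RPCs carry no grants for app_user, so a bug in application code that queries them directly fails with a permission error rather than leaking rows; the only paths are the functions, whose WHERE clauses are the whole access control. And the aal2 check lives in a `security definer` helper rather than in the UI or in a per-user flag, because the claim is stamped into the access token by the auth service only after the second factor is verified for that session, which is what makes it usable from both SQL functions and RLS policies.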
Questions or concerns?
Email security@rallyo.events
We respond within 2 business days. Security issues can be reported via the contact in our security.txt (the RFC 9116 file, whose standard location is /.well-known/security.txt).