Privacy Policy

Effective 16 June 2026 · Last updated 16 June 2026

This Privacy Policy explains how Kortpick (“Kortpick”, “we”, “us” or “our”) collects, uses, shares, and protects personal data when you use the Kortpick venue-management products — including the Kortpick website, the Kortpick web dashboard, and the Kortpick Manager mobile app for iOS and Android (together, the “Service”).

Kortpick is a business tool for sports-venue owners, managers, and staff (“Operators”). Through the Service, Operators record and manage bookings made by their own customers (“Venue Customers”). This policy covers personal data of both groups. For Venue Customer data, the Operator is the controller and Kortpick acts as a processor on the Operator’s behalf, as described in section 4.

1. Who we are

The data controller responsible for personal data processed through the Service is:

Kortpick
Dubai
Email: rahil@kortpick.com

2. Personal data we collect

We collect the following categories of data:

  • Operator account data. When an Operator signs up or is invited to a venue, we collect their name, email address, and (optionally) phone number, together with their role and the venue(s) they belong to. Authentication is handled through our identity provider (Supabase Auth); we do not store plain-text passwords.
  • Venue and business data. Venue details, courts, pricing, operating hours, templates, and revenue/occupancy figures that Operators enter to run their venue.
  • Booking and Venue Customer data. Information Operators enter about bookings — typically a customer’s name and phone number, booking date/time, court, price, payment status, and any notes. This data is entered by Operators about their own customers.
  • Camera (QR check-in). The mobile app requests camera access only so staff can scan a booking QR code to check a customer in. The camera is used to read the QR code on-device; we do not take, store, or transmit photos or video.
  • Device and log data. When you use the Service our servers automatically record technical data such as IP address, device/browser type, and timestamps, for security, debugging, and abuse prevention.
  • Authentication tokens. The mobile app stores session tokens securely on your device (using the platform secure keystore) so you stay signed in.

We do not use third-party advertising or cross-app tracking SDKs, and we do not sell personal data. The in-app “Analytics” screen shows an Operator’s own venue business metrics — it is not third-party user tracking.

3. How we use personal data

  • To create and administer Operator accounts and authenticate sign-in.
  • To provide the core Service — managing venues, courts, bookings, customers, and reporting.
  • To enable QR check-in and related operational features.
  • To secure the Service, prevent fraud/abuse, and debug problems.
  • To send service-related communications (for example, account or booking notifications).
  • To comply with legal obligations.

Where required by applicable law, we rely on the following legal bases: performance of a contract (providing the Service), our legitimate interests (securing and improving the Service), consent (for example, device permissions such as the camera), and compliance with legal obligations.

4. Venue Customer data and our role

For data that Operators enter about their Venue Customers (such as booking contact details), the Operator is the data controller and decides why and how that data is used. Kortpick processes that data only to provide the Service to the Operator and according to the Operator’s instructions. If you are a Venue Customer and wish to access, correct, or delete your booking information, please contact the venue you booked with; we will assist that venue as its processor.

5. How we share data

We share personal data only with service providers (sub-processors) who help us operate the Service, under contracts that require them to protect it. These currently include:

  • Supabase — database hosting and user authentication.
  • Vercel — hosting of the Kortpick website and web dashboard.
  • Render — hosting of the Kortpick API.

We may also disclose data where required by law, to enforce our terms, or in connection with a merger, acquisition, or sale of assets (with notice where required). We do not sell personal data.

6. International transfers

Our service providers may process data on servers located outside your country. Where personal data is transferred internationally, we take steps to ensure it remains protected in line with applicable data-protection law.

7. Data retention

We keep personal data for as long as an account or venue is active and as needed to provide the Service, then for any additional period required to meet legal, accounting, or security obligations. When data is no longer needed, we delete or anonymise it. Operators can delete bookings and customer records from within the Service.

8. Security

We use technical and organisational measures to protect personal data, including encryption in transit (HTTPS), secure on-device storage of authentication tokens, access controls, and reputable infrastructure providers. No method of transmission or storage is completely secure, but we work to protect your data and to address any incidents promptly.

9. Your rights

Depending on your location, you may have the right to:

  • access the personal data we hold about you;
  • correct inaccurate data;
  • request deletion of your data;
  • object to or restrict certain processing;
  • request a copy of your data in a portable format;
  • withdraw consent (such as the camera permission) at any time via your device settings.

To exercise any of these rights, email us at rahil@kortpick.com. We will respond within the timeframe required by applicable law.

10. Account and data deletion

You can request deletion of your Operator account and associated personal data at any time by emailing rahil@kortpick.com from the address linked to your account, or by contacting us through the in-app support option. We will delete or anonymise your personal data within a reasonable period, except where we are required to retain it to comply with legal obligations or to resolve disputes. Some venue/booking records may be retained by the venue (the controller of that data) for its own legal and accounting purposes.

11. Children

The Service is a business tool intended for venue Operators and is not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us so we can remove it.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you through the Service. Your continued use of the Service after changes take effect means you accept the updated policy.

13. Contact us

If you have any questions about this Privacy Policy or how we handle your data, contact us at rahil@kortpick.com.

This policy is governed by the laws of the United Arab Emirates.