Privacy Policy

1. About this Policy

This Privacy Policy explains how Pay to Play (“we”, “us”, “our”) collects, uses, discloses, and protects your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

By using the Pay to Play mobile application (“the App”), you consent to the collection and use of your information as described in this policy.

2. What Personal Information We Collect

2.1 Account and Identity Information

• Full name — provided via Google or Apple sign-in, or entered manually
• Email address — provided by your OAuth sign-in provider (Google or Apple)
• Phone number — if you sign in via SMS/phone authentication
• Profile display name — chosen by you within the App
• Profile photo — uploaded by you or sourced from your sign-in provider

2.2 Payment Information

We use Stripe to process payments. We do not store your full credit card number, expiry date, or CVV. We store only:

• Card brand (e.g. Visa, Mastercard)
• Last four digits of your card number
• Stripe identifiers (Customer ID, PaymentMethod ID, PaymentIntent ID) used to process transactions on your behalf

If you are a session organiser, Stripe may collect additional identity and business information as part of its Know Your Customer (KYC) onboarding process. This information is held by Stripe, not by us.

2.3 Session and Activity Information

• Session details you create or join (title, sport type, venue address, date/time, pricing)
• Your attendance status, waitlist position, and cancellation history
• Whether a cancellation occurred after the cancellation cutoff

2.4 Device and Technical Information

• Expo push notification token — to deliver push notifications to your device
• Device identifier and platform (iOS or Android)
• Error and performance data — if Sentry error tracking is enabled, we may collect crash reports, stack traces, and performance metrics. This may include personal information associated with the error event.

2.5 Notification Records

• A log of notifications sent to you (type, title, body, delivery status)
• Your notification preferences (which categories of notification you have opted in or out of)

3. How We Collect Personal Information

We collect personal information:

• Directly from you — when you create an account, set up your profile, create or join sessions, add a payment method, or adjust notification preferences
• From third-party sign-in providers — Google and Apple provide your name, email, and profile photo during OAuth sign-in
• From Stripe — payment confirmation details and transaction statuses
• Automatically from your device — device tokens for push notifications and, where applicable, error/crash data via Sentry

4. Why We Collect Personal Information

We collect and use your personal information for the following purposes:

Purpose	Information used
Creating and managing your account	Name, email, phone, profile photo
Facilitating session organisation and attendance	Session details, attendance status, waitlist data
Processing payments and pre-authorisations	Stripe identifiers, card display data (brand, last four)
Splitting costs between session attendees	Payment amounts, attendee counts, pricing model
Sending push notifications	Device token, notification preferences
Enforcing cancellation and payment policies	Cancellation timestamps, cutoff status
Improving app stability and fixing bugs	Error reports, crash data, performance metrics
Preventing fraud and ensuring security	Authentication data, transaction logs

We will not use your personal information for purposes other than those outlined above without your consent, unless required or authorised by law.

5. Disclosure of Personal Information

We may disclose your personal information to the following third parties:

5.1 Stripe (Payment Processing)

Stripe, Inc. processes all payments on our behalf. When you add a payment method or make a payment, your payment details are transmitted directly to Stripe. Stripe’s handling of your data is governed by the Stripe Privacy Policy.

5.2 Expo (Push Notifications)

We use Expo’s push notification service to deliver notifications to your device. Your device push token and notification content are transmitted to Expo for delivery. Expo’s handling of your data is governed by the Expo Privacy Policy.

5.3 Sentry (Error Tracking — Optional)

If error tracking is enabled, crash reports and related diagnostic data may be sent to Sentry. Sentry’s handling of your data is governed by the Sentry Privacy Policy.

5.4 Supabase (Infrastructure)

Our backend infrastructure is hosted on Supabase. Your data is stored in Supabase-managed databases and storage. Supabase’s handling of your data is governed by the Supabase Privacy Policy.

5.5 Google and Apple (Authentication)

If you sign in with Google or Apple, authentication tokens are exchanged with the respective provider. Their handling of your data is governed by their respective privacy policies.

5.6 Other Session Participants

When you join a session, other participants (and the session organiser) can see your display name and profile photo. Sessions shared via a share link may expose participant names and avatars to anyone with the link.

5.7 Legal Requirements

We may disclose your personal information if required to do so by law, regulation, or legal process, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6. Overseas Disclosure

Some of the third-party services we use (Stripe, Expo, Sentry, Supabase) may store or process your data outside of Australia, including in the United States. Where your data is transferred overseas, we take reasonable steps to ensure the overseas recipient handles your information in accordance with the APPs.

7. Data Security

We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. These measures include:

• All data transmitted between the App and our servers is encrypted in transit (TLS/HTTPS)
• Database access is controlled by Row Level Security (RLS) policies, ensuring users can only access data they are authorised to view
• Full credit card details are never stored in our database — payment data is handled entirely by Stripe in a PCI DSS-compliant environment
• Authentication is managed by Supabase Auth with industry-standard practices
• Admin access to data is restricted and logged

No method of electronic storage or transmission is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the App’s services. Specifically:

• Account and profile data is retained until you delete your account
• Session and attendance records are retained for record-keeping and dispute resolution purposes
• Payment transaction records are retained as required for financial record-keeping and applicable tax obligations
• Notification logs are retained for operational and debugging purposes
• Device tokens are retained while your account is active and are removed when you delete your account or uninstall the App

When your data is no longer required, we will take reasonable steps to destroy or de-identify it.

9. Your Rights

Under the Australian Privacy Principles, you have the right to:

9.1 Access Your Information

You may request access to the personal information we hold about you. We will respond to your request within a reasonable period (generally within 30 days).

9.2 Correct Your Information

If you believe the personal information we hold about you is inaccurate, incomplete, or out of date, you may request that we correct it. You can update your display name, profile photo, and notification preferences directly within the App.

9.3 Delete Your Information

You may request that we delete your account and associated personal information. Some information may be retained where required by law (e.g. financial transaction records).

9.4 Opt Out of Notifications

You can manage your notification preferences within the App’s settings. You can also disable push notifications at the device level through your device’s system settings.

9.5 Withdraw Consent

Where we rely on your consent to process personal information, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

10. Cookies and Tracking

The App does not use cookies. Where error tracking is enabled via Sentry, diagnostic data is collected automatically during app usage. No advertising trackers or analytics platforms are used within the App.

11. Children’s Privacy

The App is not directed at children under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy within the App or by other reasonable means. The “Last updated” date at the top of this policy indicates when the most recent changes were made.

Your continued use of the App after any changes to this policy constitutes your acceptance of those changes.

13. How to Contact Us

If you have any questions about this Privacy Policy, wish to make a complaint, or would like to exercise any of your rights described above, please contact us at:

14. Definitions