Legal
Privacy Policy
Last updated: 29 April 2026
This page is a translation provided for convenience. The legally binding version is the German original at /de/datenschutz and /de/impressum.
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other data-protection provisions is:
- Company: Lukas List
- Address: Am alten Marktplatz 3, 35423 Lich, Deutschland
- Email: privacy@courtly.social
- Website: https://courtly.social
For questions regarding the processing of your personal data please contact the email address listed above.
2. Data Collected and Purposes of Processing
2.1 Account data (registered users)
On registration we collect: name, email address and optionally a profile picture. Passwords are stored exclusively as a cryptographic hash (scrypt) — never in plain text.
- Legal basis: Art. 6 (1) (b) GDPR (performance of a contract)
- Retention: Until the account is deleted on request
2.2 Booking data (guests without account)
For guest bookings we collect: name, email address, phone number (optional) as well as booking details (date, time, court, price).
- Legal basis: Art. 6 (1) (b) GDPR (performance of a contract)
- Retention: 90 days after the booking date, then pseudonymised
2.3 Session data
To secure login we store technically necessary session information including IP address and browser identifier (user agent). The session cookie expires after 7 days; the database record is then permanently deleted as part of a daily automated purge (no later than 90 days after expiry).
- Legal basis: Art. 6 (1) (f) GDPR (legitimate interest: IT security)
- Retention: Cookie: 7 days; database record: max. 90 days after session expiry
2.4 Payment data
Payments are processed via Stripe. We only store the Stripe customer ID and booking status — no card data. Full payment processing is handled by Stripe.
- Legal basis: Art. 6 (1) (b) GDPR (performance of a contract)
- Retention: 10 years pursuant to § 147 AO (statutory tax retention)
2.5 Usage analytics (only with consent)
Only if you accept the analytics cookies do we collect pseudonymised usage data (pages visited, clicks, device category) for product improvement via PostHog. No personal data (name, email) is sent to PostHog. Events are linked to your internal user ID — a randomly generated identifier not derived from personal data — from which PostHog cannot infer your identity.
- Legal basis: Art. 6 (1) (a) GDPR (consent)
- Withdrawal: At any time via the cookie settings (banner bottom right)
3. Cookies
We use only technically necessary cookies for authentication (session cookie) plus optional analytics cookies. Your consent choice is stored in a cookie (courtly-cookie-consent, lifetime: 1 year).
| Cookie | Purpose | Duration | Category |
|---|---|---|---|
| better-auth.session_token | Authentication (login session) | Session / 7 days | Necessary |
| courtly-cookie-consent | Stores your cookie preference | 1 year | Necessary |
| ph_* | PostHog usage analytics (pseudonymous) | 1 year | Analytics (opt-in) |
| sentryReplaySession | Sentry Session Replay for error diagnosis | Session | Analytics (opt-in) |
You can withdraw or adjust your consent for optional cookies at any time via the cookie banner (bottom right).
4. Disclosure to Third Parties
We share your data with third parties only where necessary for performance of a contract or where you have consented. All processors are bound by data-processing agreements (DPAs / AVV).
4.1 PostHog (usage analytics)
- Provider: PostHog Inc., 965 Mission St. Suite 550, San Francisco, CA 94103, USA
- Purpose: Pseudonymised usage analytics
- Data processing: Exclusively on EU servers (Frankfurt, Germany)
- Data transmitted: Pseudonymous user ID (SHA-256 hash), page views, events — no email, no name
- Legal basis: Art. 6 (1) (a) GDPR (consent)
- DPA (AVV): Concluded under Art. 28 GDPR
- Third-country transfer: PostHog Inc. is based in the USA. Transfer is based on EU Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR. Data processing takes place exclusively on EU servers.
4.2 Stripe (payment processing)
- Provider: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland
- Purpose: Payment processing, payouts to clubs (Stripe Connect)
- Data transmitted: Name, email, payment information for transactions
- Legal basis: Art. 6 (1) (b) GDPR (performance of a contract)
- DPA (AVV): Concluded under Art. 28 GDPR
- Privacy policy: stripe.com/privacy
For bookings via Stripe Connect, the respective club operators receive transactional data (name, email, booking amount) through their Stripe Connect account. The club operator is an independent controller within the meaning of Art. 4 (7) GDPR and subject to its own data-protection obligations toward bookers.
4.3 Resend (email delivery)
- Provider: Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA
- Purpose: Transactional emails (booking confirmation, cancellation, invitations)
- Data transmitted: Email address, name, booking-related information
- Legal basis: Art. 6 (1) (b) GDPR (performance of a contract)
- DPA (AVV): Concluded under Art. 28 GDPR
- Third-country transfer: Resend, Inc. is based in the USA. Transfer is based on EU Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR.
4.4 Sentry (error and performance monitoring)
- Provider: Functional Software, Inc. d/b/a Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA
- EU hosting: Data is processed exclusively in the EU region (ingest.de.sentry.io, Frankfurt am Main)
- Purpose: Diagnosis of application errors and performance issues to ensure IT security and availability
- Data transmitted: Stack traces, error types, anonymised user ID (no name, no email), URL path without sensitive query parameters, truncated browser/server information
- Legal basis: Art. 6 (1) (f) GDPR (legitimate interest: IT security and stability)
- Session Replay: Optional and only with consent (Art. 6 (1) (a) GDPR). All text and media are masked before transmission.
- DPA (AVV): Concluded under Art. 28 GDPR
- Third-country transfer: Where intra-group transfers occur to Sentry, Inc. (USA), they are based on EU Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR. The ingest servers are located in Germany.
4.5 Hosting infrastructure
- Provider: netcup GmbH, Daimlerstraße 25, 76185 Karlsruhe, Germany
- Data center: Data center Germany (Nuremberg)
- Data processed: All application and database data
- Legal basis: Art. 6 (1) (b), (f) GDPR (performance of a contract, legitimate interest)
- DPA (AVV): Concluded under Art. 28 GDPR
- Note: All data remain within the EU/EEA.
5. Your Rights as a Data Subject
Under the GDPR you have the following rights. To exercise them please contact the email address given in section 1:
- Art. 15 – Access: You may at any time request information about the data we hold about you.
- Art. 16 – Rectification: You may have inaccurate personal data corrected.
- Art. 17 – Erasure: You may request the deletion of your data ("right to be forgotten"). We will delete your account and all associated personal data on request — unless statutory retention obligations apply.
- Art. 18 – Restriction: You may request that processing be restricted.
- Art. 20 – Portability: You may request your data in a machine-readable format. Write to us to request a data export.
- Art. 21 – Objection: You may object to processing based on legitimate interests.
- Art. 7 (3) – Withdrawal: Consents granted (e.g. for analytics cookies) may be withdrawn at any time with effect for the future.
You also have the right to lodge a complaint with the competent data-protection supervisory authority.
6. Data Security
Courtly applies the following technical and organisational measures (TOM):
- Encrypted transmission via TLS 1.2+ (HTTPS)
- Password hashing with scrypt (a modern, brute-force-resistant scheme)
- Operation on a dedicated root server at netcup GmbH, data center Nuremberg, Germany
- Database access exclusively via authenticated, encrypted connections
- Role-based access control (only authorised club administrators see club data)
- Regular automated security updates of the infrastructure
7. No Automated Decision-Making
We do not use automated decision-making procedures including profiling within the meaning of Art. 22 GDPR that have legal or similarly significant effects on individuals.
8. Changes to this Privacy Policy
We reserve the right to adapt this privacy policy in response to changes in the legal landscape or in our services. The current version is always available at courtly.social/datenschutz. We will notify registered users by email of material changes.
Last updated: 29 April 2026 · This privacy policy applies to courtly.social and all related subdomain services.