Privacy Policy

Last updated: 25 May 2026

This Privacy Policy explains how Baddr (“Baddr”, “we”, “us”) collects, uses, shares, and protects personal data when you use the Baddr iOS app or website at baddr.pro. Baddr is a platform that helps badminton clubs coordinate in-person sessions, matches, and membership for their players.

We are committed to protecting your privacy and handling your personal data in accordance with the UK GDPR and the Data Protection Act 2018.

Who we are

Baddr is operated as a sole trader based in the United Kingdom and is registered with the UK Information Commissioner’s Office (ICO) under registration number [ICO REGISTRATION NUMBER]. We are the data controller for personal data processed through the Baddr platform, except where your club acts as the controller in its own right (see “Your club and Baddr” below).

For any privacy questions, requests, or complaints, contact us at hello@baddr.pro.

Your club and Baddr

When you join a club on Baddr, your club decides what information to collect about its members and how to use it to run the club. For that information, your club is the data controller and Baddr is a data processor acting on the club’s instructions. Baddr is the data controller for information about your Baddr account itself (such as your login credentials and device identifiers for push notifications).

Information we collect

We only collect information that is needed to run the service. The specific data collected depends on how you use Baddr:

Account information

  • Name and email address
  • Password (stored as a one-way hash by our authentication provider)
  • Profile photo, if you choose to upload one

Player profile information

If you join a club, your club may ask you to provide some of the following. Most fields are optional:

  • Phone number
  • Date of birth (used by clubs to confirm eligibility for age-category league play)
  • Gender (used for mixed-doubles team selection)
  • Address (used by some clubs for membership administration)
  • Emergency contact details, where clubs request them

Activity and gameplay data

  • Match results, scores, and rating history for games you play at your club
  • Attendance at club sessions, queue position, and practice participation
  • Match availability responses (RSVPs) and team selections
  • Notifications you have received and interacted with

Payment information

When you pay a fee through Baddr (for example a session fee, match fee, visitor fee, or club membership), the payment itself is processed by Stripe. We do not see or store your full card number or CVC. We store a record of the transaction (amount, currency, status, date, what the payment was for) so your club can track what has been paid.

Device and technical data

  • Device push-notification token, if you enable push notifications
  • Approximate location at the country or city level, derived from your IP address, for security and abuse prevention
  • Basic usage analytics (pages visited, referring URL, device type) collected by Vercel Analytics in an aggregated and anonymised form

Baddr does not track your precise GPS location and does not use third-party advertising or tracking SDKs.

How we use your information

We use personal data only for purposes that are necessary to provide the service:

  • To create and authenticate your account
  • To let your club organise sessions, matches, teams, and payments that you have chosen to take part in
  • To send you transactional notifications relating to activity you are involved in (availability requests, team confirmations, payment requests and reminders, match updates, membership renewals)
  • To process payments you have initiated, via Stripe
  • To protect the service from abuse, fraud, and security incidents
  • To comply with our legal obligations

We do not use your personal data for advertising. We do not sell your personal data. We do not send marketing emails or promotional push notifications without your consent.

AI Insights

Baddr includes an AI Insights feature powered by Google Gemini, a large language model provided by Google LLC. AI Insights surfaces contextual summaries and suggestions - for example, a personal season summary for players, or attention flags for club administrators.

No personally identifiable information is sent to Google. Before any data is submitted to the Gemini API, Baddr's servers strip all identifying information and replace it with anonymous placeholders or aggregate statistics. Specifically:

  • Player names are replaced with anonymous tokens (e.g. Player 1, Player 2) before the prompt is constructed. First names are substituted back into the response on Baddr's servers, after the AI has replied, and never leave Baddr.
  • Player season summaries contain only aggregate statistics: number of matches played, win rate, win streak, approximate hours on court, and best partnership win rate. No names, email addresses, dates of birth, or other identifiers are included.
  • Club admin dashboards receive only aggregate club-wide figures: member counts, revenue totals, outstanding payment counts, and expense totals. No individual player data is included.

The data sent to Google Gemini is indistinguishable from anonymised statistical summaries. Google processes this data in accordance with its own terms of service and privacy policy. We do not use AI Insights to make any automated decisions that have legal or similarly significant effects on you.

Legal bases for processing

Under the UK GDPR we rely on the following legal bases:

  • Contract: to provide the Baddr service you have signed up for, including coordinating the club activity you have chosen to participate in and processing your payments.
  • Legitimate interests: to keep the service secure, to prevent abuse, and to improve the product.
  • Consent: to send you push notifications, where the operating system requires explicit permission, and for any optional features you turn on.
  • Legal obligation: to meet our accounting, tax, and regulatory duties.

Who we share data with

We share personal data only with the parties listed below, and only for the purposes described:

  • Your club. Administrators and captains at the club you join can see the information in your player profile and your activity at their club, so they can run the club.
  • Supabase (supabase.com) - provides our database and authentication infrastructure.
  • Stripe (stripe.com) - processes payments, including in-person payments via Stripe Tap to Pay. Stripe acts as an independent data controller for payment data.
  • Resend (resend.com) - sends transactional emails such as invites, payment receipts, and renewal reminders.
  • Apple Push Notification service and, on the web, browser push services - deliver push notifications to your device.
  • Vercel (vercel.com) - hosts the Baddr website and provides anonymised usage analytics.
  • Google LLC (ai.google.dev) - provides the Gemini AI model used for AI Insights. Only anonymised aggregate statistics are sent; no personally identifiable information is included. See the “AI Insights” section above for full details.

We may also disclose information if required by law, to protect our rights, or as part of a business transfer (for example, if Baddr is acquired). We will not sell your personal data.

International transfers

Some of the service providers listed above are based outside the UK and the European Economic Area. Where personal data is transferred internationally, we rely on appropriate safeguards such as the UK International Data Transfer Addendum or the EU Standard Contractual Clauses.

How long we keep data

We keep your personal data for as long as your Baddr account is active. If you delete your account, we remove your player profile and personal identifiers within 30 days. We may retain a limited set of records (for example, payment transaction records) for longer where we are legally required to do so, typically up to seven years for accounting purposes. Match results and club activity that have been anonymised no longer identify you.

Children

Badminton clubs often include junior players. Baddr does not allow children under the age of 13 to create their own account. Where a junior is part of a club, their account is created and managed by a parent, guardian, or club administrator acting on the parent’s behalf. If you believe a child has provided us with personal data without appropriate consent, please contact us at hello@baddr.pro and we will delete it.

Your rights

Under UK and EU data protection law you have the right to:

  • Access the personal data we hold about you
  • Ask us to correct information that is wrong
  • Ask us to delete your data (“right to be forgotten”)
  • Object to or restrict certain processing
  • Receive a copy of your data in a portable format
  • Withdraw consent at any time where we rely on consent
  • Lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) or your local supervisory authority

You can delete your account and associated personal data at any time from within the Baddr app via Settings → Account → Delete Account, or by emailing hello@baddr.pro.

Security

We use industry-standard technical and organisational measures to protect personal data, including encryption in transit, encrypted database storage, role-based access controls, and audit logging. No system is perfectly secure, but we take our responsibility to protect your data seriously.

Changes to this policy

We may update this Privacy Policy from time to time. If we make a material change we will notify you through the app or by email before it takes effect. The “Last updated” date at the top of this page always reflects the current version.

Contact us

If you have any questions about this Privacy Policy or how we handle your personal data, please email us at hello@baddr.pro.