Privacy Policy

1. Controller

The controller responsible for processing your personal data within the meaning of the General Data Protection Regulation (GDPR / DSGVO) is:

ABTM Projects GmbH
(operating the platform under the brand name 1Club)
Diehlgasse 33/26, 1050 Wien, Österreich
Commercial register: FN 676680 v, Handelsgericht Wien
UID: ATU83200448
Managing directors: Toni Marence & Andreas Brawisch
E-Mail: privacy@1club.at
Website: 1club.at

2. What Data We Collect

2.1 Account & profile data

When you register, we collect the following data:

• First and last name
• E-mail address
• Date of birth (used to calculate your age for display; minimum age 16)
• Gender (optional; displayed on your profile)
• Password (stored only as a bcrypt hash; we never see the plain text)

Additional optional profile information you may add at any time:

• City / location (text you enter manually — we do not collect your GPS position)
• Profile photo (uploaded via the iOS system photo picker)
• Short bio
• Sports interests and self-assessed skill level per sport (1–5 scale)

2.2 Activity & social data

• Games you create, join, leave, or are invited to
• Attendance history and no-show record
• Waiting-list entries
• Friend connections and pending friend requests
• Communities you belong to or manage
• Guests you invite to games (number of guests; no separate data on guests)

2.3 Communications

• In-app chat messages and image attachments sent inside game chats
• Support tickets and messages you send to our team

2.4 Payment data

For paid games we facilitate payments through Stripe (Stripe Payments Europe, Ltd.). Your card number, CVC, and expiry date are entered directly into Stripe's secure interface and are never transmitted to or stored by 1Club. We only store the Stripe payment-intent ID and booking amount to record that a payment occurred.

Apple Pay is offered as an additional payment method. Apple Pay transactions are processed by Stripe; no card data passes through 1Club servers.

2.5 Technical & device data

• Apple Push Notification Service (APNs) device token — stored to send you booking confirmations, game updates, chat messages, and friend-request notifications
• App version and iOS version (included automatically in API requests for debugging)

We do not use any third-party analytics SDK. We do not track you across other apps or websites.

2.6 Website (1club.at)

Our website is an informational site. It does not use analytics, advertising cookies, or any third-party tracking. The only data processed by the website itself is:

• Server logs: Each request to 1club.at is briefly logged by our hosting provider netcup GmbH (IP address, timestamp, requested URL, user agent) for security and debugging. Logs are deleted after 14 days at the latest.
• Local storage (theme preference): The site stores your light/dark mode choice in your browser's localStorage under the key theme. This is a strictly necessary technical setting (Art. 6(1)(f) GDPR; § 165(3) TKG) and is never sent to our server.

2.7 Feature waitlist

If you choose to be notified when a future feature (e.g. in-app court booking) becomes available, we store your e-mail address for that specific notification only. You may opt out at any time by contacting privacy@1club.at.

3. Device Permissions

The iOS app requests the following system permissions. Each permission is optional unless explicitly stated:

• Camera — used solely to scan payment cards via Stripe's card-scanning feature. Camera frames are processed on-device by the Stripe SDK and are not transmitted to 1Club servers.
• Calendar — used to let you add a game to your personal device calendar when you choose to. We read only the minimum necessary to write a calendar event; we do not read your existing calendar entries.
• Photos — accessed through the iOS system photo picker when you upload a profile picture or send an image in a game chat. The picker runs in a separate process; 1Club does not receive access to your full photo library.
• Push Notifications — used to send you game updates, booking confirmations, chat messages, and friend requests. You can revoke this permission in iOS Settings at any time.

We never request location (GPS) permission. The location shown on game maps is the address manually entered by the organizer.

4. Legal Basis for Processing (Art. 6 GDPR)

• Art. 6(1)(b) GDPR — Performance of a contract: Processing your account data, booking records, payment references, and activity data to provide the 1Club service you have signed up for.
• Art. 6(1)(f) GDPR — Legitimate interest: No-show tracking and booking restrictions to protect other users who rely on confirmed participants; fraud prevention; platform security; debugging and error logging.
• Art. 6(1)(a) GDPR — Consent: Push notifications (you grant or revoke this via the iOS system prompt or Settings).

5. How We Use Your Data

• Provide, operate, and improve the 1Club platform
• Show your profile to other users in the context of games you participate in or create
• Display friends' activity in the Friends section of Communities (only if you enable this in Settings → Privacy)
• Process bookings and payments, and issue booking confirmations
• Enforce the no-show policy (tracking attendance and issuing warnings or temporary booking restrictions)
• Send push notifications, transactional e-mails (booking confirmations, email verification), and account security alerts
• Respond to your support requests
• Detect and prevent fraud and abuse

6. Data Sharing

We do not sell your personal data. We share data only as follows:

• Other 1Club users: Your display name, profile photo, city, sports & skill levels, and (if you choose) your bio are visible to users viewing your profile. Non-friends see a restricted version. Participants in a game you join can see that you are attending.
• Stripe Payments Europe, Ltd. (payment processor): We transmit your booking amount and a reference ID. Stripe processes card and Apple Pay data under their own privacy policy and is certified under the EU–US Data Privacy Framework.
• Apple Inc. (push notifications via APNs): Your APNs device token is used to route push notifications. Apple processes this under their privacy policy.
• netcup GmbH (hosting & infrastructure): Our backend (api.1club.at) and databases run on virtual private servers hosted by netcup GmbH, located in Vienna, Austria. All data remains within the EEA. netcup acts as a data processor under a GDPR-compliant data processing agreement.
• Resend Inc. (transactional email): Booking confirmations, email verification, and password-reset emails are delivered via Resend's API. Your e-mail address is transmitted to Resend solely for the purpose of routing the message. Resend is a US-based company; transfers are covered by Standard Contractual Clauses (Art. 46 GDPR).
• Law enforcement: Where required by applicable law or a valid legal order.

7. International Data Transfers

Stripe, Apple, and Resend are US-based companies. Data transfers to them are covered by Standard Contractual Clauses (Art. 46 GDPR) and, in the case of Stripe, additionally by the EU–US Data Privacy Framework. All other processing — including our hosting infrastructure operated by netcup GmbH — takes place in Vienna, Austria, within the European Economic Area.

8. Retention Periods

• Account & profile data: Retained for the lifetime of your account. Deleted within 30 days of a verified account deletion request.
• Booking & payment records: Retained for 7 years to comply with Austrian accounting law (§ 212 UGB).
• Chat messages: Retained while the associated game or support ticket is open; support tickets are closed after 90 days of inactivity.
• Push notification tokens: Deleted when you log out or uninstall the app, or when Apple invalidates the token.
• Server logs (website): Maximum 14 days.
• Feature waitlist e-mails: Deleted after the notification is sent or after the feature is cancelled.

9. Data Security

• All data in transit is encrypted via TLS 1.2+
• Passwords are stored as bcrypt hashes
• Authentication uses short-lived JWT access tokens; refresh tokens are stored in the iOS Keychain
• Access to production systems is restricted to authorised personnel
• Payment card data is handled exclusively by Stripe's PCI-DSS-compliant infrastructure

10. Your Rights (Art. 15–22 GDPR)

You have the right to:

• Access (Art. 15): Request a copy of the personal data we hold about you.
• Rectification (Art. 16): Correct inaccurate or incomplete data — most profile data can be edited directly in the app.
• Erasure (Art. 17): Request deletion of your account and personal data, subject to legal retention obligations.
• Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
• Portability (Art. 20): Receive your data in a structured, machine-readable format.
• Objection (Art. 21): Object to processing based on legitimate interest (Art. 6(1)(f)).
• Withdraw consent (Art. 7(3)): Withdraw consent for push notifications at any time via iOS Settings — this does not affect the lawfulness of prior processing.

To exercise any of these rights, contact privacy@1club.at. We will respond within 30 days.

11. Right to Lodge a Complaint

You have the right to lodge a complaint with the Austrian data protection supervisory authority:

Datenschutzbehörde
Barichgasse 40–42, 1030 Wien
www.dsb.gv.at
E-Mail: dsb@dsb.gv.at

12. Minimum Age

1Club is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If we become aware that a user is under 16, we will delete their account and associated data promptly.

13. Changes to This Policy

We may update this Privacy Policy when our practices change or when required by law. Material changes will be communicated via a push notification or an in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

14. Contact

For any privacy-related questions or requests:
E-Mail: privacy@1club.at
Address: ABTM Projects GmbH, Diehlgasse 33/26, 1050 Wien, Österreich