Privacy Policy

Version: 1.9

Effective: February 14, 2026

Last Updated: February 14, 2026

1. Information We Collect

We collect the following categories of information:

Important: LookApex does NOT have a chat or messaging feature. Users cannot communicate with each other through the app. We do not collect, store, or process any direct messages or communications between users.

1.1 Information You Provide

  • Account information: Email address, password (stored only as a bcrypt hash; see Section 12)
  • Profile information: Display name, nickname, height, weight, playing position
  • Verification data: Birth year (for age verification)
  • Content: Court check-ins, respect interactions, profile photos

1.2 Information Collected Automatically

  • Device information: Device type, operating system, browser type
  • Usage data: Features used, time spent, interaction patterns
  • Log data: IP address, access times, referring URLs
  • Device identifiers: Fingerprint data for fraud prevention

1.3 Location Data

We collect precise geolocation data ONLY when you actively initiate a check-in to a court. We do NOT collect background location data or track your movements outside of explicit check-in actions.

1A. Complete Data Inventory

In compliance with GDPR Article 30 (Records of Processing Activities), we provide a complete inventory of all personal data we collect, store, and process:

PROFILE DATA (profiles table)

Data Field | Purpose | Legal Basis | Retention
email | Account identification, communication | Contract | Until account deletion + 30 days
first_name, last_name | Profile display | Consent | Until account deletion + 30 days
nickname | Alternative display name | Consent | Until account deletion + 30 days
height_cm, weight_kg | Player statistics (optional) | Consent | Until account deletion + 30 days
birth_year | Age verification (COPPA/GDPR compliance) | Legal Obligation | Until account deletion + 30 days
date_of_birth | Full birthdate for minors (parental consent) | Legal Obligation | Until account deletion + 30 days
country, city | Location preferences, finding nearby courts | Consent | Until account deletion + 30 days
jersey_number, colors, pattern | Customization preferences | Consent | Until account deletion + 30 days
sponsor, support_local_address | "Support Local" feature - user-provided business name and address (generates Google Maps link) | Consent | Until account deletion + 30 days
terms_accepted_at | Legal proof of consent | Legal Obligation | 7 years (legal requirement)
privacy_policy_version | Track which version user agreed to | Legal Obligation | 7 years (legal requirement)

SECURITY DATA (user_security table)

Data Field | Purpose | Legal Basis | Retention
registration_ip | Fraud prevention, rate limiting | Legitimate Interest | 30 days
registration_fingerprint | Detect multi-account abuse | Legitimate Interest | 30 days
registration_user_agent | Bot detection | Legitimate Interest | 30 days
turnstile_token | Bot/human verification (Cloudflare Turnstile) | Legitimate Interest | Not stored (verified at registration only)
last_sign_in_ip | Security (detect unauthorized access) | Legitimate Interest | 30 days
last_sign_in_at | Account activity monitoring | Legitimate Interest | Until account deletion
sign_in_count | Usage statistics | Legitimate Interest | Until account deletion
spam_score | Automated spam detection | Legitimate Interest | Until account deletion

CHECK-IN DATA (check_ins table)

Data Field | Purpose | Legal Basis | Retention
court_id | Link check-in to court | Contract | Until account deletion + 30 days
checked_in_at | Timestamp of check-in | Contract | Until account deletion + 30 days
checked_out_at | Timestamp of check-out | Contract | Until account deletion + 30 days
verified (boolean) | GPS verification status | Consent | Until account deletion + 30 days

CONTENT MODERATION DATA (content_warnings table)

When our automated moderation system detects inappropriate content, we record the following data to enforce our community guidelines and the three-strike warning system:

Data Field | Purpose | Legal Basis | Retention
user_id | Link warning to user account | Legitimate Interest | Until account deletion + 30 days
warning_type | Type of violation detected (e.g., "bad_words") | Legitimate Interest | Until account deletion + 30 days
context | Where violation occurred (e.g., "court_name", "report_details") | Legitimate Interest | Until account deletion + 30 days
triggered_words | Words that triggered the filter (for audit/appeal purposes) | Legitimate Interest | Until account deletion + 30 days
created_at | Timestamp of violation | Legitimate Interest | Until account deletion + 30 days

PARENTAL CONSENT DATA (for users under 16)

Data Field | Purpose | Legal Basis | Retention
parent_email | Contact parent/guardian | Legal Obligation | Until child reaches 18 + 5 years
consent_given_at | Proof of consent timestamp | Legal Obligation | Until child reaches 18 + 5 years
consent_ip | Verify consent authenticity | Legal Obligation | Until child reaches 18 + 5 years
consent_items | Specific items consented to | Legal Obligation | Until child reaches 18 + 5 years

2. How We Use Your Information

We process your personal data for the following purposes:

2.1 Service Provision

  • Create and maintain your account
  • Enable court check-ins and player discovery
  • Display your activity to other users (as per your privacy settings)
  • Process and respond to your requests

2.2 Safety & Security

  • Verify user identity and prevent fraud
  • Detect and prevent spam, abuse, and malicious activity
  • Enforce our Terms of Service and community guidelines
  • Protect the safety of our users and third parties

2.3 Legal Compliance

  • Comply with applicable laws, regulations, and legal processes
  • Respond to valid legal requests from public authorities
  • Protect our legal rights and defend against legal claims

3. Location Data

3.1 Geolocation Verification

When you check in to a court, we use your device's GPS/geolocation to verify that you are within proximity of the court location. This verification helps maintain the accuracy and integrity of our community data.

3.2 Verified vs. Unverified Check-ins

  • Verified check-ins: Location confirmed within required distance from court
  • Unverified check-ins: Location could not be confirmed (geolocation denied or unavailable)

3.3 Your Controls

  • You can check in without granting location access (check-in will be unverified)
  • Unverified check-ins do not count towards community statistics
  • You can enable/disable location access at any time through your device settings
  • Location data is only collected at the moment of check-in, not continuously

4. Data Sharing

4.1 Public Information

Certain information is publicly visible to other users based on your privacy settings:

  • Display name and profile photo
  • Court check-ins (if public)
  • Player statistics and badges

4.2 Service Providers

We may share data with trusted service providers who assist in operating our service:

  • Cloud infrastructure providers (hosting, storage, database)
  • Email service providers (for notifications and transactional emails)
  • Security providers (bot protection, fraud prevention)

4.3 Legal Requirements

We may disclose your information if required by law, court order, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.

4.4 Administrative Access

Our authorized administrators may access user data through secure administrative tools for the purposes of: content moderation, user support, investigating reported violations, enforcing our Terms of Service, and maintaining platform integrity. Administrative access is limited to authorized personnel only and is logged for accountability.

5. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under GDPR:

  • Right of Access (Art. 15): Request a copy of your personal data
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete data
  • Right to Erasure (Art. 17): Delete your data ("right to be forgotten")
  • Right to Restrict Processing (Art. 18): Limit how we use your data
  • Right to Data Portability (Art. 20): Export your data in machine-readable format
  • Right to Object (Art. 21): Object to certain processing activities
  • Right to Withdraw Consent (Art. 7): Withdraw consent at any time
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

You can exercise these rights directly in the app under Profile → Privacy & Data, or by contacting us at privacy@lookapex.com.

6. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: What personal information we collect, use, and share
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the "sale" of personal information (we do not sell data)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise these rights, contact us at privacy@lookapex.com with the subject line "CCPA Request". We will verify your identity before processing your request.

7. Children's Privacy

We take the privacy of children seriously and comply with COPPA (US), GDPR (EU), and ZZPL (Serbia) regulations.

7.1 Age Verification

We collect birth year during registration to verify that users meet our minimum age requirement of 16 years. This is the strictest standard that complies with all applicable regulations globally.

7.2 Parental Consent Process

If a user is under 16 years old, the following parental consent process applies:

  1. During registration, the user enters their birth year
  2. If under 16, the user must provide a parent/guardian's email address
  3. We send a verification email to the parent/guardian
  4. The parent must click the link and confirm they consent to:
    • The child creating an account
    • Location sharing when checking in to courts
    • Collection of activity data (check-ins, respects)
  5. The account is activated only after parental approval

7.3 Parental Rights

  • Review the child's personal information
  • Request deletion of the child's data
  • Withdraw consent at any time (resulting in account deactivation)
  • Refuse further collection or use of the child's information

7.4 What We Store

Parental consent records include: parent's email, consent timestamp, IP address at time of consent, and specific items consented to. These records are maintained as required by law.

10. International Data Transfers

Your personal data may be transferred to and processed in countries outside of your residence. When we transfer data internationally, we ensure appropriate safeguards are in place.

10.1 Primary Data Location

Your personal data is primarily stored on Supabase servers located in the European Union (Germany and Netherlands). Data only leaves the EU when necessary for specific services (email delivery, security services) and is protected by the safeguards listed below.

10.2 Safeguards for Non-EU Transfers

When we transfer personal data outside the European Economic Area, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (2021 version) with all third-party processors that handle data outside the EEA, including Cloudflare and Resend.
  • Data Processing Agreements (DPAs): All processors have signed Data Processing Agreements that comply with GDPR Article 28 requirements.
  • EU-US Data Privacy Framework: Some of our processors (Cloudflare) participate in the EU-US Data Privacy Framework, providing additional safeguards for transatlantic transfers.
  • Transfer Impact Assessments (TIAs): We conduct assessments to ensure that transfers to third countries provide adequate protection for your data.

11. Third-Party Services

We use the following third-party services that may process your data:

11.1 Infrastructure & Security

  • Supabase: Database and authentication (EU servers - Germany/Netherlands)
  • Cloudflare: Content delivery, DDoS protection, and security services
  • Cloudflare Pages: Web application hosting

11.2 Cloudflare Turnstile (Bot Protection)

We use Cloudflare Turnstile to protect our registration and login forms from automated bot attacks. Turnstile is a privacy-focused CAPTCHA alternative that does not require you to solve puzzles or identify images.

What Turnstile Collects:

  • Browser type and version
  • Screen resolution and timezone
  • Mouse movements and keyboard patterns (behavioral analysis)
  • Browser features and capabilities
  • IP address (for risk assessment)

How Turnstile Works:

  • Runs invisibly in the background - no user interaction required
  • Analyzes browser behavior to distinguish humans from bots
  • Generates a one-time token that we verify server-side
  • We do NOT store Turnstile data - only the verification result (pass/fail)

11.3 Maps & Location

  • MapLibre GL: Map rendering library (open source, no data sent to third parties)
  • OpenStreetMap/OpenFreeMap: Map tile data (no personal data shared)
  • Nominatim: Address search and geocoding (IP address may be logged by service)

11.4 Email Services

  • Resend: Transactional emails (parental consent, password reset)

11.5 Analytics & Crash Reporting (Mobile App Only)

Our Android mobile application uses Firebase Analytics and Firebase Crashlytics to help us understand app usage and improve stability. These services are only active in the native mobile app — the web version does not use any analytics.

Firebase Analytics collects:

  • App opens and session duration
  • Screen views and navigation patterns
  • Custom events (e.g., court check-in, court added) — no personal content
  • Device model, OS version, and app version
  • Country/region (derived from IP, IP is not stored)
  • Android Advertising ID (for analytics attribution only — not used for ad targeting)

Firebase Crashlytics collects:

  • Crash reports and stack traces
  • Device state at time of crash (memory, battery, orientation)
  • Crashlytics installation UUID (anonymous identifier)

11.6 Client-Side Security Tools

  • FingerprintJS: Browser fingerprinting for fraud prevention and multi-account detection. Runs entirely in your browser - no data is sent to third parties. This is an open-source library that generates a unique identifier based on your browser characteristics to help us detect suspicious activity.

Each third-party service has its own privacy policy. We encourage you to review them:

12. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Secure password hashing (bcrypt)
  • Regular security audits and penetration testing
  • Access controls and employee training
  • Incident response procedures

Important: No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

13. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention Periods

  • Account data: Duration of account + 30 days after deletion
  • Check-in history: Duration of account + 30 days after deletion
  • Parental consent records: 5 years after child reaches adulthood (as required by law)
  • Legal compliance records: As required by applicable law

After you delete your account, your personal data is permanently removed from our active systems within 30 days. Backup copies may persist for an additional period before being permanently deleted.

Backups & Data Recovery

We maintain backups of platform data for operational purposes, disaster recovery, and service continuity. These backups are created at our discretion and are retained for internal use only.

Important: We do NOT guarantee the ability to restore individual user data upon request. Backups are not a recovery service for user actions.

  • If you delete your account or data, it may not be recoverable
  • We are not responsible for data loss due to user error or technical failures
  • Backups may be incomplete, corrupted, or unavailable
  • You are responsible for maintaining your own copies of critical data

14. Cookies & Tracking Technologies

We use cookies and similar technologies to operate the Service. Below is a complete list of cookies we use.

Essential Cookies

Required for the Service to function. These cannot be disabled without breaking core functionality.

Cookie Name | Purpose | Duration
sb-*-auth-token | Authentication session management | 7 days
sb-*-auth-token.0 | Refresh token for session renewal | 7 days

Local Storage

We use browser local storage (not cookies) to save your language preference. This data never leaves your device.

Do Not Track

We honor Do Not Track (DNT) signals. Our web version does not use analytics or tracking cookies. Our mobile app uses Firebase Analytics for app improvement — you can opt out by disabling "Usage & diagnostics" in your Android device settings.

15. Changes to This Privacy Policy & Re-Consent

We may update this Privacy Policy from time to time. Depending on the nature of the changes, different notification and consent procedures apply.

Types of Changes

Non-Material Changes

Minor updates that do not affect your rights (e.g., clarifications, typo fixes, formatting changes).

Notification: We will display an informational banner in the app. You can dismiss it and continue using the Service.

Your action: No explicit acceptance required. Continued use of the Service constitutes your acknowledgment of the changes.

Material Changes

Significant updates that affect your rights, data usage, or legal obligations (e.g., new data collection practices, changes to data sharing, new legal bases).

Notification: We will send you an email notification and display a blocking modal in the app. You must review and accept the changes to continue using the Service.

Your action:

  • Users aged 16+: You must click "I Accept" in the app to continue using the Service.
  • Users under 16 (with parental consent): Your parent/guardian will receive a new consent email. They must provide a fresh parental consent code for you to continue using the Service.

If you do not accept: You will not be able to continue using the Service. You may request account deletion and data export via privacy@lookapex.com.

How You Will Be Notified

  • Posting the updated Privacy Policy on this page
  • Updating the "Last updated" date and version number at the top
  • Sending an email notification (for material changes)
  • Displaying a prominent notice or modal in the app

Version History

All previous versions of this Privacy Policy are archived and available upon request. Contact us at privacy@lookapex.com to request historical versions.

Questions? If you have any questions about policy updates or the re-consent process, contact us at privacy@lookapex.com.

16. Contact Us & Data Protection Officer

Privacy Inquiries

For questions about this Privacy Policy, data protection, or to exercise your rights under GDPR/CCPA, contact us at: privacy@lookapex.com

Mailing Address

LookApex
Privacy Team
Belgrade, Serbia

Supervisory Authority

If you are located in the EEA, you have the right to lodge a complaint with your local data protection supervisory authority. In Serbia, this is the Commissioner for Information of Public Importance and Personal Data Protection (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti).

18. Automated Decision-Making

We use automated systems to enforce our community guidelines and maintain platform integrity.

18.1 Automated Content Moderation

Our moderation system automatically detects prohibited content (profanity, spam, inappropriate language) and prevents it from being submitted. Repeated violations trigger automatic warnings and, after three violations, automatic account suspension.

18.2 Fraud Detection

We use automated systems to detect suspicious activity, including multiple account creation from the same device, bot-like behavior, and other patterns indicative of abuse.

GDPR Notice: Under GDPR Article 22, you have the right to information about automated decision-making that significantly affects you. The above disclosure satisfies this requirement. You may contact privacy@lookapex.com with questions about our automated systems.

19. GDPR Compliance Status

Below is our GDPR compliance checklist showing how we meet each requirement:

Lawfulness, Fairness, Transparency (Art. 5(1)(a))

We clearly explain what data we collect and why. Legal bases are documented for each data type.

Purpose Limitation (Art. 5(1)(b))

Data collected for specific, explicit purposes only. We don't use data for other purposes.

Data Minimization (Art. 5(1)(c))

We only collect essential data. Most profile fields are optional. No background location tracking.

Accuracy (Art. 5(1)(d))

Users can update their profile anytime. Edit profile available in-app.

Storage Limitation (Art. 5(1)(e))

Defined retention periods for all data types. Automatic deletion after account removal.

Integrity & Confidentiality (Art. 5(1)(f))

TLS 1.3 encryption, bcrypt password hashing, Row Level Security in database.

Valid Consent (Art. 7)

Clear checkbox during registration. Must actively agree. Can withdraw anytime.

Children's Data (Art. 8)

Minimum age 16 (strictest standard). Parental consent required for under-16.

Data Subject Rights (Art. 15-22)

Access, rectification, erasure, portability available in-app under Profile → Privacy & Data.

Records of Processing (Art. 30)

Complete data inventory documented in section 1A above.

Data Protection by Design (Art. 25)

Privacy-first architecture. Location only on explicit action. Optional fields.

Data Protection Officer (Art. 37-39)

DPO contactable at dpo@lookapex.com

International Transfers (Art. 44-49)

Primary servers in EU (Germany/Netherlands). SCCs with non-EU providers.

Breach Notification (Art. 33-34)

Incident response procedures in place. 72-hour notification commitment.