PartnerUp
Features Plans For Coaches For Owners FAQ Get Early Access
Get Early Access

Legal

Privacy Policy

Last updated: 2026-05-29 · Applicable to: Philippines (Data Privacy Act) + European Economic Area & United Kingdom (GDPR / UK GDPR)

Contents

  1. At a glance
  2. Who we are
  3. What we collect
  4. Why we collect it
  5. Who we share with
  6. Advertising & third-party ads
  7. International transfers
  8. How long we keep it
  9. Your rights
  10. Exercising your rights
  11. Cookies & tracking
  12. Children's privacy
  13. Security
  14. Data breaches
  15. Automated decisions
  16. Changes to this policy
  17. Complaints

Coverage

This Privacy Policy is structured to comply simultaneously with the Philippine Data Privacy Act of 2012 (RA 10173), the EU General Data Protection Regulation and UK GDPR. Rights and obligations are mapped to both frameworks throughout the document. If your jurisdiction is not covered explicitly, the GDPR provisions apply as our default standard.

01At a glance

The short version. Each point links to the detailed section below.

We collect

Account, profile, location, payment, usage, communications, and content you upload. Details →

We don't sell data

We never sell your personal data. Free accounts may see third-party ads (Google AdMob in the app, Google AdSense on the web), which use an advertising identifier; Premium has no ads. Advertising →

Your rights are real

Access, correct, delete, port, restrict, object, withdraw consent — same response time across DPA + GDPR. Rights →

We keep data only as long as needed

Account data lives while your account is active + a short post-deletion retention. Specific retention per category. Retention →

Data leaves the Philippines

Some processors (Lemon Squeezy, Firebase, RevenueCat) operate from outside PH. We use Standard Contractual Clauses for international transfers. Transfers →

Questions or complaints

Email dpo@partnerupsports.com. You can also complain to the NPC (PH) or your local Data Protection Authority (EU/UK). Complaints →

02Who we are

The data controller (under GDPR Art. 4(7)) and Personal Information Controller (under DPA §3(h)) responsible for processing your personal data is:

PartnerUp Sports
Registered as a Philippine sole proprietorship under the BMBE program.
Data Protection Officer: dpo@partnerupsports.com

The registered business address is available on request via the DPO email above and will be published here once BIR registration is finalized.

03What we collect

We collect only what we need to operate the platform and deliver the services you sign up for. Categories below; specific data points listed in the data table.

Category
What's in it
Account
Email address, password (stored as a hash, never plain text), display name, date of birth, profile photo (optional).
Profile
Preferred sport, skill level, position, playing style, availability, location preference, any tags or fields you choose to add.
Location
City-level or precise location, depending on the permission you grant your device. Used to surface nearby partners, coaches, and machines. You can disable precise location from your device settings; the feed degrades to city-level matching.
Payment
Subscription tier, transaction history, payment status. We do not store card details — those are handled by Lemon Squeezy as our merchant of record and never reach our servers. For each order we do receive and store: your email address; the Lemon Squeezy customer, order, subscription and invoice IDs; which plan you bought (product and variant, by name and ID); the amount and currency you paid, and any refund of it; your billing country; and the PartnerUp account the order is linked to. While an order is still being resolved we also keep a copy of the Lemon Squeezy webhook payload for it, so that a failed lookup can be retried without charging you twice.
Usage
Pages viewed, features used, swipes and matches, bookings made, time spent in the app. Used for product improvement and aggregate analytics.
Communications
Messages between users (1-on-1 chats, group chats), support emails, in-app notifications you receive.
Content
Photos, recap notes, reviews, comments, and any other content you upload to the platform.
Coach verification
For coaches only: government-issued ID, coaching certifications, governing-body registration, insurance details. Processed via Google Cloud Vision OCR.
Machine listings
For machine owners only: machine make/model/photos, location, hourly rate, availability calendar, owner ID for verification.
Technical
IP address, device type, browser, OS, app version, crash reports, push-notification token (if you opt into notifications). Used for security and debugging.
Advertising
For free-tier users only, when ads are enabled: a device advertising identifier (IDFA on iOS, Google Advertising ID / GAID on Android, or the equivalent web identifier), plus coarse location (country/region), device and app information, and ad-interaction data, collected and shared with our advertising provider (Google AdMob in the app, Google AdSense on the web) to serve ads and limit how often you see them. Premium subscribers see no ads. See Advertising & third-party ads.

04Why we collect it (legal bases)

Under GDPR Art. 6, every processing activity needs a legal basis. Under DPA §12, processing needs to be based on consent, contract, legal obligation, vital interest, public function, or legitimate interest. Our processing maps to these as follows:

What we do
Legal basis
Create your account, deliver the subscription you purchased
Contract (GDPR Art. 6(1)(b) / DPA §12(b)) — we can't provide the service without this.
Process payments & renewals
Contract + legal obligation (tax records) (GDPR Art. 6(1)(b), 6(1)(c) / DPA §12(b), 12(c)).
Surface nearby partners/coaches/machines
Contract + legitimate interest in delivering a useful feed (GDPR Art. 6(1)(b), 6(1)(f) / DPA §12(b), 12(f)). You can disable precise location at any time.
Send transactional emails (receipts, renewal reminders, security)
Contract + legal obligation (GDPR Art. 6(1)(b), 6(1)(c)).
Send marketing emails or push notifications
Consent (GDPR Art. 6(1)(a) / DPA §12(a)). Opt-in only; you can withdraw consent at any time from Settings → Notifications without affecting your subscription.
Product analytics & improvement
Legitimate interest (GDPR Art. 6(1)(f) / DPA §12(f)). We use minimal first-party analytics for product improvement. You may object at any time.
Show ads to free-tier users
Consent for personalized ads and access to the advertising identifier (GDPR Art. 6(1)(a) / DPA §12(a)); legitimate interest in funding a free tier for non-personalized ads where the law allows (GDPR Art. 6(1)(f)). Ads are shown to free accounts only and never to Premium subscribers. In the EEA/UK, ads are off by default in v1 (we do not yet operate a certified consent platform there). You can remove ads entirely by subscribing to Premium.
Fraud prevention, security, abuse detection
Legitimate interest + legal obligation where applicable (GDPR Art. 6(1)(c), 6(1)(f)).
Coach verification (ID, certifications)
Contract + legitimate interest in user safety (GDPR Art. 6(1)(b), 6(1)(f)).
Comply with court orders, law enforcement requests, tax authorities
Legal obligation (GDPR Art. 6(1)(c) / DPA §12(c)).

05Who we share with (processors)

We never sell your personal data. We share it only with the third-party processors we need to run the platform. Each is bound by a data processing agreement; each is listed below.

Processor
Purpose · location
Lemon Squeezy
Payment processing & merchant of record. Stores card details, processes charges, collects + remits VAT/sales tax. United States.
Google Firebase
Authentication, database (Firestore), serverless functions, file storage. Operated by Google Cloud Platform; data hosted in Google's selected regions (typically multi-region).
RevenueCat
Cross-platform subscription state management. United States. Receives subscription metadata only (tier, renewal date, status). Active.
Google Cloud Vision
OCR for coach credential verification. United States. Receives only the documents you upload during verification; deleted after processing.
Google Maps
Map display, venue location features. United States. Receives city or coordinate data for the locations you view; does not link to your account.
MailerSend
Transactional email delivery (receipts, renewal reminders, booking confirmations). Estonia / European Union.
Vercel
Web hosting for partnerupsports.com and app.partnerupsports.com. United States. Receives technical request data (IP, user agent) for serving pages; does not access your account data.
Expo
Mobile push notification delivery (once mobile app ships). United States. Receives only device tokens + notification payloads.
Google AdMob / AdSense
Third-party advertising network. United States. For free-tier users only, when ads are enabled: receives your advertising identifier (IDFA/GAID/web equivalent), coarse location (country/region), device/app information, and ad-interaction signals to serve and frequency-cap ads. Google acts as an independent controller for this data under its own policies; see How Google uses information from sites or apps that use our services. Not used for Premium subscribers, and off by default in the EEA/UK in v1.

We do not sell your personal data, and we do not share it with data brokers. Free-tier users may be shown third-party ads served by Google AdMob (in the app) and Google AdSense (on the web), as described in the Advertising & third-party ads section below; Premium subscribers see no ads.

Country detection (your IP address)

On your first visit to this website we work out a two-letter country code (for example PH) from the IP address your browser connects with. We use it, first-party, in a few ways — including: to show prices in your local currency; to apply the EEA/UK advertising rule described in 05a (the code is how we know to switch ads off for visitors in those regions); to decide whether the purchase button is available in your country (we only open checkout in markets we have launched in); and to show you the country-specific count of remaining founder spots on the Early Access page. This list is illustrative rather than a hard limit, but every such use is first-party — none of them sends your IP address or your country to any third party.

This lookup runs on our own endpoint (/api/geo), on the Vercel network that is already serving you this page — Vercel is listed in the table above and necessarily receives your IP address to deliver the site at all. The country code is derived from that same connection and only the two-letter code is returned to your browser, where it is stored in local storage (see Cookies & tracking). Our endpoint keeps no record of it beyond the ordinary request logs our host already keeps to serve the site. Your IP address is not sent to any third-party geolocation service.

It runs before you answer the cookie banner, because it is first-party and because it is the thing that tells us whether you are somewhere we must not show you ads. If it cannot work out your country, we do not guess: we show Philippine prices (our home market), we leave advertising off, and the purchase button stays closed — you are pointed at the waitlist instead. You can always set your country yourself from the flag menu in the site header.

05aAdvertising & third-party ads

PartnerUp shows third-party ads to free-tier accounts only. Premium subscribers never see ads. Our advertising partner is Google — AdMob inside the mobile app and AdSense on the web. When ads are enabled for you, the following applies:

  • Advertising identifiers. Ads use a device advertising identifier — the IDFA on iOS, the Google Advertising ID (GAID) on Android, and the equivalent identifier on the web. This identifier, your coarse location (country/region), and device/app and ad-interaction data are shared with Google to select ads and to limit how often you see the same ad.
  • Consent & tracking choices. On iOS, we ask for your permission through Apple's App Tracking Transparency prompt before using the IDFA for cross-app tracking; if you decline, you still see ads, but they are non-personalized. On all platforms, where personalized advertising is not permitted we request non-personalized ads instead. You can reset or limit your advertising identifier from your device or browser settings at any time.
  • EEA / UK. In v1 we do not operate a certified consent management platform for ad personalization in the EEA and UK, so ads are turned off entirely for users we detect in those regions.
  • Labeling & controls. Every ad is clearly marked with a visible “Sponsored” / “Ad” label and, where the format supports it, Google's AdChoices icon, which links to Google's ad-settings and opt-out controls. Ads in the swipe feed are view-only — swiping one away never books a session or records a match.
  • Google as an independent controller. For the advertising data described here, Google processes information under its own privacy policy and acts as an independent controller. See Google's Advertising and How Google uses information from sites or apps that use our services.
  • Remove ads. Subscribing to Premium removes all ads and the associated advertising-identifier sharing.

We do not use this advertising data to build a profile of you for our own marketing, and we do not combine it with the account or content data described elsewhere in this policy.

06International transfers

Most of our processors operate outside the Philippines, the EEA, and the UK. For users in the Philippines, the DPA requires that international transfers be subject to comparable protection. For users in the EEA / UK, GDPR Chapter V requires an adequate transfer mechanism.

We rely on the following mechanisms, depending on the processor:

  • Standard Contractual Clauses (SCCs) — under GDPR Art. 46(2)(c) / UK IDTA, executed with each US-based processor (Lemon Squeezy, RevenueCat, Vercel, Google Cloud, Expo).
  • Adequacy decisions where they exist (the EU has issued adequacy for the UK and several other jurisdictions; we use these where applicable).
  • EU-US Data Privacy Framework certification where a processor is certified.

For Philippine users specifically, NPC Circular 16-02 (and successor circulars) requires us to ensure that the foreign processor offers protection comparable to the DPA. The SCCs we execute include DPA-compliant terms in addition to GDPR terms.

07How long we keep it

We keep your data only as long as we need to for the purpose it was collected, plus a short post-deletion window for legal and operational reasons.

Category
Retention period
Active account data
As long as your account is active.
After account deletion
30 days (allows you to restore an accidentally deleted account), then permanent deletion from production systems within a further 60 days. Backups containing your data are overwritten on rolling cycles within 12 months.
Payment & tax records
10 years (Philippine tax law requires retention of financial records). Card details are held by Lemon Squeezy as our merchant of record and never reach us. We keep the order record described in §03 above: your email address, the Lemon Squeezy customer, order, subscription and invoice IDs, which plan you bought, the amount and currency you paid and any refund of it, your billing country, and the PartnerUp account the order is linked to.
Support communications
3 years from last contact.
Aggregate / anonymised analytics
Retained indefinitely. By definition, this data does not identify individuals.
Coach verification documents
Deleted within 30 days of verification completion. Only the verified status flag is retained on the account.
Security & abuse logs
12 months.

08Your rights

The DPA, GDPR, and UK GDPR each give you a set of rights over your personal data. We honour the union of these rights regardless of your jurisdiction. You can exercise any of them by writing to dpo@partnerupsports.com.

Right to be informed

You have the right to know what we collect, why, and how we use it. That's what this Privacy Policy is for.

Right of access

You can request a copy of the personal data we hold about you. We will respond within 30 days (DPA standard) / one month (GDPR Art. 12) of receiving a verifiable request.

Right to rectification

You can correct inaccurate or incomplete data at any time from your account settings. For data you can't edit yourself, email us.

Right to erasure ("right to be forgotten")

You can request deletion of your account and personal data. We will delete from production systems within 30 days of confirming the request, except where we are required by law to retain certain data (e.g. tax records under PH law).

Right to restrict processing

You can request that we stop processing your data for specific purposes (e.g. analytics) while keeping your account active.

Right to data portability

You can request a machine-readable export of the personal data you have provided to us (JSON or CSV). We will deliver within 30 days.

Right to object

You can object to processing based on legitimate interest (e.g. analytics, certain fraud-prevention measures). Where the objection is upheld, we stop that processing.

Right to withdraw consent

Where processing is based on consent (e.g. marketing emails, push notifications), you can withdraw consent at any time without affecting your subscription. Withdrawal does not invalidate processing that occurred before the withdrawal.

Right to lodge a complaint

See §16 below.

Right not to be subject to automated decisions

See §14 below. In practice we do not make any decisions that produce legal effects on you using only automated processing.

09Exercising your rights

Email dpo@partnerupsports.com from the email address associated with your account. For requests where account-email verification is insufficient (e.g. you've lost access), we may ask for additional identity verification before we can act on the request — this is required by both DPA §16 and GDPR Art. 12(6).

Standard response time: 30 days. For complex or numerous requests we may extend this by up to two further months, with notice.

We do not charge for responding to rights requests, except where requests are manifestly unfounded or excessive (e.g. repeated identical requests), as permitted by GDPR Art. 12(5).

10Cookies & tracking

We use only the cookies necessary to operate the platform, plus — for free-tier users when ads are enabled — the advertising cookies and identifiers Google sets to serve ads (see Advertising & third-party ads). Premium subscribers see no ads and no advertising cookies.

  • Session & authentication cookies — first-party. Required to keep you signed in. Cleared on logout.
  • Preference cookies — first-party. Remember your settings (theme, language, location preference).
  • Local storage — first-party, not a cookie and never sent to anyone. On this website we keep your cookie choice; the country shown in the header (whether you picked it or we detected it); the country code we derive from your IP as described in Country detection, together with a little caching for that lookup so we do not repeat it on every page (including when it was last checked); on the Early Access page, the plan audience and level you select there; and, if we notice you may be in a different country and offer to switch the header to it, a country-switch suggestion you dismissed — kept only so we do not ask again for that country. That is the full set. Clearing your browser storage for this site removes all of it, and the cookie banner will ask again.
  • Analytics — our provider is Vercel Web Analytics, which is cookieless and privacy-friendly: it records aggregate page views without setting tracking cookies or a cross-site identifier, and without collecting personally identifying information. It loads only after you opt in via the cookie banner. You can change your choice any time from cookie settings.
  • Advertising (Google AdSense / AdMob) — third-party, free-tier only. When ads are enabled, Google may set cookies and read a device advertising identifier to serve and frequency-cap ads. These load only for free accounts in regions where ads are turned on (off by default in the EEA/UK in v1), and never for Premium subscribers. Manage or opt out via Google's Ad Settings and your device or browser advertising controls.

A cookie consent banner (essential-only by default; opt-in for analytics and advertising) is shown to all visitors, satisfying the ePrivacy Directive opt-in expectation for EU/UK users. Analytics and Google AdSense load only after explicit consent, and ads are additionally turned off for visitors we detect in the EEA/UK. Fonts are self-hosted (served from our own domain), so no visitor IP addresses or requests are shared with third-party font providers such as Google Fonts. Country detection is first-party for the same reason — it runs on our own endpoint on our host's network, so no visitor IP address is sent to a third-party geolocation service, before consent or after it (see Country detection). Before you answer the banner, the only request this website makes off its own origin is to our own backend on Google Firebase (listed above): the founder-spot counter on the Early Access page. Analytics and advertising load only if you opt in. The sign-in module — the Firebase SDK, which is fetched from Google's CDN (gstatic.com) and therefore discloses your IP address to Google — is not requested on page load at all: it is fetched only when you actually click a checkout button, and never before.

11Children's privacy

You must be at least 18 to subscribe to any paid PartnerUp tier.

Free-tier accounts may be created from age 13 with verifiable guardian consent under Philippine law. EU/UK users: the GDPR-default age for consent is 16 (with member state lowering to 13); EU/UK users between 13-15 require verifiable parental consent regardless. In the PartnerUp mobile app, a date of birth is collected when an account is created, which is how these age limits are applied. Paid subscriptions require you to be 18 or over, as set out in our Terms.

If we learn that we have collected personal data from a child below the applicable age without verifiable guardian consent, we will delete it as soon as practicable. Contact dpo@partnerupsports.com.

12Security

We take security seriously. Our measures include:

  • Encryption in transit (TLS 1.2+) for all client-server communication.
  • Encryption at rest for stored data (database-level encryption via Firebase, application-level encryption for sensitive fields).
  • Password hashing via Firebase Authentication (not plain text, not reversible).
  • Access controls and audit logging for internal access to user data; only personnel who need to access your data for support / abuse-response / fraud-prevention purposes can do so, and access is logged.
  • Regular dependency audits and security testing.

No system is perfectly secure. If you suspect your account has been compromised, change your password from Settings → Account and email support@partnerupsports.com right away.

13Data breaches

If we suffer a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the National Privacy Commission of the Philippines within 72 hours of becoming aware (DPA §20(f), NPC Circular 16-03).
  • Notify the relevant EU/UK supervisory authority within 72 hours where applicable (GDPR Art. 33).
  • Notify affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms (DPA §38, GDPR Art. 34).

The notification will describe the nature of the breach, the categories and approximate number of users affected, the likely consequences, and the measures we are taking.

14Automated decisions & profiling

We use algorithmic ranking to surface relevant partners, coaches, and machines in your feed. This is not "solely automated decision-making" under GDPR Art. 22 because:

  • The output (a ranked feed) does not produce legal effects on you or significantly affect you in any legally meaningful way — you choose whether to act on it.
  • You can override or ignore the feed at any time; the underlying data (location, skill level, sport preference) is shown openly so you can adjust.

We do not use profiling to deny service, set pricing, or make decisions with legal effects on you.

15Changes to this policy

We may update this Privacy Policy. For material changes (new categories of data, new processors, changed retention periods, changed legal bases), we will notify active users by email at least 30 days before the change takes effect. The "Last updated" date at the top of this document always reflects the most recent change.

16Complaints

You have the right to lodge a complaint with a supervisory authority if you believe we have mishandled your personal data.

For users in the Philippines: the National Privacy Commission — info@privacy.gov.ph, 5th Floor Delegation Building, PICC Complex, Pasay City. The NPC accepts complaints electronically.

For users in the European Economic Area or United Kingdom: your local Data Protection Authority. A list of EU DPAs is maintained by the European Data Protection Board at edpb.europa.eu. UK users may contact the Information Commissioner's Office.

We always prefer to resolve concerns directly first. Email dpo@partnerupsports.com with your concern, and we will respond within 30 days.

PartnerUp

One app to find pickup partners, coaches, and ball machines. Early Access live across the Philippines.

Product

  • Features
  • Plans
  • PartnerUp (Swipe)
  • TrainUp (Coaching)
  • MachineUp (Rentals)

Company

  • About
  • For Coaches
  • For Owners
  • Contact

Legal

  • Privacy
  • Terms

© 2026 PartnerUp Sports. All rights reserved.