Legal
Privacy Policy
Last updated: 2026-05-29 · Applicable to: Philippines (Data Privacy Act) + European Economic Area & United Kingdom (GDPR / UK GDPR)
01At a glance
The short version. Each point links to the detailed section below.
We collect
Account, profile, location, payment, usage, communications, and content you upload. Details →
We don't sell data
We never sell your personal data. Free accounts may see third-party ads (Google AdMob in the app, Google AdSense on the web), which use an advertising identifier; Premium has no ads. Advertising →
Your rights are real
Access, correct, delete, port, restrict, object, withdraw consent — same response time across DPA + GDPR. Rights →
We keep data only as long as needed
Account data lives while your account is active + a short post-deletion retention. Specific retention per category. Retention →
Data leaves the Philippines
Some processors (Lemon Squeezy, Firebase, RevenueCat) operate from outside PH. We use Standard Contractual Clauses for international transfers. Transfers →
Questions or complaints
Email dpo@partnerupsports.com. You can also complain to the NPC (PH) or your local Data Protection Authority (EU/UK). Complaints →
02Who we are
The data controller (under GDPR Art. 4(7)) and Personal Information Controller (under DPA §3(h)) responsible for processing your personal data is:
PartnerUp Sports
Registered as a Philippine sole proprietorship under the BMBE program.
Data Protection Officer: dpo@partnerupsports.com
The registered business address is available on request via the DPO email above and will be published here once BIR registration is finalized.
03What we collect
We collect only what we need to operate the platform and deliver the services you sign up for. Categories below; specific data points listed in the data table.
04Why we collect it (legal bases)
Under GDPR Art. 6, every processing activity needs a legal basis. Under DPA §12, processing needs to be based on consent, contract, legal obligation, vital interest, public function, or legitimate interest. Our processing maps to these as follows:
05Who we share with (processors)
We never sell your personal data. We share it only with the third-party processors we need to run the platform. Each is bound by a data processing agreement; each is listed below.
We do not sell your personal data, and we do not share it with data brokers. Free-tier users may be shown third-party ads served by Google AdMob (in the app) and Google AdSense (on the web), as described in the Advertising & third-party ads section below; Premium subscribers see no ads.
Country detection (your IP address)
On your first visit to this website we work out a two-letter country code (for example PH) from the IP address your browser connects with. We use it, first-party, in a few ways — including: to show prices in your local currency; to apply the EEA/UK advertising rule described in 05a (the code is how we know to switch ads off for visitors in those regions); to decide whether the purchase button is available in your country (we only open checkout in markets we have launched in); and to show you the country-specific count of remaining founder spots on the Early Access page. This list is illustrative rather than a hard limit, but every such use is first-party — none of them sends your IP address or your country to any third party.
This lookup runs on our own endpoint (/api/geo), on the Vercel network that is already serving you this page — Vercel is listed in the table above and necessarily receives your IP address to deliver the site at all. The country code is derived from that same connection and only the two-letter code is returned to your browser, where it is stored in local storage (see Cookies & tracking). Our endpoint keeps no record of it beyond the ordinary request logs our host already keeps to serve the site. Your IP address is not sent to any third-party geolocation service.
It runs before you answer the cookie banner, because it is first-party and because it is the thing that tells us whether you are somewhere we must not show you ads. If it cannot work out your country, we do not guess: we show Philippine prices (our home market), we leave advertising off, and the purchase button stays closed — you are pointed at the waitlist instead. You can always set your country yourself from the flag menu in the site header.
05aAdvertising & third-party ads
PartnerUp shows third-party ads to free-tier accounts only. Premium subscribers never see ads. Our advertising partner is Google — AdMob inside the mobile app and AdSense on the web. When ads are enabled for you, the following applies:
- Advertising identifiers. Ads use a device advertising identifier — the IDFA on iOS, the Google Advertising ID (GAID) on Android, and the equivalent identifier on the web. This identifier, your coarse location (country/region), and device/app and ad-interaction data are shared with Google to select ads and to limit how often you see the same ad.
- Consent & tracking choices. On iOS, we ask for your permission through Apple's App Tracking Transparency prompt before using the IDFA for cross-app tracking; if you decline, you still see ads, but they are non-personalized. On all platforms, where personalized advertising is not permitted we request non-personalized ads instead. You can reset or limit your advertising identifier from your device or browser settings at any time.
- EEA / UK. In v1 we do not operate a certified consent management platform for ad personalization in the EEA and UK, so ads are turned off entirely for users we detect in those regions.
- Labeling & controls. Every ad is clearly marked with a visible “Sponsored” / “Ad” label and, where the format supports it, Google's AdChoices icon, which links to Google's ad-settings and opt-out controls. Ads in the swipe feed are view-only — swiping one away never books a session or records a match.
- Google as an independent controller. For the advertising data described here, Google processes information under its own privacy policy and acts as an independent controller. See Google's Advertising and How Google uses information from sites or apps that use our services.
- Remove ads. Subscribing to Premium removes all ads and the associated advertising-identifier sharing.
We do not use this advertising data to build a profile of you for our own marketing, and we do not combine it with the account or content data described elsewhere in this policy.
06International transfers
Most of our processors operate outside the Philippines, the EEA, and the UK. For users in the Philippines, the DPA requires that international transfers be subject to comparable protection. For users in the EEA / UK, GDPR Chapter V requires an adequate transfer mechanism.
We rely on the following mechanisms, depending on the processor:
- Standard Contractual Clauses (SCCs) — under GDPR Art. 46(2)(c) / UK IDTA, executed with each US-based processor (Lemon Squeezy, RevenueCat, Vercel, Google Cloud, Expo).
- Adequacy decisions where they exist (the EU has issued adequacy for the UK and several other jurisdictions; we use these where applicable).
- EU-US Data Privacy Framework certification where a processor is certified.
For Philippine users specifically, NPC Circular 16-02 (and successor circulars) requires us to ensure that the foreign processor offers protection comparable to the DPA. The SCCs we execute include DPA-compliant terms in addition to GDPR terms.
07How long we keep it
We keep your data only as long as we need to for the purpose it was collected, plus a short post-deletion window for legal and operational reasons.
08Your rights
The DPA, GDPR, and UK GDPR each give you a set of rights over your personal data. We honour the union of these rights regardless of your jurisdiction. You can exercise any of them by writing to dpo@partnerupsports.com.
Right to be informed
You have the right to know what we collect, why, and how we use it. That's what this Privacy Policy is for.
Right of access
You can request a copy of the personal data we hold about you. We will respond within 30 days (DPA standard) / one month (GDPR Art. 12) of receiving a verifiable request.
Right to rectification
You can correct inaccurate or incomplete data at any time from your account settings. For data you can't edit yourself, email us.
Right to erasure ("right to be forgotten")
You can request deletion of your account and personal data. We will delete from production systems within 30 days of confirming the request, except where we are required by law to retain certain data (e.g. tax records under PH law).
Right to restrict processing
You can request that we stop processing your data for specific purposes (e.g. analytics) while keeping your account active.
Right to data portability
You can request a machine-readable export of the personal data you have provided to us (JSON or CSV). We will deliver within 30 days.
Right to object
You can object to processing based on legitimate interest (e.g. analytics, certain fraud-prevention measures). Where the objection is upheld, we stop that processing.
Right to withdraw consent
Where processing is based on consent (e.g. marketing emails, push notifications), you can withdraw consent at any time without affecting your subscription. Withdrawal does not invalidate processing that occurred before the withdrawal.
Right to lodge a complaint
See §16 below.
Right not to be subject to automated decisions
See §14 below. In practice we do not make any decisions that produce legal effects on you using only automated processing.
09Exercising your rights
Email dpo@partnerupsports.com from the email address associated with your account. For requests where account-email verification is insufficient (e.g. you've lost access), we may ask for additional identity verification before we can act on the request — this is required by both DPA §16 and GDPR Art. 12(6).
Standard response time: 30 days. For complex or numerous requests we may extend this by up to two further months, with notice.
We do not charge for responding to rights requests, except where requests are manifestly unfounded or excessive (e.g. repeated identical requests), as permitted by GDPR Art. 12(5).
10Cookies & tracking
We use only the cookies necessary to operate the platform, plus — for free-tier users when ads are enabled — the advertising cookies and identifiers Google sets to serve ads (see Advertising & third-party ads). Premium subscribers see no ads and no advertising cookies.
- Session & authentication cookies — first-party. Required to keep you signed in. Cleared on logout.
- Preference cookies — first-party. Remember your settings (theme, language, location preference).
- Local storage — first-party, not a cookie and never sent to anyone. On this website we keep your cookie choice; the country shown in the header (whether you picked it or we detected it); the country code we derive from your IP as described in Country detection, together with a little caching for that lookup so we do not repeat it on every page (including when it was last checked); on the Early Access page, the plan audience and level you select there; and, if we notice you may be in a different country and offer to switch the header to it, a country-switch suggestion you dismissed — kept only so we do not ask again for that country. That is the full set. Clearing your browser storage for this site removes all of it, and the cookie banner will ask again.
- Analytics — our provider is Vercel Web Analytics, which is cookieless and privacy-friendly: it records aggregate page views without setting tracking cookies or a cross-site identifier, and without collecting personally identifying information. It loads only after you opt in via the cookie banner. You can change your choice any time from cookie settings.
- Advertising (Google AdSense / AdMob) — third-party, free-tier only. When ads are enabled, Google may set cookies and read a device advertising identifier to serve and frequency-cap ads. These load only for free accounts in regions where ads are turned on (off by default in the EEA/UK in v1), and never for Premium subscribers. Manage or opt out via Google's Ad Settings and your device or browser advertising controls.
A cookie consent banner (essential-only by default; opt-in for analytics and advertising) is shown to all visitors, satisfying the ePrivacy Directive opt-in expectation for EU/UK users. Analytics and Google AdSense load only after explicit consent, and ads are additionally turned off for visitors we detect in the EEA/UK. Fonts are self-hosted (served from our own domain), so no visitor IP addresses or requests are shared with third-party font providers such as Google Fonts. Country detection is first-party for the same reason — it runs on our own endpoint on our host's network, so no visitor IP address is sent to a third-party geolocation service, before consent or after it (see Country detection). Before you answer the banner, the only request this website makes off its own origin is to our own backend on Google Firebase (listed above): the founder-spot counter on the Early Access page. Analytics and advertising load only if you opt in. The sign-in module — the Firebase SDK, which is fetched from Google's CDN (gstatic.com) and therefore discloses your IP address to Google — is not requested on page load at all: it is fetched only when you actually click a checkout button, and never before.
11Children's privacy
You must be at least 18 to subscribe to any paid PartnerUp tier.
Free-tier accounts may be created from age 13 with verifiable guardian consent under Philippine law. EU/UK users: the GDPR-default age for consent is 16 (with member state lowering to 13); EU/UK users between 13-15 require verifiable parental consent regardless. In the PartnerUp mobile app, a date of birth is collected when an account is created, which is how these age limits are applied. Paid subscriptions require you to be 18 or over, as set out in our Terms.
If we learn that we have collected personal data from a child below the applicable age without verifiable guardian consent, we will delete it as soon as practicable. Contact dpo@partnerupsports.com.
12Security
We take security seriously. Our measures include:
- Encryption in transit (TLS 1.2+) for all client-server communication.
- Encryption at rest for stored data (database-level encryption via Firebase, application-level encryption for sensitive fields).
- Password hashing via Firebase Authentication (not plain text, not reversible).
- Access controls and audit logging for internal access to user data; only personnel who need to access your data for support / abuse-response / fraud-prevention purposes can do so, and access is logged.
- Regular dependency audits and security testing.
No system is perfectly secure. If you suspect your account has been compromised, change your password from Settings → Account and email support@partnerupsports.com right away.
13Data breaches
If we suffer a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the National Privacy Commission of the Philippines within 72 hours of becoming aware (DPA §20(f), NPC Circular 16-03).
- Notify the relevant EU/UK supervisory authority within 72 hours where applicable (GDPR Art. 33).
- Notify affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms (DPA §38, GDPR Art. 34).
The notification will describe the nature of the breach, the categories and approximate number of users affected, the likely consequences, and the measures we are taking.
14Automated decisions & profiling
We use algorithmic ranking to surface relevant partners, coaches, and machines in your feed. This is not "solely automated decision-making" under GDPR Art. 22 because:
- The output (a ranked feed) does not produce legal effects on you or significantly affect you in any legally meaningful way — you choose whether to act on it.
- You can override or ignore the feed at any time; the underlying data (location, skill level, sport preference) is shown openly so you can adjust.
We do not use profiling to deny service, set pricing, or make decisions with legal effects on you.
15Changes to this policy
We may update this Privacy Policy. For material changes (new categories of data, new processors, changed retention periods, changed legal bases), we will notify active users by email at least 30 days before the change takes effect. The "Last updated" date at the top of this document always reflects the most recent change.
16Complaints
You have the right to lodge a complaint with a supervisory authority if you believe we have mishandled your personal data.
For users in the Philippines: the National Privacy Commission — info@privacy.gov.ph, 5th Floor Delegation Building, PICC Complex, Pasay City. The NPC accepts complaints electronically.
For users in the European Economic Area or United Kingdom: your local Data Protection Authority. A list of EU DPAs is maintained by the European Data Protection Board at edpb.europa.eu. UK users may contact the Information Commissioner's Office.
We always prefer to resolve concerns directly first. Email dpo@partnerupsports.com with your concern, and we will respond within 30 days.