Nextfour — Privacy Policy

Last updated: 7 May 2026

This Privacy Policy explains how Nextfour ("we", "us", "our") collects, uses, stores, and shares your personal data when you use the Nextfour mobile application and related services (the "Service"). Nextfour is operated from the United Kingdom and complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

Nextfour is a mobile application for racket sport clubs and players, enabling session management, court rotation, social features, and club administration. For any privacy-related enquiry, you can reach us at [email protected].

2. Data we collect

We collect only the data needed to operate the Service:

• Account information — name, email address, and (where you provide them) profile photo, gender, and date of birth.
• Authentication data — when you sign in with Facebook, Google, or Apple, we receive your name, email address, and a unique identifier from the provider.
• Club & session data — clubs you belong to, sessions you join, match results, statistics, pairings, and queue position.
• Subscription status — your subscription tier (Free, Performance, Pro, or Club) is managed by RevenueCat. We do not store payment card details.
• Device information — for terminal/kiosk activations, we store a device name and last-seen timestamp.
• Usage data — basic logs (errors, timestamps) for diagnosing issues.

We do not collect precise location, contacts, photos, microphone, or advertising identifiers.

3. Lawful basis

We process personal data under the following UK GDPR lawful bases:

• Contract — to provide the Service you've signed up for.
• Legitimate interests — to keep the Service secure, prevent abuse, and improve features.
• Consent — for any optional features that require it (e.g. push notifications), which you can withdraw at any time.

4. How we use your data

• To create and manage your account.
• To run live sessions, court rotations, queues, and matches.
• To display your club memberships and social interactions.
• To process subscriptions via RevenueCat.
• To send service-related notifications (e.g. session check-ins).
• To diagnose bugs and maintain the integrity of the Service.

5. Sharing & sub-processors

We share data only with the sub-processors needed to run the Service:

• Supabase — hosts our database and authentication. Data is stored in EU regions where available.
• RevenueCat — handles subscription state.
• Apple, Google, Facebook — authentication providers (only if you choose social sign-in).
• Apple Push Notification Service / Firebase Cloud Messaging — delivery of push notifications.

We do not sell or rent your personal data. We do not share data with advertisers.

6. Other club members

When you join a club or session, certain information (your name, profile picture, statistics, queue position, pairings) is visible to other members of that club or session. This is necessary for the Service to function. Club hosts and deputies may see additional information such as your check-in history within their club.

7. Shadow profiles

Hosts may add "guest" players to a session without those players holding a Nextfour account. These shadow profiles store only a name and (optionally) email and gender so the player can be referenced in the session. Shadow profiles do not have logins, are not used for analytics, and can be deleted at the host's request.

8. Data retention

We retain your data while your account is active. When you delete your account, we delete or anonymise your personal data within 30 days, except where we are required to retain it by law (e.g. financial records). Data retained for legal reasons is restricted from further processing.

9. Your rights

Under UK GDPR you have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data ("right to be forgotten").
• Restrict or object to processing.
• Request a portable copy of your data.
• Withdraw consent at any time, where consent is the lawful basis.
• Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email [email protected]. See also the Account & Data Deletion page.

10. Security

Data is stored encrypted at rest by Supabase and transmitted over HTTPS. Database access is controlled by row-level security policies. We restrict administrative access and do not log raw passwords (authentication is handled by Supabase Auth or social providers).

11. Children

Nextfour is intended for users aged 13 and over. If you believe a child under 13 has created an account, please contact us so we can delete it.

12. International transfers

Where data is transferred outside the UK or EEA (for example to US-based sub-processors), it is protected by the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or an equivalent safeguard.

13. Changes to this policy

We may update this policy from time to time. Material changes will be announced in-app or by email. The "Last updated" date at the top reflects the most recent revision.

14. Contact

For any privacy questions or to exercise your rights, contact:
[email protected]