Privacy Policy
Effective date: 2026-05-17 · Operator: Latuvo (operated from Romania) · Contact: [email protected]
This privacy policy explains what data Latuvo collects, why, and what you can do about it. It's written to be read — no legal scaffolding for its own sake. If a section is unclear, write to the email above and we'll fix it.
Who Latuvo is for
Latuvo is a tennis-tracking app for adults. You must be 18 or older to use Latuvo. We do not knowingly collect data from anyone under 18; if we learn that we have, we delete it.
If you're a parent or guardian who believes a minor used Latuvo, write to [email protected] and we'll remove the account and all associated data within 30 days.
What we collect, and why
We collect the minimum data the app needs to work. Each field below lists the legal basis under the GDPR (Regulation (EU) 2016/679) so it's explicit why we hold it.
Account data
| Field | Why we collect it | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Sign-in, password reset, optional notifications | Art. 6(1)(b) — performance of a contract | |
| Display name | Shown to opponents in shared matches | Art. 6(1)(b) |
Handle (e.g. @alex) | Public identifier for player discovery + match invites | Art. 6(1)(b) |
| Date of birth | Enforce the 18+ minimum at signup; compute 220 − age for heart-rate zones on the watch | Art. 6(1)(b) |
| Gender (Male / Female) | Required for fair statistical comparison against peers (cohort segments) and for opponent matching by gender bracket; tennis is structurally M/F at every competitive level | Art. 6(1)(b) |
Tennis activity
| Field | Why we collect it | Lawful basis |
|---|---|---|
| Match results (score, sets, opponent, court, surface, format, date) | The core product — your personal match history and rating | Art. 6(1)(b) |
| Per-match stats (aces, winners, hold %, etc.) | Recap and stats surfaces | Art. 6(1)(b) |
| EOL rating (Glicko-2) | Computed from your matches; powers the tier label and recap | Art. 6(1)(b) |
Health and biometric data (HealthKit)
| Field | Why we collect it | Lawful basis |
|---|---|---|
| Heart-rate samples during a match | HR zones in the post-match recap | Art. 9(2)(a) — explicit consent (via HealthKit permission) |
| Active calories burned during a match | Intensity stat in the recap | Art. 9(2)(a) |
| Distance covered during a match | Pace and distance/point stats in the recap | Art. 9(2)(a) |
Health data lives in HealthKit on your device + on Latuvo's server as match stats. Apple's HealthKit framework controls the per-app permission; you can revoke it at any time in Settings → Health → Sources.
Optional, set later by the user
| Field | Why we collect it | Lawful basis |
|---|---|---|
| Home location (approximate latitude / longitude) | Lets nearby Latuvo players find you in Discovery. Stored only if you opt in. Coordinates are coarse (neighborhood-scale, ~10 km). | Art. 6(1)(a) — consent (per the Discoverable toggle) |
| Preferred contact handle | Free-text field — Instagram, WhatsApp, email, anything. Latuvo never opens or parses it; it's shown to other users on your profile so they can contact you off-platform if they choose. | Art. 6(1)(a) |
| Home club (when you played at a specific venue) | Tagged on a per-match basis — not a global profile field. Helps you and opponents identify where a match took place. | Art. 6(1)(b) |
Device data
| Field | Why we collect it | Lawful basis |
|---|---|---|
| App version, iOS version, device model | Diagnostics + crash reports | Art. 6(1)(f) — legitimate interest in app stability |
| Crash stack traces | Diagnose and fix app crashes | Art. 6(1)(f) |
| Anonymous crash session ID (Crashlytics) | Group crash reports for the same incident | Art. 6(1)(f) |
We do not collect:
- Your IP address as a stored identifier
- Your contacts
- Your photos beyond an optional avatar you set
- Your location continuously or in the background
- Browsing or app-usage data outside Latuvo
- Advertising identifiers (IDFA)
We do not show ads, do behavioural profiling, or build advertising audiences from your data.
How long we keep your data
| Data | Retention |
|---|---|
| Account + match history | While your account exists. Delete the account in Profile → Delete Account; everything is removed within 30 days, with backups purged within a further 30 days (60 days total). |
| HealthKit samples on our server | Same as match history — removed when the parent match is removed. |
| Crash logs | 90 days, then deleted. |
| Email logs (password resets etc.) | 6 months for fraud / abuse defense, then deleted. |
| Aggregated cohort statistics | Indefinitely, but de-identified — your individual contribution is removed when you opt out of cohort sharing or delete your account. Aggregates are gated at N≥20 contributors so a single user cannot be re-identified. |
Who we share data with (sub-processors)
Latuvo uses a small set of vendors to operate. Each has its own privacy practices, listed here so you can audit them.
| Vendor | What they do for Latuvo | What data is involved |
|---|---|---|
| Supabase (database, auth, file storage) | Hosts the Latuvo backend | All account, match, and stat data |
| Apple (App Store, push notifications, HealthKit, sign-in with Apple) | App distribution + optional push + HealthKit + auth | Account creation event, push tokens, HealthKit (on-device only, not transmitted to Apple) |
| Google / Firebase Crashlytics | Crash reports | Crash stack traces, device model, OS version, anonymous session ID. We do not send personal identifiers or match data to Crashlytics. |
We do not share your data with:
- Advertising networks
- Analytics providers (Mixpanel, Amplitude, Segment, Google Analytics, etc.) — we use none of these
- Insurance or health providers
- Tennis federations, ranking systems, or coaching services
We will share data with law enforcement only when required by a valid court order from a Romanian court, or when we determine in good faith that disclosure is needed to prevent imminent harm. We publish a transparency note here if either ever happens.
Your rights
You have the following rights under GDPR (and equivalent provisions in your jurisdiction):
| Right | How to exercise it |
|---|---|
| Access — get a copy of your data | Profile → Export My Data (in-app, JSON download) |
| Rectification — fix incorrect data | Edit Profile in-app; for fields you can't edit (DOB, gender), write to [email protected] |
| Erasure — delete your account | Profile → Delete Account |
| Restriction / objection | Email [email protected] — we'll respond within 30 days |
| Portability | The Export My Data feature is your portability path |
| Complaint to a supervisory authority | You can lodge a complaint with the Romanian DPA (ANSPDCP, dataprotection.ro) or your local EU data protection authority |
International transfers
Latuvo's servers (via Supabase) are hosted in the EU. Crashlytics may transfer crash data to Google's US infrastructure under the EU-US Data Privacy Framework (Google is certified).
Children
Latuvo is for users 18 and older. We don't market to or knowingly collect data from anyone under 18. If you believe a minor has signed up, contact [email protected].
Tracking, cookies, and advertising
Latuvo is an iOS app. We do not:
- Use cookies (we're not a web app)
- Use Apple's IDFA tracking
- Show the App Tracking Transparency prompt (we have nothing to ask permission for)
- Run any third-party analytics SDK beyond Crashlytics (crash diagnostics only)
- Sell or share your data with data brokers
Changes to this policy
We'll update this page if we add a feature that changes what we collect. Material changes will be notified in-app and by email at least 14 days before they take effect. The current version of this policy is always the one published at latuvo.com/privacy.
Contact
- Privacy questions / data requests: [email protected]
- Other questions: [email protected]
- Data protection authority: ANSPDCP (Romania), dataprotection.ro