Privacy Policy

Last updated: 4 April 2026

This Privacy Policy describes how The Applications Cloud S.L. (“we”, “us”, “our”) processes personal data when you visit our marketing website (padelisto.app and related pages) and when you use the padelisto service as a coach, academy, administrator, or other authorised user (collectively, “Customers”). It also explains how personal data may be processed in connection with end users (for example, players or their parents) who interact with padelisto through messaging channels that our Customers connect to the service, such as WhatsApp or Telegram.

This policy is provided in English. If we publish translations, the English version prevails in case of inconsistency, unless mandatory local law requires otherwise.

We process personal data in accordance with Regulation (EU) 2016/679 (“GDPR”) and applicable national laws in the European Economic Area (“EEA”), including Spanish data protection legislation.

1. Data controller

The data controller responsible for processing personal data described in this policy is:

The Applications Cloud S.L.
Placa la Pau 1, 08960 Sant Just Desvern, Spain
Email: contact@padelisto.app

We have not appointed a Data Protection Officer (“DPO”). For privacy-related requests, please contact us at the email address above.

2. Scope

This policy applies to:

• Visitors of our public marketing website;
• Individuals who contact us (for example, by email or through forms we may provide);
• Customers who register for or use padelisto (including trial access); and
• End users whose personal data is processed when our Customers use padelisto to operate coaching businesses (for example, when a player messages a number or bot connected to padelisto).

Our Customers may process personal data about their own clients as independent controllers, or as processors on our instructions, depending on the scenario. Where our Customer determines the purposes and means of processing (for example, what data they collect about their players), our Customer is responsible for providing appropriate notices to those individuals. padelisto processes such data as needed to provide the service to our Customer.

3. Categories of personal data

Depending on how you interact with us, we may process:

• Identity and account data: name, email address, organisation or academy name, role, and similar account details.
• Contact and communications: messages you send to us, email threads, and support requests.
• Technical and usage data: IP address, device or browser type, approximate location derived from IP, timestamps, diagnostic logs, and service usage events needed to operate and secure the service.
• Integration and messaging data: where our Customers connect messaging channels, we may process identifiers and content necessary to deliver the service (for example, phone numbers or messaging identifiers, profile names as shown in the channel, message content, delivery status, and related metadata).
• Booking, scheduling, and coaching-related data: information our Customers enter or generate in padelisto (for example, trainings, bookings, attendance, balances) in accordance with their use of the product.
• Billing data: if and when billing applies, payment-related information may be processed by us and/or by payment service providers; we generally do not store full card numbers on our own systems when a payment processor handles card data.

4. Purposes and legal bases (GDPR Article 6)

We process personal data on the following legal bases, as applicable:

• Performance of a contract (Art. 6(1)(b)): to provide padelisto, create and administer accounts, deliver features our Customer subscribes to, and communicate about the service.
• Legitimate interests (Art. 6(1)(f)): to secure our systems, prevent abuse and fraud, improve reliability and performance, analyse aggregated usage trends, communicate service and security notices, and defend legal claims. We balance these interests against your rights and, where required, offer opt-outs where appropriate (for example, for certain marketing communications).
• Consent (Art. 6(1)(a)): where we rely on consent (for example, for certain cookies or marketing, if applicable), you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
• Legal obligation (Art. 6(1)(c)): where processing is necessary to comply with applicable law, including tax, accounting, or regulatory requirements.

5. Cookies and similar technologies (this marketing site)

This static marketing site is designed not to use advertising or analytics cookies. Loading the site may involve technical processing by infrastructure providers and, where we use third-party fonts (for example, Google Fonts), your browser may connect to that provider’s servers. Such processing may generate technical logs on the provider’s side. If we introduce non-essential cookies or similar technologies that require consent under applicable law, we will update this policy and, where required, implement an appropriate consent mechanism.

6. Recipients and subprocessors

We use trusted service providers who process personal data on our behalf under appropriate agreements, including GDPR-compliant data processing terms where required. Categories of recipients include:

• Hosting and infrastructure: cloud hosting and related infrastructure providers used to operate our services and store data.
• Messaging platforms: where Customers connect channels, data is transmitted to and processed by third-party messaging services (for example, Meta for WhatsApp and Telegram for Telegram) under their terms and privacy policies.
• AI inference providers: to power certain automated features, prompts or message content may be transmitted to AI providers (for example, services accessed via OpenRouter or similar aggregation layers, and underlying model providers). Such processing is limited to what is needed to provide the functionality.
• Email and communications: providers used to send transactional or service emails.
• Professional advisers: lawyers, accountants, or auditors where required.

Upon request, we can provide more detail about the nature of subprocessors we use to deliver the service. Third-party providers may change over time; we will update this policy or related documentation as appropriate.

7. International transfers

Where personal data is transferred outside the EEA to countries not covered by an adequacy decision under Article 45 GDPR, we implement appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission (Article 46 GDPR), supplemented by technical and organisational measures as needed. You may request further information about such transfers by contacting us.

8. Retention

We retain personal data only as long as necessary for the purposes described in this policy, including to comply with legal, accounting, or reporting requirements. Criteria used to determine retention include the nature of the data, the risk of harm from unauthorised use or disclosure, whether we can achieve the purposes through other means, and applicable legal requirements. When data is no longer needed, we delete or anonymise it in accordance with our retention practices.

9. Security

We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. No method of transmission or storage is completely secure; we encourage Customers to use strong credentials and follow good security practices.

10. Your rights

Subject to applicable law, you may have the following rights in relation to your personal data:

• Right of access;
• Right to rectification;
• Right to erasure (“right to be forgotten”);
• Right to restriction of processing;
• Right to data portability;
• Right to object to processing based on legitimate interests (including profiling in certain cases);
• Right to withdraw consent where processing is based on consent;
• Right to lodge a complaint with a supervisory authority.

To exercise your rights, contact us at contact@padelisto.app. We may need to verify your identity before fulfilling certain requests.

If you are located in Spain or if Spanish law applies, you may lodge a complaint with the Agencia Española de Protección de Datos (AEPD): www.aepd.es. If you are in another EEA country, you may contact your local supervisory authority.

11. Children

padelisto is intended for use by businesses and adult users managing coaching operations. Where messaging data relates to minors, our Customers are responsible for obtaining any required parental authority and for compliance with applicable child-protection rules. If you believe we have collected personal data from a child in a manner inconsistent with applicable law, please contact us and we will take appropriate steps.

12. Automated decision-making

Certain features may involve automated processing (including AI-assisted responses). We do not make solely automated decisions that produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22 GDPR without a lawful basis and appropriate safeguards; if that changes, we will update this policy.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and revise the “Last updated” date. Where changes are material, we will provide additional notice as required by law (for example, by email or in-product notification).

For terms governing use of the Service, see our Terms of Service.

This document is provided for transparency purposes and does not constitute legal advice. If you have questions about how your organisation should comply with privacy obligations when using padelisto, you should consult qualified counsel.