Skip to main content

Privacy Policy

Last updated: April 20, 2026

1. Who We Are

Smash ("we", "us", "our") operates the Smash mobile application and web platform at playsmash.io. The Service is provided by Mulham Analytics and AI - FZCO, a company registered in the International Free Zone Authority (IFZA), Dubai Silicon Oasis, United Arab Emirates. We are a club-first padel operating system helping players organize clubs, book courts, track their game, and receive AI-powered coaching from match video.

This policy describes how we collect, use, disclose, and protect your personal data in accordance with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, "PDPL") and, where relevant, the EU General Data Protection Regulation (GDPR). Where we use the term "personal data," we mean any information relating to an identified or identifiable natural person.

2. Information We Collect

We collect the following categories of personal data:

  • Account information: email address, name, phone number (optional), and avatar.
  • Player profile: handedness, play style, skill ratings, match history, and XP progression.
  • Club data: club memberships, session participation, and tournament results.
  • Social graph: friend requests you send and receive, and the status of each (pending, accepted, rejected, blocked). See §4.2.
  • Contact-permission flags: whether you have opted in to receive WhatsApp session invites from clubmates. See §3.3.
  • Device & usage data: approximate location (when you search for venues), browser type, and interaction analytics.
  • Communication data: WhatsApp phone numbers voluntarily provided for booking coordination and (if you opt in) receiving invites from clubmates.
  • Wearable telemetry (optional): heart rate, motion, GPS, and shot candidates from a paired smartwatch — only if you pair a device. See §6a.
  • Match video & AI coaching data (optional): video you upload of your matches, together with the derived coaching insights (shot tags, technique scores, highlight clips, player-DNA inferences). See §6b.

2.1 Legal basis under PDPL / GDPR

We process each category of personal data on one of the following legal bases, per Article 6 of the UAE PDPL and Article 6 of the GDPR:

  • Consent — video uploads and AI coaching analysis (§6b), wearable telemetry (§6a), marketing communications, and the WhatsApp-invite opt-in (§3.3). Consent is explicit, specific, and revocable at any time.
  • Performance of a contract — account authentication, club membership, session participation, and delivery of features you sign up for.
  • Legitimate interests — abuse detection, security logging, and anonymised analytics used to improve the product. You may object to processing on this basis.
  • Legal obligation — tax, accounting, and regulator requests where applicable.

3. How We Use Your Data

3.1 Core uses

  • To provide and improve the Smash platform and its features.
  • To authenticate your identity and secure your account.
  • To match you with other players and generate skill-based recommendations.
  • To send transactional emails (sign-in links, session invitations).
  • To display nearby venues based on your location.
  • To generate anonymized analytics to improve the product.

3.2 Friendships and the social graph

You can send a friend request to another player. Your name, avatar, and the fact that a request exists are shown to the recipient so they can accept, reject, or ignore it. Friend requests are visible only to the two parties involved — never to clubmates, organisers, or the public. A rejected or unfriended relationship can be re-initiated in the future unless the other party has blocked you.

3.3 WhatsApp invites

Smash never sends WhatsApp messages on your behalf. When a clubmate invites you to a session, the app opens their WhatsApp with a pre-filled message addressed to your phone number — they must still tap Send themselves.

Your phone number is only visible to clubmates for invite purposes if you have explicitly enabled "Allow clubmates to invite me via WhatsApp" on your profile. This setting is off by default. You can disable it at any time from the Profile page; disabling it removes your number from the invite list for all future session views, effective immediately.

Being in a shared club with someone does not, on its own, give them the ability to invite you via WhatsApp. Both conditions must be true: you are in a shared club, and you have opted in.

3.4 Anti-stalking protections

We enforce the following technical and policy protections to prevent abuse of the social features:

  • WhatsApp invite lists exclude anyone who has already RSVP'd to the session, so a clubmate cannot repeatedly re-invite the same person via the app.
  • Any player can block another player (see §3.5). Blocked players cannot see each other's profiles, send friend requests, or appear in each other's invite lists.
  • If you see harassment, use the in-app report flow or email safety@playsmash.io. We review reports within 72 hours and may suspend or terminate accounts that violate our Terms.
  • We log the source and timestamp of every friend request and invite action for our internal abuse-detection systems.

3.5 Blocking

Blocking a player sets the friendship status between you to BLOCKED. The blocked player will not be able to send you a new friend request, will not appear in your clubmate lists, and will not see you in pickup-game rosters you filter by friends. Blocking is silent — the other party is not notified.

4. Data Sharing

4.1 Service providers

We do not sell your personal data. We share data only with:

  • Service providers: hosting (Railway), email (Resend), error monitoring (Sentry), and analytics (PostHog).
  • Other players: your name, avatar, skill rating, and match history are visible to club members. Your phone number is never shown to other players in the UI — it is only used internally to build a click-to-WhatsApp URL when an opt-in clubmate triggers an invite.
  • Third-party APIs: venue search data is exchanged with Google Places and Playtomic to show you nearby courts.

4.2 Social-graph visibility

Your list of accepted friends is visible to you only. The app never displays a third party's friend list to anyone other than themselves. Mutual friendship between two players is not surfaced in the UI except on each party's own Friends tab.

4.3 Cross-border data transfers

Smash is operated from the United Arab Emirates, but some of our infrastructure providers operate outside the UAE. Your personal data may therefore be transferred to, stored in, or processed in the United States, European Union, or other jurisdictions where our sub-processors run their services. Current sub-processors include Railway (hosting, United States), Cloudflare R2 or AWS S3 (object storage, United States), Resend (transactional email, United States), Sentry (error monitoring, United States), PostHog (product analytics, United States), Upstash (caching, global), and the AI-inference providers we use for coaching analysis (see §6b).

Where we transfer personal data outside the UAE, we rely — in order of preference — on:

  • an adequacy decision from the UAE Data Office, where the destination country has been recognised as providing an adequate level of protection;
  • Standard Contractual Clauses (modelled on the EU Commission's 2021 SCCs) signed with the relevant sub-processor; or, where neither applies,
  • your explicit informed consent, with a clear description of the risks, provided before the transfer takes place.

You can request the current list of sub-processors and the transfer mechanism applied to each by emailing privacy@playsmash.io.

5. Data Retention

We retain your account data for as long as your account is active. You can request deletion of your account and all associated data at any time from the Settings page. Upon deletion, your personal data is permanently removed within 30 days, including friendships you participate in (both the records you originated and those where you are the addressee).

When you unfriend someone, the friendship row is deleted immediately. When you reject a friend request, the row is retained in REJECTED state so we can prevent repeat spam without notifying the requester.

6. Your Rights

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Request deletion of your account and data.
  • Export your data in a portable format.
  • Withdraw consent for optional data processing (including WhatsApp-invite opt-in) at any time.
  • Block other players and remove them from your social graph.

To exercise any of these rights, use the Settings page or contact us at privacy@playsmash.io.

6a. Wearable Telemetry (Optional)

Smash stays camera-first. If you choose to pair a compatible Apple Watch, Garmin watch, or other wearable, the paired device can send additional telemetry we use to enrich your session reports. This feature is entirely optional — Smash works identically without a paired wearable.

6a.1 What we collect from a paired device

  • Heart rate (~1 sample per second during active play) — used to render your live and post-session fatigue curve.
  • Heart-rate variability (HRV) — captured post-session as a single recovery indicator.
  • Motion (accelerometer / gyroscope) — streamed as 1-second aggregates (peak acceleration, peak rotation). Raw sample-level data is not stored.
  • GPS coordinates (~1 sample per second) — used for the positional overlay on the court heatmap. Disabled automatically when GPS accuracy is worse than 3 m.
  • Shot candidates — timestamped swing events produced on the watch by an on-device classifier, used to reconcile with camera-detected shots.
  • Device metadata — model, OS version, app version, and last-seen time, for troubleshooting.

6a.2 Why we collect it

To produce accurate live fatigue indicators, richer technique scoring (by blending camera and wrist signals), and a positional overlay for sessions where GPS precision is high enough to be useful. Wearable data supplements — never replaces — the camera-based analysis that powers SmashIQ.

6a.3 Retention

Raw biometric, motion, and GPS samples are retained for 90 days. Aggregate summaries attached to your session record (average and peak heart rate, fatigue index, matched shots, HRV) are retained for the lifetime of the session record under our standard retention policy. You can delete all wearable telemetry for an individual session by deleting that session; you can revoke a paired device from Settings → Paired devices at any time, which stops further collection immediately.

6a.4 Training and research

Your wearable data is notused to train machine-learning models or for aggregate research unless you explicitly opt in. Opt-in is a separate toggle available in Settings → Paired devices; it is off by default. You can opt out at any time, which removes your telemetry from any future training runs.

6a.5 Sharing

Wearable telemetry is visible only to you and (when aggregated into a session summary) to organisers of sessions you participated in — the same people who can see your score and match history today. Raw heart-rate and motion data are never surfaced on public spectator views, leaderboards, or anyone else's profile.

6b. Match Video & AI Coaching (Optional)

Smash offers an optional video-coaching feature. If you choose to record or upload match video, our AI pipeline produces coaching insights — shot tags, technique scores, highlight clips, and player-DNA inferences — that are attached to your session. This feature is entirely optional; Smash's core functionality (clubs, RSVPs, scoring, leaderboards) works without any video upload.

6b.1 Legal basis

Video processing is based on your explicit, specific, revocable consent under Article 6 of the UAE PDPL and Article 6(1)(a) GDPR. We collect this consent separately from the general Terms of Service — you can use every other feature of Smash without consenting to video processing. You can withdraw your consent at any time in Settings → Privacy → Video & AI Coaching; withdrawal stops new processing and triggers deletion of existing raw video within the retention window in §6b.4.

6b.2 What we collect

  • Match video you record in-app or upload, plus the device metadata required to process it (camera model, resolution, frame rate, duration, capture timestamp).
  • Derived coaching dataproduced by our AI pipeline: shot events with timestamps and type labels (drive, bandeja, víbora, etc.), technique scores, court-position inferences, candidate highlight clip timestamps, and player-DNA attributes (handedness, position, play style, favourite shots).
  • Frames extracted for player identification: the first few frames of a video are used to let you assign in-video players to Smash accounts. We do not run general facial recognition, and we do not build a face-biometric template across your videos.

6b.3 How we process it

Your video is uploaded over an encrypted connection (TLS) directly to object storage run by our storage sub-processor (Cloudflare R2, AWS S3, or Backblaze B2 — see the sub-processor list). The raw video is then analysed by our AI-inference pipeline, which may use large-model providers such as OpenAI or Anthropic to generate coaching feedback. Video content is sent to these providers only as needed for inference and is not used by them to train their public models (we configure no-training settings where available).

6b.4 Retention

Raw uploaded video is retained for up to 90 days after a session is finalised, then deleted automatically. The derived coaching data (shot tags, scores, highlight-clip references, player-DNA attributes) is retained for the lifetime of your session record under our standard retention policy. You can delete the video and associated derived data for a single session at any time from the session page. You can also export your derived data in a portable format on request (see §6).

6b.5 Sharing

Uploaded match video is visible, by default, to you and the other players you assign in the video (so each participant can see their own clips and insights). Highlight clips you choose to publish are visible to the audience you select at publish time. We never expose raw video to the public or to parties you have not assigned, and we never share your raw video with third parties except the sub-processors listed in §4.3 for the sole purpose of producing your coaching insights.

6b.6 Training and research

Your video and derived data are notused to train our own machine-learning models, and are not shared with any third party for model training, unless you explicitly opt in via Settings → Privacy → Video & AI Coaching → "Contribute anonymised data to improve Smash's models". This opt-in is off by default, can be withdrawn at any time, and applies only to data captured after you opt in.

6b.7 Other players captured on film

When you record a match, other players on court will appear in the video. You are responsible for ensuring you have their permission before uploading. If another player asks us to remove video in which they appear, we will honour that request within 30 days — either by deleting the video in full or by blurring or cropping their image, at our sole discretion. Requests can be sent to privacy@playsmash.io.

7. Security

We implement industry-standard security measures including encrypted connections (TLS), secure authentication (magic links, JWT), and access controls. No system is 100% secure, but we take reasonable steps to protect your information.

8. Children

Smash is not intended for users under 13 years of age. We do not knowingly collect data from children.

9. Changes to This Policy

We may update this policy from time to time. Significant changes — including any change to how the social graph or contact-sharing features work — will be communicated through the app and via email at least 30 days before taking effect. Continued use of Smash after changes constitutes acceptance.

10. Contact & Complaints

For privacy-related questions, to exercise any right listed in §6, or to request the current sub-processor list, contact us at privacy@playsmash.io. For safety concerns or to report abuse, email safety@playsmash.io.

Our Data Protection Officer can be reached at the same privacy address above. If you believe we have processed your personal data in breach of the PDPL, you have the right to lodge a complaint with the UAE Data Office (the federal supervisory authority established under Federal Decree-Law No. 44 of 2021) in addition to contacting us directly. EU residents retain the right to complain to their local data-protection supervisory authority.