Privacy Policy

Your Tennis Bracket respects the privacy of its users and provides this website for entertainment purposes and for the personal, non-commercial use of its users.

This privacy policy sets out the privacy policies and practices regarding the personal data that we collect from our users at https://www.yourtennisbracket.com and related services. As this website is operated from the Federal Republic of Germany, German privacy laws, including the General Data Protection Regulation (GDPR), apply.

With the following privacy policy, we would like to inform you about the types of personal data (hereinafter also referred to as "data") we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites and in mobile applications (hereinafter collectively referred to as "online offering").

Last updated: November 2025

1. Controller

Name: Martin Mecha

Address: Singapurstrasse 4, 20457 Hamburg, Deutschland

E-Mail: hello@yourtennisbracket.com

Telephone: Upon request

Imprint: www.yourtennisbracket.com/imprint

2. Overview of Processing

The following overview summarizes the types of data processed and the purposes of their processing:

Types of Data Processed

  • Account Data: Email address, username, password (hashed), profile information, country
  • Contact Data: Email address, telephone (if provided)
  • Content Data: Tournament predictions, match results, tournament data
  • Usage Data: Session information, page views, access timestamps
  • Meta, Communication and Process Data: IP address, browser type, device information
  • Log Data: Server logfiles containing access times, IP addresses, browser information

Categories of Data Subjects

  • Users (website visitors, online service users)
  • Communication partners

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations
  • Communication
  • Security measures
  • Provision of our online offering and user-friendliness
  • IT infrastructure
  • Direct marketing (with consent)
  • Organizational and administrative procedures

All data is stored securely in our database hosted on Neon (PostgreSQL) and processed in accordance with GDPR requirements.

3. Legal Basis for Processing

Below you will find an overview of the legal bases of the GDPR on which we process personal data:

  • Article 6 para. 1 sentence 1 lit. a GDPR (Consent): The data subject has given consent to the processing of personal data relating to him or her for a specific purpose or multiple specific purposes.
  • Article 6 para. 1 sentence 1 lit. b GDPR (Contract Performance): The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures.
  • Article 6 para. 1 sentence 1 lit. f GDPR (Legitimate Interests): The processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not override those interests.

We process your data on the basis of:

  • Your consent during account creation and use of our service
  • Contractual necessity for the provision of the tennis prediction and ranking service
  • Legitimate interests in maintaining and improving our platform

Legitimate Interests for IP Addresses and Logfiles:

  • Ensuring security and stability of our platform by preventing and detecting fraud, misuse, and cyberattacks
  • Protecting users' data and accounts from unauthorized access
  • Fulfilling our legal obligations and defending against legal claims
  • Analyzing and improving the performance of our services

We have carefully balanced our interests against your privacy rights and have limited this processing to what is strictly necessary. IP addresses are pseudonymized where possible and stored only for the duration specified in this policy (maximum 90 days unless extended for evidentiary purposes).

4. Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing, as well as the varying likelihood and extent of threats to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk:

  • Securing confidentiality, integrity and availability of data
  • Controlling physical and electronic access to data
  • Implementing procedures to exercise data subject rights
  • Securing online connections via TLS/SSL encryption technology (HTTPS)
  • Secure storage of passwords via bcrypt hashing
  • Regular security updates and monitoring
  • Access controls and authentication mechanisms
  • Backup and disaster recovery procedures

Securing Online Connections: To protect user data transmitted through our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt information transmitted between the website and the user's browser, protecting data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards.

5. Cookies and Tracking

We use the following essential cookies that are strictly necessary for the functionality of the service:

  • Session Authentication Cookie (NextAuth.js): Stores your encrypted session token to keep you logged in. This cookie is set when you sign in and is automatically deleted when you log out or after the session expires.

These essential cookies cannot be deactivated as they are required for the core functionality of user authentication and session management. They are session-based and are automatically deleted when you log out.

We currently do not use any non-essential cookies, tracking scripts, or analytics tools. This means we do not use services such as Google Analytics, Facebook Pixel, or similar tracking technologies.

In the future, we may introduce advertising, sponsored content, or marketing emails. If we do so, you will be notified and can opt out via your profile settings.

6. Data Sharing with Third Parties

We share your personal data with the following third-party providers:

  • Neon (Database Hosting): Your data is securely stored in a PostgreSQL database hosted by Neon. Neon acts as a data processor under the GDPR.
  • Resend (Email Service): We use Resend to send transactional emails (welcome messages, password reset, tournament reminders). Your email address and name are shared with Resend exclusively for this purpose.
  • Vercel (Hosting): Our website and API are hosted on Vercel. Vercel may process your IP address and technical data for hosting purposes.

We do not sell your data to third parties.

7. Data Transfers to Third Countries

Some of our service providers are located outside the European Economic Area (EEA), including:

  • Neon: May process data in the United States and other locations
  • Resend: May process data in the United States
  • Vercel: May process data in the United States and other locations

To ensure adequate protection of your personal data when transferred to third countries, we have implemented the following safeguards:

  • Standard Contractual Clauses (SCCs): We have concluded EU-standard contractual clauses with all third-country service providers. These clauses provide legally binding commitments to comply with European data protection standards.
  • Data Processing Agreements: All service providers have entered into data processing agreements that strictly limit their use of your data to the purposes we specify.
  • Security Measures: All transfers are subject to our service providers' comprehensive security measures, including encryption, access controls, and regular security audits.

Please note that data transfers to the United States may be subject to local surveillance laws and government access requests. While we have taken all reasonable measures to protect your data, we cannot guarantee absolute protection against governmental access in these jurisdictions. All service providers are contractually bound to notify us of any government requests for your data where legally permitted.

8. Provision of Online Offering and Web Hosting

Vercel: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacity); Service provider: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA; Legal basis: Legitimate interests (Article 6 para. 1 sentence 1 lit. f GDPR); Website: https://www.vercel.com; Privacy policy: https://vercel.com/legal/privacy-policy. Data processing agreement: Provided by the service provider.

Collection of Access Data and Logfiles: Access to our online offering is logged in the form of so-called "server logfiles". Server logfiles may include the address and name of the retrieved web pages and files, date and time of retrieval, transferred data volumes, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), and normally IP addresses and the requesting provider. Server logfiles can be used for security purposes, e.g., to prevent server overload (especially in the case of abusive attacks, so-called DDoS attacks), and to manage server load and ensure stability.

Deletion of Data: Logfile information is stored for a maximum of 90 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes is excluded from deletion until the incident is finally resolved.

Email Transmission: The web hosting services we use also include sending emails via Resend. For these purposes, the addresses of recipients and senders as well as other information regarding email transmission (e.g., the providers involved) and the contents of the respective emails are processed. The aforementioned data may also be processed for the purpose of detecting spam. Please note that emails are generally not sent with end-to-end encryption on the Internet. As a rule, emails are encrypted in transit, but (unless a so-called end-to-end encryption procedure is used) not on the servers from which they are sent and received. We therefore cannot assume any responsibility for the transmission path of emails between the sender and their receipt on our server.

9. Registration, Login and User Account

Users can create a user account. As part of the registration process, users are informed of the required information, and this information is processed for the purpose of providing the user account on the basis of contract performance. The processed data includes in particular login information (username, password, and an email address).

In the context of using our registration and login functions as well as using the user account, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests as well as those of users in protection against misuse and other unauthorized use. This data is generally not passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so.

Users can be informed by email about processes that are relevant to their user account, such as technical changes.

Types of Data Processed: Account data, contact data, content data, usage data, log data

Affected Persons: Users

Purposes: Provision of contractual services and fulfillment of contractual obligations; security measures; provision of our online offering

Legal Basis: Contract performance and pre-contractual inquiries (Article 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Article 6 para. 1 sentence 1 lit. f GDPR)

10. Newsletter and Electronic Notifications

We send newsletters, emails and other electronic notifications (hereinafter "Newsletter") exclusively with the consent of recipients or based on a legal basis. If the contents of the newsletter are specified during registration, these contents are decisive for the consent of users. To subscribe to our newsletter, it is usually sufficient to provide your email address.

Resend: Email transmission services; Service provider: Resend, Inc., USA; Legal basis: Legitimate interests (Article 6 para. 1 sentence 1 lit. f GDPR); Website: https://www.resend.com; Privacy policy: https://resend.com/legal/privacy-policy.

Objection (Opt-Out): You can cancel the receipt of our newsletter at any time, i.e., revoke your consents, or object to further receipt. You can find a link to cancel the newsletter at the end of each newsletter or use one of the contact options provided above, preferably email.

Deletion and Restriction: We may store unsubscribed email addresses for up to 1 year based on our legitimate interests before deleting them to prove that consent was previously given and to defend against potential claims. The processing of this data is limited to the purpose of potentially defending against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time.

11. Storage Duration and Deletion

We delete personal data that we process in accordance with legal provisions as soon as the underlying consents are revoked or there are no further legal bases for processing. This affects cases where the original purpose of processing no longer applies or the data is no longer needed.

We only store your personal data for as long as is necessary for the purposes specified in this privacy policy:

  • Account Data: Until you delete your account or request deletion
  • Predictions and Rankings: Stored for up to 7 years after account deletion or your request, as required for historical record-keeping, user analytics, and potential legal claims. You can request earlier deletion at any time.
  • Session Data: Deleted when you log out or after the session expires
  • Log Data: Deleted after a maximum of 90 days
  • Newsletter Data: Up to 1 year after unsubscription for proof purposes

You can request deletion of your account and all associated data at any time via your profile settings or by contacting us directly.

12. Your Rights under GDPR

As a data subject under the GDPR, you have various rights, particularly arising from Articles 15 to 21 GDPR:

  • Right of Access (Article 15 GDPR): You have the right to obtain confirmation as to whether or not your personal data are being processed, and to obtain access to your personal data and other information and copies of the data in accordance with legal provisions.
  • Right to Rectification (Article 16 GDPR): You have the right to request completion of your personal data or rectification of your incorrect personal data in accordance with legal provisions.
  • Right to Erasure and Restriction of Processing (Articles 17 and 18 GDPR): You have the right to request that your personal data be deleted immediately in accordance with legal provisions, or alternatively, to request a restriction of data processing in accordance with legal provisions.
  • Right to Data Portability (Article 20 GDPR): You have the right to receive your personal data in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller in accordance with legal provisions.
  • Right to Object (Article 21 GDPR): You have the right to object to the processing of your personal data at any time on grounds relating to your particular situation, where processing is based on Article 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing.
  • Right to Withdraw Consent (Article 7 para. 3 GDPR): You have the right to withdraw consents granted at any time.
  • Right to Lodge a Complaint (Article 77 GDPR): Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, workplace or place of the alleged violation, if you consider that the processing of your personal data violates the GDPR.

To exercise any of these rights, please contact us at hello@yourtennisbracket.com or use your profile settings where available.

13. Changes to this Privacy Policy

We ask you to inform yourself regularly about the content of our privacy policy. We will adapt the privacy policy as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as the changes require an action on your part (e.g., consent) or any other individual notification.

14. Contact

If you have questions about this privacy policy or our data processing practices, please contact us:

Email: hello@yourtennisbracket.com

Address: Martin Mecha, Singapurstrasse 4, 20457 Hamburg, Deutschland