GDPR — Data Handling Summary — RacketMaps

1. Data Controller

RacketMaps, operating at racketmaps.com, is the data controller responsible for processing your personal data as described in this document and our Privacy Policy.

2. What We Store

The following table summarises all categories of data we process:

Data Category	Examples	Legal Basis	Retention
Anonymous Fingerprint	SHA-256 hash (32 chars), IP hash, UA hash, locale	Legitimate Interest	While content exists
Reviews	Rating (1-5), comment text, club reference	Consent	While published; 30 days after removal
Photos	Uploaded images (WebP, max 800KB)	Consent	While published; 30 days after removal
Suggestions	Club edits, court additions, duplicate reports	Consent	While relevant; 90 days after resolution
Email Address	Club ownership claims only	Contract	While claim is active; deleted on request
Analytics	Page views, clicks, session duration (anonymised)	Legitimate Interest	12 months

3. What We Do NOT Store

Raw IP addresses (only hashed, irreversible)
Full user agent strings (only hashed)
Advertising identifiers or tracking pixels
Financial or payment information
Real names or physical addresses of visitors
Third-party cookies for advertising

4. Sub-Processors

Provider	Purpose	Location
Supabase	Database, authentication, file storage	EU / US
Vercel	Application hosting, edge functions	Global (edge)
MapTiler	Map tile rendering	EU
PostHog	Product analytics (anonymised)	EU (eu.posthog.com)
Resend	Transactional email delivery	US

5. International Transfers

Where data is processed outside the EU/EEA (e.g., Vercel edge nodes, Resend), we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR Chapter V.

6. Your Rights (DSAR)

Under GDPR Articles 15-22, you may submit a Data Subject Access Request (DSAR) to exercise any of the following rights:

Right of Access (Art. 15) — Obtain a copy of all data we hold about you.
Right to Rectification (Art. 16) — Correct inaccurate or incomplete data.
Right to Erasure (Art. 17) — Request deletion of your data ("right to be forgotten").
Right to Restriction (Art. 18) — Limit processing while a dispute is resolved.
Right to Data Portability (Art. 20) — Receive your data in a structured, machine-readable format (JSON).
Right to Object (Art. 21) — Object to processing based on legitimate interest.

7. How to Submit a DSAR

Email privacy@racketmaps.com with:

The right you wish to exercise
Enough detail for us to locate your data (e.g., club names you reviewed, approximate dates, email used for a claim)

Because we use anonymous fingerprints rather than accounts, we cannot identify you by name alone. Providing context about your submissions helps us locate the relevant records.

We will respond within 30 calendar days. In complex cases, we may extend this by an additional 60 days with notice.

8. Supervisory Authority

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority (DPA).

9. Contact

Privacy inquiries: privacy@racketmaps.com
Data Protection Officer: dpo@racketmaps.com