SporvioSporvio

Sporvio Privacy Policy

Last Updated: 2026-06-17

Who We Are (Data Controller)

The Sporvio service ("Sporvio", the "Service") is currently operated by 1001588189 Ontario Inc. (operating as Sporvio), incorporated in Ontario, Canada.

  • Operator / Data Controller: 1001588189 Ontario Inc. (operating as Sporvio)
  • Contact: admin@sporvio.com
  • Privacy Officer: We have designated a Privacy Officer who is accountable for our compliance with this policy and applicable privacy laws, reachable at admin@sporvio.com.

This policy explains what personal information we collect, why, how we share it, how long we keep it, and the choices and rights you have.

1. Information We Collect

1.1 Information You Provide

  • Account: Email; password (stored only in hashed form, never in plaintext).
  • Profile: Nickname, avatar, bio, sport levels, date of birth, city/region, and gender. Gender and certain profile fields are optional. We collect date of birth to confirm you meet our minimum age (see Children's Privacy).
  • Optional contact: Phone number, WeChat ID.
  • User content: Content you create on the Service — posts, comments, chat/direct messages, and photos you upload.
  • Competitive records: Match results, ratings, and win/loss history generated when you record matches or participate in ranked play.
  • Payment: We do not collect, store, process, or transfer payment information. Sporvio does not process payments (see the Terms of Service for how club balances work).

Photos and avatars. We treat photos and avatars you upload as ordinary user content. We do NOT use facial recognition, do NOT create or store biometric identifiers or face templates/embeddings from your photos, and do NOT use your images to identify or verify you. If we ever introduce any feature that processes biometric information, we will obtain any consent required by law (including Illinois BIPA and Quebec Law 25) and update this policy first.

1.2 Information We Collect Automatically

  • Usage data: Features used, taps, and session activity, to operate and improve the Service.
  • Device information: Device model, operating system version, and IP address (used for security and fraud prevention).
  • Crash and diagnostic logs: We may collect crash and diagnostic logs to fix problems and improve stability. We may also use analytics to understand usage and improve the product; we do not use analytics for advertising.

1.3 Permissions and Device Data

We only access the following with your permission, and you can change these permissions at any time in your device settings:

  • Push notifications: With your permission we collect a device push token (via the Apple Push Notification service and Expo) so we can send you the notifications you enable.
  • Photos and camera: With your permission we access your photo library and camera so you can upload images. We only access the specific items you select.
  • Location: We do not currently collect your location. If we later add map or venue features (for example, using Google Places), we will request permission and update this policy before doing so.

1.4 Sign-in Providers (Planned)

Today, sign-in is by email and password only. If and when we add Apple or Google Sign-in and you choose to use it, we will receive only the limited information that provider is authorized to share (such as email and name), and we will update this policy before enabling it. These options are not yet available. If you sign in with Apple and choose Hide My Email, we will use Apple's private relay email address and will not attempt to obtain your real email.

2. How We Use Information

  • Provide the Service: Create and operate your account, posts, clubs, events, chats, and follow/block/report features.
  • Improve the Service: Understand how the Service is used, fix bugs, and develop new features. If we introduce personalized recommendations of clubs, events, and players, we will not use your data for cross-context behavioral advertising.
  • Security and fraud prevention.
  • Customer support.
  • Legal compliance.

We map specific data to specific purposes, including: date of birth to verify you are old enough to use the Service; city to surface nearby clubs and events; optional gender for profile display and matching; device push token to deliver the notifications you enable; and photos only as content you choose to post.

Consent (PIPEDA)

We collect, use, and disclose your personal information with your consent. By creating an account and using the Service, you consent to the collection and use described in this policy. Where information is sensitive or used for a new purpose, we seek your express consent (for example, device permissions). Some information is optional; if you choose not to provide it, certain features may be unavailable, but this will not affect your ability to use the core Service.

Legal Bases for Processing (where the GDPR applies)

Where the GDPR applies to you, we rely on the following legal bases:

  • Contract (Art. 6(1)(b)): Creating and operating your account and providing core features.
  • Legitimate interests (Art. 6(1)(f)): Security and fraud prevention, IP/security logging, improving the product, and (if introduced) basic recommendations. You can object to processing based on legitimate interests (see Your Rights).
  • Consent (Art. 6(1)(a)): Push notifications, camera/photo-library access, optional phone/WeChat, and any future location features.
  • Legal obligation (Art. 6(1)(c)): Complying with applicable law.

Personalization

We may use basic profiling to recommend clubs, events, and players based on signals such as sport, level, city, and who you follow. This is not solely-automated decision-making that produces legal or similarly significant effects. You can object to or limit it via settings or by contacting support. (We will revisit this disclosure if we introduce machine-learning recommendations.)

Electronic Communications

We send service-related messages (security, account, and notifications you enable) as part of operating the Service. We will send promotional or marketing emails or pushes only where permitted under Canada's Anti-Spam Legislation (CASL) — generally with your consent — and every such message will identify us and include an easy way to unsubscribe.

3. How We Share Information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. Because we do not sell or share, we do not provide a "Do Not Sell or Share My Personal Information" link; if this ever changes, we will update this policy and provide the required opt-out. We share information only as follows:

  • Other users: Content you post (posts, comments, photos, and profile fields) is visible to other users and may be public depending on where you post it and your settings. Your nickname, avatar, and sport levels are visible to others. Direct messages are visible to the recipient(s). If you opt in to public leaderboards (for example, by enabling ladder_public), your competitive records — including ratings, rankings, and win/loss history — become visible to other users on the applicable leaderboards. This visibility is off by default and you can turn it off at any time.
  • Service providers / contractors: Our backend provider Supabase (hosted on AWS) processes personal information on our behalf, under contract, solely to provide services to us, and is contractually restricted from using it for any other purpose. Expo and Apple (APNs) receive a device push token to deliver push notifications. We may use analytics or error-monitoring tools to improve the product; we do not name a specific provider until one is in use. If we add maps/location (Google) or Apple/Google Sign-in in the future, we will update this list. Our service providers are contractually required to protect your data with the same or equivalent safeguards described in this policy and to use it only to provide services to us. These disclosures do not constitute a "sale" or "share" under the CCPA/CPRA.
  • Legal and safety: When required by law or a valid government/court request, or to protect the rights, safety, and property of Sporvio, our users, or the public.
  • Enforcement: To investigate or address violations of our Terms.

We may access and review user content, including reported messages, where necessary to investigate reports, enforce our Terms, protect safety, or comply with the law.

Current sub-processors (as of June 2026): Supabase Inc. (database/backend hosting; on AWS) — Canada/US; Amazon Web Services — Canada/US; Expo (push token delivery); Apple Inc. (APNs). We will update this list before engaging a new sub-processor for analytics, error monitoring, maps/location, or sign-in.

Analytics and crash reporting. When we begin using a specific analytics or crash-reporting provider, we will name it here and, where required, provide a way to opt out. Our analytics are used only to operate and improve the Service and never for advertising or cross-context behavioral tracking.

4. Your Rights and Choices

Depending on where you live, you may have some or all of the following rights. You can exercise them in-app or by emailing admin@sporvio.com.

  • Access: Request access to the personal information we hold about you and how it has been used or disclosed.
  • Rectification / Correction: Edit your profile in-app, or ask us to correct inaccurate or incomplete information.
  • Erasure / Deletion: Permanently delete your account and personal data from within the app (Me → Settings → Account → Delete account). This is a full account deletion, not a deactivation. We delete or anonymize your personal data within 30 days, except where retention is required by law, for fraud/abuse prevention, to resolve disputes or enforce our Terms, or in routine backups (purged on the backup cycle). Content others have already received (for example, messages in their inbox) or aggregated/anonymized data may persist. You can also request account and data deletion without the app by emailing admin@sporvio.com, or via the account-deletion page at https://www.sporvio.com/delete-account. We verify your identity against the account on file before deleting.
  • Restriction: Ask us to restrict processing in certain circumstances.
  • Data Portability / Export: Request a copy of your data in a portable format (admin@sporvio.com).
  • Object: Object to processing based on legitimate interests, including recommendations/profiling.
  • Withdraw Consent: You may withdraw consent to our collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions and reasonable notice — including by turning off device permissions (push, photo library, camera) or deleting your account. Withdrawing consent does not affect processing already carried out, and withdrawing some consents may mean we can no longer provide parts of the Service.
  • Automated decisions: We do not make decisions producing legal or similarly significant effects about you based solely on automated processing.
  • Right to Lodge a Complaint: You may complain to a supervisory authority. In Canada, that is the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca; you may also contact your local data protection authority.

We may decline a request only where permitted by law and will explain why. We verify your identity (by matching information to the account/email on file) before fulfilling access, deletion, or correction requests.

Response timing: We respond without undue delay and within one month (30 days) of receipt. For complex or numerous requests we may extend by up to two further months and will tell you within the first month. (California-specific timing is described in the California section below.)

5. Data Storage, Security, and Breach Notification

  • Storage: Data is stored using Supabase (hosted on AWS). See Cross-Border Data Transfer below.
  • Safeguards: We protect your personal information with organizational and technical safeguards appropriate to its sensitivity, including bcrypt password hashing (a strong one-way hash, so we never see your plaintext password), HTTPS/TLS in transit, access controls limiting who on 1001588189 Ontario Inc. (operating as Sporvio) can access user data, and confidentiality obligations for anyone with access.
  • No system is fully secure: While we work to protect your information, no method of transmission or storage is 100% secure.
  • Breach notification: If a breach of security safeguards involving your personal information occurs and creates a real risk of significant harm, we will notify you and report it to the Office of the Privacy Commissioner of Canada as soon as feasible, will keep records of breaches as required by PIPEDA, and (where the GDPR applies) will comply with our notification obligations under Articles 33–34, and we will also notify affected users and any regulators as required by applicable U.S. state data-breach notification laws.

6. Data Retention

We retain personal information only as long as needed to provide the Service and for the purposes described in this policy, or as required by law. General guidance:

  • Account and profile: Retained while your account is active; deleted or anonymized within 30 days of account deletion.
  • Backups: Residual copies in routine backups are purged on the normal backup cycle (typically within ~30–90 days).
  • Server, IP, and security logs: Retained for a limited period for security and fraud prevention, up to 12 months.
  • Crash logs / analytics: Retained for a limited period to diagnose and improve the product, up to 14 months.
  • Chat / direct messages: Retained while your account is active.
  • Legal-hold / fraud records: Retained as required to meet legal obligations, resolve disputes, prevent fraud, or enforce our Terms.

Where we cannot give a fixed period, we use criteria such as legal obligation and legitimate operational need.

7. Cross-Border Data Transfer

Sporvio is based in Canada. We use Supabase (hosted on AWS); your data may be stored or processed in Canada or the United States, and we are migrating primary storage to a Canadian region (Supabase ca-central-1).

  • Canada benefits from an EU adequacy decision for commercial data covered by PIPEDA.
  • Where we transfer data internationally (for example, to the US), we rely on appropriate safeguards such as standard contractual clauses and/or, where a sub-processor is certified, the EU-US Data Privacy Framework. You may request a copy of the relevant safeguards via admin@sporvio.com.
  • While your data is in another country, it is subject to that country's laws and may be accessed by its courts, governments, and law-enforcement or national-security authorities. We remain accountable for your personal information and require our service providers to protect it to a comparable standard.

8. Your Privacy Rights by Region

Canada (PIPEDA) — Home Jurisdiction

We handle your personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws. Challenging our compliance: if you have a privacy concern, contact us first at admin@sporvio.com. If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca.

Quebec residents have additional rights under Quebec's Law 25, including data portability and the right to contact our designated person responsible for the protection of personal information at admin@sporvio.com, and may complain to the Commission d'accès à l'information du Québec (CAI). Before transferring personal information outside Quebec (for example, to servers in the United States), we conduct a privacy impact assessment as required by Law 25, taking into account the sensitivity of the information, the purposes of its use, the protective measures (including contractual) that would apply, and the legal framework of the destination jurisdiction, and we transfer only where the information would receive adequate protection.

United States — California (CCPA/CPRA)

This section applies to California residents. We do not sell or share personal information.

Categories of personal information we collect, sources, purposes, and recipients:

  • Identifiers (email, nickname, IP address, device identifiers, push token) — collected directly from you and automatically from your device.
  • Customer records (hashed password, optional phone/WeChat) — directly from you.
  • Internet/network activity (usage events, crash/diagnostic logs) — automatically from your device.
  • Geolocation — general/IP-based only; we do not collect precise location.
  • Audio/visual (photos you upload) — directly from you.
  • Professional/sport profile and demographic data (sport levels, city, date of birth/age, optional gender) — directly from you.
  • Inferences (basic recommendations) — derived from the above.

Sources: directly from you; automatically from your device; and (if/when you enable Apple/Google sign-in) from those providers. Business/commercial purposes: to provide and improve the Service, recommendations, security and fraud prevention, support, and legal compliance. Categories of recipients: service providers/contractors (Supabase/AWS; Expo/APNs) and legal/government recipients.

Sensitive Personal Information (SPI): Account log-in credentials (email and password) and the contents of your private direct messages are SPI. We use SPI only to provide and secure the Service and prevent fraud. We do not use or disclose SPI to infer characteristics, so we do not provide a "Limit the Use of My Sensitive Personal Information" link. You may still contact us at admin@sporvio.com.

Your California rights: Right to Know/Access (including for the 12-month period preceding your request), Delete, Correct, Opt-Out of Sale/Sharing, Limit Use/Disclosure of Sensitive PI, and Non-Discrimination. We will not discriminate against you for exercising your rights — we will not deny you the Service, charge different prices, or provide a different level or quality of service. We retain each category of personal information for the periods described in Data Retention.

How to submit a request: Use in-app deletion or email admin@sporvio.com (Sporvio operates primarily online, so email is our designated method). We verify your identity by matching information to the account/email on file before fulfilling a request. You may use an authorized agent with written authorization, and we may still verify your identity. California response timing: we acknowledge receipt within 10 business days and respond within 45 calendar days, extendable by an additional 45 days with notice.

We do not sell or share personal information at all, and in particular we do not sell or share the personal information of any user we know to be under 16.

European Union / United Kingdom

The Service is intended for users in Canada and the United States and is not directed at the EU/UK. If you access it from the EU/UK, you may contact us at admin@sporvio.com, and the GDPR rights and legal bases described in this policy apply to you to the extent the GDPR applies.

China

The Service is offered in Canada and the United States and is not directed to users in mainland China.

9. Cookies and Similar Technologies

  • App: We store a login token on your device to keep you signed in.
  • Website: We use only the storage strictly necessary to keep you signed in and make the site work.
  • We do not use third-party advertising or cross-site tracking cookies.

Do Not Track / Global Privacy Control. Because we do not sell or share personal information and do not use cross-site/cross-context tracking, there is nothing for an opt-out-preference signal to opt out of. If our practices change, we will honor GPC as a valid opt-out and update this policy.

10. Children's Privacy

The Service is not directed to children under 13 (in the United States and Canada), and we do not knowingly collect personal information from children under 13.

  • Age screening: During registration we ask for your date of birth to confirm you meet the minimum age. Accounts indicating an age under 13 are not permitted to register.
  • Parents/guardians: If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at admin@sporvio.com. We will verify the request, delete the child's account and associated personal information promptly, and in any case within 30 days, and respond within 30 days.
  • Teens (13–17): If you are between 13 and 17, you may use the Service only with the knowledge and consent of a parent or legal guardian, who agrees to our Terms on your behalf. By allowing you to register, your parent or legal guardian is deemed to accept our Terms on your behalf and to accept responsibility for your use of the Service. We encourage parents and guardians to be involved in their teen's use of the Service.

11. Accessibility

We are committed to making Sporvio accessible and are working toward conformance with WCAG 2.1 AA and our obligations under the Accessibility for Ontarians with Disabilities Act (AODA). If you encounter an accessibility barrier, contact us at admin@sporvio.com and we will work with you to provide the information or service in a suitable way.

12. Changes to This Policy

We may update this policy from time to time. We will revise the "Last Updated" date above, and material changes will be notified via the app or email. Your continued use of the Service after an update means you accept the revised policy.

13. Contact Us

For privacy questions, to exercise your rights, or to raise a complaint about how we handle your personal information:

  • Email: admin@sporvio.com
  • Privacy Officer: accountable for our compliance, reachable at the email above. If you are not satisfied with our response to a privacy complaint, you may escalate to the Office of the Privacy Commissioner of Canada (or, for Quebec residents, the Commission d'accès à l'information du Québec) as described in Your Privacy Rights by Region.
  • Operator: The Service is currently operated by 1001588189 Ontario Inc. (operating as Sporvio), Ontario, Canada. Reach us at the email above. Registered office: 706-15 Wertheim Ct, Richmond Hill, ON L4B 3H7, Canada.
  • We respond without undue delay and within 30 days (subject to the extensions described above and California-specific timing).