Privacy Policy

1. Personal Data We Collect

1.1 Personal Data Provided by You

We may collect personal data including, but not limited to:

• Full name
• Email address
• Phone number
• Coach profile details (biography, experience, certifications, pricing, availability) — coach app
• Booking information and schedules — coach and courts apps
• Court submissions, saved courts, and favourites — courts app
• Newsletter subscriptions, article reactions, and reader comments — media app
• Communications and messages
• Billing and subscription information (processed via third-party payment providers)

1.2 Personal Data Collected Automatically

When you use the Service, we may automatically collect:

• IP address
• Device and browser information
• Approximate location (when you opt in to location-based court search)
• Usage data, logs, and timestamps
• Cookies and similar tracking technologies

1.3 Personal Data from Third Parties

We may receive personal data from:

• Authentication providers (e.g. Clerk for unified sign-in across the Service)
• Payment processors (e.g. Stripe for subscription billing)
• Google APIs — when you connect your Google account for calendar integration, we receive your Google email address, calendar event data, and free/busy information (see Section 2 for details)
• Meta / Instagram — when a coach or operator connects an Instagram Business account for automation, we receive Instagram messages, comments, mentions, and reactions via the Instagram Graph API and webhooks (see Section 3 for details)
• E-commerce platforms such as Shopify

2. Google API Services — User Data

The PickleBase Platform offers an optional Google Calendar integration that allows coaches to sync their coaching schedules with Google Calendar. This feature uses Google API Services and is subject to the Google API Services User Data Policy, including the Limited Use requirements.

2.1 Google Data We Access

When you connect your Google account, we request access to the following scopes:

• Google email address — to identify the connected Google account and display it in your settings
• Calendar events (read) — to retrieve your free/busy times and prevent double-booking
• Calendar events (write) — to create, update, or cancel coaching session events in your Google Calendar when bookings are confirmed, modified, or cancelled

2.2 How We Use Google Data

Google user data is used solely to:

• Display your connected Google email address in your calendar integration settings
• Query your calendar for busy times so that your coaching availability is accurate
• Create, update, and delete calendar events that correspond to coaching session bookings

We do not use Google user data for advertising, analytics, market research, or any purpose unrelated to providing and improving the calendar sync feature you have enabled.

2.3 How We Store Google Data

• Your Google OAuth refresh token and access token are encrypted at rest using AES-256-GCM encryption and stored in our database. These tokens are used only to maintain your calendar connection.
• Your Google email address is stored in plaintext for display purposes in your settings.
• Calendar event data (event titles, times, busy/free status) is queried in real time from Google and is not permanently stored in our database.

2.4 Google Data Sharing

We do not share, transfer, or disclose Google user data to any third party, except:

• With your explicit consent
• Where necessary for security purposes (e.g. investigating abuse)
• Where required by applicable law, regulation, or legal process
• In connection with a merger, acquisition, or sale of assets, provided the successor agrees to protect Google user data in accordance with this policy

We do not transfer Google user data to advertising platforms, data brokers, information resellers, or any party engaged in surveillance or profiling.

2.5 Limited Use Compliance

The PickleBase Platform's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only use Google user data to provide and improve the calendar integration feature that is visible and prominent to you as a user.
• We do not allow humans to read your Google user data unless you have given explicit affirmative consent, it is necessary for security purposes, it is required to comply with applicable law, or the data has been aggregated and anonymised for internal operations.
• We do not transfer or sell Google user data to third parties, except as described in Section 2.4 above.

2.6 Revoking Google Access

You may disconnect your Google Calendar integration at any time through your coach dashboard settings. When you disconnect:

• Your stored Google OAuth tokens (refresh token and access token) are permanently deleted from our database.
• Your stored Google email address is removed.
• We will no longer access your Google Calendar data.

You may also revoke access directly from your Google Account permissions page.

3. Meta / Instagram Automation Data

The PickleBase Platform offers an optional Instagram automation feature that allows authorised operators and coaches to connect an Instagram Business or Creator account in order to automate replies to direct messages and comments. This feature uses the Instagram Graph API and is subject to Meta's Platform Terms and Developer Policies.

3.1 OAuth Scopes Requested

When you connect an Instagram account for automation, we request the following scopes via Instagram Business Login:

• instagram_business_basic — to identify the connected Instagram account (username, account ID, profile picture)
• instagram_business_manage_messages — to read incoming direct messages and send automated replies
• instagram_business_manage_comments — to read incoming comments and send automated replies

3.2 Webhook Events We Receive

Once connected, Meta delivers the following webhook events to our servers in real time:

• messages — direct messages received by the connected account
• messaging_postbacks — quick-reply or button taps inside DMs
• comments — comments on posts and reels
• live_comments — comments posted during live broadcasts
• mentions — @-mentions in stories and comments
• message_reactions — reactions added or removed on direct messages

3.3 How We Use Meta / Instagram Data

Instagram data is used solely to:

• Trigger and execute the automation workflows that you (the operator) have explicitly configured (e.g. send a DM in reply to a specific keyword)
• Display incoming messages, comments, and events in the operator's automation dashboard so that automation behaviour can be reviewed and audited
• Diagnose webhook delivery, signature verification, and execution failures

We do not use Instagram data for advertising, profiling, market research, or any purpose unrelated to the automation feature you have enabled.

3.4 How We Store Meta / Instagram Data

• The long-lived Instagram OAuth access token is encrypted at rest and stored in our database. It is used only to maintain the connection and execute configured automations.
• The connected Instagram account ID, username, and profile picture URL are stored in plaintext for display purposes.
• Webhook event payloads (message text, comment text, reaction type, sender ID, timestamps) are stored as a transient log to drive automation execution and provide an audit trail. Raw webhook events are retained for up to 90 days, after which they are deleted or anonymised.
• Aggregated, non-identifying counts (e.g. total automation runs in the last 30 days) may be retained beyond 90 days for product analytics.

3.5 Meta / Instagram Data Sharing

We do not share, transfer, or sell Instagram user data to third parties, except:

• With your explicit consent (e.g. when you configure an automation node that forwards a message to a third-party webhook you control)
• Where necessary for security purposes (e.g. investigating abuse, signature verification failures)
• Where required by applicable law, regulation, or legal process
• In connection with a merger, acquisition, or sale of assets, provided the successor agrees to protect Instagram user data in accordance with this policy

3.6 Revoking Instagram Access

You may disconnect your Instagram automation integration at any time from the automation dashboard. When you disconnect:

• Your stored Instagram OAuth access token is permanently deleted from our database.
• The webhook subscription is removed via the Instagram Graph API.
• We will no longer receive webhook events for that account.

You may also revoke access directly from your Instagram account's connected-apps settings on instagram.com/accounts/manage_access.

4. Purpose of Processing Personal Data

In accordance with the PDPA, we process personal data for lawful and relevant purposes, including:

• Creating and managing user accounts across the Service
• Facilitating bookings between coaches and customers, and between courts and players
• Processing payments and subscriptions
• Displaying coach profiles, court listings, and articles
• Delivering newsletters, comments, and reactions in the media app
• Executing operator-configured Instagram automation workflows
• Communicating confirmations, updates, and support responses
• Improving our Service and user experience
• Preventing fraud, misuse, or security threats
• Complying with legal and regulatory requirements

5. Disclosure of Personal Data

We do not sell your personal data.

We may disclose personal data to:

• Service providers and vendors who assist in operating the Service
• Coaches and customers where disclosure is necessary to complete bookings
• Legal or regulatory authorities where required by law
• Successors in the event of a business restructuring, merger, or sale

All third parties are required to protect your personal data and process it only for authorised purposes.

6. Cookies

We use cookies and similar technologies to:

• Enable essential site functionality
• Maintain login sessions
• Analyse usage patterns and improve performance

You may disable cookies via your browser settings, but doing so may limit certain features of the Service.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes outlined in this Privacy Policy, or as required under applicable laws and regulations.

When personal data is no longer required, it will be securely deleted or anonymised.

8. Data Security

We take reasonable steps to protect personal data from loss, misuse, unauthorised access, disclosure, alteration, or destruction by implementing appropriate administrative, technical, and physical safeguards.

However, no electronic transmission or storage method is completely secure.

9. Access and Correction of Personal Data

In accordance with the PDPA, you have the right to:

• Request access to your personal data
• Request correction of inaccurate, incomplete, or outdated personal data

Requests may be made by contacting us using the details in Section 14. We may require verification of identity before processing such requests.

10. Withdrawal of Consent

You may withdraw your consent to the processing of your personal data at any time by providing written notice to us. Please note that withdrawal of consent may affect your ability to use certain features of the Service.

11. Personal Data of Minors

The Service is not intended for individuals under the age of 13. We do not knowingly collect personal data from minors without parental or guardian consent.

12. Transfer of Personal Data Outside Malaysia

Your personal data may be transferred to, stored, or processed outside Malaysia. Where such transfers occur, we will take reasonable steps to ensure that the receiving jurisdiction provides a level of protection comparable to the PDPA.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "Last updated" date. Continued use of the Service after such changes constitutes acceptance of the revised Privacy Policy.

14. Contact Information

If you have any questions, requests, or complaints regarding this Privacy Policy or our handling of personal data, please contact:

The PickleBase
Email: hello@thepicklebase.com
Website: thepicklebase.com