PRIVACY POLICY

Last updated: March 2026 — Version 2.0

1. About This Policy

BALLERS.AU ("we", "us", "our") operates an online platform that enables basketball clubs and associations to manage trial registrations, team allocations, player communications, court bookings, and venue management. This Privacy Policy explains how we collect, use, disclose, store, and protect personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

By using our platform or submitting a registration form, you acknowledge that you have read this policy and consent to the practices described in it. If you are submitting information on behalf of a child, you confirm that you are the child's parent or legal guardian, or are otherwise authorised to provide that information.

2. What Information We Collect

We collect personal information that is reasonably necessary to operate the platform and provide our services. This includes:

  • Player information: full name, date of birth, age, gender, school, and previous club or experience.
  • Parent / guardian information: full name, email address, and mobile phone number.
  • Registration data: trial session selected, registration status, payment status, grading preferences, and volunteer interest.
  • Consent records: records of the consents you provided at the time of registration.
  • Club information: club name, contact details, and portal login credentials (for club administrators).
  • Court booking data: court bookings made by clubs, including court name, date, start and end times, duration, division or age group, booking notes, and the club that made the booking. See Section 2a for details.
  • Venue manager data: venue manager login credentials (username and hashed password), session tokens, and portal activity. See Section 2b for details.
  • Billing and payment data: Stripe customer identifiers, subscription identifiers, and payment intent identifiers linked to your club account. See Section 2c for details.
  • Usage data: standard server logs including IP addresses, browser type, and pages visited, collected automatically when you use the platform.

We do not collect sensitive information (as defined in the Privacy Act) such as health or medical information through the standard registration form. If a club separately requests medical or welfare notes, that information is provided voluntarily and is subject to this policy.

2a. Court Booking Data

When a club makes a court booking through the platform, we collect and store the following information:

  • The club that made the booking and the user account that created it.
  • The venue, court, date, start time, end time, and duration of the booking.
  • The division, age group, or program associated with the booking (if provided).
  • Any notes attached to the booking by the club or venue manager.
  • The booking type (club booking, open courts, or venue block).
  • Whether the booking is part of a recurring series and the series parameters.
  • Cancellation records including the date and reason for cancellation (if applicable).

Court booking data is visible to the club that made the booking, venue managers at the relevant venue, and BALLERS.AU administrators. Booking data (excluding personal information) may be included in monthly usage reports and CSV exports generated by venue managers for billing and operational purposes.

We retain court booking records for a minimum of 7 years to support billing disputes, audit requirements, and financial record-keeping obligations.

2b. Venue Manager Data

Venue managers who access the Venue Manager Portal are assigned credential-based login accounts (separate from Manus OAuth). We collect and store:

  • Username chosen at account creation.
  • A one-way hashed version of the password (we never store passwords in plain text).
  • The venue the account is associated with.
  • Session tokens (stored as signed JWTs in browser cookies) that expire after 7 days (or 30 days if "Remember Me" is selected).
  • Audit records of blocks, court updates, and credential changes made through the portal.

Venue manager credentials are created and managed by BALLERS.AU administrators. Venue managers may change their own password at any time through the Security tab in the Venue Manager Portal. If you believe your credentials have been compromised, contact us immediately at [email protected].

2c. Billing and Payment Data

All payment processing is handled by Stripe, Inc. We do not store full card numbers, CVV codes, or card expiry dates on our servers. We store only the following Stripe identifiers, which are necessary to manage your subscription and court hire billing:

  • Stripe Customer ID — links your club account to your Stripe customer record.
  • Stripe Subscription ID — tracks your active platform subscription.
  • Stripe Payment Intent IDs — used to track individual payment transactions for dispute resolution.
  • Stripe Invoice IDs — used to track monthly court hire invoices.

Court hire usage is reported to Stripe as metered billing units throughout the month. Invoices are auto-generated by Stripe at the end of each billing period based on hours booked. You can view your billing history and manage your payment method directly in the Stripe Customer Portal, accessible from your Club Portal settings.

Stripe's collection and use of your payment information is governed by Stripe's Privacy Policy. Stripe is certified to the PCI Data Security Standard (PCI DSS).

We retain billing identifiers and court hire usage records for a minimum of 7 years to comply with Australian financial record-keeping requirements.

3. Why We Collect It (Purpose of Collection)

We collect personal information for the following primary purposes:

  • Processing and managing trial registrations on behalf of participating clubs.
  • Facilitating player check-in, grading, team allocation, and session planning.
  • Communicating with parents and guardians about registration status, trial outcomes, team offers, and waitlist notices.
  • Enabling clubs to manage their own player data through the club portal.
  • Managing court bookings, venue availability, and scheduling on behalf of clubs and venues.
  • Generating monthly court hire invoices and processing platform subscription billing via Stripe.
  • Providing venue managers with access to booking data for operational and billing purposes.
  • Processing payments where a registration fee or court hire charge applies.
  • Sending operational and administrative communications related to the trial, program, or billing.
  • Improving the platform and ensuring its security and integrity.

Where you have provided optional marketing consent, we may also use your contact details to send information about future programs, camps, events, and merchandise from BALLERS.AU and participating clubs. You may withdraw this consent at any time by contacting us at the address below.

4. Who We Share It With

We do not sell personal information. We may share personal information with:

  • Participating clubs: the club you register with receives the player and parent information you submit in order to administer the trial. Each club is responsible for handling that information in accordance with applicable privacy laws.
  • Venue managers: venue managers at BALLERS.AU-managed venues can see the club name, division, booking times, and notes for all bookings at their venue. They do not have access to player or parent personal information.
  • Service providers: third-party providers that help us operate the platform, including cloud hosting, database, email delivery, and payment processing services. These providers are bound by confidentiality obligations and are only permitted to use personal information to provide services to us.
  • Stripe, Inc.: for processing registration fees, court hire charges, and platform subscription billing. Stripe's privacy policy applies to information you provide during checkout. We share only the minimum information necessary (name, email, club ID) to create and manage your Stripe customer record.
  • Law enforcement or regulators: where required or permitted by law, including in response to a court order, subpoena, or regulatory request.

5. Overseas Disclosure

Some of our service providers host or process data on servers located outside Australia, including in the United States and Singapore. Stripe, Inc. is headquartered in the United States and processes payment data globally. By using our platform, you consent to your personal information being transferred to and processed in these countries. We take reasonable steps to ensure that overseas recipients handle personal information in a manner consistent with the Australian Privacy Principles, including through contractual obligations. However, you acknowledge that once information is disclosed to an overseas recipient, we may not be able to ensure that the recipient complies with Australian privacy law, and APP 8.1 may not apply in those circumstances.

6. How Long We Keep It

Our data retention practices by category are as follows:

  • Trial registration data: deleted or de-identified within 90 days after the relevant trial or program ends, unless a longer period is required by law or for an active dispute.
  • Club portal account data: retained for the duration of the club's active subscription. Upon account termination, deleted or de-identified within 30 days.
  • Court booking records: retained for a minimum of 7 years to support billing disputes, audit requirements, and financial record-keeping obligations.
  • Billing and payment identifiers (Stripe IDs): retained for a minimum of 7 years in accordance with Australian financial record-keeping requirements.
  • Venue manager credentials: retained while the venue manager account is active. Deleted within 30 days of account deactivation.
  • Server and usage logs: retained for up to 90 days for security monitoring and platform improvement purposes.

We may retain data for longer than the periods above if required by law, needed to resolve an active dispute or legal claim, or needed for an ongoing safeguarding or welfare matter.

7. Security

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. These steps include:

  • Encrypted data transmission (TLS/HTTPS) for all platform traffic.
  • One-way hashed password storage (bcrypt) for venue manager credentials — passwords are never stored in plain text.
  • Signed JWT session tokens with configurable expiry (7 days standard, 30 days with Remember Me).
  • Role-based access controls — club admins, venue managers, regional admins, and platform admins each have distinct access levels.
  • Stripe PCI DSS compliance for all payment card data.
  • Regular security reviews and access audits.

However, no internet transmission is completely secure, and we cannot guarantee the security of information transmitted to or from our platform. If you suspect a security incident, contact us immediately at [email protected].

8. Your Rights

Under the Australian Privacy Principles, you have the right to:

  • Access the personal information we hold about you or your child.
  • Correct inaccurate, out-of-date, or incomplete information.
  • Request deletion of personal information we hold, subject to our legal obligations (including financial record-keeping requirements) and legitimate operational needs.
  • Withdraw consent to marketing communications at any time.
  • Request a copy of your court booking history or billing records held by BALLERS.AU.
  • Complain about a breach of the Australian Privacy Principles.

To exercise any of these rights, email our Privacy Officer at [email protected]. We will acknowledge your request within 5 business days and provide a substantive response within 30 days of receipt, in accordance with our obligations under the Privacy Act 1988 (APP 12 and APP 13). If we are unable to meet this timeframe, we will notify you in writing of the delay and the reason.

9. Club and Venue Manager Responsibilities

Each participating club that accesses player and parent information through the BALLERS.AU platform is independently responsible for handling that information in compliance with the Privacy Act 1988 and any other applicable laws. BALLERS.AU provides the platform as a service and is not responsible for how individual clubs use, store, or disclose the personal information they access.

Venue managers who access booking data through the Venue Manager Portal are responsible for:

  • Keeping their login credentials confidential and not sharing them with unauthorised persons.
  • Using booking export data (CSV) only for internal billing and operational purposes.
  • Notifying BALLERS.AU immediately of any suspected unauthorised access to their portal account.

10. Cookies and Session Tokens

We use browser cookies to maintain authenticated sessions on the platform. Specifically:

  • Club portal sessions: managed via Manus OAuth. Session cookies are set on successful login and expire after the configured session period.
  • Venue manager sessions: managed via a signed JWT cookie (venue_session). This cookie expires after 7 days (or 30 days if "Remember Me" is selected at login). It contains only the venue ID and username — no sensitive personal information.

We do not use third-party advertising cookies or tracking pixels. Standard analytics may be collected to monitor platform performance and usage patterns.

11. Complaints

If you believe we have breached the Australian Privacy Principles or the Privacy Act, please contact us in the first instance at [email protected]. We will investigate your complaint and respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The current version will always be available at ballers.au/privacy. We will notify registered club administrators of material changes by email. Continued use of the platform after a change constitutes acceptance of the updated policy.

13. Contact Us

For privacy-related enquiries, data access requests, correction requests, or complaints, contact our Privacy Officer:

BALLERS.AU — Privacy Officer

Email: [email protected]

We will acknowledge your request within 5 business days and provide a full response within 30 days of receipt. If additional time is required, we will notify you in writing before the 30-day period expires.

If you are not satisfied with our response to a privacy complaint, you may contact the Office of the Australian Information Commissioner (OAIC):

Office of the Australian Information Commissioner (OAIC)

Website: www.oaic.gov.au

Phone: 1300 363 992

Post: GPO Box 5218, Sydney NSW 2001