Privacy Policy
How PadelBot collects, uses, stores, and protects customer data.
Effective: June 18, 20261. Who we are
PadelBot is a Venue intelligence platform for sports venues (padel, cricket, and football courts). When you message a venue that uses PadelBot, you are interacting with software operated by us on behalf of that venue. This policy explains what data we collect from you, how it is used, where it is stored, and the choices you have.
For the purposes of this policy:
- "Venue" means the sports facility you are booking with (e.g., the padel club whose WhatsApp number you messaged).
- "PadelBot", "we", and "us" refer to the operators of the PadelBot service.
- "You" means a customer who messages a venue using the PadelBot booking bot.
2. What we collect
From your WhatsApp messages
- Your WhatsApp phone number
- Your name (only when you share it during a booking)
- The content of messages you exchange with the bot or venue staff, so the bot can remember context across a conversation
- WhatsApp message metadata provided by Meta (timestamp, message ID, delivery status)
From your bookings
- Sport, court, date, time, duration, and price of each booking
- Whether a booking was confirmed, cancelled, or amended
- Any notes added by venue staff against your booking
What we do not collect
- We do not collect payment card or bank details — payments happen at the venue, not through PadelBot.
- We do not collect your address, ID number, or date of birth.
- We do not track your location.
- We do not use cookies or analytics tracking for customers messaging the bot. (The venue-staff dashboard uses a session cookie purely for login.)
3. How we use your data
- To complete the booking you are requesting (finding an available court at the requested time, confirming the reservation, sending a confirmation message)
- To send you reminders ahead of your booking and let you confirm or cancel it
- To allow venue staff to identify you and assist if you need a manual change
- To improve the bot's accuracy by reviewing transcripts where the bot misunderstood something (only by the small operations team that maintains the service)
- To operate the venue's dashboard reports (e.g., total bookings, revenue, popular times) — these reports use aggregated counts, not your individual messages
We do not sell, rent, or share your data with advertisers or third-party marketing services. We do not use your data to train AI models — see Section 5 for how we use AI providers.
4. Where your data is stored
Your data is stored across a small set of carefully chosen service providers. Each is used for one specific purpose:
| Provider | Purpose | What they see |
|---|---|---|
| Supabase | Primary database (PostgreSQL) | Your bookings, your messages, your phone number and name |
| Cloudflare | Hosting and request routing | Request metadata (IP for the WhatsApp servers — not yours directly), in-memory message processing |
| Meta (WhatsApp) | Message delivery | All messages between you and the venue, governed by WhatsApp's own privacy policy |
| Google (Gemini API) | Natural-language understanding | The text of your messages, sent in real time so the bot can understand them. See Section 5. |
| Langfuse | Operational tracing for the bot | Transcripts of conversations and bot decisions, used by our operations team to debug issues |
| Resend | Operator alert emails | Alert emails sent to our operations team when something goes wrong — these contain message excerpts but are not customer-facing |
These providers are primarily hosted in the United States and Europe. By using PadelBot you understand your data may be processed outside of Pakistan in jurisdictions with different data protection laws.
5. Use of AI providers
PadelBot uses Google's Gemini API to understand and respond to your messages in natural language. When you send a message, its text is sent to Google over an encrypted connection so Gemini can interpret it and produce a reply.
We use Google's paid API tier, under which Google's published policy states that the contents of paid API requests are not used to train or improve Google's models. Google retains request payloads only for short operational windows (caching, abuse detection, billing) and not for any other purpose.
We do not send your data to any other third-party AI service.
6. Who can see your data
- Venue staff at the venue you are booking with, via the venue's own dashboard login. They can see your name, phone number, bookings, and the conversation history with you.
- The PadelBot operations team — a small group responsible for keeping the service running. We access conversation data only when investigating an issue.
- Sub-processors listed in Section 4, only to the extent needed for their specific purpose.
We do not share your data with advertisers, data brokers, or any party for marketing purposes.
7. How long we keep your data
- Bookings are kept indefinitely so the venue can produce historical reports and respond to past-booking questions (e.g., dispute resolution).
- Conversation history is kept indefinitely by default so the bot can remember context across visits. You can ask us to delete it at any time (see Section 8).
- Operational logs and tracing are retained for up to 90 days, after which they are deleted automatically.
8. Your choices and rights
Request deletion of your data
You can ask us to delete your personal data (your conversation history, your name, your phone number, and your past bookings) at any time. To do this, message the venue with the text:
"Please delete my data"
We will remove your record within 7 days. Note that bookings used in venue accounting may be anonymised rather than fully deleted, so the venue's historical revenue reports remain accurate.
Stop using the bot
You can stop messaging the bot at any time. The bot will not message you unless you message first or you have an upcoming booking the venue has set a reminder for. To stop reminders for an upcoming booking, simply reply asking us to cancel.
Correct your information
If your name or any other detail in our system is wrong, message the venue and ask the staff to update it.
9. How we protect your data
- All connections between WhatsApp, our servers, and our sub-processors use HTTPS encryption.
- The database (Supabase) is encrypted at rest using industry-standard AES encryption.
- The venue-staff dashboard is protected by authenticated login. Passwords are stored as salted PBKDF2-SHA256 hashes — we never store plaintext passwords.
- Per-venue access tokens are stored encrypted at rest and used only by that venue's configuration; one venue's bot cannot read another venue's conversations.
- WhatsApp messages between you and Meta's servers are end-to-end encrypted, per WhatsApp's own infrastructure. Messages are decrypted by Meta and then forwarded to PadelBot over HTTPS — at no point is your message available in plaintext outside of the systems described in Section 4.
10. Children
PadelBot is not intended for use by individuals under the age of 13. If a parent or guardian becomes aware that a child under 13 has provided us with information, please contact the venue to have it deleted.
11. Changes to this policy
We may update this policy from time to time — for example, when we add a feature that handles new types of data. The "Effective" date at the top will be updated whenever we do. If a change is material, we will post a notice on the dashboard sign-in page so venue owners are aware.
12. Contact
Questions or requests about this policy can be sent via WhatsApp to the venue you are booking with, or by email to: