Privacy Policy
Last updated: 23 April 2026This policy describes how Paak collects, uses and protects the personal data processed on paak.club and within the Paak application. It is written in compliance with the Swiss Federal Act on Data Protection (FADP, revised version in force since 1 September 2023) and, where applicable, the European General Data Protection Regulation (GDPR — EU Regulation 2016/679).
1. Controller
Emmara by Cyrille Barraud, Swiss sole proprietorship (UID CHE-309.503.616), St. Alban-Anlage 25, 4052 Basel, Switzerland.
For any question related to personal data: contact@paak.club.
2. Who this applies to: visitor, app user, or club member
Three distinct situations must be distinguished:
- Visitors of paak.club (marketing site) — you browse our public pages or fill in a contact form. Your data is processed by Paak.
- Paak app users (club directors, coaches, staff) — you have created an account and manage a club. Your account data is processed by Paak.
- Members of clubs managed in Paak (members, parents, minors) — your data has been entered by the club that registered you. In this case the club is the controller and Paak acts only as a processor (art. 9 FADP / art. 28 GDPR). For any question about your rights, contact your club first.
3. Data we collect
3.1 Visitors of paak.club
- Contact form / waitlist — first name, last name, email, declared role, club. Legal basis: consent (art. 6 FADP; art. 6(1)(a) GDPR).
- Technical data — truncated IP address, browser type, pages viewed, via our self-hosted Matomo instance. Only collected if you accept analytics cookies.
3.2 App users (admin / staff accounts)
- Authentication credentials (email, Hanko session), first and last name, role in the club.
- Billing data if you upgrade to a paid plan (billing email and name).
- Minimal technical logs required for operation and security (access logs, connection history, failed attempts).
3.3 Data entered by clubs in the app
Clubs enter in Paak the data they need to manage their activity: member details, licences, fees, coaching, attendance, equipment. Paak hosts and secures this data on behalf of the club, without exploiting its content.
4. Purposes
- Provide the Paak service and associated support.
- Process payments and issue invoices.
- Send operational communications (registration confirmation, payment reminders, security alerts).
- Improve the product through aggregated statistics (only with analytics-cookie consent).
- Comply with our legal obligations (accounting, requests from competent authorities).
5. Legal bases (GDPR) / grounds of justification (FADP)
- Contract performance — user accounts, billing, service operation.
- Consent — analytics cookies, voluntary contact forms, marketing communications.
- Legitimate interest — service security, fraud prevention, functional improvement.
- Legal obligation — accounting retention, responses to authorities, FIJAISV compliance (art. L.212-9 French Sports Code) for concerned clubs.
6. Processors and recipients
We rely on European processors to deliver the service. No data is transferred outside the European Union or Switzerland.
| Provider | Role | Country |
|---|---|---|
| OVHcloud | Application and database hosting | France (EU) |
| Hanko | Authentication (passkeys, sessions) | Germany (EU) |
| Mollie | Online payments (fees, equipment, subscriptions) | Netherlands (EU) |
| Brevo (ex-Sendinblue) | Transactional emails and newsletters | France (EU) |
| Matomo (self-hosted) | Website analytics — on our own OVH server | France (EU) |
Data-processing agreements (DPA, art. 28 GDPR / art. 9 FADP) are in place with each of these providers.
7. Retention
- User account — throughout the duration of use, then up to 90 days after termination before final deletion.
- Billing data — 10 years (Swiss accounting obligation, art. 958f CO).
- Waitlists and contact requests — up to 2 years after the last exchange, unless you unsubscribe.
- Member data managed by a club — for as long as the club retains it. Deletion requests go through the club.
- Technical security logs — 12 months maximum.
8. Your rights
Under the FADP and the GDPR, you have the following rights:
- Access — obtain a copy of your personal data.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your data (subject to legal obligations).
- Restriction — temporarily suspend a contested processing activity.
- Objection — refuse processing based on legitimate interest or marketing.
- Portability — receive your data in a structured, machine-readable format.
- Withdraw consent at any time, with no retroactive effect.
To exercise these rights on data managed by your club, address your club first (Paak acts as processor in that case). For data we process as controller (website, admin account, billing), write to contact@paak.club. We answer within 30 days.
9. Supervisory authority
You have the right to lodge a complaint:
- with the Swiss Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern — edoeb.admin.ch (for Swiss residents);
- or with the data protection authority of your EU country of residence (e.g. the CNIL in France — cnil.fr).
10. Security
Data is encrypted in transit (TLS 1.2+), user passwords are replaced by passkeys (Hanko, passwordless authentication), database backups are encrypted. Administrator access is logged and protected by strong authentication.
11. International transfers
No data is transferred to a third country. The entire infrastructure is hosted in the European Union, with exclusively European processors. Switzerland benefits from an adequacy decision from the European Commission, ensuring equivalent protection in both directions.
12. Changes to this policy
We may update this policy to reflect legal or technical developments. The last update date appears at the top of this document. Material changes will be notified by email to active users.