Privacy Policy
Effective date: 2026-06-03 Last updated: 2026-06-07
This Privacy Policy explains how By Way ofLiving (“ofLiving”, “we”, “us”, or “our”), a company registered in the Kingdom of Saudi Arabia, collects, uses, shares, and retains personal data in connection with the ofSports application (the “Service”).
This Policy is issued in accordance with the Personal Data Protection Law of the Kingdom of Saudi Arabia (PDPL) and its Implementing Regulations.
By using the Service you confirm that you have read this Policy, understand it, and consent to the processing of your personal data as described — including the transfer of your personal data outside the Kingdom of Saudi Arabia as described in Section 6.
1. Who we are and how to contact us
Data controller: By Way ofLiving Registered address: 8127 3 - Al Jamiah Dist. 34257 - 4285 Contact for privacy inquiries (data access, correction, deletion, complaints): ofliving.app@gmail.com
You may also lodge a complaint with the Saudi Data & AI Authority (SDAIA), the supervisory authority under PDPL.
2. Personal data we collect
We collect only the personal data we need to operate the Service. The categories below describe the data we collect and where it comes from.
2.1 Data you provide to create and use your account
- Email address (for one-time-code authentication)
- Username, display name, biography (≤ 280 characters)
- Profile photograph (optional; stored in our Service’s image storage)
- Date of birth (required at signup; used to verify the 18+ minimum age requirement and not displayed publicly)
- Gender (set at signup; immutable)
- Tennis skill rating (NTRP), self-assessed
- Preferred court area (free-text label, e.g., a neighborhood name)
- Geographic coordinates (latitude and longitude — collected only when you explicitly tap “Use my location” and grant browser geolocation permission; used to compute distance to other Users)
- Color theme preference (UI setting)
- Default availability preferences (skill range, distance, audience, post duration) — used to fill fields you don’t specify in a post prompt
2.2 Data you generate by using the Service
- Availability posts — including the full natural-language text of the prompt you type, the time window we extract from it, filter preferences, and any court name / court location / Google Places identifier you select
- Match requests you send or receive
- Chat messages (auto-deleted after 7 days — see Section 7)
- Match outcome reports you submit after games, including: did-you-play status, match-quality rating, sportsmanship rating about your partner, would-play-again flag, perceived play style of your partner, and an optional free-text note (≤ 1,000 characters)
- Reports you submit about other Users (reason and an optional free-text details field, ≤ 1,000 characters)
- Self-presentation tags (attitude / play style / intent), match-preference tags, and an optional “about me” free text (≤ 500 characters)
- Friendships (canonical pairs) and blocks (asymmetric)
- Community memberships (which communities you have joined via a join code, and when)
- Derived ranking values (
a_tag_weights,b_tag_values) computed by our AI matchmaker from your activity — see Section 3
2.3 Data we collect automatically
- IP address (incidental to all HTTP requests)
- Device and browser information (from request headers)
- Authentication session cookies (HTTP-only, secure, set by our authentication provider, required for the Service to recognize you between requests)
- Realtime connection metadata (when the app is open, your client subscribes to real-time updates; the subscription connection includes incidental network metadata)
- Push notification token (a device identifier issued by the Apple Push Notification service (APNs) and obtained through Expo; recorded only if you grant notification permission on the mobile app, and used solely to deliver push notifications to your device)
2.4 Data we receive from other Users about you
- Other Users may report you, block you, or submit a match outcome that names you (always as their partner, not by your account ID being attached to the note text). Reports and outcome notes are written by other Users in free text; the content is provided by them, but the fact of receiving it is part of the data we hold about you.
We do not collect: payment information, phone numbers, government identifiers, health records, biometric data, racial or ethnic data, religious beliefs, political opinions, or any other special-category personal data.
The Service is for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has registered, contact ofliving.app@gmail.com.
3. How and why we use your personal data
We process your personal data for the following purposes:
| Purpose | Personal data involved | Legal basis (PDPL) |
|---|---|---|
| Creating and maintaining your account | Email, profile fields, DOB | Performance of a contract (these Terms) |
| Matching you with other tennis players | Profile fields, location, availability posts, traits, preferences | Performance of a contract |
| Parsing your natural-language availability prompts | Full prompt text + your NTRP and defaults (sent to our AI provider — see Section 5) | Performance of a contract; your consent |
| Ranking matches based on your past match outcomes and your partners’ close-out notes about you (the “AI matchmaker”) | Match outcome notes (yours, and those written about you by others) sent to our AI provider; derived numeric values stored on your profile | Performance of a contract; legitimate interest in improving the Service; your consent |
| Communicating with you (in-app notification dots, and push notifications on the mobile app) | Display name, account email, communication metadata, push notification token + notification content (e.g. “X asked to play”, message previews) | Performance of a contract |
| Enabling chat between matched Users | Chat message content (7-day retention) | Performance of a contract |
| Safety, abuse prevention, and content moderation | Reports filed about you; match outcomes flagged for review; account activity | Compliance with legal obligations; legitimate interest in user safety |
| Account deletion (when you request it) | All of the above, removed per Section 7 | Performance of a contract; compliance with legal obligations |
| Operational debugging and Service improvement | Aggregate / non-personal logs; AI ingest logs (30-day retention, internal-only) | Legitimate interest in operating and improving the Service |
| Enforcing our Terms of Service and protecting our legal rights | As needed | Legitimate interest; compliance with legal obligations |
We do not use your personal data for behavioral advertising, automated decision-making with legal effect, or any purpose not listed above.
3.1 Visibility to other Users
Because the Service is a matchmaking platform, some of your profile information is visible to other signed-in Users — for example when they receive a request from you, browse potential matches, or open your profile from your avatar. This visible information is: your username, display name, profile photo, biography, NTRP rating, gender (unless you leave it undisclosed), the month and year you joined, and your count of completed matches. A User you are connected with may also see whether the two of you are friends or members of the same community, and how many matches the two of you have played together. Free-text close-out notes are never shown to other Users (Section 4.2), and Users you have blocked — or who have blocked you — cannot see your profile.
4. AI processing — explicit disclosure
Two features of the Service involve sending your personal data to a third-party Artificial Intelligence (AI) provider, Anthropic, PBC (United States). We disclose this here because it is not obvious from using the Service:
4.1 Intent parsing
When you submit a natural-language availability prompt (for example, “tennis at Riverside tomorrow 4-6pm”), the complete prompt text is sent to Anthropic together with your tennis skill level (NTRP) and your default preferences, so that Anthropic’s language model can extract a structured availability intent. The extracted result is stored against your post. We do not send your name, email address, or precise location coordinates in this call.
4.2 Matchmaker AI
Our matchmaker computes numeric ranking values that influence the order in which Users appear to one another. These values are computed by sending close-out notes (the free-text notes you and other Users write after matches) to Anthropic for analysis:
- A-side computation: the close-out notes you have written about other Users are sent to Anthropic to compute your viewer-side ranking weights.
- B-side computation: the close-out notes other Users have written about you are sent to Anthropic to compute candidate-side values stored on your profile.
The raw notes are sent to Anthropic only at the moment of computation; the resulting numeric values (not the raw notes) are stored against the relevant User profile. Other Users never see the raw notes you wrote about them, and you never see the raw notes that others wrote about you — only the influence of those notes on ranking, never the text.
As of the effective date of this Policy, Anthropic’s commercial API terms provide that customer API content is not used to train Anthropic’s models by default. Anthropic’s terms may change; we are not in a position to guarantee Anthropic’s processing practices and we encourage you to review Anthropic’s then-current commercial terms if this is material to you.
We retain operational logs of these AI calls for 30 days for debugging; those logs are accessible only to our operational staff and are not used for any other purpose.
5. Sharing your personal data with third parties
We share personal data only with the categories of recipients listed below, only to the extent necessary for the purposes listed in Section 3. We do not sell your personal data.
| Recipient | What they receive | Why |
|---|---|---|
| Supabase, Inc. (United States) | Database records, authentication events, profile photos, real-time event data | Hosted database, authentication, storage, and real-time infrastructure |
| Anthropic, PBC (United States) | Intent-parser prompts; matchmaker close-out notes (as described in Section 4) | AI-powered prompt parsing and matchmaker ranking |
| Google LLC (United States / global infrastructure) | Search-query text as you type in the court-location field (after a 3-character threshold); user-selected place’s formatted address and place ID | Google Places Autocomplete for court selection |
| Vercel, Inc. (United States / global edge) | All HTTP traffic to the Service (request URLs, headers, IP) | Application hosting and edge runtime |
| 650 Industries, Inc. (Expo) (United States) | Your device’s push notification token and the content of push notifications (e.g. “X asked to play”, message previews) | Relaying push notifications to your device via the Expo Push service |
| Apple Inc. (United States) | Your device’s push token and push notification content | Delivering push notifications to your iOS device via the Apple Push Notification service (APNs) |
| Competent governmental authorities and courts | As required | Compliance with applicable law, valid legal process, or to protect our legal rights |
| Professional advisors (e.g., legal counsel, accountants), in confidence | As required | Legitimate interest in operating and protecting the business |
| A successor in the event of a corporate transaction (merger, acquisition, asset sale, restructuring) | As required by the transaction | Legitimate interest |
We do not share your personal data with any other third party for any other purpose.
6. Transferring your personal data outside the Kingdom of Saudi Arabia
By using the Service, you acknowledge and explicitly consent to the transfer of your personal data to, storage in, and processing in countries outside the Kingdom of Saudi Arabia, including the United States. This consent is the legal basis for the cross-border transfers described in this Section, under PDPL Article 29.
The Service relies on infrastructure providers located in the United States. As a result, your personal data is transferred to, stored in, and processed in the United States by Supabase, Anthropic, Google, Vercel, Expo (650 Industries), and Apple.
The United States is not currently on the SDAIA list of jurisdictions providing an adequate level of personal data protection. We take reasonable steps to ensure that each provider applies appropriate technical and organizational security measures (encryption in transit, access controls, audit logging).
7. How long we keep your personal data
| Category | Retention |
|---|---|
| Profile, posts, friendships, communities | Until you delete your account |
| Chat messages | 7 days from the message timestamp, then automatically deleted by a scheduled job |
| Match outcome reports | Until you delete your account (or as needed for safety / abuse investigations) |
| Reports about other Users | Until you delete your account, then anonymized to preserve a complaint trail for the reported User’s history (the report content is kept; your account ID is removed) |
| Auth session cookies | Until the session expires or you sign out |
| Push notification token | Until you sign out, the token is replaced, or you delete your account (the token is re-recorded on each sign-in) |
| Operational AI ingest logs | 30 days, then automatically deleted by a scheduled job |
| Backups | Routine backups retained for a short rolling window (typically up to 30 days) for disaster recovery |
When you delete your account, your profile and your generated content are removed promptly from our active systems. Some records may persist briefly in backups or where their retention is required by law (for example, to defend against legal claims or to comply with anti-fraud rules).
8. Your rights under PDPL
The PDPL gives you the following rights with respect to your personal data:
- Right to be informed — the existence of this Policy fulfills this right.
- Right of access — you may request a copy of the personal data we hold about you.
- Right of correction — you may correct inaccurate or incomplete personal data, either directly through the Service or by contacting us.
- Right of erasure (account deletion) — you may delete your account directly from the profile screen at any time, which removes the data described in Section 7.
- Right to object or restrict processing — you may object to processing based on legitimate interest by contacting us.
- Right to withdraw consent — you may withdraw consent at any time by deleting your account. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
- Right to data portability — you may request a structured copy of the data you have provided to us.
- Right to complain — you may lodge a complaint with SDAIA.
To exercise any of these rights, contact ofliving.app@gmail.com. We will respond within thirty (30) days of receiving a valid request, in accordance with PDPL Article 4.
9. Security
We apply reasonable technical and organizational measures to protect your personal data, including:
- Encryption in transit (HTTPS / TLS) for all traffic between your device and the Service;
- Row-level security in our database, so that personal data is accessible only to authorized callers (you, in most cases);
- Strict access controls for operational staff;
- Automatic deletion of chat content and operational logs on the schedules described in Section 7;
- Service-role escalations logged and used only for legitimate purposes (account deletion, ops triage, AI matchmaker recomputes).
No system is completely secure, and no transmission of data over the internet can be guaranteed to be entirely secure. We cannot guarantee absolute security of your personal data, and any transmission is at your own risk. If we become aware of a personal data breach affecting your data, we will notify you and the relevant supervisory authority as required by PDPL.
10. Cookies and similar technologies
We use a single category of cookies: authentication cookies (HTTP-only, secure, set by Supabase) that are strictly necessary for the Service to recognize you between requests. We do not use cookies for advertising or analytics.
11. Children’s data
The Service is not directed at, and we do not knowingly collect personal data from, anyone under the age of eighteen (18). The 18+ minimum is enforced at account creation by date-of-birth verification. If we become aware that we have inadvertently collected personal data from a minor, we will delete it.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this Policy reflects the most recent revision. Material changes will be communicated by reasonable means (in-app notice, email to the address associated with your account). Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the revised Policy.
13. Language
This Privacy Policy is drafted in English. If a translation into another language is provided, the English version controls in case of any conflict. (Note: a Saudi Arabic version may be issued in the future; the controlling-language clause will be reviewed at that time.)
14. Contact
For privacy inquiries, including requests to exercise the rights in Section 8, contact us at:
ofliving.app@gmail.com By Way ofLiving 8127 3 - Al Jamiah Dist. 34257 - 4285