Privacy Policy
This Privacy Policy explains how the International Pickleball Teaching Professional Association (“IPTPA”, “we”, “our”, or “us”) collects, uses, shares and protects information about you when you visit iptpa.com, register for an IPTPA certification, complete a workshop, use our member portal, or interact with our online academy. It also explains the choices and rights you have regarding your personal information.
Contents
- Who we are
- Definitions
- Information we collect
- How we use your information
- Lawful bases for processing
- How we share your information
- International data transfers
- How long we keep your information
- Your rights
- California (CPRA) rights
- Marketing communications
- Cookies and similar technologies
- Automated decision-making
- Children's information
- Security
- Data breaches
- Changes to this policy
- How to contact us
1. Who we are
The International Pickleball Teaching Professional Association is a professional certification body founded in 2015. We certify teaching professionals in pickleball worldwide and maintain the global standard for pickleball instruction. For the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent regimes, IPTPA is the “data controller” of the personal information described in this policy.
Our registered address is available on request by writing to privacy@iptpa.com. We do not currently designate a Data Protection Officer (we do not meet the GDPR Article 37 mandatory-DPO threshold); privacy enquiries are routed to a named accountability lead within IPTPA leadership.
2. Definitions
- Personal information (or “personal data”): any information that identifies you or could reasonably be used to identify you, such as your name, email address, phone number, certification record, or device identifiers.
- Processing: any action we take with personal information — collecting, storing, using, sharing, deleting, etc.
- Data subject: the individual to whom the personal information relates — that's you.
- Processor: a third party that processes personal information on our behalf, under our instructions and a written agreement (for example, Stripe processes your payment details when you pay for a certification).
- Cookies: small data files stored in your browser. Some are strictly necessary for the site to function; others require your consent. See our separate Cookie Policy.
3. Information we collect
3.1 Information you provide to us
- Account and identity data — full name, email address, password (stored as a one-way bcrypt hash; we cannot recover it), date of birth, gender.
- Contact data — mailing address, city, state or region, country, telephone numbers (home, mobile, work).
- Professional data — club or facility affiliation, years of teaching experience, playing experience, current skill rating, professional motivations.
- Certification application data — reference contacts, employer information, application narrative, signature, signed forms, examination records, and any documentation submitted in support of an application.
- Public profile content (optional) — biography, languages spoken, profile photograph, social-media links, website. You choose whether to publish these on your Find a Coach profile.
- Payment data — we never store full card numbers. Stripe, our payment processor, collects card details directly via their hosted checkout. We retain the Stripe payment intent ID, transaction date, amount, currency, and the product category (e.g. “Level II Fees”).
- Junior Registry data — for members under 18, additionally: parent or guardian name, parent contact email, and parent telephone number. See Section 14 for the parental consent process.
- Correspondence — the content of emails you send us, contact-form submissions, and notes our administrators record on your member file.
3.2 Information we collect automatically
- Device and connection data — IP address (hashed before storage to a salted SHA-256), user-agent string, operating system, browser type, screen resolution.
- Usage data — pages visited, time and date of visit, time spent on each page, referring website, the path you took through our site, errors encountered.
- Cookies and similar technologies — see Section 12 and our Cookie Policy for the complete inventory and your controls.
3.3 Information we receive from third parties
- Stripe: the transaction outcome (succeeded / failed / refunded) and the last four digits of the payment instrument.
- Mailgun: delivery, bounce and complaint events for the transactional emails we send you.
- Public certification verifiers: when an employer or club verifies your IPTPA certification, that interaction is logged.
4. How we use your information
We use your information for the following purposes:
- Deliver the IPTPA programme — create and maintain your account, process certification applications, schedule examinations, record results, issue certificates, manage memberships and renewals.
- Communicate with you — transactional emails (account, payment receipts, exam notifications, certification expiry reminders) and, where you have opted in, marketing emails (newsletters, event invitations).
- Operate the public Find a Coach directory — display your name, certifications, city, country and any optional profile data you have chosen to share, so that prospective students can locate certified instructors.
- Handle payments — process certification fees, dues, and other transactions via Stripe.
- Protect the integrity of the IPTPA certification — detect fraud, deter impersonation, investigate misconduct.
- Comply with legal obligations — retain financial records for tax purposes, respond to lawful requests from competent authorities, handle data-subject rights requests.
- Improve our services — analyse aggregated, de-identified usage statistics to improve site navigation and educational content (only with your consent for non-essential analytics).
5. Lawful bases for processing
Under the GDPR, the UK GDPR and equivalent regimes, we rely on the following lawful bases:
| Lawful basis | When we rely on it |
|---|---|
| Contract | To provide your IPTPA membership, certification programmes, online academy curriculum and the services you have signed up for. |
| Legitimate interest | To maintain the integrity of certifications, prevent fraud, ensure the security of our systems, and to improve our services (always balanced against your rights). |
| Legal obligation | To retain payment, tax and accreditation records, to respond to lawful regulatory requests, and to meet recordkeeping rules in jurisdictions where we operate. |
| Consent | For non-essential cookies, marketing communications, optional public-profile fields, and any processing that we describe as “with your consent”. You may withdraw consent at any time without affecting prior processing. |
| Vital interest / public interest | Only in exceptional circumstances (for example, an emergency involving a minor in the Junior Registry). |
6. How we share your information
We share personal information only with the service providers (“processors”) that make IPTPA work, with certification verifiers where you have requested verification, and where we are legally required to do so. We do not sell personal information. We do not share personal information for cross-context behavioural advertising.
6.1 Service providers
Each processor below is bound by a written Data Processing Agreement under which they may only process your information on our documented instructions.
| Provider | Purpose | Location of processing |
|---|---|---|
| Microsoft Azure | Cloud hosting, database, file storage, identity | United States (DPF certified) |
| Stripe, Inc. | Payment processing | United States (DPF certified) |
| Mailgun (Sinch) | Transactional email delivery | United States (Standard Contractual Clauses) |
| Twilio, Inc. | SMS notifications (where opted in) | United States (DPF certified) |
| Google LLC | Analytics (with consent), Maps, Translate, Workspace | United States (DPF certified) |
| Osano | Cookie consent management | United States |
| Zoom Video Communications | Webinar delivery (for IPTPA events you register for) | United States (DPF certified) |
6.2 Public certification directory
If you are a certified IPTPA professional, the following data is published on our public Find a Coach directory unless you tell us otherwise: name, certifications held, city, state or region, country, and any optional profile content (biography, photo, social media, website) you have chosen to share.
6.3 Legal disclosures
We may disclose personal information when required by law, court order, or government authority, or where we believe in good faith that disclosure is necessary to protect our rights, the safety of our members, or the public.
6.4 Business transfers
If IPTPA is involved in a merger, acquisition, restructuring or asset sale, personal information may be transferred as part of that transaction. The acquiring party will be bound by this Privacy Policy (or notify you of any change before continued processing).
7. International data transfers
IPTPA is hosted on Microsoft Azure infrastructure in the United States. When you access our services from outside the United States, your personal information is transferred to and processed in the United States, and may be transferred to other countries where our processors operate.
We rely on the following safeguards for international transfers:
- The EU-US Data Privacy Framework, the UK Extension and the Swiss-US Framework for transfers to certified US-based processors (Microsoft Azure, Stripe, Google, Twilio, Zoom).
- The European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum) for transfers to processors that are not DPF-certified.
- Encryption in transit (TLS 1.2 or higher) and at rest for all personal information stored in our systems.
8. How long we keep your information
We retain personal information only for as long as is necessary for the purposes for which it was collected, the period required by applicable law, or until you request its deletion (subject to legal-retention obligations).
| Category of data | Retention period | Reason |
|---|---|---|
| Active member account | Duration of the membership | Service delivery |
| Certification records | Indefinitely, as long as the certification remains valid or referenced | Verification of certifications is a core IPTPA service and is expected by employers and members |
| Lapsed (non-renewing) accounts | 3 years from the last activity, then anonymised or deleted | Allows reactivation and historical reporting |
| Payment and tax records | 7 years from the transaction date | Applicable tax and accounting law |
| Email correspondence | 3 years from the last reply | Customer-service quality assurance |
| Cookie consent records | 12 months from the date of consent | Accountability under GDPR Article 7(1) |
| Server logs (hashed IP + access events) | 90 days | Security and abuse investigation |
| Junior Registry profiles | Until age of majority, or earlier on parent/guardian request | Children's data minimisation |
9. Your rights
If you are in the European Economic Area, the United Kingdom, Switzerland, Canada (including Quebec), Brazil, Australia, South Africa, or another jurisdiction with comparable data-protection legislation, you have the rights below. To exercise any of them, email privacy@iptpa.com. We will respond within 30 calendar days (or the period required by your local law, whichever is shorter).
- Right of access — receive a copy of the personal information we hold about you, together with information about how we process it.
- Right of rectification — correct inaccurate or incomplete data. Most fields can also be self-edited inside your member portal under Profile.
- Right of erasure (“right to be forgotten”) — request deletion of your personal information, subject to the retention obligations in Section 8 (we may need to keep certain records to comply with tax or accreditation rules).
- Right of restriction — ask us to limit how we process your data while a complaint or correction request is reviewed.
- Right of portability — receive a copy of your data in a structured, commonly-used, machine-readable format (we provide JSON on request).
- Right to object — object to processing that we base on legitimate interest, including profiling.
- Right to withdraw consent — for any processing based on consent, with effect from the moment you withdraw.
- Right not to be subject to automated decision-making — see Section 13.
- Right to lodge a complaint — with your local supervisory authority. Examples: in Spain, the Agencia Española de Protección de Datos; in the UK, the Information Commissioner's Office; in Ireland (where most EU users may complain in the absence of an establishment elsewhere), the Data Protection Commission; in Canada, the Office of the Privacy Commissioner; in Brazil, the Autoridade Nacional de Proteção de Dados (ANPD).
10. California (CPRA) rights
If you are a California resident, the California Privacy Rights Act gives you the additional rights below. These rights are in addition to (not in place of) the rights in Section 9.
- Right to know what categories of personal information we have collected about you in the past 12 months, the categories of sources, the business purpose, and the categories of third parties with whom we share it.
- Right to delete personal information we have collected (subject to the same exceptions described in Section 8).
- Right to correct inaccurate personal information.
- Right to opt-out of sale or sharing for cross-context behavioural advertising. IPTPA does not sell personal information and does not share it for cross-context behavioural advertising. The “Do Not Sell or Share My Personal Information” link in our footer is offered for completeness and selecting it has no operational effect beyond logging your preference.
- Right to limit use of sensitive personal information — we do not currently process sensitive personal information for any purpose other than to provide our services.
- Right of non-discrimination — we will not deny you services, charge you a different price, or provide a different level of service because you exercised a CPRA right.
To exercise a California-specific right, email privacy@iptpa.com. We may need to verify your identity before responding, typically by confirming information that matches what we already hold about you.
11. Marketing communications
We send three categories of email:
- Transactional emails are sent to deliver the service you have signed up for — account confirmations, payment receipts, password resets, certification renewal reminders, exam notifications. You cannot opt out of these while your account is active because they are necessary for the contract between us.
- Operational announcements are sent when something material changes for all members — a change to this Privacy Policy, a security incident notification, a change to the IPTPA certification programme. You cannot opt out of these.
- Marketing emails — newsletters, event invitations, partner offers — are sent only with your consent and may be unsubscribed from at any time by clicking the “unsubscribe” link in any such email or by emailing privacy@iptpa.com.
12. Cookies and similar technologies
We use cookies, local storage and session storage on iptpa.com. Cookies fall into five categories — strictly necessary, preferences, analytics, functional, and marketing. The strictly necessary category is always active because the site cannot function without it; all other categories require your consent.
You manage your cookie choices through the consent banner that appears on your first visit and via the “Cookie Preferences” link in our footer. See our separate Cookie Policy for the complete inventory.
IPTPA also honours the Global Privacy Control (GPC) signal where your browser sends one: if we receive a GPC signal, we treat it as an opt-out of all non-essential cookies and as an opt-out of “sale or sharing” under the CPRA.
13. Automated decision-making
IPTPA does not use solely-automated decision-making that produces legal effects concerning you or similarly significantly affects you. All certification decisions, examination outcomes and account-status changes involve human review by IPTPA staff.
14. Children's information
The IPTPA Junior Registry is designed for participants aged 4 through 18. We take additional protective steps for users under the legal age of digital consent in their jurisdiction:
- European Union — verifiable parental consent is required for any user under 16 (or under the age set by national law in each Member State, which may be as low as 13).
- United States — in line with the Children's Online Privacy Protection Act (COPPA), verifiable parental consent is required for any user under 13.
- United Kingdom — parental consent is required for any user under 13, in line with the Information Commissioner's Age-Appropriate Design Code.
- Parents or guardians may, at any time, review the data we hold about their child, request correction, or request deletion, by writing to privacy@iptpa.com.
- We never knowingly enrol a child in marketing communications. We do not profile children's data.
15. Security
We take the following technical and organisational measures to protect your information:
- All traffic to and from IPTPA is encrypted in transit using TLS 1.2 or higher.
- Passwords are stored using the bcrypt one-way hashing algorithm with a per-record salt; we cannot recover your password and a reset is the only way to regain access.
- Production databases are accessible only to Azure-resident services and named administrators; direct developer access via personal IP allow-lists has been retired (May 2026).
- Application code is reviewed before deployment; security audits are performed on a quarterly cadence.
- Stripe handles all card data inside their PCI-DSS Level 1 environment; we never see your full card number.
- Mailgun and Twilio messages are sent over authenticated, encrypted channels.
16. Data breaches
In the event of a personal-data breach that creates a risk to your rights or freedoms, we will:
- Notify the relevant supervisory authority (or authorities) within 72 hours of becoming aware, where required by GDPR Article 33 or equivalent law.
- Notify affected individuals directly, without undue delay, where the breach is likely to result in a high risk to your rights and freedoms (GDPR Article 34).
- Maintain an internal record of all breaches, regardless of notification threshold, in line with our internal incident-response procedure.
17. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our service providers, or applicable law. The “Last updated” date at the top of this page always reflects the version in force.
If a change materially affects your rights, we will notify active members by email and announce the change on this page before it takes effect.
18. How to contact us
For any question, comment, complaint or request regarding this Privacy Policy or your personal information:
- Email privacy@iptpa.com (privacy and data-subject rights requests).
- Email info@iptpa.com (general enquiries).
- Our registered postal address is available on request.
For visitors in the European Union or the European Economic Area, we do not currently maintain an Article 27 representative, on the basis that our targeting of EU residents is incidental and not systematic. If this changes, we will update this section accordingly.