Dubai Basketball Club Privacy Policy

Effective date: September 11, 2025 • Last updated: September 11, 2025

Table of Contents

  1. Introduction
  2. Who we are (Data Controller) & Contact Details
  3. Scope – where this policy applies
  4. Definitions
  5. Personal data we collect – categories & examples
  6. How we collect data
  7. Purposes of processing & lawful bases
  8. Legal bases by activity (table)
  9. Third parties and recipients (data sharing)
  10. International data transfers & safeguards
  11. Data retention & deletion
  12. Security measures
  13. Cookies & tracking technologies
  14. Children & minors
  15. Automated decisions & profiling
  16. Your privacy rights & how to exercise them
  17. How to make a complaint
  18. Data breaches & notifications
  19. Changes to this policy
  20. Contact information

1. Introduction

Dubai Basketball Club (“we”, “us”, or “our”) operates the Dubai Basketball Club mobile application and related services (collectively, the “Services”). We respect your privacy and are committed to protecting the personal data of our users and to processing it lawfully, fairly, and transparently.

This Policy explains, in clear terms, how and why we collect, use, disclose, retain, and safeguard personal data when delivering our Services. In particular, the app functions as a central platform for membership management, community engagement through forums and messaging, participation in live and digital events, ticketing and access control, merchandising and exclusive digital content, as well as gamification features and digital rewards where offered.

This Policy is drafted in light of the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021 – “PDPL”), applicable free-zone rules (e.g., DIFC/ADGM) and, where relevant, the EU General Data Protection Regulation (Regulation (EU) 2016/679 – “GDPR”). We also respect and apply privacy requirements under other data protection regimes worldwide where our users are based.

See “Legal context” at top for links to official guidance: uaelegislation.gov.ae UAE

2. Data Controller & Contact Details

  • Data Controller / Company: Dubai Basketball Club, a company incorporated under the laws of UAE, with registered address: City Walk, Dubai, United Arab Emirates.
  • Privacy Contact: Data Protection Officer, email: [email protected], website: www.dubaibasketball.com.

If you have privacy questions, wish to exercise your rights or file a complaint, please contact us at [email protected].

3. Scope

This Policy governs all personal data that we process in connection with the Services, irrespective of the channel through which the data is collected, including the mobile application, any associated website, and communications by email, telephone or offline interactions during events and at physical venues.

If you are located in the European Union, the GDPR applies in addition to the PDPL; if you are in other jurisdictions, we will apply the protections required by local law and, in case of conflict among norms, we will adopt the approach that ensures the higher level of protection for the user’s rights without compromising the lawful provision of the Services.

4. Definitions

For the purposes of this Policy:

  • Personal Data: any information relating to an identified or identifiable natural person.
  • Processing: any operation performed on personal data (collection, storage, use, disclosure, deletion).
  • Data Controller: person/entity deciding purposes and means of processing.
  • Data Processor: entity processing personal data on controller’s instruction.
  • Data Subject / User: natural person whose personal data is processed.

These definitions follow the PDPL and GDPR to promote consistency and legal certainty across jurisdictions.

5. Personal Data We Collect

In operating the app, we collect data that is necessary to create and maintain your account and to provide the features you choose to use.

More precisely, we may collect, for example, the following categories of personal data:

Account & identity data

  • Full name, email address, mobile phone, date of birth (where provided), profile photo, username.

Contact & transactional data

  • Billing address, payment card metadata (tokenized by payment provider), purchase history, invoices.

Technical & device data

  • IP address, device ID, operating system, browser, mobile carrier, app version, crash logs, unique advertising identifiers (IDFA/GAID).

Location data

  • Precise or approximate geolocation where you allow location access.

Usage data

  • In-app activity, pages/screens visited, preferences, messages you send (user-generated content).

Communications

  • Support tickets, emails, feedback, call recordings (where relevant and lawful).

Sensitive data

  • We generally do not request sensitive personal data (health, religion, race, biometric) unless strictly necessary. If you provide sensitive data, we will process it only with explicit consent and specific safeguards.

We also collect membership and event data (e.g., registration for tournaments, attendance at live events, ticket preferences) and user-generated content (photos, videos, chat messages, posts). We do not process biometric or health data unless explicitly required and only with your consent.

6. How we collect personal data

We collect personal data directly from you when you create an account, register for events, purchase services or merchandise, interact with other members, or contact our support team. We also collect certain information automatically through software development kits (SDKs), analytics tools and server logs that help us maintain the stability and security of the app and improve performance.

In some cases, we obtain information from third parties, for example from payment service providers who tokenize your payment card details, from social login providers where you choose to authenticate using those services, and from identity-verification or anti-fraud partners where required to comply with law or to protect the security of the platform.

7. Processing purposes & lawful bases

We process personal data only when we have a valid legal basis and for purposes that we clearly explain to our users. Each purpose identifies the lawful basis under PDPL, GDPR (where applicable), or other relevant law. For example, processing necessary for the performance of a contract (Art. 6(1)(b) GDPR / Art. 4(1)(a) PDPL), consent (Art. 6(1)(a) GDPR / Art. 4(1)(b) PDPL), or compliance with legal obligations (Art. 6(1)(c) GDPR / Art. 4(1)(c) PDPL).

Purpose examples:

  • Provide and maintain Services – create accounts, authenticate users, deliver features. (Contract / Legitimate interest)
  • Payments & billing – process subscriptions, receipts, refunds. (Contract / Legal obligation)
  • Product improvement & analytics – usage analytics, crash reporting. (Legitimate interest / Consent for certain tracking)
  • Personalization & recommendations – tailored content and offers. (Legitimate interest / Consent)
  • Marketing & communications – newsletters, promotional messages. (Consent where required)
  • Fraud prevention, security & legal compliance – anti-fraud, AML/KYC. (Legal obligation / Legitimate interest)
  • Customer support – resolve questions and issues. (Contract / Legitimate interest)

(See Section 8 for a concise table linking activities to legal bases.)

We also process personal data to manage membership programs, organize sporting events, enable community interactions, and provide gamification features or digital rewards. Marketing by third-party partners or sponsors will only be carried out with your separate, explicit consent.

8. Legal basis

When you create an account and sign in on different devices, the processing of identity and device data is necessary to perform the service you requested and to support our legitimate interest in preventing unauthorized access. Payment processing requires the use of billing details and tokenized payment information; this processing is necessary for fulfilling the contract with you and for meeting legal obligations relating to financial record-keeping.

Registering for events and managing membership tiers involves processing event-specific and membership data, which is essential to provide those features and benefits. When we send you newsletters or promotional messages not strictly related to the operation of your account, we do so only after obtaining your consent, which you may withdraw at any time via the app settings or by using the unsubscribe link in each message.

For audience measurement and product improvement, we rely on analytics that may involve cookies or SDKs; where these technologies are not strictly necessary, we ask for your consent and honour your choices. To protect the platform against abuse and to comply with legal and regulatory duties, we may analyze usage and transaction patterns, relying on legitimate interests or legal obligations as the applicable bases.

Table examples:

Activity | Data categories | Legal basis
Account provisioning & authentication | Identity, account data, device data | Contract / legitimate interest
Payment processing | Payment metadata, billing address | Contract / legal obligation
Marketing emails | Contact info | Consent (opt-in)
Analytics (non-essential cookies) | Device, usage data | Consent
Fraud detection | Usage, transaction data | Legitimate interest / legal obligation

9. Recipients / Who we share data with

We may share personal data only with parties who need it for legitimate purposes and who are bound by contractual obligations to safeguard it. For example:

  • Service providers: cloud hosting, payment processors, analytics, CRM, support platforms (subject to written contracts and security requirements).
  • Affiliates / group companies for internal business purposes.
  • Law enforcement, regulators or courts when required by law or to protect legal rights.
  • Sponsors and commercial partners, but only with your explicit consent.
  • IT/maintenance providers, under strict access controls.

All recipients are subject to contractual obligations to protect personal data.

Certain data may be shared with our commercial partners and sponsors solely with your explicit consent. Access granted to IT and platform maintenance providers is strictly limited and subject to contractual safeguards.

10. Cross-border transfers & safeguards

Because we operate globally, personal data may be transferred to and processed in countries outside the UAE. For transfers from the UAE or to/from jurisdictions with different protections we implement – in accordance with PDPL, GDPR (where applicable), or other relevant law – appropriate safeguards (e.g., standard contractual clauses, binding corporate rules, adequacy mechanisms where available) and require recipients to provide adequate protection consistent with applicable law regardless of location.

More precisely, where cloud services hosted in the EU, the US or other jurisdictions are engaged, we assess the legal landscape and apply supplementary measures as needed to protect personal data against unauthorized access.

11. Data retention

We retain personal data for as long as necessary to serve the purpose for which it was collected and to comply with legal obligations. Example retention periods:

  • Account data: while account is active + 2 years after deactivation (to handle disputes).
  • Transactional & payment records: 7 years (or as required by tax/regulatory law).
  • Analytics & logs: aggregated or anonymized indefinitely; raw logs: 1 year (or as needed for security).
  • Support tickets & correspondence: 3–5 years.
  • Membership and event participation data: retained for 5 years after the end of the membership to handle accounting and liability purposes. Usage data may be anonymized and stored indefinitely for statistical analysis.

After the retention period, records are securely deleted or irreversibly anonymized.

12. Security

We implement reasonable technical and organizational measures to protect personal data, including:

  • encryption in transit (TLS) and at rest (where feasible),
  • access controls and least privilege,
  • regular vulnerability testing and security reviews,
  • logging and monitoring,
  • data minimization and pseudonymization where appropriate.

To reduce the likelihood of unauthorized disclosure, we conduct vulnerability assessments and, periodically, independent penetration tests, and we monitor systems to detect anomalous activity. Internal policies regulate how staff handle data, and training is provided to promote a culture of privacy and security.

Additional measures include two-factor authentication for user accounts, end-to-end encryption for in-app messaging, regular penetration testing, and, where applicable, compliance with recognized certifications (e.g., ISO/IEC 27001).

13. Cookies & tracking technologies

We use cookies and similar technologies for essential operations, analytics and advertising. When required by law, we obtain your consent for non-essential cookies and provide controls to manage cookie preferences (in-app settings or device/browser controls). Example categories:

  • Essential cookies: required for login, session continuity.
  • Analytics cookies: measure use and improve performance.
  • Advertising cookies: provide interest-based ads (only with consent).

We use third-party SDKs (e.g., Google Firebase, Meta SDK) for analytics and app functionality. Users can withdraw consent or manage preferences directly through an in-app privacy dashboard.

Details about the technologies used, their purposes, and their retention parameters are described in our in-app privacy controls. Where advertising features are offered, they are based on your explicit opt-in, and your choice has no impact on access to core functionalities.

14. Children & minors

Our Services are not directed to children under 16. Registration requires verification of age. If minors access certain sections dedicated to youth activities, we will implement parental consent mechanisms and apply additional safeguards. We do not knowingly collect personal data from children under that age. If we learn we have collected such data without consent, we will delete it.

Because PDPL’s position on a specific age threshold is less prescriptive than some other laws, we follow a conservative best practice: parental consent for children under 16. If we become aware that personal data has been collected from a child without the necessary consent, we will take steps to delete that information promptly and to prevent further processing.

Please contact us at [email protected] to request removal.

15. Automated decision-making & profiling

To enhance the user experience, we may use algorithms that analyze activity and preferences to recommend content, events, or features that are likely to be relevant. These forms of profiling are limited to personalization and do not produce legal or similarly significant effects on users.

If at any time we were to deploy solely automated decision-making that significantly affects individuals, we would provide clear notice in advance and ensure the right to obtain human intervention, to express a viewpoint, and to contest the decision, consistent with PDPL and GDPR requirements.

16. Your rights & how to exercise them

Subject to applicable law, you may have the following rights:

  • Access: request a copy of your personal data.
  • Rectification: correct inaccurate data.
  • Erasure: request deletion (right to be forgotten), where lawful.
  • Restriction: suspend processing under certain conditions.
  • Portability: receive data in a machine-readable format.
  • Objection: object to processing based on legitimate interests or direct marketing.
  • Withdraw Consent: where processing is based on consent.

More precisely, under PDPL, GDPR, and other applicable laws, you may have the right to access, rectify, erase, restrict, object, or port your data. If processing is based on consent, you may withdraw it at any time. These rights will be honored globally, regardless of where you reside.

Requests that cannot be completed through self-service controls can be submitted to our privacy contacts: [email protected]. We will respond without undue delay and, in any event, within the timelines established by law – generally within thirty days, with the possibility of a reasonable extension for complex or numerous requests, of which you will be duly informed.

You can manage and update your privacy preferences directly in the app through your account settings.

17. Complaints & supervisory authority

If you are located in the UAE, you may also lodge a complaint with the UAE Data Office or the relevant free-zone authority (ADGM/DIFC). If you are in the EU, you may lodge a complaint with your national Data Protection Authority under the GDPR. Users outside these regions may contact their local regulator or our Privacy Officer, and we will cooperate with relevant authorities worldwide. See local authority websites for filing procedures.

18. Data breach notifications

We maintain an incident response plan. In the event of a personal data breach that is likely to result in risk to individuals’ rights and freedoms, we will notify the relevant supervisory authority and affected data subjects as required by applicable law.

Our incident-response procedures are designed to promptly contain the breach, assess its impact, and implement remedial actions to prevent recurrence.

19. Changes to this policy

We may amend this Policy from time to time to reflect changes in our Services, in applicable laws, or in industry practices. When we make material changes, we will provide prominent notice within the app or by email, and we will update the “Last updated” date at the top of this document. Continuing to use the Services after the effective date of an updated Policy signifies your understanding of and agreement with the revised terms.

20. Contact

Dubai Basketball Club

Address: City Walk, Dubai, United Arab Emirates

Email: [email protected]

Website: www.dubaibasketball.com
