This Privacy Policy describes how Handoff Labs (“we”, “us”, “our”) processes personal data when you use the public GridPadel marketing and documentation website (the “Site”), including HTML documentation, landing pages, modals and forms served from our domains (for example gridpadel.com and staging or preview hosts we operate).
This notice does not replace your own privacy policy on a WordPress site where you install the GridPadel theme. When the theme runs on your hosting, you are typically the data controller for your club’s visitors; use the policy templates bundled with the theme and adapt them to your organisation and local law.
1. Data controller and contact
Controller: Handoff Labs (the business name under which we operate the GridPadel Site).
Registered business identifiers (Italy): VAT / Partita IVA IT04249920135; company registration CO-430913 with the Italian Chamber of Commerce Como–Lecco. These details are also shown in the footer of the Site.
Privacy contact: hello@handofflabs.com
For requests regarding access, correction, deletion, restriction, objection, portability or consent withdrawal, email the address above. We may ask for proportionate information (for example that you write from the same email you used on a form) to confirm the request is genuine and to avoid unlawful disclosure to third parties.
2. Scope: what this Site is
The Site is informational: it presents the GridPadel product, documentation, waitlist, optional quote requests, optional paid installation checkout, and support entry points. We do not require you to create an account to browse.
3. Categories of personal data we process
Depending on how you use the Site, we may process:
- Identity and contact data: email addresses and any text you type into forms (for example ThemeForest account email, project brief, hosting notes).
- Technical and usage data: IP address, date and time of requests, HTTP referrer where transmitted by your browser, user agent string, page URL at submission, optional fields such as `source` where your browser sends them with a form, and similar server or security logs.
- Consent records: timestamp and indication that you accepted the Privacy Policy and Terms where the form requires it (for example waitlist).
- Transaction-related data: if you use optional Stripe Checkout on this Site, we receive payment status, session identifiers and metadata needed to deliver the installation service (not full card numbers — those are processed by Stripe).
- Support chat content: if you use the on-site chat widget, messages you send and technical metadata needed to operate the chat.
4. Sources
We receive personal data (a) directly from you when you submit a form, start checkout or use chat; (b) from your browser or device when you load pages or assets; (c) from our first-party API endpoints that receive form submissions from this Site (hosted on infrastructure we control) before notifications are relayed to email or payment providers; (d) from Stripe in relation to completed or attempted payments you initiate.
5. Purposes, legal bases and (where applicable) legitimate interests
We process data on the following bases under the EU/UK General Data Protection Regulation and aligned regimes:
| Activity | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Waitlist signup | Send launch or product updates you asked for; prove consent. | Consent (6(1)(a)) — you tick the box and submit. |
| Customization quote form | Respond to a commercial enquiry; pre-contract steps. | Consent and/or legitimate interests in answering business requests (6(1)(a)/(f)); where you later contract with us, also contract (6(1)(b)). |
| Optional $49 installation checkout | Perform the paid setup service; accounting and support. | Contract (6(1)(b)); legal obligation for invoicing where applicable (6(1)(c)). |
| Site security, abuse prevention, logging | Protect systems and users; detect fraud and spam. | Legitimate interests (6(1)(f)) — balanced against your rights. |
| Non-essential analytics (only if you accept cookies) | Understand aggregate traffic if you opt in via the cookie banner. | Consent (6(1)(a)) via the banner. |
| Cookie / consent audit log (server) | Immutable-style record of banner or modal choices, IP, User-Agent, policy versions and timestamps for regulatory accountability. | Legal obligation (6(1)(c)) where applicable; legitimate interests (6(1)(f)) in demonstrating compliance. |
| Support chat widget | Provide pre-sales or technical help when you choose to chat. | Legitimate interests (6(1)(f)) in supporting prospective and existing customers. Please do not paste special-category data (for example health information) into chat unless strictly necessary; if you do, you acknowledge we may process it only to handle that conversation. |
ThemeForest / Envato licence verification does not happen on this marketing Site in the same way as on your WordPress install. When you use the GridPadel theme on your own site and enter a purchase code, your site may call Envato’s API as documented in the product documentation. That processing is between you (or your organisation), your users and Envato — see Envato’s privacy information. We do not collect your ThemeForest login password via our marketing forms.
6. Recipients and subprocessors
We use carefully selected service providers. They process data on our instructions (as processors) or as independent controllers where noted:
- Hosting / infrastructure — stores Site files and processes HTTP requests (technical logs).
- Brevo (Sendinblue SAS) or SMTP relay — delivers transactional emails (waitlist notifications, quote alerts, install-related messages). See Brevo’s privacy policy when Brevo is used.
- Stripe, Inc. — payment processing for optional checkout. See Stripe’s privacy policy and regional terms.
- Zammad-based support stack — chat widget script and backend operated for Handoff Labs (for example at support.handofflabs.com) to handle conversations. Technical requests to load the widget may expose IP and user agent to that host.
- Content delivery / script hosts — for example Google Fonts (Google’s privacy policy) and jQuery CDN when referenced by the Site build; those providers may process IP addresses as part of delivering assets.
We do not sell your personal data and we do not use it for third-party behavioural advertising on this Site as of the effective date above.
Cookie and consent choices — server audit log
When you confirm choices in the cookie banner, the cookie preferences modal, or the small floating control on the Site, your browser sends a request to our first-party API endpoint POST /api/cookie-consent. We store a dedicated record on our infrastructure (SQLite database file on the application server) containing at least: UTC server timestamp, IP address, User-Agent, the Privacy Policy and Cookie Policy version strings presented to you, the action you took (for example accept optional, reject optional, save preferences, or legacy migration), your toggles for optional analytics and marketing, the page URL reported by the browser and an optional client timestamp. This processing exists to meet accountability and evidence requirements under the GDPR (including Article 5(2)) and applicable ePrivacy rules. Legal bases: legal obligation where applicable, and legitimate interests in demonstrating what was consented to or refused. Retention: records are kept for up to thirty-six (36) months unless a longer period is required by law, regulation or competent authority.
7. International transfers
Handoff Labs is established in the European Union (Italy). We and our providers may still process or store data in the EEA, the United Kingdom, the United States and other countries depending on hosting and vendor locations. Where the GDPR applies and personal data is transferred from the EEA/UK to countries not covered by an adequacy decision, we rely on mechanisms such as the EU Commission Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent safeguards offered by the provider, as described in their documentation (for example Stripe’s and Brevo’s DPA terms).
8. Retention
- Waitlist and quote emails — kept for as long as needed to fulfil the purpose (typically up to 24 months after your last interaction) unless a longer period is required for legal claims or accounting.
- Stripe payment records — according to tax/accounting rules and Stripe’s retention tools.
- Server and security logs — typically up to 12 months, unless a longer retention is justified by security investigations.
- Support tickets / chat logs — retention per internal support policy, generally limited to what is needed to resolve issues.
9. Your rights (EEA, UK and Switzerland)
Where the GDPR, UK GDPR or revised Swiss Federal Act on Data Protection (FADP) applies, you may have the right to access, rectification, erasure, restriction and data portability, the right to object to processing based on legitimate interests, and the right to withdraw consent at any time (without affecting the lawfulness of processing before withdrawal). You may also lodge a complaint with a supervisory authority. EEA authorities are listed via the EDPB; in the UK, the ICO; in Switzerland, the FDPIC; in Italy, the Garante per la protezione dei dati personali.
10. United States — California and other state privacy rights
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended may grant you rights to know, delete and correct personal information, and to opt out of sale or sharing for cross-context behavioural advertising. We do not sell personal information as defined by the CCPA. To exercise rights, contact hello@handofflabs.com. We will not discriminate against you for exercising these rights. You may use an authorised agent where permitted by law; we may require proof of authorisation.
Residents of other US states with comprehensive privacy laws may have similar rights; contact us and we will respond in line with applicable law.
11. Other jurisdictions (Brazil, Canada, Australia)
11.1 Brazil (LGPD)
If Brazilian law applies, we observe the Lei Geral de Proteção de Dados (LGPD) where relevant: legal bases include consent, legitimate interest and contract; you may contact us to confirm the existence of processing, access data, correct incomplete or inaccurate data, anonymise, block or delete unnecessary data, request portability to another provider, obtain information about recipients, obtain information about denial of consent and its consequences, and revoke consent. You may file a complaint with the ANPD.
11.2 Canada (PIPEDA and provincial laws)
If Canadian law applies, we commit to accountability, appropriate safeguards and responding to your access and correction requests in line with the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial private-sector laws (for example in Alberta, British Columbia and Québec). Québec residents may have additional rights under Law 25; contact us for requests.
11.3 Australia
If the Privacy Act 1988 (Cth) applies, we handle personal information in line with the Australian Privacy Principles where relevant, including use and disclosure for the primary purpose of collection, security, and access/correction via our contact email.
12. Security
We implement appropriate technical and organisational measures (including HTTPS for the Site, access restrictions on servers, separation of secrets from code repositories, and rate limiting on public APIs). No online transmission or storage is completely secure; we will notify you and regulators of a personal data breach where legally required.
We have not appointed a Data Protection Officer (DPO) under Article 37 GDPR because we are not currently required to do so; privacy requests are handled by our team at the contact address in section 1.
13. Children
The Site is aimed at adults and businesses in the sports/club sector. It is not directed at children under 16. Do not provide personal data if you are under the age at which you may validly consent in your country without parental permission.
14. Automated decision-making and profiling
We do not use automated decision-making that produces legal or similarly significant effects solely by automated means, and we do not perform behavioural profiling across unrelated third-party sites for advertising purposes on this Site.
15. Changes to this Policy
We may update this Privacy Policy to reflect product, legal or technical changes. We will adjust the effective date at the top. Where changes are material and consent-based processing is affected, we will seek fresh consent where required (for example via the waitlist modal or cookie banner).
16. Contact
Questions about this Policy: hello@handofflabs.com
