PROVABack to Prova

Privacy Policy

Last updated: May 2025  ·  Effective: May 2025

Prova Sports Technology LLC (“Prova”, “we”, “us”, “our”) is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we collect it, how we use it, who we share it with, and what rights you have.

This policy applies to all users of the Prova platform worldwide, and has been designed to comply with the EU General Data Protection Regulation (GDPR), the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, “PDPL”), and the UK GDPR.


1. Data Controller

The data controller is Prova Sports Technology LLC, incorporated in the Dubai International Financial Centre (DIFC). If you have any questions about this policy or our data practices, contact us at privacy@prova.sport.


2. Data We Collect

We only collect data that is necessary to provide the Prova service. Here is a summary of what we collect and why:

CategoryDataWhy we collect it
AccountName, email, username, password (hashed), profile photoTo create and maintain your account
Professional profileSport history, career items, credentials, bio, locationTo power your professional profile and search
VerificationDocuments uploaded for tier verification (stored securely)To verify your professional tier status
ContentPosts, comments, messages, storiesTo operate the feed and messaging features
ActivityConnections, follows, likes, applications madeTo operate the social and opportunity features
PaymentsSubscription tier, billing dates (card data handled by Stripe/Telr)To manage subscriptions
TechnicalIP address, browser type, device identifiers, session tokensSecurity, abuse prevention, session management
CommunicationsEmails sent to you (via SendGrid), in-app notificationsTo keep you informed about your account and activity

What we do not collect: We do not collect advertising cookies, cross-site tracking data, social media tracking pixels, or any biometric data. We have no third-party advertising networks on the Platform during Phase 1.


3. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contract performance— processing necessary to provide you with Prova’s services as described in our Terms and Conditions.
  • Legitimate interests — security monitoring, fraud prevention, improving the Platform, and communicating service updates.
  • Legal obligation — where we are required to process data by applicable law.
  • Consent — for optional features such as marketing emails and non-essential cookies. You may withdraw consent at any time.

4. How We Use Your Data

  • To create and manage your account.
  • To display your professional profile to other users (subject to your privacy settings).
  • To power the social features: feed, connections, follows, messaging.
  • To process verification applications and subscription payments.
  • To send you transactional emails (password resets, notifications, receipts).
  • To detect and prevent fraud, abuse, and security incidents.
  • To comply with legal obligations, including law enforcement requests.
  • To improve the Platform through aggregate, anonymised analytics.

We do not sell your personal data to third parties. We do not use your data to serve advertising from third-party networks (this may change in Phase 3 when the Fan tier opens — we will update this policy and notify you before any change).


5. Third-Party Service Providers

We use the following carefully selected processors to operate the Platform. Each is bound by a data processing agreement:

  • Supabase / PostgreSQL — Database hosting. Data stored in European data centres.
  • Vercel — Application hosting and CDN. Servers in Europe West.
  • Cloudinary — Image and media storage and delivery.
  • SendGrid (Twilio) — Transactional email delivery.
  • Stripe — Global payment processing. Stripe handles all card data. We never see or store your card number.
  • Telr — UAE/GCC payment processing fallback.
  • Google— OAuth sign-in (if you choose to sign in with Google). Google’s privacy policy governs the data they collect.
  • Sentry — Error monitoring. Error reports are anonymised and do not include message content.

We do not share your data with any other third parties without your explicit consent, unless required by law.


6. Data Retention

We retain your personal data for as long as your account is active. When you delete your account:

  • Your profile, posts, and activity data are soft-deleted immediately (hidden from other users).
  • After a 30-day grace period, all data is permanently deleted.
  • Payment records are retained for 7 years as required by UAE financial regulations.
  • Verification documents are retained for 12 months after account deletion for fraud prevention purposes, then destroyed.

7. Cookies and Local Storage

Prova uses only essential technical storage to operate:

  • Session cookie — Set by NextAuth to keep you logged in. This is strictly necessary and cannot be disabled without logging you out.
  • Cookie consent preference — Stored in localStorage (not a cookie) to remember whether you have acknowledged this banner.

We do not set advertising cookies, social tracking pixels, or analytics cookies. No third-party cookies are present on the Platform during Phase 1.


8. International Transfers

Prova is operated from Dubai but uses infrastructure providers with data centres in Europe (primarily EU/EEA). Where personal data is transferred outside the UAE or EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required by the GDPR.


9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — Request a copy of the data we hold about you.
  • Rectification — Correct inaccurate or incomplete data. You can do this yourself in Settings.
  • Erasure— Request deletion of your account and data. Available in Settings › Account.
  • Portability — Receive your data in a machine-readable format. Request via privacy@prova.sport.
  • Object — Object to certain types of processing, particularly direct marketing.
  • Withdraw consent — Where processing is based on consent, you may withdraw it at any time in Settings.
  • Lodge a complaint — You may complain to your local data protection authority. In the UAE, this is the UAE Data Office. In the EU, contact your national supervisory authority.

To exercise any of these rights, contact us at privacy@prova.sport. We will respond within 30 days.


10. Children’s Privacy

Prova is not directed at children under 13. If you believe a child under 13 has created an account, please contact us immediately at privacy@prova.sport and we will delete the account promptly.

Users aged 13 to 17 require verified parental consent and their profiles are set to private by default.


11. Security

We take the security of your data seriously. Our measures include:

  • Passwords hashed using bcrypt with a cost factor of 12.
  • All data in transit encrypted using TLS 1.2 or higher.
  • Database access restricted to application servers only.
  • Rate limiting on authentication endpoints.
  • EXIF data stripped from uploaded images.
  • Verification documents scanned for malware before storage.
  • Regular security audits and penetration testing.

No system is completely secure. If you discover a security vulnerability, please report it responsibly to security@prova.sport.


12. Changes to This Policy

We may update this Privacy Policy as the Platform evolves or as laws change. We will notify you of material changes by email and by posting a notice on the Platform at least 14 days before the changes take effect.

The date at the top of this page shows when the policy was last updated. We maintain an archive of previous versions available on request.


13. Contact Us

Prova Sports Technology LLC — Data Protection
Dubai International Financial Centre, Dubai, UAE
Email: privacy@prova.sport