purpl
VolleyTube

Privacy Policy

Last updated · 13 May 2026

This is the hosted version of the privacy policy that the App Store and Play Store require. The in-app version inside the VolleyTube app covers the same ground in app-readable form.

1 · Who we are

VolleyTube is operated by Purpl, based in Sydney, Australia. You can reach us at contact@purpl.au.

2 · What we collect

When you create an account or use VolleyTube, we collect:

  • Email address — used to authenticate your account.
  • Profile information you provide — display name, @username, avatar, position, club, age, height, weight, spike and block heights, and bio. All optional except display name and username.
  • Comments — text you post on match pages.
  • Videos — short clips you upload (stored in Supabase Storage) and YouTube links you share.
  • Match interactions — set scores you submit, “I was there” attendance, bookmarks, follows.
  • Push notification token — your device’s Expo push token, only if you grant the OS-level notification permission.
  • Authentication metadata — IP address, user-agent, and Apple or Google identifiers when you use those sign-in methods.

We do not collect: device location, contacts, calendar, IDFA or ad tracking IDs, biometric data, payment information, or anything related to children under 13.

3 · Where your data lives

  • Postgres database — Supabase, hosted on AWS in Sydney (ap-southeast-2). TLS in transit, encryption at rest.
  • Video storage — Supabase Storage, same region. Files served via signed public URLs (clips are intended to be shared).
  • Authentication tokens — encrypted on your device via expo-secure-store (Keychain on iOS, EncryptedSharedPreferences on Android).
  • Push subscription tokens — stored in Supabase Postgres, isolated to a push_subscriptions table with strict read-self and write-self Row-Level Security policies.

We don’t have offices outside Australia and we don’t ship your data to non-Australian processors except Apple (sign-in only, no profile data) and Google (sign-in only, plus push delivery via Firebase Cloud Messaging on Android).

4 · How we use your data

We only use your data to make VolleyTube work for you:

  • Display your profile, comments, and clips on the relevant match pages.
  • Personalise your home feed (your team, your matches, your follower activity).
  • Send the in-app and push notifications you’ve opted into.
  • Send transactional emails (password reset, signup confirmation) via Supabase Auth.

We do not:

  • Sell or rent your data to third parties.
  • Show advertising in the app.
  • Build behavioural or analytics profiles for targeting.
  • Use your data to train AI models. We don’t run one.

5 · Who can see what

  • Public to all signed-in users — your username, display name, profile fields you’ve filled (avatar, club, position, stats, bio), your comments, your clips, your following and follower counts, your attendance and bookmarks (counts only, not contents).
  • Read-only to you — your inbox notifications, your match bookmarks list, your push subscription record.
  • Admin-only — moderation reports you submit, the audit log of match score edits, scraper run history.

The above is enforced at the database level via Postgres Row-Level Security — not just in the client.

6 · Your rights

Under the Australian Privacy Act, GDPR (if you’re in the EU), and CCPA (if you’re in California), you have the right to:

  • Access your data. Email contact@purpl.au and we’ll send you a JSON dump.
  • Correct your data. Edit your profile in-app; for things you can’t edit (e.g. comment history), email us.
  • Delete your account and all associated data. In-app: Profile → Settings → Account → Delete account. Or email us. We’ll delete within 30 days; comments may persist as anonymised (with user_id set to null) so threads stay readable.
  • Object to processing. Contact us — though for most of what we do, processing is necessary for the service, so we may not be able to comply without you closing your account.
  • Portability. JSON export of your data on request.
  • Withdraw consent to push notifications via your device settings.

To exercise any of these: contact@purpl.au. We don’t charge a fee; we don’t require ID for most requests.

7 · Data retention

  • Active accounts — indefinitely, until you delete.
  • Deleted accounts — within 30 days. Comments are anonymised but not deleted (community thread integrity).
  • Backup retention — Supabase keeps point-in-time recovery snapshots for 7 days; deletes propagate.
  • Auth tokens and sessions — invalidated immediately on sign-out or account delete.

8 · Children under 13

VolleyTube is not directed at children under 13. We don’t knowingly collect personal information from anyone under 13. If you’re a parent and believe your child has signed up, email us and we’ll remove the account.

VolleyTube does scrape and display match data for YSVL U15, U17, and U19 leagues — but that’s tournament-published data, not personal information collected from minors directly.

9 · Third-party processors

ProcessorWhat they handleLocation
Supabase Inc.Postgres, auth, storage, edge functionsAWS ap-southeast-2 (Sydney)
Apple Inc.Sign in with Apple (iOS users)USA
Google LLCSign in with Google (optional); FCM push delivery (Android)USA
ExpoPush notification routingUSA

We’ve reviewed each one’s privacy posture; links to their policies on request.

10 · Security

  • Passwords hashed with Supabase Auth’s bcrypt variant.
  • All API calls over TLS 1.2+.
  • Database access protected by Row-Level Security policies; no client can bypass.
  • Service-role keys held only on operator machines, never in the app bundle.
  • Regular security audits.

If you find a security issue, please report it to contact@purpl.au with subject SECURITY. We’ll respond within 48 hours.

11 · Changes to this policy

We’ll notify users in-app of material changes. The “Last updated” date at the top of this page reflects the most recent edit.

12 · Contact

Email · contact@purpl.au

For Australian-specific complaints unresolvable via the above: the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.


If you’ve read this far: thanks. We try to keep the data we collect to the minimum needed to make the app work, and to be straight with you about what we do with it.