Privacy Policy
Last updated · 13 May 2026
This is the hosted version of the privacy policy that the App Store and Play Store require. The in-app version inside the VolleyTube app covers the same ground in app-readable form.
1 · Who we are
VolleyTube is operated by Purpl, based in Sydney, Australia. You can reach us at contact@purpl.au.
2 · What we collect
When you create an account or use VolleyTube, we collect:
- Email address — used to authenticate your account.
- Profile information you provide — display name, @username, avatar, position, club, age, height, weight, spike and block heights, and bio. All optional except display name and username.
- Comments — text you post on match pages.
- Videos — short clips you upload (stored in Supabase Storage) and YouTube links you share.
- Match interactions — set scores you submit, “I was there” attendance, bookmarks, follows.
- Push notification token — your device’s Expo push token, only if you grant the OS-level notification permission.
- Authentication metadata — IP address, user-agent, and Apple or Google identifiers when you use those sign-in methods.
We do not collect: device location, contacts, calendar, IDFA or ad tracking IDs, biometric data, payment information, or anything related to children under 13.
3 · Where your data lives
- Postgres database — Supabase, hosted on AWS in Sydney (
ap-southeast-2). TLS in transit, encryption at rest. - Video storage — Supabase Storage, same region. Files served via signed public URLs (clips are intended to be shared).
- Authentication tokens — encrypted on your device via
expo-secure-store(Keychain on iOS, EncryptedSharedPreferences on Android). - Push subscription tokens — stored in Supabase Postgres, isolated to a
push_subscriptionstable with strict read-self and write-self Row-Level Security policies.
We don’t have offices outside Australia and we don’t ship your data to non-Australian processors except Apple (sign-in only, no profile data) and Google (sign-in only, plus push delivery via Firebase Cloud Messaging on Android).
4 · How we use your data
We only use your data to make VolleyTube work for you:
- Display your profile, comments, and clips on the relevant match pages.
- Personalise your home feed (your team, your matches, your follower activity).
- Send the in-app and push notifications you’ve opted into.
- Send transactional emails (password reset, signup confirmation) via Supabase Auth.
We do not:
- Sell or rent your data to third parties.
- Show advertising in the app.
- Build behavioural or analytics profiles for targeting.
- Use your data to train AI models. We don’t run one.
5 · Who can see what
- Public to all signed-in users — your username, display name, profile fields you’ve filled (avatar, club, position, stats, bio), your comments, your clips, your following and follower counts, your attendance and bookmarks (counts only, not contents).
- Read-only to you — your inbox notifications, your match bookmarks list, your push subscription record.
- Admin-only — moderation reports you submit, the audit log of match score edits, scraper run history.
The above is enforced at the database level via Postgres Row-Level Security — not just in the client.
6 · Your rights
Under the Australian Privacy Act, GDPR (if you’re in the EU), and CCPA (if you’re in California), you have the right to:
- Access your data. Email contact@purpl.au and we’ll send you a JSON dump.
- Correct your data. Edit your profile in-app; for things you can’t edit (e.g. comment history), email us.
- Delete your account and all associated data. In-app: Profile → Settings → Account → Delete account. Or email us. We’ll delete within 30 days; comments may persist as anonymised (with
user_idset to null) so threads stay readable. - Object to processing. Contact us — though for most of what we do, processing is necessary for the service, so we may not be able to comply without you closing your account.
- Portability. JSON export of your data on request.
- Withdraw consent to push notifications via your device settings.
To exercise any of these: contact@purpl.au. We don’t charge a fee; we don’t require ID for most requests.
7 · Data retention
- Active accounts — indefinitely, until you delete.
- Deleted accounts — within 30 days. Comments are anonymised but not deleted (community thread integrity).
- Backup retention — Supabase keeps point-in-time recovery snapshots for 7 days; deletes propagate.
- Auth tokens and sessions — invalidated immediately on sign-out or account delete.
8 · Children under 13
VolleyTube is not directed at children under 13. We don’t knowingly collect personal information from anyone under 13. If you’re a parent and believe your child has signed up, email us and we’ll remove the account.
VolleyTube does scrape and display match data for YSVL U15, U17, and U19 leagues — but that’s tournament-published data, not personal information collected from minors directly.
9 · Third-party processors
| Processor | What they handle | Location |
|---|---|---|
| Supabase Inc. | Postgres, auth, storage, edge functions | AWS ap-southeast-2 (Sydney) |
| Apple Inc. | Sign in with Apple (iOS users) | USA |
| Google LLC | Sign in with Google (optional); FCM push delivery (Android) | USA |
| Expo | Push notification routing | USA |
We’ve reviewed each one’s privacy posture; links to their policies on request.
10 · Security
- Passwords hashed with Supabase Auth’s bcrypt variant.
- All API calls over TLS 1.2+.
- Database access protected by Row-Level Security policies; no client can bypass.
- Service-role keys held only on operator machines, never in the app bundle.
- Regular security audits.
If you find a security issue, please report it to contact@purpl.au with subject SECURITY. We’ll respond within 48 hours.
11 · Changes to this policy
We’ll notify users in-app of material changes. The “Last updated” date at the top of this page reflects the most recent edit.
12 · Contact
Email · contact@purpl.au
For Australian-specific complaints unresolvable via the above: the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
If you’ve read this far: thanks. We try to keep the data we collect to the minimum needed to make the app work, and to be straight with you about what we do with it.