Privacy Policy

Effective 19 Apr 2026

This Privacy Policy explains what information Citraka, Inc. ("Citraka", "we") collects when you use SmasHaven, how we use it, who we share it with, and the controls you have. Citraka is the data controller. SmasHaven is a product of Citraka.

1. Information we collect

What you give us

• Account: name, email address, password (stored only as a salted hash — we never see your plaintext password), your self-declared role (player, coach, or both), skill level, and handedness.
• Profile: an optional profile picture URL or image you upload.
• Content you post: meetup descriptions, forum posts, ratings, flags, and any pictures you upload for courts, coaches, or shops.
• Meetup & match data: meetups you organize or join, match results you log, and the resulting rating history.
• Claims: if you claim a business listing (court / coach / shop), the contact email used for verification.

What we collect automatically

• Device push tokens: when you grant notification permission, your device sends an Expo push token which we store so we can notify you about meetups, matches, and messages.
• Usage & telemetry events: named events (e.g. search.open, meetup.join) tied to your user id and a small, PII-free properties bag. Used to measure feature usage and improve the product.
• Security logs: audit events for security- sensitive actions (login, logout, password change). Email addresses and IP addresses in these logs are redacted with a keyed hash so an engineer can correlate events without seeing your real email or IP.

What we do not collect

• We do not collect precise location; SmasHaven has no GPS permission.
• We do not collect health data, biometrics, or government identifiers.
• We do not sell personal information. Ever.
• We do not run third-party ad trackers.

2. How we use information

We use the information we collect to:

• operate SmasHaven — show your meetups, ratings, matches, and messages;
• authenticate you and keep your account secure;
• send notifications you've opted into;
• measure feature usage via anonymous-ish event counts so we can improve the product;
• detect and prevent fraud, abuse, and violations of our Terms;
• comply with law when we have to.

3. Who we share information with

We share information only with:

• Other users, as part of the product — roster listings show your display name and initials; meetup organizers see joiners; forum posts display your name.
• Expo (by Expo Inc.), a push-notification relay. Titles and bodies you receive as push notifications pass through Expo's infrastructure. We do not include emails, phone numbers, or health data in push payloads.
• Infrastructure providers that host our servers (currently: Amazon Web Services). These providers process data on our instructions under contract.
• Law enforcement, when we're legally compelled or in good faith believe we must to protect users' safety. We'll push back on overbroad requests.

We do not sell, rent, or trade your personal information to any third party for marketing, profiling, or advertising purposes.

4. Analytics & feature flags

SmasHaven uses first-party analytics — Citraka runs the event pipeline on its own servers. Events are named actions (search.open, place.rate) tied to your numeric user id. Event property bags are capped at 5 KB and are schema-enforced to reject PII-shaped keys (email, phone, address). We use these events to decide which features work and ramp the ones that do.

You can see the admin view of what's collected at yourhost/dashboard (admin users only).

Feature flags control which parts of the product are visible to which cohort. Flag status per user is derived from a keyed hash of your user id — the same user gets a stable experience day-to-day without us storing a per-user flag table.

5. How we protect information

• Passwords are stored only as bcrypt salted hashes.
• Access tokens are short-lived JWTs signed with RS256; only the user-service holds the private key.
• Refresh tokens are rotated on every use; reuse triggers full family revocation (a log-the-user-out signal).
• Cookie-based refresh is HttpOnly + SameSite=Strict + CSRF double-submit.
• All service-to-service traffic runs in a private Docker network in dev, and over TLS in production.

No system is perfectly secure. We do our best; you should use a unique, strong password and keep your device locked.

6. How long we keep information

• Account data: until you delete your account.
• Refresh tokens: until they expire (30 days) or you revoke them.
• Telemetry events: rolling 13 months.
• Audit logs: rolling 13 months. PII fields in audit logs are already redacted at write time.

7. Your rights & choices

Regardless of where you live, you can:

• update most profile data from the Profile sheet in-app;
• revoke individual device sessions from the Sessions list;
• log out of every device at once from the "Revoke all sessions" button;
• mute notifications via your device's OS settings;
• write to [email protected] to request a copy of your data or to delete your account.

If you're in the EU/EEA, UK, Brazil, or California you have additional rights under GDPR, UK-GDPR, LGPD, and CCPA — access, rectification, erasure, portability, restriction, and objection. Reach out to the same email and we'll honour the request within the applicable window (30 days under GDPR; 45 days under CCPA).

8. Children

SmasHaven is not directed at children under 13, and we do not knowingly collect personal information from children under 13. If you believe we have, email [email protected] and we'll delete the account.

9. Cookies

The mobile app uses no cookies. The web admin dashboard uses a single session cookie for authentication and a CSRF cookie on the refresh path. Both are strictly necessary and do not track you across sites.

10. International transfers

Citraka is based in the United States. If you use SmasHaven from outside the US, your information will be transferred to and processed in the US. Where required, we rely on standard contractual clauses to protect the transfer.

11. Changes

We may update this Privacy Policy. Material changes will be surfaced in-app. The "Effective" date at the top of this document always reflects the current version.

12. Contact

Privacy questions or requests: [email protected]