Privacy Policy
Last Updated: January 7, 2025
Welcome to Jazba ("Jazba Sports"). This Privacy Policy explains how we collect, use, store, and protect your information when you use our services, including:
- Our website at jazbaapp.com
- Our mobile application (Jazba) for iOS and Android
- Our admin dashboard for organizers and administrators
- Our backend API services
By using our Services, you agree to the collection and use of information as described in this policy. If you have questions, contact us at marhabacodes@gmail.com.
Summary of Key Points
What data do we collect? Account information (name, email, phone), authentication data (passwords, tokens), profile data (player/team info, images), activity logs, and device information.
How do we use your data? To provide our sports management platform, authenticate users, display public profiles, enable team/event features, ensure security, and improve our services.
Do we share your data? Only with other users as part of the platform's functionality (public profiles, team rosters, event participation) and service providers who help us operate.
How do we protect your data? Password hashing, encrypted tokens, session management, rate limiting, and account lockout protection.
What are your rights? Access, correct, or delete your data. Request account deletion at any time.
Table of Contents
1. Information We Collect
2. How We Use Your Information
3. Authentication and Security
4. Information Sharing and Visibility
5. Social Login (Google Sign-In)
6. Data Retention
7. Data Security Measures
8. Your Privacy Rights
9. Mobile App Permissions
10. Cookies and Tracking
11. Children's Privacy
12. Updates to This Policy
13. Contact Us
1. Information We Collect
Account Information:
- Full name
- Email address
- Phone number (optional)
- Password (stored as a secure hash, never in plain text)
- Profile picture
- City/location
Player Profile Data:
- Playing position (e.g., goalkeeper, defender, forward)
- Preferred game formats (5-a-side, 7-a-side, 11-a-side)
- Team affiliations and membership history
- Match statistics and performance data
Team and Event Data:
- Team names, logos, and descriptions
- Event/tournament details you create or join
- Fixture schedules and match results
- Challenge requests and responses
Authentication and Session Data:
- Access tokens (short-lived, 30 minutes)
- Refresh tokens (long-lived, 30 days, stored as secure hashes)
- Session identifiers
- Last activity timestamps
- Failed login attempt counts
- Account lockout status
Verification Data:
- One-Time Passwords (OTPs) for email verification and password reset (stored as hashes, expire after 10 minutes)
- Email verification status
Technical and Log Data:
- IP addresses
- Device information and browser type
- Request timestamps and URLs
- Error logs for debugging
2. How We Use Your Information
We use your information to:
- Provide our services: Create and manage your account, display your player/team profiles, facilitate team memberships, organize events and fixtures.
- Authenticate and secure: Verify your identity, manage login sessions, detect unauthorized access, prevent fraud.
- Enable communication: Send team invites, challenge requests, event notifications, and important account updates.
- Improve our platform: Analyze usage patterns, fix bugs, develop new features.
- Ensure safety: Enforce our terms, investigate violations, protect users from abuse.
3. Authentication and Security
Our platform implements several security measures:
- Password Security: Passwords are hashed using bcrypt with secure salt rounds. We never store plain-text passwords. Minimum password requirements: at least 6 characters, including an uppercase letter, a lowercase letter, and a number.
- Token-Based Authentication: We use JWT tokens with short-lived access tokens (30 minutes) and longer-lived refresh tokens (30 days) with automatic rotation.
- Session Management: Sessions are tracked server-side. You can log out from all devices. Inactive sessions expire automatically.
- Account Lockout: After multiple failed login attempts, accounts are temporarily locked to prevent brute-force attacks.
- Rate Limiting: API requests are rate-limited to prevent abuse. Authentication endpoints have stricter limits.
- Token Reuse Detection: If a refresh token is reused (potential token theft), all sessions for that user are invalidated.
4. Information Sharing and Visibility
Public Information:
The following information is visible to other users of the platform:
- Your player profile (name, position, city, profile picture)
- Teams you belong to (if the team is published)
- Events and fixtures you participate in
- Match results and statistics
Private Information:
The following is NOT shared with other users:
- Email address
- Phone number
- Password
- Authentication tokens
- Account security settings
Admin Access:
Platform administrators can view user accounts, teams, and events for moderation purposes. Admins can block accounts, restrict content visibility, and manage platform integrity. Admin actions are logged.
Third-Party Sharing:
We do not sell your personal information. We may share data with:
- Cloud hosting providers (to store and serve data)
- Image hosting services (for profile pictures and team logos)
- Email service providers (for verification and notifications)
- Law enforcement (if required by valid legal process)
5. Social Login (Google Sign-In)
You can register and log in using your Google account. When you do, we receive:
- Your Google account ID
- Email address
- Display name
- Profile picture URL
We use this information to create or link your Jazba account. We do not access your Google contacts, calendar, or other Google services. Google Sign-In accounts are automatically verified (no email OTP required).
6. Data Retention
- Account Data: Retained while your account is active. Deleted upon account deletion request.
- Authentication Tokens: Access tokens expire after 30 minutes. Refresh tokens expire after 30 days or upon logout.
- OTPs: Expire after 10 minutes and are deleted automatically.
- Session Data: Cleared on logout or after inactivity timeout.
- Logs: Security and error logs may be retained for up to 90 days for debugging and security analysis.
- Blocked Accounts: If your account is blocked for violations, we may retain minimal identifying information to prevent re-registration.
7. Data Security Measures
We implement industry-standard security practices:
- HTTPS encryption for all data in transit
- Secure password hashing (bcrypt)
- Token-based authentication with rotation
- CORS restrictions to prevent unauthorized API access
- Security headers (Helmet.js) to prevent common attacks
- Rate limiting to prevent abuse
- Input validation to prevent injection attacks
While we take security seriously, no system is 100% secure. We encourage you to use a strong, unique password and enable any additional security features we offer.
8. Your Privacy Rights
You have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correct: Update inaccurate or incomplete information in your profile.
- Delete: Request deletion of your account and associated data. Visit the delete-user page or contact us.
- Logout Everywhere: Invalidate all active sessions from your account settings.
- Withdraw Consent: Stop using our services at any time.
To exercise these rights, contact us at marhabacodes@gmail.com.
9. Mobile App Permissions
Our mobile app may request the following permissions:
- Camera: To take profile pictures or team logos.
- Photo Library: To select existing images for your profile.
- Push Notifications: To receive team invites, challenge notifications, and match updates. You can disable this anytime.
- Location (optional): To find nearby teams or events. Only used when you explicitly enable it.
All permissions are optional and can be managed in your device settings.
10. Cookies and Tracking
Our web services use cookies and local storage for:
- Authentication (storing tokens securely)
- Session management
- Remembering your preferences
We do not use third-party tracking cookies for advertising purposes. We do not currently respond to Do-Not-Track browser signals as there is no universal standard.
11. Children's Privacy
Our services are not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we discover that we have collected data from a child under 13, we will delete it promptly. Parents or guardians who believe their child has provided us with personal information should contact us.
12. Updates to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by updating the "Last Updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of our services after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or your data, contact us:
Email: marhabacodes@gmail.com
Website: jazbaapp.com
Mailing Address:
Jazba (Jazba Sports)
G-13, Islamabad
Islamabad Capital Territory
Pakistan, 44100