Privacy Policy
How Bestplay Studio collects, uses, protects, and shares data across its products.
Last updated: 2026-04-24
This Privacy Policy explains how BESTPLAY STUDIO YAZILIM ANONİM ŞİRKETİ (“Bestplay Studio”, “we”, “us”, or “our”) collects, uses, stores, shares, and protects personal data across our website and all products we operate.
This policy covers our website at bestplay.studio and the following products: Bestplay AI, GAFFER, MP App, Coaching App, and Boost My Legacy. Product-specific practices are described in Section 6.
1. Data controller and contact
The data controller for personal data processed under this policy is BESTPLAY STUDIO YAZILIM ANONİM ŞİRKETİ, registered at Maslak Mahallesi, Anka Sokak, Mashattan B4, No: 2 B/4, İç Kapı No: 71, Sarıyer, Istanbul, Türkiye.
For any privacy request, including access, correction, deletion, portability, or objection, contact privacy@bestplay.studio.
2. What data we collect
We collect only what we need to operate our products and run the business.
- Identity data — name, username, or display name you provide when you create an account.
- Contact data — email address, and optionally phone number or physical address when you provide it.
- Account data — credentials (hashed), preferences, and account activity.
- Payment data — payment is processed by third-party providers (Lemon Squeezy, Paddle, Apple, Google). We do not store your full card details. We store transaction identifiers, last four digits of the card, billing country, and subscription status.
- Usage data — how you interact with our products: pages viewed, features used, timestamps, device type, operating system, language, crash reports, and approximate geolocation (city level) derived from IP.
- Technical data — IP address, browser type, device identifiers, and log files.
- Content you create — data you create or upload to a product (e.g. training plans in MP App, match inputs in GAFFER, revenue entries in Bestplay AI).
We do not knowingly collect personal data from children under the age of 13 (or the age of digital consent where you live).
3. How we use data
We process your data for the following purposes, based on the legal grounds listed.
| Purpose | Legal basis (GDPR) | Legal basis (KVKK) |
|---|---|---|
| Provide and operate our products | Contract | Contract performance (Art. 5/2-c) |
| Process payments and manage subscriptions | Contract | Contract performance (Art. 5/2-c) |
| Communicate with you about your account | Contract / Legitimate interest | Contract / Legitimate interest (Art. 5/2-f) |
| Improve and troubleshoot our products | Legitimate interest | Legitimate interest (Art. 5/2-f) |
| Send marketing communications | Consent | Explicit consent (Art. 5/1) |
| Comply with legal obligations | Legal obligation | Legal obligation (Art. 5/2-ç) |
| Protect against fraud and abuse | Legitimate interest | Legitimate interest (Art. 5/2-f) |
You may withdraw consent for marketing at any time by using the unsubscribe link in any email or writing to privacy@bestplay.studio.
4. Sharing and processors
We do not sell your personal data. We share data only with processors that help us deliver our services, under data-processing agreements. Categories of processors include:
- Cloud hosting (Cloudflare, AWS, or similar)
- Payment processing (Lemon Squeezy, Paddle, Apple, Google)
- Email delivery (a transactional email provider)
- Analytics (privacy-friendly analytics such as Plausible)
- Customer support tooling
Some processors may be located outside Türkiye or the EEA. When we transfer personal data internationally, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) and, for KVKK-regulated transfers, we obtain explicit consent or rely on legal bases under Article 9 of Law No. 6698.
We may also disclose data when required by law, court order, or to protect the rights, property, or safety of Bestplay Studio, our users, or others.
5. Data retention
We retain personal data only as long as necessary for the purposes described here, plus the retention periods required by Turkish tax, commercial, and data-protection laws. Typical retention windows:
- Active account data — for the duration of your account
- Payment and invoice records — 10 years, as required by Turkish Commercial Code and tax regulations
- Log and usage data — 12 months
- Marketing consent records — until withdrawal plus the minimum legal retention period
- Backups — rolling 90-day retention
When retention expires, data is deleted or anonymized.
6. Per-product data practices
6.1 Bestplay AI
A B2B SaaS for clubs and federations. Processes business data (revenue records, membership lists, sponsorship data) uploaded by authorized account users. The data subjects are the club’s own members and business contacts; the club is the controller for that data, and Bestplay Studio acts as processor. Payment is by invoice or Lemon Squeezy. Data is stored in encrypted cloud storage. Export and deletion are available to account admins on request.
6.2 GAFFER
A B2C live-match second-screen app for sports fans. Collects account data, match-interaction data (your in-app predictions and scores), and device data for crash diagnostics. No location data is collected beyond city-level inferred from IP. Payment is through Apple In-App Purchase or Google Play Billing; we do not receive your card details. Subscription status is synced from the store.
6.3 MP App
An athlete management platform for athletes, coaches, and academies. Processes training records, performance notes, schedules, and messaging between coaches and athletes. Access is controlled by the organization; messaging content is stored encrypted. Health-related observations you add are treated as sensitive and retained only while your account is active.
6.4 Coaching App
A coach certification platform with academic accreditation partners. Processes enrollment data, coursework, assessment results, and certification status. Where accreditation bodies require record retention, we retain records for the period they specify and inform you of that period before enrollment.
6.5 Boost My Legacy
A platform for athletes to build a post-career brand. Processes profile content, media you upload, brand preferences, and, where applicable, business contact details for partnerships. Content you designate as public is published to your profile; private content is never shared without your consent.
7. Your rights
Depending on where you live, you have the following rights:
- Access — a copy of the personal data we hold about you
- Rectification — correct inaccurate data
- Erasure — delete your data (subject to legal retention)
- Restriction — limit processing in specific circumstances
- Portability — receive your data in a portable format
- Objection — object to certain processing, including marketing
- Withdraw consent — where processing is based on consent
- Complaint — file a complaint with your data-protection authority. In Türkiye, this is the Personal Data Protection Authority (KVKK — Kişisel Verileri Koruma Kurumu, kvkk.gov.tr). In the EEA, this is your local supervisory authority.
To exercise a right, email privacy@bestplay.studio. We respond within 30 days (KVKK) / one month (GDPR). We may extend by two months for complex requests and will tell you why.
8. Account and data deletion
You can request deletion of your account and associated personal data at any time.
- In-app: most products include a “Delete account” option in Settings. Where it is present, using it starts an immediate deletion flow.
- By email: send a deletion request from the email address associated with your account to privacy@bestplay.studio. We will verify your identity and process the request within 30 days.
- Web: visit the Support page and follow the “Delete my account” instructions.
Data we are legally required to retain (e.g. invoice records for tax purposes) is retained for the statutory period and then deleted.
9. Security
We apply appropriate technical and organizational measures to protect your data, including encryption in transit (TLS), encryption at rest for sensitive data, role-based access control, audit logging, principle-of-least-privilege for personnel access, and periodic security reviews. No system is perfectly secure — if we become aware of a breach affecting your data, we will notify affected users and the KVKK and other relevant authorities within the timelines required by law.
10. Cookies and similar technologies
Our website uses only strictly-necessary cookies and privacy-friendly analytics that do not require consent under GDPR or KVKK. We do not use cross-site tracking cookies. Our apps use device identifiers for authentication and crash diagnostics only.
11. International users
If you access our products from outside Türkiye, your data may be processed in Türkiye or in other countries where our processors operate. We apply protections appropriate to the region where the data subject lives.
12. Children’s privacy
Our products are not directed at children under 13 (or the age of digital consent where you live). If we learn we have collected data from a child below that age without parental consent, we delete it promptly. Guardians who believe their child has provided us with personal data may contact privacy@bestplay.studio.
13. Changes to this policy
We may update this policy. We post material changes here and, where appropriate, notify account holders by email. The “Last updated” date at the top of this page reflects the most recent change.
14. Contact
- Privacy and data requests: privacy@bestplay.studio
- Legal matters: legal@bestplay.studio
- General: hello@bestplay.studio
Maslak Mahallesi, Anka Sokak
Mashattan B4, No: 2 B/4, İç Kapı No: 71
Sarıyer, Istanbul, Türkiye
VKN: TBD