Privacy Policy
Sportomic Technologies Private Limited ("Sportomic", "we", "us") operates MapBoost, an internal tool for Sportomic team members to manage Google Business Profile (GBP) content on behalf of sports venues who have authorised us. This page explains what personal data MapBoost collects, how it is used, and the rights you have under the Digital Personal Data Protection Act, 2023 ("DPDP Act").
1. Data Fiduciary
For the purposes of the DPDP Act, Sportomic is the Data Fiduciary. Contact: rahul@sportomic.com.
2. What data we collect
MapBoost processes three distinct categories of personal data:
- MapBoost user accounts — name, email, password hash, role, last login timestamp, session IP. These identify Sportomic team members who sign in to the dashboard.
- Venue owner data — business name, address, phone, website, venue category, Google Business Profile OAuth token. Collected only after the venue owner explicitly grants access via the Google consent screen.
- Reviewer data (via GBP) — reviewer display name, review text, star rating, review timestamp. This data originates from Google Maps; MapBoost reads it via the GBP API solely so that the venue can reply to reviews on their own profile.
3. How we use the data
- Display GBP reviews, posts, photos, insights, and performance metrics to authorised Sportomic team members.
- Generate AI-drafted review replies and social posts using Google Gemini. Reviewer name, review text, and venue context are included in the prompt; the generated text is shown to the user for review before being posted.
- Track tool usage in an audit log (action_log) with user identity, timestamp, action type, and request IP — used for security and compliance review.
- Detect GBP profile suspensions and alert the Sportomic team via email.
4. Where data is stored
Application infrastructure runs on Google Cloud Platform, project gen-lang-client-0684682110, region us-central1 (Iowa). Data at rest lives in Cloud SQL PostgreSQL (encrypted by Google). OAuth tokens and application secrets live in Google Secret Manager with IAM-scoped access restricted to the application runtime service account.
5. Who can see your data
- Authorised Sportomic team members with an active MapBoost account (Admin, Manager, or Viewer role).
- Google Cloud processors (App Engine, Cloud SQL, Secret Manager, Vertex AI / Gemini, Places API) subject to their own privacy terms.
- No third-party data brokers, advertisers, or analytics services.
6. Retention
- User accounts — retained while the team member is active. Deactivated accounts keep their row (with is_active=0) for audit continuity; right-to-erasure requests permanently delete the row.
- Venue data — retained while the venue owner's GBP consent is active. If consent is withdrawn, all venue-specific rows are deleted within 7 days.
- Audit log — retained for 180 days, then purged.
- Geo-grid cache — auto-expires after 24 hours.
7. Your rights under the DPDP Act, 2023
As a Data Principal you have the right to:
- Request access to the personal data Sportomic holds about you
- Request correction of inaccurate or incomplete data
- Request erasure of your personal data ("right to be forgotten")
- Nominate another individual to exercise these rights on your behalf in the event of death or incapacity
- Withdraw consent for processing at any time
- File a grievance with Sportomic's Data Protection Officer
To exercise any of these rights, email rahul@sportomic.com with the subject line "DPDP Request — [your right]". We will respond within 30 days.
8. Security
- All MapBoost traffic is served over HTTPS (TLS 1.2+).
- User passwords are hashed with Werkzeug's PBKDF2-SHA256 (never stored in plaintext).
- Session cookies are flagged Secure, HttpOnly, and SameSite=Lax.
- All secrets are stored in Google Secret Manager with IAM-restricted access.
- Cloud SQL backups run daily and are retained for 7 days.
9. Breach notification
In the event of a personal data breach that is likely to result in risk to Data Principals, Sportomic will notify the Data Protection Board of India and affected individuals within 72 hours of becoming aware of the incident, as required by the DPDP Act.
10. Children's data
MapBoost is a business-to-business tool intended for Sportomic team members and authorised venue owners. We do not knowingly collect data from individuals under 18 years of age.
11. Changes to this policy
We will update this page whenever the policy changes. The "Last updated" date at the top reflects the most recent revision. Material changes will be announced via email to active users.
12. Contact
Sportomic Technologies Private Limited
Email: rahul@sportomic.com
Website: sportomic.com