Privacy.

Last updated: 2026-05-18. Effective date is the same.

1. Who we are

BadmintonLabs is an independent, non-commercial reference site for badminton equipment. We are not affiliated with Yonex, Li-Ning, Victor, Babolat, Ashaway, or any listed retailer. We are the "controller" of the personal data described on this page.

Contact for any privacy question: privacy@badmintonlabs.com.

2. What we collect — and only when

The site has three layers of data collection. Each one is opt-in or strictly necessary.

Always (everyone, no choice)

• Server access logs — IP address, request path, and timestamp. Used only to operate the site and rate-limit abusive traffic. Sign-in attempts are tracked per-IP for ten minutes to block credential stuffing; that record is auto-deleted after the window expires.

Browser cookies (set on first interaction with these features)

• zip_code — your ZIP, set when you ask for a live-shipping quote. Stored in your browser only; never sent to any third party.
• string_pref — the string you'd want installed when comparing "with stringing" totals. Browser-only.
• bl_session — a long random session token, only set when you sign in. Used to keep you signed in for 30 days.

Account data (only if you sign in)

Sign-in is optional. It uses a magic link emailed to you — no passwords stored. If you create an account we keep:

• Email address — the address you signed in with.
• Display name — optional, up to 40 characters, your choice.
• Gear list — racquets, strings, and grips you mark as owned.
• Restring log — the dates you record having a racquet restrung (used for the 90-day reminder email).
• Favorite players — the BWF pros you "heart" from the directory.

Stock-alert subscriptions (only if you subscribe)

Anyone can subscribe to a back-in-stock email on a sold-out model without creating an account. We store your email plus the product and retailer you're watching, and a random unsubscribe token. Sign-up uses double opt-in — your email won't receive an alert until you click the confirmation link.

3. What we don't do

• No advertising trackers, no Google Analytics, no Meta pixel, no third-party JavaScript that profiles you.
• No selling, renting, or sharing of personal data with marketers.
• No purchasing data from data brokers.
• No use of your data to train any machine-learning model.

4. Where data goes

The only third parties involved in serving you:

• Email service (SMTP provider) — used to send the magic-link sign-in email, stock-alert confirmations, restock alerts, and restring reminders. The provider sees your email address and the contents of those emails.
• Open-Meteo — anonymous weather + altitude lookups for the shuttle-speed calculator. We send latitude / longitude only.
• Zippopotam.us — converts a US ZIP to lat / lon for the same calculator. We send the ZIP only, no other identifier.
• Retailer Shopify endpoints — public product feeds. Our server reads these; your browser only contacts retailers when you click their link to leave our site.
• Cloudflare Web Analytics (if enabled in production) — cookieless aggregate page-view counts. No individual identification.

5. Outbound links

When you click a retailer card you leave our site. From that moment you are subject to the retailer's privacy policy. We have no view into what happens after you leave.

6. How long we keep data

• Access logs & rate-limit records: ten minutes (auto-deleted).
• Browser cookies: until you clear them, or 30 days for bl_session.
• Account data: indefinitely while your account exists, until you delete the account.
• Stock-alert subscriptions: until you unsubscribe, or the alert fires (one-shot).
• Email-send logs (delivery metadata): typical SMTP provider retention, usually 30–90 days.

7. Your rights

Regardless of where you live, we will honor the following requests at any time:

• Access — see everything we have on you.
• Correction — fix anything inaccurate.
• Deletion — wipe your account and all linked data.
• Export — download your data in a portable format.
• Opt-out of email — unsubscribe link is in every alert message; for transactional sign-in emails, deleting the account stops them.

To exercise any of these, email privacy@badmintonlabs.com from the address tied to your account. We'll respond within 30 days.

If you're in the European Union or United Kingdom (GDPR / UK GDPR)

Our lawful basis for processing your data is consent (for accounts and alerts — you opt in) or legitimate interests (for access logs and rate limiting — preventing abuse of a free service). You may withdraw consent any time by deleting your account. You also have the right to lodge a complaint with your national data-protection authority.

If you're in California (CCPA / CPRA)

We do not sell or share personal data as those terms are defined by the CCPA. You have the rights listed above plus the right to non-discrimination for exercising them.

If you're in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), or other US state laws

The same rights — access, correction, deletion, opt-out of any targeted advertising (we don't do any) — apply. Email the privacy address above to exercise them. You may appeal a denied request to the same address.

8. Security

We hash session tokens before storing them and use HTTPS everywhere in production. Sign-in is magic-link only — no passwords are stored at all. SMTP credentials are environment variables, never committed to source control.

No system is perfectly secure. If you discover a vulnerability, please email security@badmintonlabs.com rather than disclosing it publicly.

9. Children

BadmintonLabs is not directed to children under 13 (or 16 in the EU). We don't knowingly collect data from anyone under that age. If you believe a child has signed up, email the privacy address and we'll delete the account.

10. Changes to this policy

We may update this policy from time to time. Material changes will be called out on this page with a new "Last updated" date. Continued use of the site after a change means you accept the revised terms.

See also: Terms.