A privacy policy is the most honest document a tennis website publishes. Not because companies want it to be — because regulators force the disclosure, and the lawyers who write it have more to lose from understatement than from candor. The marketing copy will tell you a string is "arm-friendly." The privacy policy tells you, in flat language, exactly what happens to your email address after you sign up for a stringing guide. The trick is reading it as a map of incentives rather than a legal shield. That is what this piece is for: to translate the document TennisCompanion.org and sites like it ask you to accept, into the consequences it describes.
We have read enough of these to know the genre. The structure is nearly always the same, and once you see the scaffold, the document stops being intimidating.
What personal data does a tennis website actually collect
In plain terms: two buckets. Data you hand over on purpose, and data your browser leaks automatically.
The first bucket is what you type into a form. An email address for a newsletter or account. A name and shipping address if there is a store. A password, stored as a hash rather than plain text on any competently run site. Sometimes a racquet or string preference you save to a profile. This is the data you can see yourself giving.
The second bucket is the one that surprises people. Your IP address, which approximates your location to a city or region. Your browser type and version, screen resolution, operating system, and the page you arrived from. The pages you visit, in what order, and how long you stay. None of this requires you to type anything. It arrives the moment you load the page, and most of it is logged by default.
That second bucket is where the real questions live.
How the data gets collected, in order
Walk through a single page load, because the sequence matters more than the categories.
First, your browser sends a request to the site's server. That request carries your IP address and a "user agent" string describing your device. The server writes this to a log before it sends a single byte back. This is unavoidable; it is how the web works. A web server cannot answer you without knowing where to send the answer.
Second, the page comes back with instructions to set cookies — small text files stored in your browser. A session cookie keeps you logged in as you move between pages and disappears when you close the tab. A persistent cookie stays on your device and is read again on your next visit; this is the mechanism that remembers your settings and, less innocently, recognizes you over time.
Third — and this is the step the policy buries — the page often loads scripts from other companies. An analytics provider like Google Analytics. An ad network. A social embed. Each of those scripts can set its own cookies and send its own copy of your visit data to a server you have no relationship with. The site invited them in; you were not asked at that granularity.
The cookie taxonomy, translated
The policy will sort cookies into categories. Here is what each one means in consequence rather than definition:
- Strictly necessary: without these, the cart empties and the login fails. You cannot opt out and still use the service.
- Functional / preference: these remember your dark mode, your language, your dismissed banner. Convenience, not surveillance.
- Analytics: these count you. Aggregated, ideally, but tied to a pseudonymous ID that can persist across sessions.
- Advertising / targeting: these build a profile to decide which ads follow you. This is the category that leaves the building.
The first two are about you using the site. The last two are largely about the site, and its partners, using you.
Where the data goes after collection
First-party data stays with the company you visited. Third-party data is the part worth slowing down for. When a tennis site runs an ad network's script, your visit becomes a data point in a profile that network maintains across thousands of unrelated sites. That is how a search for an overgrip can surface racquet ads on a news site an hour later. The mechanism is not magic and not a microphone; it is a shared cookie or device identifier read by the same network in both places.
Policies describe this with the phrase "we may share with third parties." The word "may" is doing a great deal of work. It does not mean the sharing is hypothetical. It means the company reserves the right, and typically exercises it through whatever advertising and analytics vendors it has integrated. If you want to know what actually happens, the cookie list — often a separate, less-polished page — is more truthful than the prose.
Your rights, depending on where you are
This part is well-established law, not interpretation, and it varies by jurisdiction.
Under the EU's GDPR, you have the right to access the data held about you, to correct it, to have it deleted ("right to erasure"), to restrict processing, and to take your data elsewhere (portability). Consent for non-essential cookies must be explicit and as easy to withdraw as to give. That is why the banners exist, and why a compliant banner has a "reject all" button that takes no more clicks than "accept all."
Under California's CCPA/CPRA, you have the right to know what is collected, to delete it, and to opt out of the "sale" or "sharing" of personal information — a definition broad enough to cover much ad-targeting data exchange. The "Do Not Sell or Share My Personal Information" link is the statutory expression of that right.
Outside those frameworks, your rights depend on local law and the company's voluntary policy. Many sites extend GDPR-style controls to everyone because maintaining two systems is harder than one. That is a business decision, not a guarantee.
How long it's kept
Retention is where honest uncertainty starts. Policies tend to say data is kept "as long as necessary" — a phrase that means whatever the company decides. Server logs are often purged in weeks to months. Account data persists until you delete the account, and sometimes after, in backups. Analytics records may be anonymized and retained for years. The truthful summary is that retention periods are frequently stated vaguely because the company has not committed to a hard number, and the law in most places does not force one. The data on real-world deletion practices is thinner than the confidence with which "we delete when no longer needed" is asserted.
A short audit, before you accept
When a policy lands in front of you, four questions answer most of it:
| Question | Where to look |
|---|---|
| What do they collect without asking? | "Usage data" / "automatically collected" section |
| Who else gets it? | "Third parties," "advertising," vendor/cookie list |
| Can I say no and still use the site? | Cookie banner — is "reject all" one click? |
| How do I get my data out or deleted? | "Your rights" section, contact email |
If the cookie banner makes "reject all" harder than "accept all," that is the most useful thing the page will ever tell you about the company behind it.
Verdict. That your browser leaks the second bucket of data automatically is well-established and unavoidable. That third-party ad cookies build cross-site profiles is well-established. That "as long as necessary" reliably means soon is folk wisdom — believe the number only when they print one.
Read the policy as a confession, not a contract.