Privacy Policy

Last updated: June 2026

This policy describes what personal information Balls of Duty collects when you book a paintball session through this website, why we collect it, where it is stored, and what control you have over it. We have tried to keep it short and plain. If anything is unclear, contact us using the details at the bottom.

1. Who we are

Balls of Duty is a paintball field operating in Lebanon. The website at ballsofduty.com is owned and operated by us. We are the data controller for any information you submit through this site.

2. What we collect and why

The only place this site collects personal information is the online booking form. We collect the minimum needed to hold a reservation and contact you about it.

Data	Why we need it	Required?
Name	To identify your reservation when you arrive	Yes
Phone number	To confirm the booking or reach you about schedule changes	Yes
Package, format, date, time, player count	To allocate the field and equipment	Yes
Special requests (free text)	To accommodate group requests (birthdays, dietary, etc.)	No
Whish Money payment reference	To match your deposit to the booking	Yes

We never see or store your credit card details, bank account, or Whish Money login. Payment is processed entirely inside Whish Money's own app. We only store the transaction reference number you give us afterwards.

3. What we do NOT collect

No email addresses (the booking flow doesn't ask for one).
No payment card numbers, CVCs, or bank credentials.
No location or GPS data.
No marketing analytics, advertising pixels, or behaviour-tracking cookies. There is no Google Analytics, no Facebook Pixel, no Hotjar, no advertising network on this site.
No profiling, automated decision-making, or targeted advertising.

4. Where your data is stored

Submitted booking data is sent directly from your browser to Google Firebase Firestore (project balls-of-duty), hosted on Google Cloud infrastructure. From there:

Only authenticated Balls of Duty staff accounts can read, edit, or delete bookings. Public visitors can create a new booking but cannot read anyone else's.
A nightly automated backup runs on Netlify and saves a copy of the bookings collection to a private GitHub Gist owned by us. The gist is not public and only the account owner can view it.
Your browser may keep a local copy of recent data in IndexedDB (Firestore's offline cache) so the site works during brief connectivity drops. This is local to your device and is cleared when you clear site data in your browser.

5. Third-party services used by this site

The site uses a small number of third-party services. When you load a page, your browser may contact them and they may see your IP address and basic request metadata. Their privacy policies apply to that interaction.

Google Firebase / Firestore — database and security backend. Privacy
Google reCAPTCHA v3 — invisible bot protection (via Firebase App Check). It runs a risk score in the background using browser signals. Privacy · Terms
Google Fonts — serves the Inter and Rajdhani typefaces. Privacy
unpkg.com and jsDelivr — public CDNs that serve icon and viewer libraries.
Whish Money — handles your payment. We do not see your Whish credentials, only the reference number you give us. whish.money
Netlify — hosts the website and runs the nightly backup job. Privacy
GitHub — stores the encrypted-in-transit private backup gist. Privacy

6. Cookies and local storage

This site does not set any first-party tracking cookies. Two technical mechanisms do touch your browser:

IndexedDB — Firestore stores a small offline cache so the site keeps working briefly without connectivity.
Third-party cookies — Google reCAPTCHA may set its own cookies in your browser to score traffic. We do not control or read them.

You can clear both at any time using your browser's "Clear site data" or "Cookies and other site data" controls.

7. How we protect your data

The site enforces several technical measures, audited against the security checklist for this project:

All traffic to the site and to Firestore runs over HTTPS (TLS).
Firebase App Check with reCAPTCHA v3 blocks scripted bots from posting fake bookings.
Firestore security rules validate every booking submission — required fields, value types, maximum lengths, and numeric ranges — to prevent abuse and oversized payloads.
Booking data is readable only by authenticated staff. The public form can create, never read.
All rendered booking values are HTML-escaped before display (XSS defence).
Application logs are structured JSON and do not include personal information beyond a short anonymous session ID.

8. How long we keep your data

Bookings are retained for our operational records and to honour cancellation, rescheduling, and accounting needs. If you would like a copy of your booking record removed, contact us using the details below and we will delete it from Firestore within a reasonable period (subject to any legal record-keeping obligations).

Nightly backups are kept as revisions of a single private gist, which retains a rolling history typical of GitHub gists.

9. Your rights

Regardless of where you live, you may contact us to:

Ask what booking information we hold about you.
Correct an inaccurate booking record.
Request deletion of a booking record we no longer need.
Object to processing or withdraw consent.

Send the request from the phone number used to make the booking (so we can verify it) and we will respond.

10. Children

Paintball is a contact sport. Minors must be supervised by a parent or guardian who completes the booking on their behalf. We do not knowingly collect data directly from children under 13.

11. Changes to this policy

If we materially change this policy we will update the "Last updated" date at the top. Significant changes will be highlighted on the homepage.

12. Contact

Questions, corrections, or deletion requests:

Phone: +961 81 436 255 · +961 71 615 457
WhatsApp: +961 81 436 255 · +961 71 615 457
Location: Lebanon — Google Maps