If you're an EU player and your tennis video ends up on a US server, GDPR doesn't disappear — it follows the data. The question is whether the company you uploaded to has a lawful transfer mechanism, what their retention is, and how easy it is to exercise your rights. AceSense's answer to that question is structural: the entire infrastructure is pinned to europe-west1 (Google Cloud's St. Ghislain, Belgium region). Your tennis video doesn't leave the EU during analysis. Your Firestore session record sits in europe-west1. The cloud functions that orchestrate the pipeline run there. This post explains why we made that decision, what it actually means under GDPR, and how it changes the legal math for an EU player choosing between tennis-AI tools.

TL;DR

A tennis video that identifies you = personal data under GDPR.
AceSense's Firestore, Storage, and Cloud Functions are all pinned to europe-west1.
That avoids the EU-to-US transfer question entirely.
GDPR Articles 6 (lawful basis), 13 (transparency), 17 (erasure) all apply and are honored in-app.
Other tennis-AI apps may or may not host in the EU. Check before uploading.

Step 1: your tennis video is personal data

GDPR Article 4(1) defines personal data as "any information relating to an identified or identifiable natural person." A video of you on a court — your face, your gait, your distinctive backhand — clearly fits. The European Data Protection Board has been explicit about video footage being in-scope.

That triggers a stack of obligations on whoever is processing the video:

Article 5 — data must be processed lawfully, transparently, minimally.
Article 6 — there must be a lawful basis (consent, contract, legitimate interest, etc.).
Article 13 — you must be told at the time of collection what's being collected and why.
Article 17 — you have the right to ask for your data to be erased.
Article 32 — security of processing.
Articles 44–49 — restrictions on transferring data outside the EU.

Most amateur players don't read GDPR for fun, so the practical takeaway is: a tennis-analysis app is doing personal-data processing the moment you upload, and the company has obligations whether or not they advertise them.

Step 2: where the data physically sits matters

GDPR doesn't ban EU-to-US data transfer. It requires a lawful mechanism: Standard Contractual Clauses, an adequacy decision, or an explicit derogation. Since the Schrems II ruling in 2020, that mechanism has been complicated for US transfers — the EU-US Data Privacy Framework (the latest iteration) is functional but legally contested.

The simplest way to side-step the entire transfer question is to not transfer. If the data stays in EU data centers, processed by an EU-incorporated entity (or a non-EU entity with EU sub-processors operating under SCCs that exclusively process in-region), the transfer chapter of GDPR doesn't have to come up.

That's the architectural call AceSense made. All three persistence layers are EU-resident:

Firestore database — region pinned to europe-west1.
Firebase Storage (where video uploads land) — bucket pinned to europe-west1.
Cloud Functions — deployed to europe-west1.

The GPU analysis (RunPod) is configured to dispatch to EU regions for EU-uploaded jobs. This isn't theoretical — it's visible in the project's architecture documentation, and the region is configured in code.

Step 3: the lawful basis question

When you upload a video to AceSense, what's the legal grounding?

Article 6(1)(b) — performance of a contract. You're using the service; processing the video is necessary to deliver the analysis you asked for. This covers the core upload-to-report pipeline.
Article 6(1)(a) — consent. Anything beyond the core pipeline (e.g., contributing anonymized data to model improvement) is opt-in.
No legitimate-interest dragnet. We don't fall back on Article 6(1)(f) "legitimate interest" for the model-training case — it's the wrong basis for that workload, and DPAs have been clear about it.

This is the lawful-basis architecture you'd hope for. It's not unique to AceSense, but it's not universal either.

Step 4: who else is in the room?

GDPR cares about all the parties touching your data. AceSense's sub-processor chain:

Google Cloud / Firebase — the underlying platform. Google has a published EU Data Processing Addendum.
RunPod — the GPU compute provider for the analysis pipeline. Job dispatch is region-aware.
Sentry / analytics (if used) — kept minimal and EU-pinned where possible.

Compare that to a tennis-AI app that hosts in the US, uses US analytics, and dispatches GPU work in US regions. None of that is illegal — but it requires more legal work, more user-facing disclosure, and more ways for things to go wrong.

Step 5: your rights, in practice

The rights GDPR grants are only worth what the app's UX makes accessible. Practical answers for AceSense:

Access (Article 15). Email us; we send your data export. Working on a self-serve version.
Erasure (Article 17). Delete from the app — propagates to storage and Firestore. Backup snapshots are flushed within the platform's standard retention window.
Portability (Article 20). Export your sessions as JSON + the original videos.
Objection (Article 21). Opt out of any analytics or model-training participation in app settings.

These rights apply whether you're inside or outside the EU. EU residents just have a more direct enforcement path through their local DPA.

Step 6: what this means for non-EU users

If you're in the UK, the equivalent regime is UK GDPR + the Data Protection Act 2018, broadly aligned. EU-to-UK and UK-to-EU transfers operate under adequacy decisions.

If you're in Switzerland, the FADP applies — also broadly aligned with GDPR.

If you're in the US or Canada, GDPR doesn't cover you directly, but EU hosting still means your video is sitting in a regulatory regime with stronger baseline protections than US state-level laws. Some users prefer that, some don't care. We've heard both.

If you're in Brazil, LGPD is similar to GDPR; data hosted in EU regions is treated as a "trusted" jurisdiction for many purposes.

Why I built it this way

I'm based in Europe. The amateur tennis players I built this for are mostly European clubs and amateur leagues. Hosting an analysis pipeline for those users in Belgium isn't a marketing move — it's the path of least surprise. EU data, EU compute, EU regulators, EU audit trail.

That said, I want to be honest about what isn't automatic:

Sub-processor changes. Cloud providers occasionally shuffle which regions provide certain services. We monitor and disclose changes to the privacy page.
Lawful access requests. EU governments can compel disclosure under EU national-security laws, just as US ones can under FISA. EU hosting reduces the surface area but doesn't eliminate it.
GDPR doesn't automatically mean "safe." Plenty of GDPR-non-compliant companies operate in the EU and plenty of GDPR-compliant ones operate from outside. Hosting region is one signal, not the whole story.

How to verify any tennis-AI app's hosting region

Three steps any user can take:

Read the privacy policy. Search for "data center," "region," "data transfer." If they don't say, that's a signal.
Read the DPO / contact section. EU-targeting apps must have an EU representative under Article 27 if they're not EU-incorporated.
Run a network trace if you're feeling thorough. The IP your upload hits resolves to a specific region; tools like dig, traceroute, or the developer console in your browser surface it. Most users won't do this — but you can.

For AceSense, the answer is europe-west1. For other tools, ask.

EU privacy + your tennis video: how data hosted in europe-west1 changes the math