Privacy Policy
Version: 3.1 · Last updated:
This policy applies to users 18 years and older. For users under 18, please see our Child-Friendly Privacy Policy.
1. Introduction and Scope
Scorecrypt ("we," "our," or "us") is committed to protecting your privacy and the privacy of the minor athletes whose information may be processed through our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our wrestling team management and tournament scoring platform.
Effective Date:
This policy applies to coaches, administrators, parents/guardians, and other adult users (18+) of Scorecrypt. If you are a minor under 18 years of age, please review our Child-Friendly Privacy Policy, which explains our practices in simpler terms. Parents and guardians of children under 13 should also review our COPPA Direct Notice to Parents.
2. Information We Collect
2.1 Account Information
- Name, email address, and password
- Organization or team affiliation
- Role within the platform (coach, administrator, parent, athlete)
- Phone number (optional, for account recovery)
2.2 Athlete Information
- Athlete name, date of birth, and age
- Weight class and competition records
- Team roster information
- Parent/guardian contact information
- State of residence (for jurisdictional compliance)
2.3 Messaging Data
- Message content sent through platform communication features
- Sender and recipient information
- Message timestamps and delivery status
- Safety flag status and moderation outcomes
2.4 Technical Information
- IP address and approximate location
- Device type, browser, and operating system
- Usage patterns and feature interactions
- Session and authentication data
2.5 SafeSport Compliance Data
- Background check completion status (coaches and administrators)
- SafeSport training certification records
- Incident reports and investigation records
- Mandatory reporter submission logs
3. AI Content Moderation Disclosure
3.1 What automated safety monitoring does
Important Notice:
All messages sent through the Scorecrypt platform are automatically analyzed by artificial intelligence-powered safety detection systems to identify potential child safety concerns, including grooming behaviors, inappropriate content, and policy violations. This monitoring occurs in real time as messages are sent.
Flagged content may be reviewed by trained SafeSport-certified staff members. This automated monitoring is required for compliance with child protection laws, SafeSport requirements, and platform safety policies. By using our messaging features, you consent to this automated analysis.
3.2 What we do not do with Customer Content
Scorecrypt does not use Customer Content to train, fine-tune, or improve generative AI models for the benefit of any third party or for any purpose unrelated to operating the Service. Specifically:
- We do not sell, rent, or share Customer Content with any third-party AI provider for that provider's model training.
- We do not use Customer Content involving minors for AI model training of any kind.
- Where we use third-party AI providers as part of the Service (for example, classification or moderation models), our agreements with those providers prohibit them from using Customer Content for their own model training, and require deletion of Customer Content from their systems on our instruction.
We may use aggregated, de-identified data derived from the Service to operate, secure, and improve the Service. Aggregated data does not identify any individual user, athlete, parent, coach, or Organization and is not Customer Content. This commitment mirrors Section 7 of our Terms of Service.
4. How We Use Your Information
We use collected information for the following purposes:
4.1 Service Delivery
- Providing team management and tournament scoring features
- Facilitating communication between authorized users
- Processing payments and managing subscriptions
- Sending service-related notifications and updates
4.2 Safety Monitoring
- Analyzing messages for potential safety concerns
- Investigating reported incidents
- Enforcing platform policies and terms of service
- Complying with mandatory reporting obligations
4.3 Legal Compliance
- Meeting COPPA requirements for children under 13
- Responding to law enforcement requests
- Fulfilling SafeSport reporting obligations
- Complying with state-specific privacy laws
5. Parent Visibility Requirements
To comply with child protection requirements and SafeSport guidelines, the following transparency measures are in place for communications involving minor athletes:
- Automatic Parent Inclusion: Parents or guardians are automatically included as recipients on all electronic communications between coaches/staff and their minor children.
- Message Archive Access: Parents may request access to their child's complete message history at any time.
- No Private Adult-Minor Messaging: One-on-one messaging between adults and minors without parent visibility is prohibited by platform design.
- Real-time Notifications: Parents receive notifications when their child receives or sends messages through the platform.
6. Third-Party Data Sharing
We share your information with the following categories of third parties:
| Third Party | Purpose | Data Shared |
|---|---|---|
| Supabase (Database) | Data storage and authentication | All user and application data |
| Resend (Email) | Transactional email delivery | Email addresses, notification content |
| Stripe (Payments) | Payment processing | Billing information, transaction data |
| Twilio (SMS) | Verifiable parental consent SMS (COPPA Text Plus); transactional SMS only | Parent phone numbers; one-time consent codes |
| Vercel (Hosting) | Web application hosting and edge delivery | HTTP request metadata; no application data persisted by Vercel |
| Sentry (Error Monitoring) | Operational error and performance monitoring | Error stack traces and request context (PII-scrubbed before send) |
| Statsig (Feature Flags) | Feature gates and (consent-gated, never for minors) usage analytics | Anonymous user identifiers; never propagated to advertising networks |
| AI moderation provider (currently OpenAI) | Content classification for SafeSport safety analysis | Message text only. Bound by contract to delete on our instruction and not to use Customer Content for their own model training (see Section 3.2 above). |
| Google Analytics | Aggregate usage analytics. Loads only after explicit consent and never for accounts in our minor age tiers. | Anonymized page-view and event data; no first-party identifiers |
| Law Enforcement | Legal compliance and safety | As required by law or mandatory reporting |
7. Data Retention Periods
Retention periods are programmatically enforced and published in full on our Data Retention Schedule. Summary categories include:
- Standard operational data: deleted on a routine schedule after account deactivation (90 days for athlete identifiers, 1 year for date of birth, per the canonical schedule).
- Adult-to-minor messages and attachments: 7 years (Federal SafeSport Act minimum). Flagged or incident-related content: 16 years from review (statute of limitations).
- Mandatory report records: 10 years (state mandatory-reporter statute floor).
- COPPA consent records: 10 years from collection (FTC §312.10 record-keeping rule).
- Audit logs: 7 years, pseudonymized after personal-identifier removal.
- Trial-account data: preserved 30 days after trial expiration to allow paid conversion, then deleted (except records subject to the windows above).
Categories with mandatory legal retention periods are retained even after subscription termination, account closure, or deletion request, except where deletion is required by law. The Data Retention Schedule is the canonical source for the exact rows our systems enforce today.
8. Your Rights
You have the following rights regarding your personal information:
- Right to Access: Request a copy of the personal information we hold about you.
- Right to Correction: Request correction of inaccurate or incomplete information.
- Right to Deletion: Request deletion of your personal information, subject to legal retention requirements.
- Right to Data Portability: Request your data in a structured, commonly used format.
- Right to Withdraw Consent: Withdraw consent for optional data processing at any time.
- Right to Object: Object to certain types of data processing.
Note: Certain data related to safety incidents, mandatory reports, or legal compliance may not be subject to deletion requests.
9. Data Export Procedures
To request an export of your personal data:
- Log into your Scorecrypt account
- Navigate to Settings > Privacy > Data Export
- Select the data categories you wish to export
- Submit your request
Format: Data is provided in CSV and JSON formats.
Timeline: Export requests are processed within 30 days.
Verification: Identity verification may be required for data export requests.
10. Security Measures
We implement industry-standard security measures to protect your information:
- Encryption: AES-256 encryption for data at rest; TLS 1.3 for data in transit
- Access Controls: Role-based access control (RBAC) limiting data access to authorized personnel
- Authentication: Multi-factor authentication (MFA) available for all accounts
- Monitoring: Continuous security monitoring and audit logging
- Compliance posture: Hosted on SOC 2 Type II-certified infrastructure providers (Vercel and Supabase). Scorecrypt has not itself completed SOC 2 certification.
11. State-Specific Privacy Rights
California Residents (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know what personal information is collected and how it is used
- Right to delete personal information
- Right to opt-out of the sale or sharing of personal information
- Right to non-discrimination for exercising privacy rights
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information
Note: We do not sell personal information. We do not use personal information for cross-context behavioral advertising.
Other State Privacy Laws
Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws may have similar rights. Please contact us to exercise your state-specific privacy rights.
12. School and District Customers
If a school, school district, or other education agency uses Scorecrypt, the following additional protections apply to student data:
- FERPA. Where the Service processes "education records" within the meaning of the Family Educational Rights and Privacy Act, Scorecrypt acts as a "school official" with a "legitimate educational interest" performing institutional services that would otherwise be performed by school employees. Scorecrypt is under the direct control of the school with respect to the use and maintenance of education records.
- Illinois SOPPA. For Illinois public schools (105 ILCS 85), Scorecrypt operates as the school's vendor and does not sell, rent, or trade student data, does not use student data for targeted advertising, and does not build non-educational student profiles.
- Other state student privacy laws. Scorecrypt complies with applicable state student privacy laws for school customers, including California SOPIPA-style requirements where applicable.
- Data Processing Addendum. A Scorecrypt Data Processing Addendum is available on request from a school, district, or other education-agency customer. When signed, the DPA supplements these terms and, in the event of conflict with this Privacy Policy regarding the processing of student personal information, the signed DPA controls.
For the full set of school-customer commitments, see Section 11 of our Terms of Service.
13. Contact Information
For questions about this Privacy Policy or to exercise your privacy rights, please contact us:
- Email: privacy@scorecrypt.com
- Subject Line: "Privacy Request"
- Response Time: Within 30 days of receipt
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
Notification: We will notify you of material changes by:
- Email notification to account holders
- Prominent notice on our website
- In-app notification for significant changes
Effective Date: Changes become effective 30 days after notification unless otherwise specified.
Continued Use: Your continued use of Scorecrypt after changes become effective constitutes acceptance of the updated policy.