DRAFT: This policy is pending legal review. Content is subject to change before publication.
Privacy Policy
Version: 2.0•Last Updated:
This policy applies to users 18 years and older. For users under 18, please see our Child-Friendly Privacy Policy.
1. Introduction and Scope
Scorecrypt ("we," "our," or "us") is committed to protecting your privacy and the privacy of the minor athletes whose information may be processed through our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our wrestling team management and tournament scoring platform.
Effective Date: [TBD - To be set upon legal approval]
This policy applies to coaches, administrators, parents/guardians, and other adult users (18+) of Scorecrypt. If you are a minor under 18 years of age, please review our Child-Friendly Privacy Policy which explains our practices in simpler terms. Parents and guardians of children under 13 should also review our COPPA Direct Notice to Parents.
2. Information We Collect
2.1 Account Information
- Name, email address, and password
- Organization or team affiliation
- Role within the platform (coach, administrator, parent, athlete)
- Phone number (optional, for account recovery)
2.2 Athlete Information
- Athlete name, date of birth, and age
- Weight class and competition records
- Team roster information
- Parent/guardian contact information
- State of residence (for jurisdictional compliance)
2.3 Messaging Data
- Message content sent through platform communication features
- Sender and recipient information
- Message timestamps and delivery status
- Safety flag status and moderation outcomes
2.4 Technical Information
- IP address and approximate location
- Device type, browser, and operating system
- Usage patterns and feature interactions
- Session and authentication data
2.5 SafeSport Compliance Data
- Background check completion status (coaches and administrators)
- SafeSport training certification records
- Incident reports and investigation records
- Mandatory reporter submission logs
3. AI Content Moderation Disclosure
Important Notice:
All messages sent through the Scorecrypt platform are automatically analyzed by artificial intelligence-powered safety detection systems to identify potential child safety concerns, including grooming behaviors, inappropriate content, and policy violations. This monitoring occurs in real-time as messages are sent.
Flagged content may be reviewed by trained SafeSport-certified staff members. This automated monitoring is required for compliance with child protection laws, SafeSport requirements, and platform safety policies. By using our messaging features, you consent to this automated analysis.
4. How We Use Your Information
We use collected information for the following purposes:
4.1 Service Delivery
- Providing team management and tournament scoring features
- Facilitating communication between authorized users
- Processing payments and managing subscriptions
- Sending service-related notifications and updates
4.2 Safety Monitoring
- Analyzing messages for potential safety concerns
- Investigating reported incidents
- Enforcing platform policies and terms of service
- Complying with mandatory reporting obligations
4.3 Legal Compliance
- Meeting COPPA requirements for children under 13
- Responding to law enforcement requests
- Fulfilling SafeSport reporting obligations
- Complying with state-specific privacy laws
5. Parent Visibility Requirements
To comply with child protection requirements and SafeSport guidelines, the following transparency measures are in place for communications involving minor athletes:
- Automatic Parent Inclusion: Parents or guardians are automatically included as recipients on all electronic communications between coaches/staff and their minor children.
- Message Archive Access: Parents may request access to their child's complete message history at any time.
- No Private Adult-Minor Messaging: One-on-one messaging between adults and minors without parent visibility is prohibited by platform design.
- Real-time Notifications: Parents receive notifications when their child receives or sends messages through the platform.
6. Third-Party Data Sharing
We share your information with the following categories of third parties:
| Third Party | Purpose | Data Shared |
|---|---|---|
| Supabase (Database) | Data storage and authentication | All user and application data |
| Resend (Email) | Transactional email delivery | Email addresses, notification content |
| Stripe (Payments) | Payment processing | Billing information, transaction data |
| OpenAI (Content Moderation) | AI-powered safety analysis | Message content for safety classification |
| Law Enforcement | Legal compliance and safety | As required by law or mandatory reporting |
7. Data Retention Periods
We retain different types of data for varying periods based on legal requirements, safety considerations, and operational needs:
| Data Type | Retention Period | Rationale |
|---|---|---|
| Standard messages (no flags) | 7 years from send date | SafeSport baseline requirement |
| Flagged/incident messages | 16 years from review date | Statute of limitations considerations |
| Mandatory report records | Indefinite | Legal compliance proof |
| COPPA consent records | Until child reaches age 21 | FTC guidance (18 + 3 years) |
| Audit logs | 16 years | Statute of limitations considerations |
| User profiles (no incidents) | Account life + 3 years | Privacy compliance |
8. Your Rights
You have the following rights regarding your personal information:
- Right to Access: Request a copy of the personal information we hold about you.
- Right to Correction: Request correction of inaccurate or incomplete information.
- Right to Deletion: Request deletion of your personal information, subject to legal retention requirements.
- Right to Data Portability: Request your data in a structured, commonly used format.
- Right to Withdraw Consent: Withdraw consent for optional data processing at any time.
- Right to Object: Object to certain types of data processing.
Note: Certain data related to safety incidents, mandatory reports, or legal compliance may not be subject to deletion requests.
9. Data Export Procedures
To request an export of your personal data:
- Log into your Scorecrypt account
- Navigate to Settings > Privacy > Data Export
- Select the data categories you wish to export
- Submit your request
Format: Data is provided in CSV and JSON formats.
Timeline: Export requests are processed within 30 days.
Verification: Identity verification may be required for data export requests.
10. Security Measures
We implement industry-standard security measures to protect your information:
- Encryption: AES-256 encryption for data at rest; TLS 1.3 for data in transit
- Access Controls: Role-based access control (RBAC) limiting data access to authorized personnel
- Authentication: Multi-factor authentication (MFA) available for all accounts
- Monitoring: Continuous security monitoring and audit logging
- Compliance: SOC 2 Type II compliant infrastructure [TBD - certification pending]
11. State-Specific Privacy Rights
California Residents (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know what personal information is collected and how it is used
- Right to delete personal information
- Right to opt-out of the sale or sharing of personal information
- Right to non-discrimination for exercising privacy rights
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information
Note: We do not sell personal information. We do not use personal information for cross-context behavioral advertising.
Other State Privacy Laws
Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws may have similar rights. Please contact us to exercise your state-specific privacy rights.
12. Contact Information
For questions about this Privacy Policy or to exercise your privacy rights, please contact us:
- Email: privacy@scorecrypt.com
- Subject Line: "Privacy Request"
- Response Time: Within 30 days of receipt
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
Notification: We will notify you of material changes by:
- Email notification to account holders
- Prominent notice on our website
- In-app notification for significant changes
Effective Date: Changes become effective 30 days after notification unless otherwise specified.
Continued Use: Your continued use of Scorecrypt after changes become effective constitutes acceptance of the updated policy.