Legal

Privacy Policy

Effective Date: April 16, 2026 · Last Updated: April 16, 2026

This policy is currently a founding draft under attorney review. If you have a privacy question, email us at privacy@rundownsports.app.

1. Who We Are

Rundown is operated by Rundown Sports Inc. ("Rundown," "we," "us," "our"), a British Columbia corporation with its registered office in Vancouver, British Columbia, Canada. Our website is rundownsports.app. You can reach us at privacy@rundownsports.app.

Our Privacy Officer (as required by PIPEDA and BC PIPA) is Ben Meachen, reachable at privacy@rundownsports.app.

2. Scope of This Policy

This policy explains what information we collect, how we use it, who we share it with, and your rights. It applies to coaches who create accounts, players who use the app under a coach's roster, and parents whose children use the app. If you are a parent of a player under 13, please also read our Parents Corner.

This policy is intended to comply with:

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
British Columbia's Personal Information Protection Act (BC PIPA)
The U.S. Children's Online Privacy Protection Act (COPPA)
The California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
Where applicable, the EU/UK GDPR

3. What We Collect from Coaches

Full name
Email address
Password (stored as a one-way cryptographic hash — we never see your plaintext password)
Payment information, processed and stored by Stripe; we receive only the last 4 digits and card expiry for display
Team name and roster structure you create
Device and session information (browser type, IP address, timestamps) for security and fraud prevention
Usage analytics (which screens you visit, which features you use) if you consent to analytics

4. What We Collect from Players

For every player on a roster — regardless of age — we collect:

First name only (no last name)
Age bracket (under 13, 13–17, 18+) as entered by the coach
Gameplay answers and scores, stored against an internal server-side identifier (UUID)

We do not collect from players:

Last name, home address, email address, or phone number
Date of birth (we use the age bracket entered by the coach, not a specific DOB)
Photos, videos, or voice recordings
Precise geolocation
Biometric data
Persistent device identifiers, advertising IDs, or cross-site tracking cookies
Any behavioural or interest data for advertising purposes

5. What We Collect from Parents (When Applicable)

When a coach adds a player under 13, we contact the parent (using the email address supplied by the coach) and collect:

Parent email address
Parent's consent decision and timestamp
Any preferences the parent sets (e.g., delete data, opt out)

6. How We Use Information

To operate and secure the service
To process coach subscription payments
To notify parents when their child is added to a roster, and honour any choices they make
To send coaches transactional messages (receipts, password resets, service announcements)
To send commercial electronic messages under CASL only where we have express consent or a valid implied-consent basis
To comply with legal obligations (CRA tax records, dispute resolution, court orders, breach notification under PIPEDA and COPPA)
To improve the product using aggregate, de-identified usage data

We do not use player information for advertising, profiling, or sale.

7. Service Providers (Sub-Processors)

We use the following vendors. Each has its own privacy practices and a Data Processing Agreement with us where applicable. Most of our sub-processors are located in the United States. Personal information may be transferred to, processed, and stored in the United States.

Vendor	Location	Purpose	Data Shared
Supabase	United States (N. California)	Database and authentication	Coach account data, roster data, player first names and scores
Stripe	United States + Canada	Payment processing	Coach billing details
Netlify	United States	Website hosting	Public marketing site traffic
Resend	United States	Transactional and commercial email	Coach email, parent email
PostHog	United States / EU	Product analytics (coach-facing only)	Coach usage events (consent required)

We take reasonable safeguards (PIPEDA Principle 4.7) to protect personal information, including signed DPAs, encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, and vendor security reviews. We do not share player data with any third party for advertising. We do not sell player data.

8. Your Rights Under PIPEDA and BC PIPA (Canadian Residents)

Access the personal information we hold about you.
Correct inaccurate personal information.
Withdraw consent for collection, use, or disclosure, subject to legal or contractual restrictions.
Complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the BC OIPC (oipc.bc.ca) if you believe we have mishandled your information.

To exercise these rights, email privacy@rundownsports.app. We will verify your identity and respond within 30 days.

9. Parental Rights Under COPPA (US Residents)

If you are a parent of a child under 13 who uses our service, you have the right to:

Review the personal information we have collected from your child
Direct us to delete the information
Refuse further collection or use of the information

We do not disclose player information to third parties for marketing purposes regardless. Email privacy@rundownsports.app from the email address on file to exercise these rights.

10. California Residents (CCPA / CPRA)

California residents have the right to know what personal information we collect, request deletion, correct inaccurate information, and opt out of cross-context behavioural advertising (not applicable — we don't do this). Non-discrimination for exercising rights.

11. EU / UK Residents (GDPR / UK GDPR)

We do not target EU or UK residents. If you use the service while located there: our lawful bases are contract (for coaches), parental consent (for children under 16, Member-State-specific), and legitimate interest (for security). You have rights of access, rectification, erasure, restriction, portability, and objection.

12. Data Retention

Coach accounts: retained while your subscription is active plus 90 days after cancellation, then deleted.
Payment records: retained as required by tax law (6 years CRA / 7 years IRS — longer of the two).
Player records: retained for 12 months from last activity, then auto-deleted.
Parent contact records: retained only while the associated player is active, plus 90 days.
Security logs: retained for 12 months.
CASL consent records: retained for 3 years after last activity.

13. Security

TLS 1.2+ in transit, AES-256 at rest, role-based access controls, least-privilege service accounts. We maintain a breach response plan and will notify affected individuals and the Office of the Privacy Commissioner of Canada as soon as feasible where a breach creates a "real risk of significant harm" (PIPEDA standard).

14. Children Under 13

Rundown knowingly collects limited personal information from children under 13, and only with verifiable parental consent. See our Parents Corner for the full policy for this age group.

15. Cross-Border Transfers

The service is operated from Canada. Most of our technical service providers are located in the United States. By using the service, you acknowledge that your information may be transferred to, processed in, and stored in the United States and other countries, where data-protection laws may differ from those in your country of residence. We take contractual and technical safeguards to protect your information regardless of where it is processed.

16. Changes to This Policy

We will post material changes on this page, update the "Last Updated" date, and notify account holders by email. For children under 13, we will obtain new parental consent before applying any material change that expands collection or use.

17. How to Contact Us

Privacy Officer: Ben Meachen — privacy@rundownsports.app
General: support@rundownsports.app
Legal: legal@rundownsports.app
Mail: Rundown Sports Inc., Vancouver, British Columbia, Canada