Privacy Policy

1. Who we are

leagues.sh is a youth sports management platform operated by leagues.sh, Inc. ("we", "our", or "us"). Our platform allows sports organizations to manage programs, registrations, teams, and family member accounts.

If you have questions about this policy or your personal data, contact our privacy team at [email protected].

2. Data we collect

We collect the following categories of personal data:

• Identity data: first name, last name, display name, date of birth, gender.
• Contact data: email address, phone number, mailing address.
• Account data: username, password (hashed), account creation date, role.
• Family data: parent/guardian relationships, player profiles for family members you add to your account.
• Program & registration data: program enrollments, registration status, team assignments, schedule participation.
• Payment data: invoice amounts, payment status. We do not store card numbers; payment card data is processed by our payment provider (Stripe) and subject to their privacy policy.
• Communications: messages sent through in-app broadcast and chat features.
• Device & usage data: IP address, device type, operating system, app version, and usage logs for security and support purposes.
• Notification preferences: your choices for email, SMS, push, and in-app notifications.

3. Purposes and lawful basis (GDPR Art. 6)

We process your personal data for the following purposes:

4. Children's data (COPPA)

leagues.sh is a youth sports platform. Accounts for players under 13 years old ("children") may be created only by a verified parent or legal guardian. By adding a child profile to your account you confirm that you are the parent or legal guardian of that child and consent to the collection and use of their data as described in this policy.

We collect only the minimum data necessary to provide sports program services for children: name, date of birth, gender (where required by the sport), and program participation records. We do not use children's data for marketing, sell it to third parties, or retain it beyond the periods described in Section 6.

Parents and guardians may request deletion of their child's data at any time by contacting [email protected]. We will complete verified deletion requests within 30 days.

5. How we share data

We share personal data only in the following circumstances:

• Sports organizations using our platform: your registration data, program participation, and contact information are shared with the organization that operates the program you register for.
• Service providers (sub-processors): we use a limited set of vetted third-party services to operate the platform, including payment processing (Stripe), transactional email (Postmark), push notifications (Expo/APNs/FCM), and infrastructure (AWS). A current list of sub-processors is maintained at leagues.sh/privacy/sub-processors.
• Legal requirements: we may disclose data when required by law, court order, or to protect the safety of our users or the public.

We do not sell personal data. We do not use personal data for advertising targeting.

6. Data retention

We retain personal data for as long as necessary to provide our services and comply with legal obligations. Key retention windows:

• Active account data: retained while your account is active.
• Payment and financial records: 7 years after the last transaction (tax and accounting obligations).
• Registration records: 3 years after program end.
• Communications and messages: 2 years.
• Security and audit logs: 2 years.
• Children's data (under 13): deleted within 90 days of account closure or parental deletion request, unless a financial record retention obligation applies.

When retention periods expire, data is automatically purged from our systems. Backups are purged on a rolling 30-day schedule.

7. Your rights

Depending on your location, you may have the following rights:

• Access (Art. 15 GDPR): request a copy of the personal data we hold about you.
• Rectification (Art. 16 GDPR): correct inaccurate data. You can update most data directly in your account profile.
• Erasure (Art. 17 GDPR / "right to be forgotten"): request deletion of your personal data, subject to retention obligations (e.g. financial records).
• Portability (Art. 20 GDPR): receive your personal data in a machine-readable format.
• Restriction (Art. 18 GDPR): request that we restrict processing of your data in certain circumstances.
• Objection (Art. 21 GDPR): object to processing based on legitimate interest.
• Withdraw consent: where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
• California residents (CCPA): you have the right to know, delete, and opt out of sale of personal information. We do not sell personal information.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may ask you to verify your identity before processing your request.

8. Security

We implement technical and organizational measures to protect your personal data, including encrypted connections (TLS), hashed passwords, role-based access controls, append-only audit logs, and structured logging with automatic secret redaction. No system is perfectly secure; if you believe your account has been compromised, contact us immediately at [email protected].

9. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or in-app notification at least 14 days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

10. Contact us

For privacy questions, data subject requests, or to report a security concern:

• Email: [email protected]
• Security: [email protected]