Privacy Policy
Privacy Policy
Effective Date: April 1, 2026 Last Updated: April 1, 2026
The Short Version
We collect only what we need to run a sailing event platform. We never sell your data. Race results are public (that's how racing works). You can export or delete your data anytime. We use trusted US-based infrastructure. Admin staff cannot remotely access your account unless you explicitly opt in. That's it.
1. Who We Are
SailScore ("we," "us," "our") operates a web-based platform for yacht racing event management, regatta scoring, sailor profiles, boat management, and class association portals. When this policy says "Service," it means our website, applications, and all related features.
Data Controller: SailScore is the data controller for all personal data processed through our platform. For data protection inquiries, contact us at privacy@sailscore.com.
2. Information We Collect
2.1 Information You Give Us
| Category | Examples | Why We Need It |
|---|---|---|
| Account basics | Name, email, phone, mailing address | Create and secure your account |
| Sailing profile | Sail number, boat name, class, club, US Sailing / World Sailing ID, PHRF rating, crew info | Run events and calculate scores |
| Event data | Registrations, results, declarations, crew weight | Administer races per Racing Rules of Sailing |
| Payment info | Billing address, payment method | Process entry fees (card data stays with Stripe — we never see or store it) |
| Emergency contacts | Name, phone, relationship | Keep you safe on the water — shared with race committees only |
| Your content | Boat photos, profile info, comments | Display on the platform as you intend |
2.2 Information We Collect Automatically
| Category | Examples | Why |
|---|---|---|
| Device & browser | IP address, browser type, OS, screen size | Security, debugging, and compatibility |
| Usage patterns | Pages visited, features used, session duration | Improve the product |
| Approximate location | Derived from IP address | Localize content and comply with regional laws |
We do not collect precise GPS location, and we do not use advertising trackers or behavioral profiling.
2.3 Information from Third Parties
- Yacht clubs & race committees — race results, ratings, and membership data they submit.
- Authentication providers — if you sign in with Google or Apple, we receive your name and email from that service.
- Rating authorities — PHRF certificates, IRC/ORC data used for scoring.
- Public sailing data — we aggregate publicly available race results from third-party platforms to build comprehensive racing histories. If any data about you is inaccurate, contact us and we'll correct or remove it.
3. How We Use Your Information
| What we do | Legal basis (GDPR) | Can you opt out? |
|---|---|---|
| Run the Service — accounts, scoring, registrations, payments | Contract performance | No (required to use the Service) |
| Publish race results and standings | Legitimate interest | No (inherent to competitive racing) |
| Share emergency contacts with event organizers | Vital interests | No (safety requirement) |
| Send transactional emails (confirmations, security alerts) | Contract performance | No (required for your account) |
| Improve the platform via aggregated analytics | Legitimate interest | Yes — contact us to object |
| Send marketing emails about events or features | Your consent | Yes — unsubscribe anytime |
| Detect fraud and prevent abuse | Legitimate interest | No (security requirement) |
| Comply with legal obligations | Legal obligation | No (required by law) |
4. How We Share Your Information
4.1 Public Race Data
Race results — your name, sail number, boat name, class, and finishing positions — are published on the Service and shared with governing bodies (US Sailing, World Sailing, etc.). This is how competitive sailing works worldwide, and you acknowledge this when you register for a scored event.
4.2 Event Organizers
When you register for an event, the organizing yacht club or race committee receives your registration details, sailing profile, and emergency contacts as needed to run the event safely.
4.3 Our Infrastructure Partners
We share data with trusted service providers only as needed to operate the platform:
| Provider | What they do | Data they process | Location |
|---|---|---|---|
| Supabase | Database, auth, file storage | All stored records | US |
| Railway | App hosting (frontend + backend) | Data in transit | US |
| Stripe | Payment processing | Payment details | US |
| Twilio / SendGrid | Phone verification + email delivery | Phone number, email, message content | US |
| OAuth sign-in, Translate widget | Email, name (OAuth); page content (Translate) | US / Global | |
| Sentry | Error monitoring | Error context, IP address | US |
Each provider is contractually bound to use your data only to perform services for us and to maintain appropriate security.
4.4 When the Law Requires It
We may disclose your information when required by law, regulation, subpoena, court order, or governmental request, or when we believe in good faith that disclosure is necessary to protect rights, safety, or investigate fraud.
4.5 Business Transfers
If SailScore is involved in a merger, acquisition, or asset sale, your data may transfer as part of that transaction. We will notify you via email at least 30 days before your data becomes subject to a different privacy policy.
What We Will Never Do
- Sell your personal information. Period.
- Share your data with advertisers. We don't run ads.
- Share your data with data brokers. Never have, never will.
5. Global Privacy Control (GPC)
We recognize and honor Global Privacy Control signals from your browser. If your browser sends a GPC signal, we treat it as a valid opt-out request for any non-essential data processing, including marketing communications.
6. Your Rights
No matter where you live, we believe you should have control over your data. Here's what you can do:
| Right | How to exercise it |
|---|---|
| See your data | Dashboard -> Account Settings -> Export My Data (JSON) |
| Fix inaccuracies | Dashboard -> Profile -> edit any field |
| Delete your account | Dashboard -> Account Settings -> Delete Account |
| Export your data | Self-service JSON export (machine-readable, portable) |
| Stop marketing emails | Click "unsubscribe" in any email, or update preferences in Account Settings |
| Object to processing | Email privacy@sailscore.com |
| Withdraw consent | Account Settings -> Privacy, or email us |
| Restrict processing | Email us — we'll limit processing while we resolve your concern |
| Control support access | Account Settings -> Privacy -> toggle "Allow Support Access" on or off |
| View support access history | Account Settings -> Privacy -> Support Access Log |
We respond to all requests within 30 days (or sooner if your jurisdiction requires it).
6.1 For California Residents (CCPA/CPRA)
You have additional rights under California law:
- Right to Know — what personal info we collect, use, and share.
- Right to Delete — request deletion, subject to legal retention requirements.
- Right to Correct — fix inaccurate personal info.
- Right to Opt Out of Sale/Sharing — we don't sell or share your data for advertising. Full stop.
- Right to Limit Sensitive Info — we only collect sensitive info (like race emergency contacts) when necessary.
- Non-Discrimination — exercising your rights will never result in worse service.
We do not use or disclose sensitive personal information for purposes other than those permitted under the CPRA.
6.2 For EU/EEA/UK/Swiss Residents (GDPR/UK GDPR)
In addition to the rights above:
- Right to Data Portability (Article 20) — receive your data in structured JSON format.
- Right to Lodge a Complaint — contact your local data protection authority. Find yours at edpb.europa.eu.
- Legal Bases — detailed in the table in Section 3.
- Data Processing Agreements — available upon request for organizations using SailScore in a data controller capacity. Email privacy@sailscore.com.
7. Data Retention
We keep your data only as long as we need it:
| What | How Long | Why |
|---|---|---|
| Active account | While your account exists | You're using the Service |
| After you delete | Personal data anonymized within 30 days | Fulfilling erasure obligations |
| Race results | Indefinitely (anonymized if you delete your account) | Historical integrity of the competitive sailing record |
| Payment records | 7 years | Financial/tax regulations |
| Audit logs | 1 year | Security monitoring |
| Support tickets | 3 years after last contact | Service continuity |
| Consent records | Account lifetime + 3 years | Proving we had lawful consent |
8. Data Security
We take security seriously:
- Encryption in transit — TLS 1.2+ on every connection.
- Encryption at rest — AES-256 for all stored data (managed by Supabase).
- Row-Level Security — database policies ensure you can only access your own data.
- Role-based access control — staff access is strictly limited by role.
- Audit logging — all admin actions logged with timestamp, identity, and IP.
- Authentication — passwordless login with email verification codes and passkey authentication; MFA via TOTP available; phone verification via Twilio OTP.
- Infrastructure — Railway provides SOC 2 Type II certified hosting with isolated containers and disk encryption.
No system is 100% secure. If you discover a vulnerability, please report it to security@sailscore.com.
8.1 Data Breach Notification
If a breach affects your personal data, we will:
- Notify affected users without undue delay and within 72 hours where required by GDPR.
- Notify relevant supervisory authorities as required by applicable law.
- Comply with all US state breach notification laws.
- Describe the nature of the breach, likely consequences, and measures taken.
9. Authentication Methods
We offer passkey authentication using the WebAuthn standard. Passkeys allow you to sign in using Face ID, fingerprint, or a security key instead of a verification code.
Biometric data (fingerprint, face scan) is processed entirely on your device and is never transmitted to or stored on our servers. The WebAuthn protocol ensures that only a cryptographic public key is shared with SailScore — your biometric data never leaves your device.
9.1 Passkey Data Storage
When you enroll a passkey, we store a public key, credential identifier, device name, and usage timestamps associated with your account. This data is used solely to authenticate your identity and manage your enrolled devices.
9.2 Passkey Deletion Rights
You can remove enrolled passkeys from your account settings at any time. Credential data is permanently deleted upon removal. Removing all passkeys does not affect your ability to sign in — you can always use email verification codes as a fallback.
10. Session Management
Sessions may expire after a period of inactivity as configured by your organization's administrator. When a session expires, you will be redirected to the login page and can sign in again using any available method (passkey or email code).
The default inactivity timeout is 30 minutes. Your organization's administrator may adjust this value.
11. Children's Privacy
SailScore is not directed to children under 13 (or 16 in the EEA). We do not knowingly collect information from children under these ages.
Youth sailors ages 13-17 may use the Service with the involvement and consent of a parent or legal guardian. Event registrations for minors should be submitted by a parent or guardian.
If we learn we've collected data from a child without appropriate consent, we'll delete it promptly. Parents: contact privacy@sailscore.com if you believe your child's data was collected without your consent.
12. International Data Transfers
SailScore is based in the United States. If you access the Service from outside the US, your data will be transferred to, stored, and processed in the US.
For transfers from the EU/EEA/UK:
- EU-US Data Privacy Framework — where our sub-processors are certified.
- Standard Contractual Clauses (SCCs) — incorporated into Data Processing Agreements with all sub-processors.
Our key sub-processors (Supabase, Twilio/SendGrid, Google, Railway, Stripe) each maintain DPAs and/or SCCs to safeguard international data transfers.
13. Automated Decision-Making
SailScore uses automated processing for:
- Race scoring — calculating results per published racing rules (PHRF, IRC, ORC, etc.).
- Series standings — aggregating results across events.
These systems apply published rules uniformly to all competitors. No profiling or automated decision-making with legal or similarly significant effects is performed on your personal data.
14. Support Access (Account Impersonation)
14.1 What It Is
To provide technical support and troubleshoot issues, our administrators have the ability to temporarily view your account as if they were you ("Support Access"). This allows support staff to see the same screens, data, and settings that you see, so they can diagnose and resolve your issue.
14.2 Opt-In Only — We Will Never Access Your Account Without Permission
Support Access is disabled by default. An administrator can only access your account if all of the following conditions are met:
- You have explicitly opted in by enabling "Allow Support Access" in your Account Settings -> Privacy.
- You can revoke access at any time by toggling the setting off — this takes effect immediately and terminates any active session.
- Sessions are time-limited — each Support Access session expires automatically (maximum 2 hours).
If you have not opted in, no administrator can view your account through Support Access, regardless of the reason.
14.3 What Support Staff Can See
During a Support Access session, the administrator can see the same data you see in your Dashboard — your profile, boats, registrations, results, and settings. They cannot:
- Access or view your authentication credentials or password.
- Access your payment card details (these are held by Stripe, not SailScore).
- Impersonate other administrators.
- Extend a session beyond the maximum duration.
- Act without a complete audit record.
14.4 Full Audit Trail
Every Support Access session is logged with:
- Who — the administrator's identity.
- When — start time, end time, and duration.
- What — every action taken during the session (views, edits, changes) is recorded in our audit log with the administrator's identity, not yours.
- Where — the IP address of the administrator.
Actions taken during Support Access are attributed to the administrator, not to you. You will never be held responsible for changes made by support staff during an impersonation session.
14.5 Your Visibility
You can view your complete Support Access history — including which administrator accessed your account, when, and for how long — in Account Settings -> Privacy -> Support Access Log. You will also receive a notification when a Support Access session begins on your account.
14.6 When We Might Ask You to Opt In
If you contact support with an issue that requires us to see your account, we may ask you to temporarily enable Support Access. You are never required to do so — we will always attempt to resolve your issue through other means first.
15. Third-Party Links
The Service may link to yacht clubs, class associations, governing bodies, and other third-party sites. We don't control their privacy practices and encourage you to review their policies.
16. Communication Preferences
- Transactional emails (registration confirmations, security alerts, result notifications) — cannot be opted out of; they're necessary for the Service.
- Marketing emails — opt-in only. Unsubscribe via the link in any email or through Account Settings -> Notifications.
- SMS — we only text you for phone verification. We will never send marketing SMS.
17. Changes to This Policy
When we make material changes:
- We update the "Last Updated" date above.
- We email registered users at least 30 days before changes take effect.
- We post a prominent notice on the Service.
Your continued use after changes take effect means you accept the updated policy. If you disagree, delete your account before the effective date.
18. Contact Us
SailScore General: support@sailscore.com Privacy: privacy@sailscore.com Security: security@sailscore.com
We respond to all privacy requests within 30 days.
This Privacy Policy was last reviewed and updated on April 1, 2026.