Privacy Policy
1. Introduction
Rally HQ ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our tournament management platform ("Service").
By using Rally HQ, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the Service.
2. Our Role: Data Controller vs. Data Processor
Important: For participant data, the Tournament Organizer is the Data Controller. Rally HQ acts as the Data Processor.
Rally HQ serves two types of users with different data relationships:
For Organizer Account Data
When you create an Organizer account (email, name, billing info), Rally HQ is the Data Controller. We determine how this data is used and are directly responsible for it.
For Participant Data
When Tournament Organizers input participant data (player names, team rosters, emails), the Organizer is the Data Controller and Rally HQ is the Data Processor acting on their instructions.
This means:
- Organizers decide what participant data to collect and display
- Organizers are responsible for obtaining necessary consents
- Rally HQ processes this data only as instructed by Organizers
- Participants seeking to modify or delete their data should contact the Organizer first
What This Means for Participants
If you are a tournament participant and want your data corrected or deleted:
- Contact the Tournament Organizer first — they control your data
- If you cannot reach the Organizer, email us at privacy@rallyhq.app and we will forward your request to the Organizer for approval
3. Information We Collect
Information You Provide
- Account Information: Email address and name when you create an account or log in via Magic Link
- Tournament Data: Tournament names, team names, player names/rosters, schedules, scores, and standings
- Payment Handles: Venmo, Cash App, Zelle, or PayPal usernames that organizers choose to display for collecting entry fees (we do not collect credit card numbers or process payments)
- Communications: Messages you send to us via email or support channels
Information Collected Automatically
- Usage Data: Pages visited, features used, and interactions with the Service
- Device Information: Browser type, operating system, and device type
- Log Data: IP address, access times, and referring URLs
- Session Tokens: Functional cookies necessary to keep you logged in and maintain your session
What We Do NOT Collect: Credit card numbers, bank account details, Social Security numbers, or detailed financial information. All tournament payments occur directly between users via third-party apps.
4. How We Use Your Information
We use the information we collect to:
- Provide and maintain the Service (brackets, schedules, scoring)
- Send Magic Links for passwordless authentication
- Display real-time tournament standings and brackets to participants and spectators
- Process Rally HQ subscription payments (organizer accounts only, via Stripe)
- Send administrative messages, updates, and security alerts
- Respond to your support requests and questions
- Monitor for fraudulent or prohibited activity
- Improve the Service based on usage patterns
5. Public Visibility of Tournament Data
Important: Tournament brackets, schedules, scores, and standings are publicly viewable by default. Anyone with the tournament link can view this information.
When you register for a tournament or are added to a roster, the following information may be publicly visible:
- Team name
- Player names (as entered by the team captain or organizer)
- Match schedules and court assignments
- Game scores and standings
- Tournament results and placements
Do not use sensitive personal information (such as full addresses, phone numbers, email addresses, or other private details) in team names, player names, or other publicly visible fields.
6. Information Sharing
We may share your information in the following circumstances:
With Tournament Organizers
When you register for a tournament, your registration information (name, email, team name) is shared with the specific tournament director of that event. Organizers need this information to manage their tournaments.
With Service Providers
We share information with third-party vendors who perform services on our behalf:
- Supabase: Database hosting and authentication services
- Stripe: Subscription payment processing (organizer accounts only)
- Vercel: Application hosting
- PostHog: Product analytics (see Section 8 for details)
These providers are bound by contractual obligations to keep your information confidential and use it only for the purposes we specify.
For Legal Compliance
We may disclose information when required by law, court order, or government request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
7. Children's Privacy (COPPA Compliance)
Important for Parents and Guardians: Rally HQ does not knowingly collect personal information directly from children under 13 without parental consent.
Our Approach
Rally HQ accounts must be created by users who are 18 years or older. When minors participate in tournaments:
- A parent, guardian, or authorized adult (such as a coach) must register the team
- The adult registrant is responsible for having authority to share participant information
- Player names entered by adults may include minors, but the account holder is always an adult
Tournament Organizer Responsibility
Tournament directors who organize events involving minors are responsible for obtaining any necessary parental consents and maintaining appropriate safeguards for minor participants.
Parental Rights
If you are a parent or guardian and believe your child has provided personal information to Rally HQ without your consent, please contact us immediately at privacy@rallyhq.app. We will promptly delete such information.
8. Cookies and Tracking
Essential Cookies
Rally HQ uses cookies required for the Service to function:
- Session tokens: To keep you logged in after using a Magic Link
- Authentication cookies: To verify your identity across page requests
These cookies are essential for the Service to work and cannot be disabled.
Analytics
We use PostHog, a product analytics platform, to understand how users interact with Rally HQ. This helps us improve the Service. PostHog collects:
- Pages visited and features used
- Button clicks and form interactions
- Device type, browser, and operating system
- Anonymous or pseudonymous user identifiers
PostHog may use cookies or local storage to track your activity across sessions. We configure PostHog to respect your browser's "Do Not Track" setting. If you enable DNT, analytics tracking is disabled for your sessions.
What We Don't Use
Rally HQ does not use:
- Third-party advertising networks or retargeting pixels
- Facebook Pixel, Google Ads, or similar ad trackers
- Cross-site tracking that follows you to other websites
We do not sell data to advertisers or share analytics data with third parties for advertising purposes.
9. Magic Link Authentication
No Passwords: Rally HQ uses passwordless "Magic Link" authentication. We never store or transmit passwords because we don't use them.
How Magic Links Work
When you log in to Rally HQ, we send a unique, time-limited link to your email address. Clicking this link authenticates you without requiring a password. Here's what happens:
- You enter your email address on the login page
- We generate a cryptographically secure, single-use token
- We send an email containing a link with this token to your email address
- When you click the link, we verify the token and create a session
- The token expires after use or after a short time period (typically 1 hour)
Security Benefits
Magic Link authentication provides several security advantages:
- No password database: We cannot leak passwords because we don't store them
- No password reuse risk: Your Rally HQ account cannot be compromised by a breach at another service
- Phishing resistant: There's no password for attackers to steal via fake login pages
- Email as second factor: Access requires control of your email account
Your Responsibilities
Because your email account is the key to accessing Rally HQ:
- Secure your email: Use a strong password and two-factor authentication on your email account
- Don't forward Magic Links: Each link is meant for you alone; forwarding it grants access to your account
- Check the sender: Magic Link emails come from Rally HQ domains only
- Report suspicious emails: If you receive a Magic Link you didn't request, someone may be attempting to access your account—contact us at security@rallyhq.app
Session Management
After authenticating via Magic Link, we create a session that keeps you logged in:
- Sessions are stored as secure, HTTP-only cookies
- Sessions expire after a period of inactivity
- You can log out at any time to end your session
- Logging out on one device does not affect sessions on other devices
10. Data Security
We implement appropriate technical and organizational security measures to protect your information:
- Database encryption at rest
- Encrypted data transmission (HTTPS/TLS)
- Passwordless authentication via Magic Links (no passwords to leak)
- Regular security reviews and updates
However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, and you use the Service at your own risk.
11. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. Tournament data (brackets, scores, standings) is retained to provide historical records for participants.
We will retain and use your information as necessary to:
- Comply with legal obligations
- Resolve disputes
- Enforce our agreements
- Maintain historical tournament records
12. Your Data Rights
Depending on your location, you may have certain rights regarding your personal information:
Available Rights
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information (subject to legal retention requirements)
- Portability: Request your data in a portable format
- Objection: Object to certain processing of your information
How to Exercise Your Rights
To request access to, correction of, or deletion of your personal data, please email us at privacy@rallyhq.app with the subject line "Data Request."
Please include:
- Your name and email address associated with your account
- A description of what you are requesting
- Any relevant tournament names or dates to help us locate your data
We will respond to your request within 30 days. We may need to verify your identity before processing certain requests.
13. International Data Transfers
Rally HQ is based in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
These countries may have different data protection laws than your country of residence. By using the Service, you consent to the transfer of your information to these countries.
14. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You can request information about the categories and specific pieces of personal information we have collected
- Right to Delete: You can request deletion of your personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
We do not sell personal information. Rally HQ does not sell, rent, or trade your personal information to third parties for monetary consideration.
15. European Privacy Rights (GDPR)
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Right to access your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent
Our legal bases for processing your data are: (1) your consent, (2) performance of a contract (providing the Service), and (3) our legitimate interests in operating and improving the Service.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page with a new "Last updated" date
- Sending an email notification to account holders for significant changes
Your continued use of the Service after changes take effect constitutes acceptance of the updated policy. We encourage you to review this policy periodically.
17. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: privacy@rallyhq.app
- Data Requests: privacy@rallyhq.app (subject: "Data Request")
- General Support: support@rallyhq.app