Privacy Policy
Last Updated: April 3, 2026 · Effective Date: April 3, 2026
This Privacy Policy describes how DugoutIQ (“DugoutIQ,” “we,” “us,” “our”) collects, uses, stores, and shares information through the DugoutIQ Tournament Platform at tournaments.dugoutiq.app (the “Platform”).
This Policy applies to all users of the Tournament Platform, including organization administrators, tournament directors, coaches, parents/guardians, fans, and members of the public who access tournament information.
This Policy is separate from and in addition to the DugoutIQ Coaching App Privacy Policy, which governs the coaching application at my.dugoutiq.app.
1. Who We Are and Our Role
DugoutIQ operates the Tournament Platform as both:
- A data controller — for information we collect directly from users (account registration, waiver signing, public registration forms), where we determine the purpose and means of processing; and
- A data processor — for tournament operational data submitted by Organizations and Tournament Directors, where the Organization is the data controller and DugoutIQ processes data on their behalf under their direction.
This distinction matters: when a tournament organization uses the Platform to manage their event, they bear responsibility for their own compliance with applicable privacy law with respect to their tournament participants. DugoutIQ's obligations as a processor differ from its obligations as a controller.
2. Information We Collect
2.1 Account Registration (Org Admins, Tournament Directors, Coaches)
When you create an account or are invited to use the Platform, we collect:
- Name and email address
- Role within the Platform (org admin, tournament director, coach)
- Authentication method (magic link or third-party OAuth via Google, Apple, or Microsoft)
- Account creation timestamp
2.2 Team Registration (Coaches)
When a coach registers a team for a tournament, we collect:
- Team name, city, and state
- Head coach name, email address, and mobile phone number
- Division selection
2.3 Player/Roster Data (Submitted by Coaches on Behalf of Minor Athletes)
When a coach submits a tournament roster, we collect information about minor athletes, including:
- First name and last name
- Date of birth
- Jersey number
- Position
- Handedness (throws, bats) — optional
- Parent/guardian email address (used to send waiver invitation)
Note on minor athlete data: Player data is submitted by coaches acting on behalf of their teams. Minor athletes do not have accounts on the Platform and do not interact with the Platform directly. See Section 4 for our children's privacy practices.
2.4 Parent/Guardian Contact Data
When a coach submits a roster, we collect parent/guardian information to facilitate waiver signing:
- First and last name
- Email address
- Mobile phone number (optional; required only if SMS opt-in is selected)
- Relationship to the player (parent, guardian, or other)
2.5 Waiver Data
When a parent/guardian signs a waiver, we record:
- Signer's full name (typed)
- Signer's stated relationship to the minor athlete
- Player date of birth (as provided)
- Whether the player is a minor
- Whether COPPA applies based on player age
- Timestamp of signing
- IP address of the signing device
- User agent string of the signing browser
- Waiver PDF receipt (stored in cloud storage)
2.6 Tournament Operational Data
We collect and store tournament operational information, including:
- Tournament schedules, game results, and scores
- Pool play standings and bracket seeding
- Field assignments and venue information
- Division structures and pool assignments
2.7 Communications Data
When messages are sent through the Platform's communications feature, we log:
- Subject, body, and channel (email or SMS) of sent messages
- Recipient targeting (all coaches, all parents, by division, by team)
- Delivery status (delivered, failed, bounced) per recipient
- Timestamps
2.8 Automatically Collected Data
When you use the Platform, we automatically collect:
- Log data (IP address, browser type, pages visited, timestamps)
- Session information
- Analytics data through PostHog, including page views, feature usage, and session replays for authenticated admin users
- Error and diagnostic data through Sentry, including stack traces, browser and device context, and session identifiers, for authenticated users encountering application errors
Session recording via PostHog is enabled only for authenticated admin-facing pages (tournament director and org admin workflows). Session recording is explicitly disabled on team registration pages, waiver signing flows (/waiver/[token]), and data access request forms. No parent, guardian, or minor athlete session data is recorded.
The Platform includes a mobile application. Users who install the mobile app and enable push notifications are assigned a push notification token, which is stored and used solely to deliver tournament alerts. Push token registration uses an anonymous session identifier that does not correspond to a named account.
3. How We Use Information
We use collected information for the following purposes:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing tournament management services | All account and operational data | Performance of contract |
| Sending waiver invitation emails to parents/guardians | Parent email, player name | Legitimate interest (legal compliance) |
| Processing waiver signatures | Waiver data including IP and user agent | Legal obligation / legitimate interest |
| Sending transactional communications | Contact data | Performance of contract |
| Sending SMS tournament alerts (opted-in users only) | Phone number, SMS opt-in status | Consent |
| Displaying public tournament schedules and scores | Tournament operational data | Legitimate interest (public sports event) |
| Analytics and platform improvement | Aggregated usage data | Legitimate interest |
| COPPA compliance tracking | Player DOB, coppa_applicable flag | Legal obligation |
| Data retention and deletion per tournament policy | All data | Legal obligation |
We do not use player or parent data for advertising, behavioral profiling, or sale to third parties.
4. Children's Privacy and COPPA
4.1 Our Approach to Minor Athlete Data
The Platform is designed for use by adults. Minor athletes do not create accounts, submit forms, or otherwise interact with the Platform directly. Information about minor athletes is entered by coaches (adults) who are registering their teams for tournament participation.
When a player's date of birth indicates the player is under 13, the Platform applies the following additional protections:
- No marketing communications are sent to the parent or guardian of that player.
- The player's data is not used for advertising, behavioral profiling, or any purpose outside of tournament operations.
- A COPPA-specific disclosure notice is presented to the parent or guardian before they complete the waiver signing process, explaining what data has been collected about their child and how it is used.
- Parents and guardians may request access to, correction of, or deletion of their child's data at any time by contacting admin@dugoutiq.app.
4.2 Parental Rights
Parents and legal guardians of minor athletes have the right to:
- Review the personal information we hold about their child
- Request correction of inaccurate information
- Request deletion of their child's information (subject to legitimate record-keeping requirements, including retention of executed waivers)
- Withdraw consent for data processing, subject to the impact on tournament participation eligibility
To exercise any of these rights, contact admin@dugoutiq.app. Requests will be processed within 5 business days.
5. Data Sharing and Third-Party Vendors
We do not sell personal information. We share data with the following third-party vendors as necessary to operate the Platform:
| Vendor | Purpose | Data Involved | Notes |
|---|---|---|---|
| Supabase | Database and authentication hosting | All user and tournament data | Region: us-east-2. DPA executed. |
| Amazon Web Services (AWS) | Application hosting, email (SES), SMS (SNS), AI inference (Bedrock) | Transactional comms; admin help chat queries | AWS DPA. Bedrock used for admin-only help chatbot; no player, roster, or parent data in queries. |
| PostHog | Product analytics and session replay | Authenticated admin session data only | US Cloud. Admin sessions only. DPA executed. |
| Sentry | Error monitoring and diagnostics | Error context, stack traces, session identifiers for authenticated users | Production only. No minor athlete data intentionally included in error payloads. |
| Expo | Push notification delivery | Push notification tokens, notification payloads | Mobile app users who enable push notifications only. |
| Cloudflare | Bot detection and CAPTCHA (Turnstile) | Browser fingerprint and behavioral signals | Collected client-side on applicable forms. Cloudflare privacy policy applies. |
We do not share parent/guardian contact data or minor athlete data with analytics vendors.
6. SMS Communications and TCPA Consent
If you provide a mobile phone number and opt in to SMS communications through the Platform, you consent to receive text messages related to tournament operations from DugoutIQ or the organizing tournament body.
- Opt-in is required before any SMS message is sent to a contact. The opt-in field defaults to off and requires an affirmative action by the user to enable.
- We record the timestamp at which opt-in consent was provided.
- Each SMS message includes opt-out instructions (reply STOP to any message).
- Opt-out requests are processed promptly. No further SMS messages are sent to a contact after an opt-out is received.
- SMS is used for transactional tournament communications only. No marketing SMS messages are sent.
7. Data Retention
| Data Category | Retention Period | Notes |
|---|---|---|
| Tournament operational data | Duration + 180 days post end_date | Default configurable per tournament (default: 365 days) |
| Player roster data | Same as tournament retention | Purged with associated tournament data |
| Waiver records | 3 years | PDF receipt stored in AWS S3 |
| Parent/guardian contact data | Same as tournament retention | |
| Account data (coaches, directors) | Duration + 30 days after closure | |
| Communications logs | 1 year | |
| Audit logs | 1 year | |
After the applicable retention period, data is deleted or de-identified. Tournament directors may request early deletion of their tournament data by contacting admin@dugoutiq.app. Waiver records and other data subject to legal retention requirements may not be eligible for early deletion.
8. Data Access, Correction, and Deletion Rights
8.1 Account Holders (Coaches, Directors, Org Admins)
You may request access to, correction of, or deletion of your personal account data by contacting admin@dugoutiq.app.
8.2 Parents/Guardians
Parents and guardians may request access to, correction of, or deletion of data relating to their minor child by contacting admin@dugoutiq.app. See also Section 4.2 above. Requests will be processed within 5 business days.
Please include in your request:
- Your full name and email address
- The tournament name and your child's name
- The specific action requested (access, correction, or deletion)
Deletion of waiver records may be subject to legal retention requirements.
8.3 California Residents (CCPA/CPRA)
California residents have the right to:
- Know what personal information we collect about them and how it is used
- Request deletion of their personal information
- Request correction of inaccurate personal information
- Opt out of the sale or sharing of personal information (DugoutIQ does not sell or share personal information for cross-context behavioral advertising)
- Non-discrimination for exercising these rights
To exercise your California privacy rights, contact admin@dugoutiq.app.
8.4 Residents of Other U.S. States
Residents of certain U.S. states have privacy rights under their state's laws. The following states have enacted comprehensive consumer privacy legislation that may apply:
- Virginia (Consumer Data Protection Act)
- Colorado (Colorado Privacy Act)
- Connecticut (Connecticut Data Privacy Act)
- Texas (Texas Data Privacy and Security Act)
- Other states with enacted comprehensive privacy laws as of the effective date of this Policy
To submit a privacy rights request under applicable state law, contact admin@dugoutiq.app. We will respond within the timeframe required by your state's law. We will not discriminate against you for exercising your privacy rights.
9. Data Security
We implement reasonable technical and organizational security measures to protect personal information, including:
- Row-level security policies on all database tables
- Encrypted data transmission (TLS)
- Role-based access controls limiting data access to authorized users only
- Token-based waiver access, scoped to specific waiver records
- Audit logging of administrative actions
No method of data transmission or storage is 100% secure. We cannot guarantee absolute security.
In the event of a data breach that requires notification under applicable law, we will notify affected users and/or regulators as required by law and within legally required timeframes.
10. Cookies and Analytics
The Platform uses cookies and similar technologies for session management and product analytics. PostHog analytics is used on admin-facing pages to track feature usage and improve the Platform. Session recording is limited to authenticated admin workflows as described in Section 2.8.
The waiver signing flow and public tournament pages operate with minimal data collection and are excluded from session recording.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify account holders of material changes by email or through the Platform interface at least 14 days before changes take effect. Continued use of the Platform after changes take effect constitutes acceptance of the updated Policy.
12. Contact Us
For privacy-related questions, data access requests, or to report a concern:
Email: admin@dugoutiq.app