Privacy Policy

Last updated: April 21, 2026

1. Introduction

PickleballTime ("we," "our," or "us") operates the itspickleballtime.com website and platform (the "Service"). This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have.

By using the Service you agree to the practices described here. If you don't agree, please don't use the Service.

2. Information We Collect

Information you provide directly

  • League admin accounts: name, email address, and password (stored as a bcrypt hash — never plaintext).
  • League configuration: league name, subdomain, plan tier, payment-method handles you choose to expose to players, and other settings.
  • Player accounts: display name, email address, and (optionally) DUPR rating.
  • Tournament data: tournament names, dates, locations, bracket configurations, match scores, and standings entered by you or your league administrators.
  • Contact-form submissions: when you fill out the contact form we store your name, email, subject, and message along with your IP address and the league subdomain (if any) where you submitted the form. This is used to respond to you and to detect abuse.

Information collected automatically

  • Server logs: standard request data (IP address, user agent, timestamps, paths visited) used for security monitoring and debugging.
  • Cookies: we set a session cookie (connect.sid) to keep you logged in, a CSRF token to protect form submissions, and — for super-admin operators only — a cross-subdomain authentication cookie (sa_token). These are essential cookies; the Service does not function without them. We do not use marketing or third-party tracking cookies.
  • Audit log: sensitive operator actions (such as a super-admin temporarily impersonating a tenant for support) are recorded in an internal audit log along with IP, user agent, and timestamp.

3. How We Use Your Information

We use the information we collect to:

  • Operate the Service: create and manage accounts, run tournaments, render brackets and standings.
  • Send transactional email: account verification, password resets, and contact-form replies. We do not send marketing email.
  • Process payments for paid plans through our payment processor (see Section 4).
  • Respond to your support requests.
  • Detect, prevent, and address abuse, fraud, or technical problems.
  • Maintain a forensic audit trail of administrative actions.

4. Information Sharing and Third-Party Processors

We do not sell, rent, or trade your personal information. We share information only in the situations below:

  • Public tournament data: tournament names, brackets, scores, standings, and player display names are publicly visible on your league's subdomain (and on the platform discovery page if your league is public). Email addresses, passwords, and contact-form submissions are never publicly displayed.
  • Hosting: the Service runs on Amazon Web Services (AWS Lightsail). AWS processes data on our behalf as a sub-processor.
  • Email delivery: outbound email is sent via SMTP through a transactional email provider configured by us. Your email address is shared with that provider only to deliver messages addressed to you.
  • Payments: paid plans are processed by Stripe. When you upgrade, your payment details (card number, billing address) go directly to Stripe and are governed by Stripe's Privacy Policy. We never see or store your full card number.
  • Legal requirements: we may disclose information if required by law or in response to a valid legal request.

5. Data Storage and Security

Your data is stored on servers we operate within AWS Lightsail. We apply the following technical measures:

  • HTTPS (TLS) for all data in transit.
  • Passwords hashed with bcrypt; never stored or logged in plaintext.
  • Session-based authentication with HTTP-only, SameSite=Lax, secure-in-production cookies.
  • Per-tenant database isolation: each league's tournaments and players live in a separate SQLite database, so one league cannot read another's data.
  • CSRF protection on every state-changing request, with strict Origin-header verification.
  • Session-ID rotation on every login to prevent session-fixation attacks.
  • Case-insensitive uniqueness enforcement on tenant admin emails to prevent duplicate-account confusion.
  • Forensic audit logging of super-admin impersonation events.

No system can guarantee absolute security. If you believe your account has been compromised, please contact us immediately through the form below.

6. Data Retention

We retain account information for as long as your account is active. If you close your account or request deletion, we will remove your personal information within 30 days, except where we are required to retain certain records for legal, accounting, or fraud-prevention purposes.

Tournament data (brackets, scores, standings) may be retained in aggregated or anonymized form for platform analytics after the underlying account is deleted.

7. Your Rights

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate information.
  • Delete your personal data (subject to the retention exceptions above).
  • Export your data in a portable format.

To exercise any of these rights, please reach out via the contact form.

8. Children's Privacy

The Service is not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If a youth player participates in a tournament, the league administrator is responsible for obtaining the parental consent required by law before entering the player's information into the system. If we learn we have collected information from a child under 13 without verified parental consent, we will delete it.

9. Third-Party Links

The Service may contain links to third-party websites (for example, Stripe's checkout pages or external bracket viewers). We are not responsible for the privacy practices of those sites — please review their policies before sharing personal information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and revise the "Last updated" date above. For material changes, we may also notify active account holders by email.

11. Contact Us

If you have a privacy question, a data-access request, or a security concern, please contact us through the contact form. We aim to respond within 5 business days.