Privacy policy

This policy explains how RinkTracker collects, uses, shares and protects personal data, and your rights over it. It is written to the standards of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. By “personal data” we mean information that identifies, or could identify, a living person.

Who we are

RinkTracker is operated by Wayne Austin, trading as “RinkTracker” (“we ”, “us”, “our”). We are the data controller for the personal data described in this policy. You can reach us about anything in this policy, including to exercise your rights, at hello@rinktracker.app.

[TO CONFIRM: legal entity] — the trading status and registered details of the controller (for example, whether RinkTracker operates as a sole trader or a registered company, plus any company or ICO registration number) are to be confirmed and inserted here before launch.

The data we collect

We collect only what we need to provide RinkTracker. That includes:

• Account data. If you sign in with Google, we receive your name, email address and profile picture from your Google account. If you create an account with an email address and password, we store your name, email address and a one-way hash of your password (using bcrypt) — we never store your password itself.
• The content you add. Skating sessions, costs (including amounts and payment status), venues, tournaments, and kit and roster information you choose to record.
• Coach records.Details you choose to store about coaches, which may include their name, role, email address, phone number, hourly rate and bank details (bank name, account name, account number, sort code and a payment reference). You only add this if you choose to; please make sure you have a proper basis for recording another person’s details.
• Children’s data.Skater profiles, which may include a child ’s name, date of birth and photo. See the dedicated section below.
• Notifications.If you enable push notifications, the browser/device’s push subscription details (endpoint and keys) so we can deliver reminders.
• Contact-form submissions. If you message us through the site, the name, email address and message you provide, which are forwarded to our team inbox.
• Technical data.Authentication cookies that keep you signed in, a preference cookie that remembers your light/dark theme, and a copy of your family ’s data stored locally in your browser (IndexedDB) so the app works offline.

We do not collect anything else, we do not use advertising or third-party tracking, and we never sell your data.

Children’s data

RinkTracker is a tool for parents and guardians to organise their children’s skating. Children do not hold their own accounts and do not interact with the service directly. Any information about a child — including a skater’s name, date of birth and photo — is entered by the adult account holder.

By adding a child’s information, you confirm that you are that child’s parent or guardian, or otherwise have the right to provide it, and that you are responsible for how it is used within your family’s account. Under UK GDPR (including the Article 8 and age-13 considerations for online services), the lawful basis and any consent for a child’s data rests with the responsible adult. You can view, correct, export or delete a child’s data at any time, and you can ask us to remove it by contacting hello@rinktracker.app.

Why we use your data and our lawful bases

Under UK GDPR we must have a lawful basis for using personal data. Ours are:

• Performance of a contract.Providing the RinkTracker service to you — creating your account, storing and displaying your family’s data, and keeping it in sync across your devices.
• Legitimate interests. Keeping the service secure and reliable — for example, rate-limiting sign-in attempts, preventing abuse, and operating the contact form. We balance these interests against your rights and freedoms.
• Consent. Optional features you switch on, such as push notifications and any optional emails. You can withdraw consent at any time, for example by turning off notifications.

Where your data is stored and who processes it

Your data is held in our managed PostgreSQL database and in your browser’s local storage. Family data is visible only to members of your own family. We use a small number of carefully chosen processors and sub-processors to run the service:

• Vercel — application hosting and global edge delivery. Vercel operates infrastructure in the United States and globally, so some processing may take place outside the UK. International transfers are intended to be covered by an appropriate safeguard such as the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum. [TO CONFIRM: transfer mechanism].
• Managed PostgreSQL database — where your account and family data are stored. [TO CONFIRM: database provider and hosting region]. The hosting region must be stated honestly here once confirmed; where data is processed outside the UK, the same transfer-safeguard position as above applies.
• Resend — sends transactional emails (such as sign-in verification and password-reset links) and forwards contact-form messages to our inbox.
• Geoapify — powers address search when configured. Only the text you type into an address search is sent; no account data is shared.
• postcodes.io — performs UK postcode lookups. Only the postcode being looked up is sent.
• Google — provides Google sign-in (OAuth) if you choose that method.

Each processor acts on our instructions under terms that require them to keep your data secure and use it only to provide their service to us.

Cookies and local storage

We use a small number of strictly necessary and preference cookies and no advertising or tracking cookies:

• Authentication cookie — keeps you signed in (strictly necessary).
• Theme cookie — remembers your light/dark mode preference.
• Local storage (IndexedDB)— stores a copy of your family’s data in your browser so the app works offline. This stays on your device and is cleared when you sign out or clear your browser data.

How long we keep it

We keep your account and family data for as long as your account is active. If you ask us to delete your account, we will action your request within 30 days. Some records are “soft-deleted” first (marked as deleted and hidden from the app) before being removed, and copies may persist in routine encrypted backups for a limited period before they expire. We keep contact-form messages only as long as needed to deal with your enquiry.

How we keep it secure

We take a security-first approach. At a high level: all traffic is encrypted in transit (HTTPS); passwords are stored only as bcrypt hashes, never in plain text; access to family data is restricted to members of that family; and sensitive links such as email-verification and password-reset tokens are single-use and stored only as hashes. No online service can be guaranteed perfectly secure, but we work to protect your data against unauthorised access, loss or misuse.

Your rights

Under UK GDPR you have the right to access your data; to have inaccurate data corrected (rectification); to have your data erased; to receive your data in a portable format and, where feasible, have it transferred; to restrict or object to certain processing; and to withdraw consent where we rely on it.

You can exercise much of this yourself in the app: go to Settings → Data & privacy to download your sessions and costs as CSV files and your full family record as JSON. For anything else — including correcting or deleting data, or closing your account — email hello@rinktracker.app and we will respond within one month, as required by law.

Complaints

If you have a concern about how we handle your data, please contact us first at hello@rinktracker.app so we can try to put it right. You also have the right to complain to the UK’s data protection regulator, the Information Commissioner’s Office (ICO), at ico.org.uk.

Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, let you know in the app or by email.