Privacy Policy
Effective Date: May 8, 2026
Overview
SportsRef.net (“SportsRef,” “we,” “us”) is a sports-officiating assignment platform operated by WeldonPC, a small business based in the Cleveland, Ohio area. We help athletic associations, schools, and leagues schedule officials for games, primarily in high-school hockey.
This policy explains what information we collect, how we use it, who we share it with, and the choices you have. If anything here is unclear, email privacy@sportsref.net and a human will respond.
Who This Policy Applies To
This policy covers everyone who uses SportsRef.net — organization admins, assignors, officials, coaches, and observers — whether you sign up directly or are added by an organization that uses our platform.
Information We Collect
We collect the minimum information needed to run the platform.
Account Information
- Email address
- Password (stored hashed with bcrypt — we never see or store your plain password)
- First and last name
- Phone number
- Mailing address (city, state, ZIP)
- Emergency contact (name and phone)
- Officiating certifications and years of experience
- Rating level (assigned by your organization)
- Travel radius and assignment preferences
If you enable optional multi-factor authentication, we also store an email-MFA flag and/or an encrypted TOTP secret on your account.
Operational Information
As you use the platform, we record information needed to schedule and confirm games:
- Games and events you are assigned to or have visibility into
- Assignments you accept, decline, or have pending
- Availability blocks you publish
- Payment rates associated with assignments
- Audit logs of actions you take in the system (for security and accountability)
Technical and Log Information
- IP address (used for rate-limiting login attempts)
- Failed login attempts associated with your account
- Last login timestamp
- Browser session cookies and CSRF tokens
- Standard web server access logs
We do not use advertising trackers, third-party analytics pixels, or behavioral profiling cookies.
How We Use Information
- Deliver the service (show you assignments, route notifications, run reports for your organization)
- Send notifications you've opted into — assignment offers, decline confirmations, deadline reminders — by email and, if you've opted in, SMS
- Process payments through Stripe when billing is enabled
- Maintain audit logs for security, dispute resolution, and abuse investigation
- Detect and respond to suspicious activity (failed-login spikes, unusual access patterns)
- Communicate with you about your account, including security and policy updates
We do not use your information for advertising or to build behavioral profiles.
How We Share Information
We share information only with the service providers we need to run the platform. We do not sell personal information to anyone, ever.
Our current sub-processors:
- cPanel hosting (Lambda server, US-based) — hosts the application, database, and file storage.
- Stripe (payment processing) — when billing is enabled, Stripe processes card payments. Stripe handles card details directly; we never receive or store full card numbers.
- Email delivery — currently cPanel Exim SMTP; planned migration to SendGrid, Amazon SES, or Mailgun. Delivers transactional email such as assignment notifications, password resets, and MFA codes.
We may also disclose information when required by valid legal process, to protect the rights or safety of users or the public, or in connection with a business transfer (in which case we will notify affected users and any successor entity will be bound by terms at least as protective as this policy).
We share information within your organization as the platform is designed to work — for example, an assignor can see contact info for officials they assign. That is the core function of the product.
Data Retention
- Active accounts: we retain your account information for as long as your account is active and for as long as needed to provide the service to your organization.
- Deleted accounts: when you (or your organization admin) delete an account, we soft-delete it for a 30-day grace period to allow recovery from accidental deletion. After 30 days, account information is hard-deleted from our active systems.
- Audit logs and operational records: game assignments, payment records, and audit logs may be retained longer when your organization needs them for record-keeping, tax compliance, or dispute resolution. Where we retain these, your name will be replaced with a generic identifier after the 30-day window when feasible.
- Backups: information may persist in encrypted backups for a limited rolling window after deletion. Backups are not used for any operational purpose and roll off automatically.
Cookies and Similar Technologies
- Session cookies — keep you logged in.
- CSRF tokens — protect against cross-site request forgery.
We do not use advertising cookies, social-media trackers, or third-party analytics tags. If that ever changes, we will update this policy and give you a meaningful choice.
Your Rights
Regardless of where you live, you can:
- Access the information we hold about you
- Correct information that is wrong or out of date
- Delete your account and the information associated with it
- Export your account information in a portable format
- Object to specific uses of your information
To exercise any of these rights, email privacy@sportsref.net. We respond within 30 days. We may need to verify your identity before acting — usually by confirming you control the email address on file.
Children's Privacy
SportsRef.net is intended for adult users. You must be at least 18 years old to register an account.
We do not knowingly collect personal information from children under 13. If we learn we have collected information from a child under 13, we will delete it promptly. If you believe a child has provided information to us, contact privacy@sportsref.net.
The platform is used in high-school athletic contexts, but we store information about games, teams, and officials — not individual student-athletes. We do not maintain student records, grades, or any information that would make us a school official under FERPA.
California Residents (CCPA)
If you are a California resident, you have the rights described in the “Your Rights” section above, plus:
- The right to know what categories of personal information we collect, the sources, the business purposes, and the categories of third parties we share with (all disclosed in this policy).
- The right to opt out of the sale of personal information. We do not sell personal information as that term is defined under the CCPA.
- The right to non-discrimination for exercising your rights.
To exercise California-specific rights, email privacy@sportsref.net.
EU and UK Residents (GDPR / UK GDPR)
Scope caveat: SportsRef.net is operated from the United States and primarily serves US-based organizations (especially Ohio high-school athletics). We do not actively market to or target users in the EU/UK. If you are an EU/UK resident using the platform, the section below applies.
If you are in the EU or UK, our legal bases for processing are:
- Contract — we process account and operational data to deliver the service you or your organization signed up for.
- Legitimate interests — we process technical and audit-log data to keep the platform secure and reliable, and to investigate abuse.
- Consent — we rely on your consent for SMS notifications and any optional features you turn on.
- Legal obligation — we process and retain data when law requires it.
You have the rights described in the “Your Rights” section above, plus the right to lodge a complaint with your local data protection authority. You can withdraw consent at any time without affecting the lawfulness of prior processing.
Security
- Bcrypt password hashing — your password is never stored in readable form.
- Multi-factor authentication — optional email-MFA and TOTP available on every account.
- TLS encryption — all traffic between your browser and SportsRef.net is encrypted in transit.
- Audit logs — sensitive actions are logged for security review.
- Rate limiting — failed-login attempts are tracked and throttled per IP.
- Hosted infrastructure — application and database run on a US-based hardened cPanel server with restricted SSH access.
No system is perfectly secure. If you suspect your account has been compromised, contact privacy@sportsref.net immediately.
Breach Notification
If we discover a security incident affecting your personal information, we will notify you and any required authorities without undue delay, consistent with applicable law. Notice will describe what happened, what information was affected, and what steps we and you should take.
Changes to This Policy
We may update this policy as the platform evolves. When we make material changes, we will:
- Update the Effective Date at the top of the page
- Post the new policy at this URL
- Notify active account holders by email when changes are significant
Continued use of the platform after a change means you accept the updated policy.
Contact
Privacy questions, rights requests, or concerns:
- Email: privacy@sportsref.net
- Mail: WeldonPC — SportsRef.net Privacy
[Cleveland-area mailing address — to be added before launch]
See also: Terms of Service.