Privacy Policy

1. What we collect

We collect only what we need to operate the Service.

• Account data you give us. Email address (required for sign-in), first and last name (required during account setup), optional date of birth and gender, and the date and time you accepted these Terms and this Privacy Policy. Whether you arrived as an organizer or as an invited player, this is the same set of details.
• Data we receive about you from an organizer. When an organizer invites you to a team, we record your invited email address so we can match it when you sign up. Once you accept the invitation, the pending invite is removed and you're added to the team's roster. If you don't accept, the organizer can cancel the invite and remove the email from our records.
• Program data entered in the product. Organizations, leagues, season plans, teams, rosters, schedules, scores, venues, cost models, and recorded actuals — whatever you or other users enter into the product. Organizers enter most of this; captains and players contribute scores, roster changes within their permissions, and their own profile details.
• Server logs.Technical details such as your IP address, the browser or device you're using, and the time of each request. Used for security monitoring, abuse prevention, and debugging.
• Performance measurements. An anonymous performance-monitoring service captures how quickly pages load and respond (industry-standard measurements known as Core Web Vitals — LCP, INP, CLS). These measurements don't identify you.
• Cookies. We set a small first-party cookie to keep you signed in. No tracking cookies. No advertising cookies. No third-party analytics cookies.

We do not run ads on Onepass and we do not use third-party analytics beyond the anonymized performance telemetry described above.

2. How we use it

• Operate the product.Keep you signed in, display your data back to you, run margin and variance calculations, generate schedules, and otherwise make the Service work. If you're a player, your name is shown to your organizer, your captain, your teammates, and on public league surfaces (standings, schedule, the score strip, and your team page).
• Necessary email. Send sign-in emails — a one-time sign-in link sent to your email (we call this a magic link) — and team invitations through an email delivery service. These emails are necessary for the Service to function.
• Internal admin alerts. During the pilot, the Onepass team receives an automated email when a new user signs up or a new organization is created. This is operational visibility during a small private pilot and will be phased out as the product matures.
• Debug and improve. Diagnose errors, investigate abuse reports, and improve product quality.

We do not sell personal data, and we do not share it with advertisers or data brokers.

3. Who can see your data

Onepass is a multi-user product. The data you enter is visible to different people depending on your role and the surface in question:

• Your organizer.The user who owns the organization running a league you've joined sees your full profile (name, email, optional DOB, optional gender) on their roster and admin surfaces.
• Your team captains.A captain on a team you're on can see your name and email on the team roster, and can remove non-captain teammates.
• Your teammates.Other members of a team you're on can see your name on the team roster.
• The public.Anyone who visits a league's public link can see your name on the standings, the schedule, the score strip showing recent and upcoming games, and your team's public page.
• The Onepass team. During the pilot, the Onepass team can access your data to provide support, and receives admin alerts when a new user signs up or a new organization is created.

If you're an organizer, the same flow runs in the other direction: players who accept invitations to your leagues share their profile data with you so you can manage rosters.

4. Service providers

Onepass relies on third-party service providers (sub-processors), including (a) a website hosting provider, (b) a database hosting provider, (c) an email delivery provider, and (d) an anonymous performance-monitoring service. The specific vendors may change as we evolve the platform. Where required by law, we enter into appropriate data-processing agreements with these sub-processors (including Standard Contractual Clauses or equivalent safeguards for transfers outside the EEA/UK).

5. Retention

Account data is kept while your account is active. When an organizer deletes an organization, league, or season plan, it's hidden from the Service for roughly 30 days and then permanently removed during routine cleanup — this gives operators a window to recover something deleted by mistake. Other items (teams, memberships, invites, games) are permanently removed right away. Server logs are kept for a short operational window and then discarded.

If you're a player and you leave a team (or are removed by an organizer or captain), your team membership is removed immediately. Historical games you played in still display the team and roster as it stood at the time the game was played — we don't rewrite history when someone leaves a team. Your account itself stays active until you request deletion.

You can request full account deletion at any time by emailing support.

6. Your rights

• Access. Request a copy of the data we hold about you.
• Correction.Edit your profile and any program data you control directly in the product, or contact support for help. If you're a player and want a roster entry corrected, ask your captain or organizer — they control roster membership for their team.
• Deletion.Email support and we'll delete your account and associated data within 30 days. If you're a player and you want your name removed from a specific league's public page without deleting your account, contact the organizer first — they control whether you're on the roster, and roster membership is what drives the public-page listing.
• Portability. Email support for an export of your data in a machine-readable format.

Residents of certain jurisdictions (including California, the EU / EEA, the UK, Switzerland, and several other US states) have additional rights — see §7.

7. Your jurisdiction-specific rights

The rights below apply to residents of the jurisdictions named. If your jurisdiction isn't listed but its law gives you additional rights, see the catchall in §7(e) — those rights apply to the extent the law requires.

(a) California residents (CCPA / CPRA)

If you live in California, the California Consumer Privacy Act and the California Privacy Rights Act give you the following rights:

• The right to know what personal information we collect about you and how it's used.
• The right to access, correct, or delete that personal information.
• The right to opt out of the “sale” or “sharing” of personal information.
• The right to limit the use and disclosure of sensitive personal information.
• The right to non-discrimination for exercising any of these rights.
• The right to designate an authorized agent to act on your behalf.

We do not sell or share personal information as those terms are defined under the CCPA / CPRA. To exercise any of the rights above, email support at the address in §17.

(b) Other US states (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and similar)

If you live in a US state with a comprehensive consumer privacy law — including the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Texas Data Privacy and Security Act (TDPSA), the Oregon Consumer Privacy Act (OCPA), the Montana Consumer Data Privacy Act (MTCDPA), or a comparable law in another state — you may have rights similar to those in §7(a), including access, correction, deletion, portability, and the right to opt out of targeted advertising or the sale of personal information.

We do not engage in targeted advertising or the sale of personal information as those terms are defined under these state laws. To exercise any rights under your state's law, email support at the address in §17.

(c) European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR / FADP)

Controller. Onepass is the controller of personal data processed through the Service. You can reach the controller at the support address in §17.

Legal bases for processing. We rely on the following legal bases under the GDPR, the UK GDPR, and the Swiss Federal Act on Data Protection (FADP):

• Contract. To provide the Service you signed up for — keeping you signed in, displaying your leagues, calculating margins and variance, generating schedules, and related functionality.
• Legitimate interests. To keep the Service secure, debug and improve the product, send necessary email (such as sign-in links and invitations), and (during the pilot) send internal admin alerts to the Onepass team when a new user signs up or a new organization is created.
• Consent. Where required by law — for example, if we later introduce marketing email (not in scope today).
• Legal obligation. To comply with laws that apply to us.

Rights of data subjects. If you live in the EEA, the UK, or Switzerland, you have the following rights with respect to your personal data:

• Access, rectification, erasure (the “right to be forgotten”), restriction of processing, data portability, and the right to object to processing.
• The right to withdraw consent at any time, where processing is based on consent (this does not affect the lawfulness of processing before withdrawal).
• The right to lodge a complaint with a supervisory authority — for example, the data protection authority in the EEA member state, UK nation, or Swiss canton where you live or work.

Automated decision-making. Onepass does not engage in automated decision-making (including profiling) that produces legal or similarly significant effects concerning you.

Data transfers outside the EEA / UK / Switzerland. Personal data from the EEA, the UK, or Switzerland may be transferred to and processed in the United States by our service providers. See §10 (International transfers) for the details — we rely on appropriate safeguards under applicable law, such as Standard Contractual Clauses or equivalent mechanisms.

(d) Nevada residents

Nevada law grants residents the right to opt out of the “sale” of certain personal information. We do not sell personal information as defined under Nevada law. If you have questions, email support at the address in §17.

(e) Other jurisdictions

If you live somewhere not listed above and your local law grants you additional rights with respect to personal data, those rights apply to the extent the law requires, and you can exercise them by emailing the support address in §17. Nothing in this policy limits any non-waivable statutory right you have under the law of your jurisdiction.

8. Security

Your data is encrypted while it travels between your device and Onepass, and encrypted again when it's stored with our database provider. We limit how often sensitive actions can be performed (for example, sign-in attempts and sending invitations) to deter abuse. We follow reasonable engineering practices to protect data, but no method of transmission or storage over the internet is 100% secure, and we cannot guarantee absolute security. You use the Service at your own risk and are responsible for safeguarding your sign-in access, including by keeping your email account secure (because access to your email is what lets you sign in with the magic link).

9. Children

Onepass is not directed at users under 13. We do not knowingly collect personal information from children under 13 (or the applicable age threshold in your jurisdiction) without verifiable parental consent. If we become aware that we have collected personal information from such a child without that consent, we will take reasonable steps to delete it. Organizers running programs for minors are solely responsible for handling parental or guardian consent, waivers, and any other documentation required by their jurisdiction before inviting a child to Onepass. A child who plays on a parent's or guardian's Onepass account is the parent's or guardian's responsibility, not the child's, and a parent or guardian accepting these terms on behalf of a minor is responsible for that minor's conduct on the platform. If you believe a child has provided us with personal information, email support and we will delete the information.

10. International transfers

Our service providers may handle data in the United States or other countries. If you use the Service from outside those countries, your data may be transferred to, and stored in, jurisdictions whose data-protection laws differ from your own. For transfers from the EEA, the UK, or Switzerland to the United States, we rely on appropriate safeguards under applicable law — such as Standard Contractual Clauses or equivalent mechanisms — through our agreements with those providers. By using the Service you consent to this transfer.

11. Cookies

We set a small first-party cookie to keep you signed in and to confirm that requests are coming from a valid browser session. We do not set third-party cookies and we do not use cookies for advertising or cross-site tracking.

12. Disclosure for legal and safety reasons

Onepass may disclose information about you when we believe in good faith that disclosure is necessary to (a) comply with valid legal process, including subpoenas, court orders, search warrants, or government or regulatory requests; (b) enforce the Terms of Service, including investigating potential violations; (c) protect the rights, property, or safety of Onepass, our users, or others; or (d) detect, prevent, or otherwise address fraud, security, or technical issues. Where legally permitted, we will use reasonable efforts to notify the affected user before disclosure.

13. Changes to this policy

We may update this Privacy Policy from time to time. For material changes, we'll notify users by email or by an in-product notice. The “Last updated” date at the top of this page reflects the most recent revision.

14. Limitation of rights to applicable law

The rights described in this policy apply to the extent required under the law of your jurisdiction. Where local law requires more, those local rights prevail; where local law allows less, we still honour the commitments we've made here. We may decline a request that is manifestly unfounded, excessive, or that would compromise another user's rights, the security of the platform, or our ability to comply with legal obligations.

15. No warranties about this policy

This Privacy Policy is provided for informational purposes only. Onepass makes no representations or warranties about its sufficiency under any specific law, regulation, or framework. The Privacy Policy does not create any contractual right enforceable against Onepass beyond what applicable law independently requires.

16. Governing law

This Privacy Policy is governed by the laws of the Province of Ontario and the federal laws of Canada applicable in Ontario, without regard to conflict-of-laws rules, subject to any non-waivable rights you may have under the data-protection law of your jurisdiction.

17. Contact

Questions, data requests, or anything privacy-related? Email hello@onepass.club.