Privacy Policy

1. Introduction

Skoryd (“[LEGAL ENTITY NAME],” “Skoryd,” “we,” “us,” or “our”) operates the Skoryd website and mobile application (the “Service”). This Privacy Policy describes how we collect, use, disclose, and protect your personal information in compliance with applicable federal, state, and international privacy laws, including the Federal Trade Commission Act (15 U.S.C. § 45), state consumer privacy laws described in Section 6, state breach notification laws, the European Union General Data Protection Regulation (Regulation (EU) 2016/679, “EU GDPR”), the United Kingdom General Data Protection Regulation as incorporated into UK law (“UK GDPR”), and the Swiss Federal Act on Data Protection (“FADP”) where applicable to users in those jurisdictions.

The Service is accessible globally. If you access the Service from outside the United States, you understand that your personal information will be transferred to, processed, and stored in the United States. Section 6 describes additional rights available to residents of the European Economic Area, United Kingdom, and Switzerland.

This Service is intended for users 18 years of age or older. We do not knowingly collect personal information from persons under 18.

By using the Service, you acknowledge that you have read this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.

2. Personal Information We Collect

A. Information You Provide Directly:

B. Information Collected Automatically:

C. Information from Third Parties: Stripe (payment status, transaction identifiers, limited payment metadata); authentication providers (name and email if you log in through a third-party provider).

3. How We Use Personal Information

We use personal information for the following purposes:

(a) Service Operation: Create and manage your account; display your profile, standings, and match history to other users; process Event registrations; facilitate payment processing.

(b) Communications: Send account confirmation emails, password reset emails, match notification emails, and important Service announcements. These operational communications are not optional while your account is active.

(c) Improvement: Analyze usage patterns, diagnose technical issues, and develop new features.

(d) Safety and Security: Detect, investigate, and prevent fraudulent transactions, abuse, and violations of our Terms of Service.

(e) Legal Compliance: Comply with applicable legal obligations, respond to legal process, and enforce our Terms of Service.

(f) Marketing (Optional): With your consent, we may send you promotional communications. You may opt out at any time (see Section 6).

We do not sell your personal information for monetary consideration. We do not sell or share your personal information with advertisers. We do not use your personal information for cross-context behavioral advertising through third-party networks, and Skoryd does not operate its own advertising network within the Service.

Organizer-run promotional content. Skoryd may in the future allow Event Organizers to surface their own sponsors, vendors, or venue-specific promotions on Events they themselves run. Any such promotional content is the responsibility of the Organizer who chose to display it and is not Skoryd advertising. Skoryd does not target such content based on your personal data and does not share your personal information with those sponsors except as described in Section 4 (for example, if you separately register and pay for an Event the Organizer is running).

4. How We Disclose Personal Information

A. Service Providers (Processors Acting on Our Behalf):

These providers are contractually required to maintain the confidentiality and security of your information and may not use it for any purpose other than providing services to us.

B. Other Users of the Service: Your display name, profile photo (if uploaded), hometown, match results, league standings, and club affiliations are visible to other authenticated Service users as part of normal Service operation. Except as described in Section C below, your full name and email address are not publicly displayed within the Service.

C. Organization Director Directory (Opt-In): If you hold a regional director or event organizer role within a sanctioning Organization, you may choose to publish your contact information in that Organization's public director directory. This is strictly optional and off by default. When you opt in, your full (real) name, together with the contact email and/or phone number you provide for this purpose, is displayed publicly on the Organization's public profile page—visible to anyone, including unauthenticated visitors and search engines—so that players and clubs can reach the appropriate director. Your contact appears only when both you have opted in and the Organization has enabled its directory. You may withdraw at any time by turning off the directory contact setting on your profile edit page, which removes your name and contact details from the public directory.

D. Event Organizers: When you register for an Event, the Event's Organizer can see your display name and registration status. Organizers cannot see your full name, email address, or payment information. If you have joined a Club, the Organizers of that Club (the owner and any co-organizers) can additionally see any optional t-shirt size and optional self-identified gender you have set on your profile, so they can plan merchandise orders and gender-based brackets or matchups. Both fields are optional; leaving them unset means Organizers see nothing for that field. You may clear them at any time on your profile.

E. Legal and Safety Disclosures: We may disclose personal information if we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, subpoena, or court order; (b) protect the rights, property, or safety of Skoryd, our users, or the public; or (c) detect, prevent, or address fraud, security issues, or technical problems.

F. Business Transfers: If Skoryd is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of its assets, your information may be transferred to the successor entity. We will notify you via email and/or prominent notice on the Service at least thirty (30) days before your information becomes subject to a materially different privacy policy.

G. Aggregate or De-Identified Data: We may share aggregate or de-identified information (information that cannot reasonably be used to identify you) with third parties for research, analytics, or marketing purposes without restriction.

5. Cookies and Similar Technologies

We do not use advertising cookies or participate in cross-site behavioral advertising networks. You may disable non-essential cookies through your browser settings. Disabling strictly necessary cookies will prevent you from using the Service.

6. Your Privacy Rights and Choices

All Users — General Rights

Regardless of where you live, you have the following rights over the personal information we hold about you. Where the Service provides a built-in self-service tool, that is the fastest path; the email contact is available for everything else, and your residency may give you additional rights covered in the sub-sections below.

• Right of Access. You may review your profile information by signing in. For a complete machine-readable copy of everything we hold about you, click Download my data on your profile edit page (or send an authenticated GET to /api/users/me/export). The download covers your profile, club memberships, league registrations, match appearances, bug reports, beta application, organizer-created guest records, and score-edit log entries you authored.
• Right to Rectification (Correction). You may edit your display name, full name, location, t-shirt size, gender, bio, and photo at any time on your profile edit page. For corrections to data you cannot edit yourself (for example, a misattributed match), contact us at privacy@skoryd.com.
• Right to Erasure (Deletion). You may delete your account at any time from the Danger zone card on your profile edit page. Your profile, club memberships, league registrations, and authored bug reports are deleted within seven (7) days. Match results are retained but with your player slot anonymized to “TBD”, so opponents' statistics remain accurate. If you still own a Club, you will need to delete or transfer that Club first. To request deletion in a way the self-service tool does not cover, contact privacy@skoryd.com; we will respond within forty-five (45) days, subject to legal retention obligations described in Section 8.
• Right to Data Portability. The same Download my data tool described above returns your data in JSON, a structured commonly-used machine-readable format. EEA, UK, and Swiss users see additional portability detail in the GDPR sub-section below.
• Right to Restriction of Processing. You may ask us to limit how we process your personal information in specific circumstances (for example, while we evaluate a correction request). Contact privacy@skoryd.com with the subject line “Restriction Request” and a brief description of what you want restricted.
• Right to Object. You may object to processing based on our legitimate interests (fraud prevention, security monitoring, abuse detection, Service improvement, aggregate analytics). Contact privacy@skoryd.com with the subject line “Objection”. You may also object at any time to processing for direct marketing; if we ever introduce marketing communications, the unsubscribe link in any such email will be the fastest path.
• Right to Withdraw Consent. Where we rely on your consent (for example, optional profile fields like t-shirt size, gender, or future marketing communications), you may withdraw consent at any time by clearing the field on your profile, unsubscribing from the relevant email, or contacting privacy@skoryd.com. Withdrawal does not affect the lawfulness of processing performed before the withdrawal.
• Right of Non-Discrimination. We will not deny you access to the Service, charge a different price, or downgrade the quality of service you receive because you exercised any of the rights above.

How we verify your identity. For requests submitted through a signed-in self-service tool (Download my data, Delete account, profile edit), your authentication is the verification — only the holder of the account credentials can trigger those actions. For requests submitted by email, we will reply to the email address associated with your account; if you no longer have access to that address, we may ask for additional information to confirm your identity before proceeding.

Response time. We aim to respond to every privacy request within thirty (30) days, and in any event within the maximum window required by your jurisdiction's laws (typically 45 days under most US state laws, 1 month under GDPR). We will not charge a fee for exercising your rights, except as expressly permitted by law for manifestly unfounded or repetitive requests.

Contact paths. For privacy rights requests, complaints, or questions about this Policy, use privacy@skoryd.com. For legal process, subpoenas, and other formal correspondence, use legal@skoryd.com.

California Residents — CCPA/CPRA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with the following rights:

(a) Right to Know. You may request that we disclose: the categories of personal information we have collected about you; the categories of sources from which we collected it; the business or commercial purposes for collection; the categories of third parties with whom we share it; and the specific pieces of personal information we have collected.

(b) Right to Delete. You may request deletion of personal information we have collected from you, subject to exceptions including: completing a transaction for which the information was collected; complying with a legal obligation; or other permitted purposes under the CPRA.

(c) Right to Correct. You may request correction of inaccurate personal information we maintain about you.

(d) Right to Opt-Out of Sale or Sharing. We do not sell your personal information for monetary consideration, and we do not share your personal information for cross-context behavioral advertising as defined by the CPRA.

(e) Right to Limit Use of Sensitive Personal Information. The only category of sensitive personal information (as defined by Section 1798.140(ae) of the Civil Code) we collect is the optional self-identified gender field on your profile, and only if you choose to provide it. We use this field solely to enable Club Organizers to plan gender-based brackets, matchups, and merchandise — the specific Service purposes for which you provided it. We do not use gender to infer characteristics about you, do not disclose it for any purpose other than the Organizer-visibility described in Section 4(C), and do not sell or share it. You may clear this field at any time on your profile, which removes Organizer visibility going forward. You may also contact us at privacy@skoryd.com to direct us to limit the use of this information.

(f) Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you goods or services, charge you a different price, or provide a different quality of service because you exercised a privacy right.

(g) Authorized Agents. You may designate an authorized agent to submit a privacy request on your behalf. We may require written proof of authorization and may verify your identity independently.

To exercise California rights, contact us at privacy@skoryd.com with the subject line “California Privacy Request.” We will verify your identity and respond within forty-five (45) days. We may extend this period by an additional forty-five (45) days when reasonably necessary, with prior notice.

California “Shine the Light” (Cal. Civil Code § 1798.83): We do not share personal information with third parties for their direct marketing purposes.

Virginia Residents — VCDPA Rights

Under the Virginia Consumer Data Protection Act, Virginia residents have the right to: confirm whether we process your personal data; access your personal data; correct inaccuracies; delete your personal data; obtain a portable copy of your personal data; and opt out of the sale of personal data, targeted advertising, and profiling that produces legal or similarly significant effects concerning you. We do not sell personal data or use it for targeted advertising or such profiling. To submit a request, contact privacy@skoryd.com. If we deny your request, you may appeal by emailing privacy@skoryd.com with the subject “Privacy Request Appeal.” If your appeal is denied, you may contact the Virginia Attorney General at oag.state.va.us.

Colorado Residents — CPA Rights

Under the Colorado Privacy Act, Colorado residents have the right to access, correct, delete, and obtain a portable copy of personal data, and to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in such processing. To submit a request or appeal a denial, contact privacy@skoryd.com.

Connecticut Residents — CTDPA Rights

Under the Connecticut Data Privacy Act, Connecticut residents have rights to access, correct, delete, and obtain portable copies of personal data, and to opt out of targeted advertising, data sales, and profiling with significant effects. We do not engage in such processing. To submit a request or appeal a denial, contact privacy@skoryd.com.

Texas Residents — TDPSA Rights

Under the Texas Data Privacy and Security Act, Texas residents have rights to access, correct, delete, and obtain portable copies of personal data, and to opt out of the sale of personal data and targeted advertising. We do not sell personal data or use it for targeted advertising. To submit a request, contact privacy@skoryd.com.

Oregon Residents — OCPA Rights

Under the Oregon Consumer Privacy Act, Oregon residents have rights to access, correct, delete, and obtain portable copies of personal data, and to opt out of the sale of personal data and targeted advertising. We do not sell personal data or use it for targeted advertising. To submit a request, contact privacy@skoryd.com.

Michigan Residents

Michigan does not currently have a comprehensive consumer data privacy statute equivalent to California's CCPA. However, Michigan residents have the following rights under applicable law: (a) Breach Notification: Under Michigan's Identity Theft Protection Act (MCL 445.61 et seq.), we will notify you of any security breach of your personal information within 45 days of discovering the breach, as required by law. Notification will be provided by email to the address associated with your account and/or by prominent notice on the Service; (b) General Rights: You retain all general rights described under “All Users — General Rights” above, including the right to access, correct, and request deletion of your personal data. To exercise these rights, contact privacy@skoryd.com.

Other State Residents

Residents of Montana, Iowa, Delaware, New Hampshire, Utah, Indiana, and Tennessee also have privacy rights under their respective state laws. These rights are substantively similar to those described above and include rights to access, correct, delete, and obtain portable copies of personal data, and to opt out of the sale of personal data and targeted advertising. We do not sell personal data or use it for targeted advertising. To exercise rights under your state's law, contact privacy@skoryd.com. If your request is denied and your state law provides a right of appeal, you may appeal by emailing privacy@skoryd.com with the subject “Privacy Appeal – [YOUR STATE].”

European Economic Area, United Kingdom, and Switzerland Residents — GDPR / UK GDPR / FADP Rights

If you are located in the European Economic Area (“EEA”), the United Kingdom, or Switzerland, the EU General Data Protection Regulation (“EU GDPR”), the UK General Data Protection Regulation (“UK GDPR”), and/or the Swiss Federal Act on Data Protection (“FADP”) provide you with the following rights regarding your personal data:

• Right of Access (Art. 15 GDPR): You may request confirmation of whether we process your personal data and, if so, obtain a copy of that data together with information about how it is processed.
• Right to Rectification (Art. 16 GDPR): You may request that we correct inaccurate personal data or complete incomplete personal data we hold about you.
• Right to Erasure / Right to be Forgotten (Art. 17 GDPR): You may request deletion of your personal data where one of the grounds in Art. 17(1) applies, including where the data is no longer necessary for the purposes for which it was collected, you withdraw consent, or you object to the processing and we have no overriding legitimate grounds.
• Right to Restriction of Processing (Art. 18 GDPR): You may request that we restrict processing of your personal data in certain circumstances, for example while a rectification request is being verified or while we evaluate an objection.
• Right to Data Portability (Art. 20 GDPR): Where processing is based on consent or contract and is carried out by automated means, you may request a copy of the personal data you have provided to us in a structured, commonly used, machine-readable format, and have us transmit that data to another controller where technically feasible.
• Right to Object (Art. 21 GDPR): You may object at any time to processing of your personal data based on legitimate interests, including profiling. You may object at any time to processing for direct marketing purposes; if you object to direct marketing, we will stop processing your data for that purpose.
• Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing performed before the withdrawal.
• Right to Lodge a Complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority, in particular in the EEA member state of your habitual residence, place of work, or place of an alleged infringement. UK residents may complain to the Information Commissioner's Office (ico.org.uk). Swiss residents may contact the Federal Data Protection and Information Commissioner (edoeb.admin.ch).

Lawful Basis for Processing. We process your personal data on the following lawful bases under Art. 6 GDPR:

• Performance of a contract (Art. 6(1)(b)): Account creation, profile management, Event registration, match recording, payment processing through Stripe, and other core Service operations you have requested.
• Consent (Art. 6(1)(a)): Optional marketing communications and any non-essential cookies you affirmatively enable.
• Legitimate interests (Art. 6(1)(f)): Fraud prevention, security monitoring, abuse detection, Service improvement, and aggregate analytics. We have balanced these interests against your rights and freedoms and concluded that processing is necessary and proportionate. You may object to processing on this basis at any time (see Art. 21 above).
• Compliance with legal obligations (Art. 6(1)(c)): Tax and financial record retention, responding to lawful requests from public authorities, and breach notification obligations.

International Data Transfers. Skoryd is based in the United States, and your personal data will be transferred to and processed in the United States. We rely on appropriate safeguards for transfers from the EEA, UK, and Switzerland, including the European Commission's Standard Contractual Clauses (and UK International Data Transfer Addendum or Swiss equivalent where applicable) executed with our processors. You may request a copy of the safeguards in place by contacting us at privacy@skoryd.com.

How to Exercise GDPR Rights. To exercise any of the rights above, contact us at privacy@skoryd.com with the subject line “GDPR Request.” We will respond within one (1) month of receiving your request, as required by Art. 12(3) GDPR. We may extend this period by a further two (2) months where necessary, taking into account the complexity and number of requests, and will inform you of any extension within the first month. There is no fee for exercising these rights, unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act, as permitted by Art. 12(5) GDPR.

No Automated Decision-Making. We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you (Art. 22 GDPR).

7. Data Security

We implement commercially reasonable technical and organizational security measures designed to protect your personal information from unauthorized access, use, disclosure, alteration, and destruction. Our security practices include:

• TLS/SSL encryption for all data transmitted between your device and our servers
• Password hashing using industry-standard bcrypt via Supabase Auth (we do not store plaintext passwords)
• Row-level security (RLS) policies on our database restricting data access based on authenticated user identity
• Access controls limiting employee and contractor access to personal information to those with a legitimate need
• Payment card security — Skoryd does not store full payment card numbers; all card data is handled by Stripe, a PCI DSS-compliant processor

No security system is perfect. We cannot guarantee that unauthorized parties will never gain access to your information. In the event of a security breach involving your personal information, we will notify affected individuals as required by applicable law. Notification timelines vary by state; for example, California requires notification in the most expedient time possible (generally within 72 hours of discovery), Michigan requires notification within 45 days (MCL 445.72), and most other states require notification within 30–60 days. We will always comply with the most protective standard applicable to the affected individuals.

8. Data Retention

We retain personal information for as long as your account is active and for a reasonable period thereafter as needed to: provide and improve the Service; comply with legal obligations (including tax and financial record retention requirements); resolve disputes; enforce our Terms of Service; and maintain historical league and tournament records.

Upon account deletion, we will delete or anonymize your personal profile data (name, email, profile photo, bio, hometown) within forty-five (45) days. Match scores and standings may be retained in anonymized or aggregate form indefinitely as part of the historical record of organized Events.

We retain payment transaction records for seven (7) years in compliance with applicable tax and financial regulations.

Beta Tester Applications. If you submitted a closed-beta application but did not subsequently create an account, we retain the application (including your responses to free-text questions about your prior experience and current tools) for up to twelve (12) months from the date of submission so we can re-evaluate cohorts and detect duplicate submissions. After that period, applications that have not been linked to a registered account will be deleted or anonymized. If you registered an account using a beta invitation, the application is retained alongside your account for the duration of the account's lifetime, then deleted on the schedule above. You may request earlier deletion at any time by contacting privacy@skoryd.com.

9. Children's Privacy

The Service is intended exclusively for users 18 years of age or older. We do not knowingly collect, use, or disclose personal information from persons under 18 years of age. If we learn that we have collected personal information from a person under 18, we will take immediate steps to delete that information from our systems. If you believe that we may have collected information from a person under 18, please contact us immediately at privacy@skoryd.com.

10. Third-Party Links and Services

The Service may contain links to third-party websites, applications, or services. This Privacy Policy does not apply to those third-party properties. We are not responsible for the privacy practices of any third party. We encourage you to read the privacy policies of any third-party services you use.

11. Do Not Track

Some browsers transmit “Do Not Track” signals to websites. The Service does not currently respond to Do Not Track signals. As described in Section 5, we do not use advertising cookies or behavioral tracking for advertising purposes.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by: (a) sending an email to the address associated with your account; and/or (b) posting a prominent notice on the Service at least thirty (30) days before the change takes effect. The revised Privacy Policy will include a new “Last Updated” date. Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. If you do not agree to the revised Privacy Policy, you must stop using the Service and delete your account.

13. Contact Us

For questions, concerns, privacy rights requests, or complaints regarding this Privacy Policy or our data practices, please contact us at:

[LEGAL ENTITY NAME], operating as Skoryd
Email: privacy@skoryd.com
Mailing Address: [MAILING ADDRESS]

If you are a California resident, you may also file a complaint with the California Privacy Protection Agency at cppa.ca.gov.

If you are located in a state with an attorney general empowered to enforce state privacy laws, you may file a complaint with your state attorney general's office after exhausting your appeal rights with us.