Privacy Policy

Last updated: 20 April 2026

This Privacy Policy explains what personal data Kickboxer collects, why we collect it, and what we do with it. If anything is unclear, email privacy@kickboxer.app.

1. Who is the controller?

[OPERATOR LEGAL NAME] is the data controller for personal data collected through the Service.

2. What we collect

  • Account data: name, email, role, password hash (never the plaintext password).
  • Fighter profile data: name, date of birth, gender, weight, height, experience, emergency contact, medical notes — only when provided by you or by an authorised club.
  • Event data: weigh-in results, matches, scores, bracket placements. This is the core of what the Service does.
  • Technical data: IP address, browser, approximate session cookie lifetime. Used for security (rate limiting, audit logs) and to keep the service running.

3. Why we use it

  • Contract: to provide the tournament management service you signed up for.
  • Legitimate interests: to secure the Service against abuse, to audit changes, and to debug issues.
  • Legal obligation: to keep accounting or safety-incident records where legally required.
  • Consent: for anything optional, such as opting in to a public fighter profile.

4. Who we share with

  • Your club: club owners and admins of clubs you belong to see your fighter / coach profile.
  • Event organisers: tournaments you register for receive the profile fields needed to run the event.
  • Service providers: our database host, email provider (Resend), and error-monitoring provider. They process data on our instructions only.
  • Authorities: where legally required.

5. Cookies

We use a single session cookie (kb_session) to keep you signed in. It is HttpOnly, SameSite=Lax and expires after seven days. We don't use tracking or advertising cookies.

6. Retention

We keep account data while your account is active and for 12 months afterwards for audit purposes. Event data is retained for the lifetime of the event series so historical results stay meaningful. You can request earlier deletion (see below).

7. Your rights

Under UK / EU GDPR you can ask us to: access your data, correct it, delete it, restrict processing, or port it to another service. Email privacy@kickboxer.app. We reply within 30 days.

8. Security

Passwords are stored as scrypt hashes with a unique salt per account. Sessions are signed with a rotating secret. All traffic is served over HTTPS. We log security-relevant events (logins, role changes, score edits) for audit.

9. Contact

For any privacy question, email privacy@kickboxer.app. If we don't resolve your concern you may complain to your national data-protection authority (in the UK, the ICO).