Privacy Policy
Last updated: March 28, 2026
1. Introduction and Scope
RinkTrack ("we," "us," or "our") operates the RinkTrack platform, an ice time allocation service for amateur hockey associations. This Privacy Policy describes how we collect, use, disclose, and protect personal information when you use our Service.
This policy applies to all users of the Service, including association administrators, schedulers, and team managers. We are committed to protecting your privacy in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.
2. Privacy Officer
Our Privacy Officer is responsible for our compliance with this policy and applicable privacy laws. You may contact our Privacy Officer at:
Email: privacy@rinktrack.com
3. Information We Collect
We collect the following categories of personal information:
| Category | Data Collected | Purpose |
|---|---|---|
| Account Information | Full name, email address, password (hashed) | Authentication, account management, communication |
| Association Information | Association name, logo, timezone | Service configuration and branding |
| Organizational Data | Divisions, teams, facilities, rinks, seasons | Core service functionality |
| Team Manager Contacts | Manager names, email addresses | Schedule delivery notifications |
| Schedule Data | Ice slots, assignments, times, locations | Ice allocation and schedule management |
| Financial Data | Ice slot costs, payment tracking | Cost tracking and reporting |
| Usage Data | Error logs, browser type, IP address | Service reliability and troubleshooting |
4. How We Use Your Information
We use the information we collect for the following purposes:
- To provide, operate, and maintain the Service, including ice scheduling, team management, and schedule delivery.
- To authenticate your identity and manage your account.
- To send transactional communications, such as schedule notifications and account-related messages.
- To monitor and improve the reliability, security, and performance of the Service.
- To respond to your support requests and inquiries.
- To comply with legal obligations and enforce our Terms of Service.
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
5. How We Share Your Information
We share personal information only with the following sub-processors, each of which is contractually obligated to protect your data:
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database and authentication | All application data | United States |
| Vercel | Application hosting and delivery | Request data, IP addresses | United States |
| Resend | Transactional email delivery | Email addresses, schedule content | United States |
| Sentry | Error monitoring | Error traces, browser metadata | United States |
We may also disclose your information if required by law, court order, or governmental request, or if necessary to protect the rights, property, or safety of RinkTrack, our users, or the public.
6. Cross-Border Data Transfers
Our sub-processors are located in the United States. As a result, your personal information may be transferred to, stored, and processed in the United States. Under PIPEDA, organizations may transfer personal information to a foreign jurisdiction for processing, provided they use contractual or other means to ensure a comparable level of protection.
We have contractual agreements with each sub-processor that require them to protect your data in a manner consistent with this Privacy Policy and applicable Canadian privacy law. By using the Service, you acknowledge that your data may be processed in the United States.
7. Data Storage and Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- Row-Level Security (RLS): Database-level policies ensure each Association can only access its own data.
- Encryption in transit: All data is transmitted over TLS/HTTPS.
- Encryption at rest: Database storage is encrypted at rest using AES-256.
- Password hashing: User passwords are hashed using bcrypt and are never stored in plain text.
- Access controls: Administrative access to production systems is restricted and audited.
While we take reasonable steps to protect your information, no method of transmission or storage is completely secure. We cannot guarantee absolute security.
8. Data Retention and Deletion
We retain your personal information only as long as necessary to fulfill the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account plus 60 days after deletion request |
| Association and organizational data | Duration of account plus 60 days after deletion request |
| Schedule and assignment data | Duration of account plus 60 days after deletion request |
| Error logs and usage data | 90 days (rolling) |
| Billing and transaction records | 7 years (as required by Canadian tax law) |
Upon account termination, you have a 30-day window to export your data. After that window closes, we will delete your Content within 60 days, except for data we are required to retain by law.
9. Cookies
We use only essential cookies that are strictly necessary for the operation of the Service. These include:
- Authentication session cookies: Used to maintain your signed-in state and secure your session.
We do not use marketing or advertising tracking cookies. Our analytics tools (described in Section 10) are cookie-free and do not use tracking cookies or scripts to identify individual users.
10. Analytics and Performance Monitoring
We use Vercel Analytics and Vercel Speed Insights to understand how the Service is used and to monitor page performance. These tools collect:
- Page views: Which pages are visited and how often, reported in aggregate.
- Web Vitals: Browser performance metrics (loading speed, interactivity, visual stability) measured per page to help us identify and fix slow pages.
- Custom events: A small number of key actions (such as activating a season or importing ice slots) are counted in aggregate to help us understand feature usage.
These tools are provided by Vercel Inc. and operate without cookies. They do not collect personal information, do not track individual users across sessions, and do not share data with third-party advertisers. All data is aggregated and cannot be used to identify you. This approach is compliant with PIPEDA and GDPR requirements for anonymous analytics.
For more information, see Vercel's Analytics Privacy Policy.
11. Children's Privacy
The Service is designed for use by adult administrators, schedulers, and team managers within hockey associations. We do not knowingly collect personal information from children under the age of 18. The Service does not store player rosters, player names, or any information about individual players or minors.
If you believe that a child has provided us with personal information, please contact us at privacy@rinktrack.com and we will promptly delete that information.
12. Your Rights Under PIPEDA
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the following rights:
- Access: You may request access to the personal information we hold about you.
- Correction: You may request correction of any inaccurate or incomplete personal information.
- Withdrawal of consent: You may withdraw your consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions. Withdrawal of consent may limit your ability to use the Service.
- Deletion: You may request deletion of your personal information, subject to our retention obligations.
- Complaint: You have the right to file a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated.
To exercise any of these rights, contact us at privacy@rinktrack.com. We will respond to your request within 30 days.
13. Breach Notification
In the event of a breach of security safeguards involving personal information that poses a real risk of significant harm, we will:
- Notify the Office of the Privacy Commissioner of Canada as required under PIPEDA.
- Notify affected individuals as soon as feasible, including a description of the breach, the types of information involved, and steps individuals can take to reduce the risk of harm.
- Keep a record of the breach as required by law.
14. CASL Compliance
The Service sends email communications to team managers on behalf of your Association. These communications are transactional in nature (schedule deliveries, assignment changes, and account-related notices) and are exempt from the consent requirements of Canada's Anti-Spam Legislation (CASL) under Section 6(6).
All emails sent through the Service include:
- Clear identification of the sender (your Association, via RinkTrack).
- Contact information for your Association and for RinkTrack.
- An unsubscribe mechanism, allowing recipients to opt out of future schedule notifications.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will provide at least 30 days' notice of material changes by email or through the Service. Your continued use of the Service after the effective date of the updated policy constitutes your acceptance of the changes.
16. Contact and Complaints
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
Privacy Officer: privacy@rinktrack.com
General Support: support@rinktrack.com
If you are not satisfied with our response to your privacy concern, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada:
- Website: www.priv.gc.ca
- Phone: 1-800-282-1376