Privacy Policy
0. Jurisdiction and Audience
Rally HQ is operated from the United States and primarily serves Tournament Organizers and Participants located in the United States. We are not currently marketing the Service to residents of the European Economic Area, the United Kingdom, or Switzerland. EU/UK/Swiss residents who access the Service do so at their own initiative.
Where EU/UK/Swiss residents nevertheless interact with the Service, we apply the protections described in this Privacy Policy and our Data Processing Addendum, including the international-transfer safeguards in §6 of the DPA. This statement of audience is not a limitation on individual rights under applicable privacy law; it informs the jurisdictional scope of our marketing.
1. Introduction
Rally HQ ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our tournament management platform ("Service").
When you create an account or register for a tournament, we present these data practices to you and ask for your explicit acceptance. Before you continue using the Service after any material update to this policy, we will present a re-acceptance prompt rather than rely on implied consent.
This policy should be read alongside our Data Processing Addendum (available at rallyhq.app/dpa for Organizers), our Sub-Processor List, and our Accessibility Statement.
2. Our Role: Data Controller vs. Data Processor
Important: For participant data, the Tournament Organizer is the Data Controller. Rally HQ acts as the Data Processor.
Rally HQ serves two types of users with different data relationships:
For Organizer Account Data
When you create an Organizer account (email, name, billing info), Rally HQ is the Data Controller. We determine how this data is used and are directly responsible for it.
For Participant Data
When Tournament Organizers input participant data (player names, team rosters, emails), the Organizer is the Data Controller and Rally HQ is the Data Processor acting on their instructions.
This means:
- Organizers decide what participant data to collect and display
- Organizers are responsible for obtaining necessary consents
- Rally HQ processes this data only as instructed by Organizers
- Participants seeking to modify or delete their data should contact the Organizer first
What This Means for Participants
If you are a tournament participant and want your data corrected or deleted:
- Contact the Tournament Organizer first — they control your data
- If you cannot reach the Organizer, email us at privacy@rallyhq.app and we will forward your request to the Organizer for approval
3. Information We Collect
Information You Provide
- Account Information: Email address and name when you create an account or log in via Magic Link
- Tournament Data: Tournament names, team names, player names/rosters, schedules, scores, and standings
- Payment Handles: Venmo, Cash App, Zelle, or PayPal usernames that organizers choose to display for collecting entry fees (we do not collect credit card numbers or process payments)
- Communications: Messages you send to us via email or support channels
- Registration Consents: When registering a team, we record your acceptance of the liability waiver, media release, and data sharing consent, including the timestamp and IP address of your acceptance. This information is retained for legal compliance and may be shared with the Tournament Organizer or disclosed if required by law.
- Phone Number: Captain phone numbers collected during registration are shared only with the Tournament Organizer for event-day communication. Phone numbers are not displayed publicly on the platform.
Where phone numbers are stored. Rally HQ is in the middle of a captain-identity transition and supports two registration paths. (a) Captains who register through the Magic Link path receive a Rally HQ account and may optionally save a phone number to their personal account profile (under "Account") in addition to the per-tournament copy that the Organizer can see. (b) Captains who register through the legacy verification-code path (no account is created) have their phone number stored only on the tournament-team record for Organizer access. In both cases the disclosure to the Organizer is identical; the difference is whether a second account-level copy exists. See Section 11 for retention details.
SMS / TCPA disclosure. Rally HQ does not currently send SMS messages to participants or Organizers. Phone numbers collected at registration are shared only with the Tournament Organizer for event-day voice/text communication that the Organizer initiates directly. If Rally HQ adds SMS functionality in the future, we will obtain express written consent compliant with the Telephone Consumer Protection Act (47 U.S.C. §227) and FCC 1:1 consent rules effective 2025 before sending any SMS.
Information Collected Automatically
- Usage Data: Pages visited, features used, and interactions with the Service
- Device Information: Browser type, operating system, and device type
- Log Data: IP address, access times, and referring URLs
- Session Tokens: Functional cookies necessary to keep you logged in and maintain your session
What We Do NOT Collect: Credit card numbers, bank account details, Social Security numbers, or detailed financial information. All tournament payments occur directly between users via third-party apps.
Biometric Data
Rally HQ does not collect, store, or process biometric identifiers (including face geometry scans, fingerprints, voiceprints, or retina/iris scans) from photographs or any other source. We do not perform face detection, face matching, or any other biometric extraction on uploaded media. This statement is provided in light of the Illinois Biometric Information Privacy Act (740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code §503.001), and similar state biometric privacy laws.
Notice at Collection (CCPA / CPRA)
At the point we collect personal information, we are required to disclose: the categories of personal information being collected, the purposes for which it will be used, the retention period for each category (see Section 11), and the third parties with whom it is shared (see Section 6). That information appears in this policy. We do not sell or share personal information for cross-context behavioral advertising.
4. How We Use Your Information
We use the information we collect to:
- Provide and maintain the Service (brackets, schedules, scoring)
- Send Magic Links for passwordless authentication
- Display real-time tournament standings and brackets to participants and spectators
- Process Rally HQ subscription payments (organizer accounts only, via Stripe)
- Send administrative messages, updates, and security alerts
- Respond to your support requests and questions
- Monitor for fraudulent or prohibited activity
- Improve the Service based on usage patterns
We do not use personal information for advertising, and we do not use personal information — including any data relating to children — for AI/ML model training.
5. Public Visibility of Tournament Data
Important: Tournament brackets, schedules, scores, and standings are publicly viewable by default. Anyone with the tournament link can view this information.
When you register for a tournament or are added to a roster, the following information may be publicly visible:
- Team name
- Player names (as entered by the team captain or organizer)
- Match schedules and court assignments
- Game scores and standings
- Tournament results and placements
Do not use sensitive personal information (such as full addresses, phone numbers, email addresses, or other private details) in team names, player names, or other publicly visible fields.
6. Information Sharing
We may share your information in the following circumstances:
With Tournament Organizers
When you register for a tournament, your registration information (name, email, team name) is shared with the specific tournament director of that event. Organizers need this information to manage their tournaments.
With Service Providers
We share information with third-party vendors who perform services on our behalf:
- Supabase: Database hosting and authentication services
- Stripe: Subscription payment processing (organizer accounts only)
- Cloudflare: Application hosting and edge network
- PostHog: Product analytics (see Section 8 for details)
These providers are bound by contractual obligations to keep your information confidential and use it only for the purposes we specify. A full list of sub-processors is available at rallyhq.app/sub-processors.
For Legal Compliance
We may disclose information when required by law, court order, or government request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
Copyright Matters
For DMCA takedown requests and copyright concerns, please see our policy at rallyhq.app/dmca.
7. Children's Privacy (COPPA Compliance)
Important for Parents and Guardians: Rally HQ does not knowingly collect or process personal information from children under 13 without verifiable parental consent (VPC) obtained by the Tournament Organizer, as defined in 16 CFR §312.5.
Our Approach
Rally HQ accounts must be created by users who are 18 years or older. When minors participate in tournaments:
- A parent, guardian, or authorized adult (such as a coach) must register the team
- The adult registrant is responsible for having authority to share participant information
- Player names entered by adults may include minors, but the account holder is always an adult
Tournament Organizer Responsibility
Tournament directors who organize events involving minors are responsible for obtaining any necessary parental consents and maintaining appropriate safeguards for minor participants. Organizer indemnification provisions in our Terms of Service do not shift FTC enforcement liability; Rally HQ maintains a constructive-knowledge posture and will act on any credible notice that under-13 data is being processed without VPC.
For tournaments with under-13 athletes, Rally HQ recommends that Organizers display first name and last initial only (or jersey number) in all public-facing surfaces.
Children's Data — Additional Protections
- Rally HQ does not market to children.
- Rally HQ does not use children's personal information for advertising purposes.
- Rally HQ does not use children's personal information for AI or machine-learning training.
- Where tournament media (photos or video) may depict minors, explicit consent must be obtained by the Organizer before collection. Rally HQ does not use photos or video of minors for marketing, promotional materials, or any purpose other than displaying the content within the specific tournament context for which consent was given, without a separate parental opt-in.
Parental Rights
If you are a parent or guardian and believe your child has provided personal information to Rally HQ without your consent, please contact us immediately at privacy@rallyhq.app. We will promptly delete such information.
8. Cookies and Tracking
Essential Cookies
Rally HQ uses cookies required for the Service to function:
- Session tokens: To keep you logged in after using a Magic Link
- Authentication cookies: To verify your identity across page requests
These cookies are essential for the Service to work and cannot be disabled.
Analytics
We use PostHog, a product analytics platform, to understand how users interact with Rally HQ. This helps us improve the Service. PostHog collects:
- Pages visited and features used
- Button clicks and form interactions
- Device type, browser, and operating system
- Anonymous or pseudonymous user identifiers
PostHog may use cookies or local storage to track your activity across sessions. We configure PostHog to respect your browser's "Do Not Track" setting. If you enable DNT, analytics tracking is disabled for your sessions.
EU / UK Consent
If you access the Service from the European Economic Area, United Kingdom, or Switzerland, we will request your consent before loading non-essential cookies (including PostHog analytics). You may withdraw consent at any time via our cookie preferences control. Essential cookies (session, authentication) load without consent because they are strictly necessary for the Service to function under Article 5(3) of the ePrivacy Directive.
Global Privacy Control (GPC)
Rally HQ honors the Global Privacy Control (GPC) signal as an opt-out of sale and sharing of personal information, consistent with the California Attorney General Opinion 22-101 and applicable state law requirements. When we detect a GPC signal from your browser, we treat it as a do-not-sell / do-not-share instruction.
What We Don't Use
Rally HQ does not use:
- Third-party advertising networks or retargeting pixels
- Facebook Pixel, Google Ads, or similar ad trackers
- Cross-site tracking that follows you to other websites
We do not sell data to advertisers or share analytics data with third parties for advertising purposes.
9. Magic Link Authentication
No Passwords: Rally HQ uses passwordless "Magic Link" authentication. We never store or transmit passwords because we don't use them.
How Magic Links Work
When you log in to Rally HQ, we send a unique, time-limited link to your email address. Clicking this link authenticates you without requiring a password. Here's what happens:
- You enter your email address on the login page
- We generate a cryptographically secure, single-use token
- We send an email containing a link with this token to your email address
- When you click the link, we verify the token and create a session
- The token expires after use or after a short time period (typically 1 hour)
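The steps above as an added Python example (not Rally HQ's code): a token is issued, redeemed at most once within the one-hour window, and exchanged for a session cookie. Assumptions not stated in this policy: the in-memory store, the `rallyhq.example` callback URL, the cookie name, `SameSite=Lax`, and keeping only a SHA-256 digest of the token server-side.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlsplit

TOKEN_TTL_SECONDS = 3600  # the policy's "typically 1 hour"
CALLBACK_URL = "https://rallyhq.example/auth/callback"  # hypothetical URL


def _digest(token):
    # Assumption: only a hash of the token is stored, so a leaked table
    # cannot be replayed as working login links.
    return hashlib.sha256(token.encode("ascii", "replace")).hexdigest()


class MagicLinkStore:
    """In-memory stand-in for the token table (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # token digest -> (email, expires_at)

    def issue_link(self, email):
        # 32 bytes from the OS CSPRNG, URL-safe so it needs no escaping.
        token = secrets.token_urlsafe(32)
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[_digest(token)] = (email, expires_at)
        return f"{CALLBACK_URL}?token={token}"

    def redeem(self, token):
        # pop() removes the record on the first attempt, so the token is
        # single-use even when that attempt fails the expiry check.
        record = self._pending.pop(_digest(token), None)
        if record is None:
            return None  # unknown, already used, or guessed token
        email, expires_at = record
        if self._clock() >= expires_at:
            return None  # expired
        return email


def complete_login(store, link):
    """Verify the token in a clicked link and create a session.

    Returns (email, Set-Cookie value) on success, None on any failure.
    """
    tokens = parse_qs(urlsplit(link).query).get("token", [])
    if len(tokens) != 1:
        return None
    email = store.redeem(tokens[0])
    if email is None:
        return None
    # The session identifier is a fresh random value, unrelated to the token.
    session_id = secrets.token_urlsafe(32)
    cookie = f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
    return email, cookie


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue_link("captain@example.com")  # constructed address
    print("first click :", complete_login(store, link))
    print("second click:", complete_login(store, link))
```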
Security Benefits
Magic Link authentication provides several security advantages:
- No password database: We cannot leak passwords because we don't store them
- No password reuse risk: Your Rally HQ account cannot be compromised by a breach at another service
- Phishing resistant: There's no password for attackers to steal via fake login pages
- Email as second factor: Access requires control of your email account
Your Responsibilities
Because your email account is the key to accessing Rally HQ:
- Secure your email: Use a strong password and two-factor authentication on your email account
- Don't forward Magic Links: Each link is meant for you alone; forwarding it grants access to your account
- Check the sender: Magic Link emails come from Rally HQ domains only
- Report suspicious emails: If you receive a Magic Link you didn't request, someone may be attempting to access your account—contact us at security@rallyhq.app
Session Management
After authenticating via Magic Link, we create a session that keeps you logged in:
- Sessions are stored as secure, HTTP-only cookies
- Sessions expire after a period of inactivity
- You can log out at any time to end your session
- Logging out on one device does not affect sessions on other devices
10. Data Security
We implement appropriate technical and organizational security measures to protect your information:
- Database encryption at rest
- Encrypted data transmission (HTTPS/TLS)
- Passwordless authentication via Magic Links (no passwords to leak)
- Regular security reviews and updates
However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, and you use the Service at your own risk.
Breach Notification
If we determine that a security incident has compromised your personal information, we will notify you and any required regulator within the timeframe required by applicable law: at minimum within 72 hours of confirming the breach to the supervisory authority for individuals in jurisdictions covered by GDPR Art. 33, and within 30 days to affected individuals for all other US jurisdictions unless law enforcement requires delay. Notifications will describe the categories of data affected, the steps we are taking, and steps you can take to protect yourself.
11. Data Retention
We retain your personal information for the periods set out in the table below, or longer where required by law, to resolve disputes, or to enforce our agreements.
| Data category | Retention period |
|---|---|
| Organizer account data (email, name) | Until account deletion + 90 days |
| Tournament data (brackets, scores, standings) | 7 years for historical record |
| Registration consents (timestamp, IP, accepted text) | 7 years from event date |
| Captain phone numbers | Retained while the captain's account is active; deleted within 90 days of last sign-in. |
| Magic Link tokens | 1 hour or single-use (whichever comes first) |
| Session cookies | Until logout or inactivity timeout |
| Server logs (IP, access times) | 1 year |
| PostHog analytics | 7 years (or per PostHog platform defaults) |
| Stripe payment records | 7 years (per IRS / PCI-DSS requirements) |
12. Your Data Rights
Depending on your location, you may have certain rights regarding your personal information. You may submit a request by email at privacy@rallyhq.app (subject line: "Data Request") or via our web form at rallyhq.app/privacy-request.
Available Rights
- Access: Request a copy of the personal information we hold about you
- Correction / Right to Correct: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information (subject to legal retention requirements)
- Portability: Request your data in a portable format
- Objection: Object to certain processing of your information
- Opt-Out of Sale / Sharing: Opt out of any sale or sharing of your personal information for cross-context behavioral advertising (Rally HQ does not currently sell or share personal information for these purposes)
- Opt-Out of Profiling: Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects
- Limit Use of Sensitive Personal Information: Where applicable law provides this right, you may request that we limit use of your sensitive personal information to the purposes necessary to perform the Service
How to Submit a Request
Please include your name and email address associated with your account, a description of what you are requesting, and any relevant tournament names or dates to help us locate your data. We may need to verify your identity before processing certain requests.
Response Timeframes
We will respond to your request within the timeframe required by applicable law: within one calendar month for GDPR / UK GDPR requests; within 45 days for CCPA / CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, MODPA, and all other applicable US state privacy law requests. We may extend by an additional 45–60 days for complex requests, with written notice to you within the original period.
Appeals
If we deny your data request, you may appeal by replying to our decision email. We will respond to appeals within 60 days. If your appeal is denied, you may submit a complaint to your state attorney general or, if you are in the EEA, UK, or Switzerland, to your supervisory authority.
Authorized Agents
You may designate an authorized agent to submit requests on your behalf. We will require written proof of your authorization and may verify your identity directly before fulfilling a request submitted through an agent.
Non-Discrimination
We will not discriminate against you for exercising any of your privacy rights. You will not receive a lower quality of service, be charged different prices, or be denied access to the Service because you exercised a right described in this section.
13. International Data Transfers
Rally HQ is based in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
These countries may have data protection laws that differ from those in your country of residence. For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the legal transfer mechanism under GDPR Art. 46 where applicable. We apply appropriate supplementary measures consistent with the European Data Protection Board's guidance following Schrems II (C-311/18).
EU Representative — not appointed. Rally HQ does not target the European Economic Area, the United Kingdom, or Switzerland and does not knowingly process the personal data of EU/UK/Swiss residents for purposes of GDPR Article 3(2). Accordingly, we have not appointed a representative under GDPR Article 27. If Rally HQ begins offering the Service to EU/UK/Swiss residents or processing their data on a regular basis, we will appoint a representative before doing so and disclose their contact information here. EU/UK/Swiss residents who nonetheless wish to make a data-protection inquiry may contact us at privacy@rallyhq.app and we will respond as a courtesy.
14. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
Categories of Personal Information Collected
In the prior 12 months, we have collected the following categories of personal information (as defined under CCPA §1798.140): identifiers (email, IP address), commercial information (subscription records), internet or other electronic network activity (usage data, log data), and geolocation data (approximate location derived from IP address). We have not sold and have not shared any personal information for cross-context behavioral advertising in the prior 12 months.
Sensitive Personal Information (CPRA §1798.140(ae))
Under CPRA, the categories of Sensitive Personal Information (SPI) that Rally HQ may collect are:
- Account credentials: Your email address used for Magic Link authentication constitutes account log-in credentials
- Precise geolocation: IP-derived approximate location (we do not collect GPS-level precise geolocation unless you grant browser permission)
- Communications content: Content of support emails or messages you send to us
Your CCPA / CPRA Rights
- Right to Know: Request information about the categories and specific pieces of personal information we have collected, used, disclosed, or sold
- Right to Delete: Request deletion of your personal information, subject to exceptions
- Right to Correct (CPRA §1798.106): Request correction of inaccurate personal information
- Right to Opt-Out of Sale / Sharing (CPRA §1798.120(a)): We do not sell or share personal information for cross-context behavioral advertising. This right exists and you may exercise it even though we do not currently engage in these activities. We also honor the Global Privacy Control (GPC) as an opt-out signal.
- Right to Limit Use and Disclosure of Sensitive Personal Information (CPRA §1798.121): You may direct us to limit use of your SPI to what is necessary to perform the Service. To exercise this right, submit a request via email or the web form listed in Section 12.
- Right to Non-Discrimination: We will not discriminate against you for exercising your California privacy rights
12-Month Look-Back Disclosure (CCPA §1798.130(a)(5)(B))
In the 12-month period preceding the date of this policy:
- Categories of personal information collected: identifiers, usage data, commercial information, communications content
- Categories of personal information disclosed for a business purpose: identifiers shared with Supabase, Stripe, Cloudflare, and PostHog as sub-processors; registration data shared with Tournament Organizers
- Personal information sold: None
- Personal information shared for cross-context behavioral advertising: None
Submitting California Requests
California residents may submit requests via two methods:
- Email: privacy@rallyhq.app with subject line "California Privacy Request"
- Web form: rallyhq.app/privacy-request
Authorized Agent (CCPA §1798.130(a)(6))
You may designate an authorized agent to submit a CCPA request on your behalf. We will require proof of the agent's written authorization and may require you to verify your identity directly with us. Agents may submit requests via the same channels above.
15. U.S. State Privacy Rights
In addition to California, the following states have enacted comprehensive consumer privacy laws that may apply to you:
| State | Law | Effective date |
|---|---|---|
| Virginia | Consumer Data Protection Act (VCDPA) | January 1, 2023 |
| Colorado | Colorado Privacy Act (CPA) | July 1, 2023 |
| Connecticut | Connecticut Data Privacy Act (CTDPA) | July 1, 2023 |
| Utah | Utah Consumer Privacy Act (UCPA) | December 31, 2023 |
| Texas | Texas Data Privacy and Security Act (TDPSA) | July 1, 2024 |
| Oregon | Oregon Consumer Privacy Act (OCPA) | July 1, 2024 |
| Montana | Montana Consumer Data Privacy Act (MCDPA) | October 1, 2024 |
| Florida | Florida Digital Bill of Rights (FDBR) | July 1, 2024 |
| Iowa | Iowa Consumer Data Protection Act (ICDPA) | January 1, 2025 |
| Delaware | Delaware Personal Data Privacy Act (DPDPA) | January 1, 2025 |
| New Hampshire | New Hampshire Privacy Act (NHPA) | January 1, 2025 |
| New Jersey | New Jersey Data Privacy Act (NJ DPA) | January 15, 2025 |
| Tennessee | Tennessee Information Protection Act (TIPA) | July 1, 2025 |
| Minnesota | Minnesota Consumer Data Privacy Act (MCDPA) | July 31, 2025 |
| Maryland | Maryland Online Data Privacy Act (MODPA) | October 1, 2025 |
| Indiana | Indiana Consumer Data Protection Act (ICDPA) | January 1, 2026 |
| Kentucky | Kentucky Consumer Data Protection Act (KCDPA) | January 1, 2026 |
| Rhode Island | Rhode Island Data Transparency and Privacy Protection Act (DTPPA) | January 1, 2026 |
Unified Rights Summary
Regardless of which state law applies to you, residents of the states above generally have the following rights, subject to exceptions and thresholds in each law:
- Access: Know what personal data we collect and how we use it
- Correct: Request correction of inaccurate personal data
- Delete: Request deletion of personal data we hold about you
- Portability: Obtain a copy of your data in a portable format
- Opt-Out of Sale: Opt out of the sale of your personal data (Rally HQ does not sell personal data)
- Opt-Out of Targeted Advertising: Opt out of processing for cross-context behavioral advertising (Rally HQ does not conduct targeted advertising)
- Opt-Out of Profiling: Opt out of profiling in furtherance of decisions producing legal or similarly significant effects on you
Universal Opt-Out Mechanism
Rally HQ honors the Global Privacy Control (GPC) browser signal as a universal opt-out of sale and targeted advertising, as required by California and adopted by other states as they implement universal opt-out mechanism requirements.
Response Timeframe
We will respond to state privacy requests within 45 days of receipt. We may extend this period by an additional 45 days when reasonably necessary, with written notice to you within the initial 45-day period.
Appeals Process
If we deny your request in whole or in part, you may appeal our decision by replying to our decision email or by emailing privacy@rallyhq.app with the subject line "Privacy Request Appeal." We will respond to appeals within 60 days. If your appeal is denied, you may file a complaint with your state attorney general. States with explicit appeal rights under their laws include Virginia, Colorado, Connecticut, Florida, Montana, Oregon, Texas, Maryland, New Jersey, New Hampshire, Kentucky, Tennessee, Rhode Island, and Minnesota, among others.
Complaint with State Attorney General
If you believe we have not honored your rights under your state's privacy law, you have the right to file a complaint with your state attorney general or the applicable enforcement authority.
16. European Privacy Rights (GDPR)
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Right to access your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent
Our legal basis for processing your data is: (1) your consent, (2) performance of a contract (providing the Service), and (3) our legitimate interests in operating and improving the Service.
Right to Lodge a Complaint
You have the right to lodge a complaint with your local supervisory authority. A full list of EEA supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu/about-edpb/about-edpb/members_en. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk. Swiss residents may contact the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.
17. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page with a new "Last updated" date
- Sending an email notification to account holders for significant changes
- Presenting a re-acceptance prompt within the Service for material changes
We will not rely on implied consent for material changes. You will be asked to affirmatively accept any update that materially affects how we use your data.
18. Contact Us and Entity Disclosure
Operating entity: Rally HQ is operated by Signal X Studio LLC, an Illinois limited liability company. Our business mailing address is c/o Northwest Registered Agent Service, Inc., 2501 Chatham Rd Suite N, Springfield, IL 62704, USA.
If you have questions about this Privacy Policy or our data practices, please contact us:
- Privacy Inquiries: privacy@rallyhq.app
- Data Requests (email): privacy@rallyhq.app (subject: "Data Request")
- Data Requests (web form): rallyhq.app/privacy-request
- Security Issues: security@rallyhq.app
- General Support: support@rallyhq.app
- EU Representative: Not appointed — Rally HQ does not target or knowingly process EU/UK/Swiss resident data. See §13 above.