Privacy Policy

UnderDraft ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy describes what personal information we collect, how we use it, who we share it with, and what rights you have regarding your data.

By using the UnderDraft platform, you agree to the collection and use of information as described in this policy. If you do not agree, please discontinue use and contact us to delete your account.

We collect information you provide directly, information generated by your use of the Service, and limited information from third-party providers.

• Account information: name, email address, role (player / captain / organiser / referee).
• Profile information: display name, avatar, sport preferences, league affiliations.
• League & game data: scores, rosters, schedules, game events you record or are recorded in.
• Usage data: pages visited, features used, session duration — collected via PostHog analytics.
• Device data: browser type, operating system, IP address for security logging.
• Communications: messages you send to our support team.

We use your information only to operate and improve UnderDraft. Specifically:

• Provide, maintain, and improve the Service and its features.
• Authenticate your identity and enforce role-based access control.
• Send transactional emails (account confirmation, password reset, game reminders).
• Detect and prevent fraud, abuse, and security incidents.
• Analyse aggregate, anonymised usage patterns to guide product development.
• Comply with legal obligations.

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

• With service providers who process data on our behalf under strict confidentiality agreements (e.g. Supabase for database hosting, Fly.io for server infrastructure, Resend for transactional email).
• With other members of your league, to the extent necessary to run the league (e.g. your name appears on a roster visible to your teammates).
• As required by law, regulation, or valid legal process.
• In connection with a merger or acquisition, with your data subject to the same privacy protections.

We retain your personal information for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law.

Aggregated, anonymised data (e.g. statistics about league activity) may be retained indefinitely as it cannot be used to identify you.

We implement industry-standard security measures including TLS 1.3 encryption in transit, AES-256 encryption at rest, row-level database security, and regular security reviews. However, no method of transmission over the internet is 100% secure.

For a full overview of our security practices, visit our Security page at underdraft.app/security.

Your data is processed in Canada and the United States. Our infrastructure providers (Supabase on AWS, Fly.io) may process data in other jurisdictions. We ensure all providers meet equivalent data protection standards through contractual safeguards.

UnderDraft is not intended for users under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@underdraft.app and we will delete it promptly.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notification at least 14 days before the changes take effect. The "Effective" date at the top of this page will always reflect the most recent version.