Legal

Privacy Policy

Last updated: (rev. 3)

1. Who we are

ShuttleScore ("we", "us", "our") is a badminton tournament tracker open to anyone with a valid email address. If you have questions about this policy, contact us at info@ShuttleScore.com.

2. Data we collect

We collect only the data you provide or that is generated by your use of the service:

  • Account information — your name and email address when you register. Your email is stored in lower-case and used to look up a Gravatar avatar (see §5).
  • Profile image — an optional avatar you upload directly in Settings, or a Gravatar image automatically fetched using a SHA-256 hash of your email address.
  • Account status — a role field (user or admin) and, if applicable, a ban record including reason and expiry date, managed by site administrators.
  • Session data — authentication tokens, IP address, and browser type stored per active session. If an administrator uses the impersonation feature, that session is flagged with the administrator's ID for audit purposes.
  • Tournament & match data — groups, players, tournaments, scores, and seasons you create.
  • Usage data — standard server logs (IP address, browser type, pages visited) retained for up to 30 days for security and debugging purposes.

We do not collect payment information. ShuttleScore is free to use.

3. How we use your data

  • To provide, maintain, and improve the service.
  • To authenticate you and keep your account secure.
  • To understand how the service is used — when you consent to analytics cookies, usage events (pages visited, features activated) and your account identifier, email address, and display name are sent to PostHog so that events can be linked to your account. This is done under your consent (Art. 6(1)(a) GDPR). You can withdraw consent at any time via the cookie banner. No match scores are included in analytics events.
  • To display your avatar — either an image you upload or a Gravatar image fetched by sending a SHA-256 hash of your email to Gravatar's servers. No email address itself is transmitted.
  • To send transactional emails (e.g. email verification, password reset, email change confirmation) via our email provider. We do not send marketing emails without your explicit consent.
  • To generate AI-powered commentary — tournament and match data is sent to a third-party AI provider (see §5). No personal identifiers beyond player nicknames you choose are included.
  • To protect against bots and abuse — a proof-of-work challenge collects a browser fingerprint (e.g. whether cookies are enabled, and other device characteristics) to assign a difficulty level to write operations. This data is not stored and is used solely to rate-limit abusive requests.
  • To enforce platform rules — administrators may view account status, ban abusive accounts, and in exceptional support cases impersonate an account. All impersonated sessions are logged and attributable to the acting administrator.

4. Legal basis (GDPR)

If you are located in the European Economic Area, we process your data under the following legal bases:

  • Contract — processing necessary to provide the service you signed up for (Art. 6(1)(b) GDPR).
  • Legitimate interests — security logging, abuse prevention, and platform integrity (Art. 6(1)(f) GDPR).
  • Consent — analytics cookies and the associated transmission of your name and email to PostHog (Art. 6(1)(a) GDPR). You may withdraw consent at any time; withdrawal does not affect the lawfulness of processing before withdrawal.

5. Third-party services

We use the following sub-processors:

Gravatar (Automattic)

Automatic avatar images — a SHA-256 hash of your email is sent to Gravatar to retrieve your avatar if one exists. No email address is transmitted and no account with Gravatar is required. Automattic participates in the EU–US Data Privacy Framework (DPF), providing an adequacy basis for this transfer under Art. 45 GDPR.

Location: USA (DPF) · Privacy policy

Resend

Transactional email delivery (verification, password reset, email change confirmation)

Location: USA · Privacy policy

OpenRouter / Google (Gemini)

AI-generated tournament commentary and player profiles

Location: USA · Privacy policy

Vercel

Hosting and infrastructure — your requests are served from Vercel's global edge network. Vercel may log IP addresses and request metadata for security and reliability purposes.

Location: USA / EU edge nodes · Privacy policy

Vercel Analytics

Pageview and visitor analytics — Vercel Analytics collects anonymous pageview data (URL, referrer, device type, country) without setting cookies or storing personally identifiable information.

Location: USA / EU edge nodes · Privacy policy

Vercel Speed Insights

Core Web Vitals monitoring — Vercel Speed Insights measures real-user performance metrics (LCP, FID, CLS, TTFB) to help us identify and fix performance issues. Data is aggregated and not linked to individual users.

Location: USA / EU edge nodes · Privacy policy

Neon / PostgreSQL

Database hosting

Location: EU (Frankfurt) · Privacy policy

PostHog

Product analytics — only when you have consented via the cookie banner, we capture usage events (e.g. features used, pages visited) linked to your account identifier, email address, and display name. No match scores are included. Data is stored on PostHog's EU-hosted cloud.

Location: EU · Privacy policy

Each provider is bound by their own privacy policy and, where applicable, standard contractual clauses under GDPR.

6. Data retention

We retain your account and tournament data for as long as your account is active. You can delete your account at any time from Settings → Security — your personal data is removed immediately upon deletion. Anonymised aggregated statistics may be retained indefinitely.

7. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data — you can update your name and email directly in Settings → Profile.
  • Request deletion of your data ("right to be forgotten") — available self-service via Settings → Security → Delete account, or by contacting us.
  • Object to or restrict certain processing.
  • Data portability — receive your data in a machine-readable format.

To exercise any of these rights, email info@ShuttleScore.com. We will respond within 30 days.

8. Cookies & local storage

ShuttleScore uses browser local storage and IndexedDB to cache tournament data for offline use. We do not use third-party advertising cookies. Session cookies are used solely for authentication purposes and expire when you sign out or after 7 days of inactivity. Analytics cookies require your consent. If you accept analytics, PostHog sets a first-party cookie (ph_*) to distinguish unique visitors; this cookie does not track you across other websites. You can change your preference at any time by clearing your browser's local storage for this site.

9. Security

Passwords are never stored in plain text — they are hashed using bcrypt. All data in transit is encrypted via HTTPS/TLS. We apply rate limiting and proof-of-work challenges on sensitive endpoints to prevent brute-force attacks. Administrator actions (role changes, bans, impersonation) are restricted to authenticated admin accounts and all impersonated sessions are logged.

10. Children's privacy

ShuttleScore is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has created an account, please contact us so we can delete it.

11. Changes to this policy

We may update this policy from time to time. We will notify you of significant changes by updating the "Last updated" date above. Continued use of the service after changes constitutes acceptance of the revised policy.

12. Contact

Questions or concerns about this policy? Reach us at info@ShuttleScore.com.