Privacy Policy

1. Who We Are

The Rowing Power Index (“RPI”, “we”, “our”) is an Elo-based rating and analytics platform for scholastic and youth rowing. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have over it. For general terms of use, see our Terms of Service.

2. What We Collect

We collect the following categories of personal data, depending on how you use the Service:

• Account datafrom your OAuth provider (Google, GitHub): email address, display name, avatar URL, and the provider’s unique user identifier. We never see or store your OAuth password.
• Profile data you choose to add: username, bio, title, website, X (Twitter) handle, affiliated team, and profile visibility setting.
• Subscription data: Stripe customer ID, Stripe subscription ID, current subscription tier, and billing period end date. Card details are handled entirely by Stripe and never touch our servers.
• Activity data: pick’em selections, championship bracket picks, prediction-market trades, Crew Coins wallet balance, favorite teams and notification preferences, and usage counters for metered features (simulations, matchups, team deep views).
• Contact form data: name, email, topic, and message, when you submit the contact form.
• Technical data: standard server access logs (IP address, user agent, request path, timestamp) generated by our hosting provider as part of normal operation.

3. How We Use It

• Provide and operate the Service (accounts, subscriptions, rankings, predictions, markets, brackets, favorites).
• Process payments and manage subscriptions through Stripe.
• Send transactional email (login notifications, receipts, system messages) through Resend.
• Prevent abuse, moderate content, and enforce our Terms of Service.
• Maintain the integrity of leaderboards, market resolutions, and historical statistics.
• Improve the Service by reviewing aggregate, non-identifying usage patterns.

We do not sell personal data, we do not run third-party advertising, and we do not use your data to train machine-learning models.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following lawful bases under Article 6 of the GDPR:

• Contract — to create your account, deliver your subscription, process payments, and run the Service you asked for.
• Legitimate interest — to compute rankings, operate prediction markets, prevent fraud and abuse, and maintain security.
• Legal obligation — to keep financial and tax records for the periods required by law.
• Consent — for any optional communication you explicitly opt in to. You can withdraw consent at any time.

5. Who We Share It With

We use a small number of vetted processors. Each processes data only to provide their service to us:

• Supabase — database, authentication, and file storage. supabase.com/privacy
• Stripe — payment processing and subscription management. stripe.com/privacy
• Resend — transactional email delivery. resend.com/legal/privacy-policy
• Anthropic — used by RPI administrators to extract race results from uploaded PDFs. Ordinary user data is not sent to Anthropic. anthropic.com/legal/privacy
• Vercel — application hosting and server logs. vercel.com/legal/privacy-policy

We may also disclose data when required by law, to enforce our Terms, or to protect the rights, property, or safety of RPI, our users, or others.

6. International Transfers

The Service is operated from the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US and in any other country where our processors operate. By using the Service you acknowledge this transfer.

7. Retention

• Account and profile data: kept while your account exists, deleted on account deletion.
• Prediction, bracket, market-trade, and leaderboard records: retained in aggregate for the integrity of historical rankings and leaderboards even after account deletion, but de-identified (linked to a deleted username rather than your personal data).
• Subscription and payment records: retained as long as required by tax and accounting law (typically up to 7 years) via Stripe.
• Contact form submissions: retained for up to 24 months, then deleted.
• Server logs: rotated automatically per hosting provider retention (typically 30 days).

8. Your Rights

Depending on where you live, you may have some or all of the following rights over your personal data:

• Access — request a copy of the data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure — request deletion of your personal data (“right to be forgotten”).
• Portability — receive your data in a portable format.
• Objection / restriction — object to, or ask us to restrict, certain processing.
• Withdraw consent — where processing is based on consent.
• Complain — lodge a complaint with your local data-protection authority.

California residents (CCPA/CPRA): you additionally have the right to know what personal information we collect, to request deletion, to correct inaccurate information, and to opt out of “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined by the CCPA/CPRA, and we do not use cross-context behavioral advertising.

To exercise any of these rights, reach out via the contact page. We will respond within the timeframe required by applicable law (typically 30–45 days). We will not discriminate against you for exercising your rights.

9. Cookies & Local Storage

We use strictly-necessary authentication cookies (managed by Supabase) to keep you signed in, and a small amount of browser local storage (such as an onboarding-completed flag) to remember UI preferences. We do not currently run third-party analytics, advertising, or tracking pixels. See our Cookie Policy for the full list.

10. Children

The Service is not intended for children under 13. Users aged 13–17 must have a parent or guardian’s consent to create an account. If you believe a child under 13 has provided us personal data, contact us and we will delete it.

11. Security

We use industry-standard security measures including TLS in transit, encrypted storage at rest, OAuth-only authentication, and row-level security on our database. No system is perfectly secure; we cannot guarantee absolute security of any data transmitted to or stored on the Service.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated “Last updated” date. Continued use of the Service after changes constitutes acceptance of the revised Policy.

Contact

Questions, requests, or complaints about this Privacy Policy can be sent through the contact page.