Privacy Policy

Effective May 1, 2026

LeagueLooper is a US-only service operated by an individual founder. This policy explains what we collect, why, who we share it with, and how California residents can exercise their CCPA/CPRA rights.

1. Information We Collect

From Clerk (authentication)

  • Email address
  • Display name (if provided)
  • Authentication tokens and session metadata

Created while you use the Service

  • Saved schedules, including selected games and trip groupings
  • Trips and trip items (flights, hotels, tickets, costs, notes)
  • Filter preferences (home airport, preferred days, blackout dates)

Automatically

  • IP address (used for rate limiting and abuse prevention)
  • Browser type, OS, screen size, referring URL
  • Pages viewed and feature interactions (PostHog product analytics, when enabled)
  • Error context (Sentry) when something crashes — stack traces, request ID, browser info

2. How We Use Your Information

  • To authenticate you and protect your account
  • To generate, save, and display your stadium-tour schedules and trips
  • To detect and respond to abuse, fraud, and security incidents
  • To improve the Service (which features get used, where users get stuck)
  • To send transactional email related to your account (e.g., confirmation, security)
  • To respond to support and privacy inquiries

3. Service Providers (Sub-processors)

We use the following third parties to operate the Service. Each is bound by its own privacy commitments and by data-processing terms with us:

  • Clerk — authentication and user management
  • Supabase — managed PostgreSQL database (US region)
  • Railway — backend hosting (US region)
  • Cloudflare — frontend hosting, DNS, CDN, email routing
  • PostHog — product analytics (opt-out available, see § 6)
  • Sentry — error tracking and crash reporting
  • Resend — transactional email delivery
  • Affiliate networks (e.g., booking, ticketing partners) when you click an affiliate link

4. Sale and Sharing of Personal Information

We do not sell your personal information for money. However, under California’s CPRA the term “sharing” also covers cross-context behavioral advertising and certain partner data exchanges.

When we add affiliate links (third-party booking, ticketing, or travel partners) and you click one, your click may include a partner-specific identifier (a “sub-ID”) that lets the partner attribute a resulting purchase back to LeagueLooper. CPRA classifies this as “sharing.” California residents can opt out at any time using the link in § 6.

5. Data Retention

We retain your account and the trips/schedules you create for as long as your account is active. When you delete your account, all owned rows (saved schedules, schedule games, trips, trip items) are removed via cascading delete, typically within minutes. Backup snapshots are purged on a rolling 30-day window. Logs containing IP addresses are retained for up to 90 days for security and debugging.

6. Your California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we have collected about you, the categories of sources, and the categories of third parties with whom we have shared it.
  • Delete personal information we have collected from you, subject to limited exceptions.
  • Correct inaccurate personal information.
  • Opt out of the “sale” or “sharing” of your personal information.
  • Limit use of sensitive personal information (we do not collect categories of sensitive PI such as government IDs, precise geolocation, or financial-account credentials).
  • Non-discrimination — we will not deny service, charge a different price, or provide a different level of quality because you exercised these rights.

To exercise any of these rights, email [email protected] from the address associated with your account. We will respond within 45 days as required by California Civil Code § 1798.130. To opt out of the “sharing” described in § 4, use the “Do Not Sell or Share My Personal Information” link in our cookie banner or in the site footer.

7. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, email [email protected] and we will delete it.

8. Security

We use industry-standard safeguards, including TLS for all data in transit, hashed and rotated authentication tokens (via Clerk), parameterized SQL to prevent injection, per-IP rate limiting, and PII redaction in our application logs. No system is perfectly secure; if we become aware of a breach affecting your data, we will notify you as required by California Civil Code § 1798.82.

9. International Users

LeagueLooper is intended for use within the United States. If you access the Service from outside the US, you understand and consent to your data being processed in the US, which may have different data-protection rules than your country.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be announced on the Service or by email. The “Effective” date at the top of this page reflects the most recent revision.

11. Contact

Privacy questions, requests, or complaints: email [email protected].