Privacy Policy

Effective date: June 7, 2026

1. Overview

Derived Athletics, LLC ("we," "us," or "our") operates FencR. This Privacy Policy explains how we collect, use, store, and share information about you when you use our platform. By using FencR, you agree to the practices described here. If you are a parent or guardian creating or managing an account on behalf of a minor athlete, this policy applies to the information you provide on their behalf as well.

2. Information We Collect

Information you provide directly:

  • Account information: full name, email address, password.
  • Profile information: date of birth, profile photo, weapon specializations, city/state/ZIP, and (if provided) your USA Fencing member ID for use in club records and tournament eligibility checks. The USA Fencing member ID is stored as text only and is not currently transmitted to or validated against any USA Fencing system; if FencR later introduces direct validation against a USA Fencing API, we will update this Policy and disclose the data exchange before enabling it.
  • Payment information: billing details processed and stored by Stripe (we do not store raw card numbers or bank account numbers). For clubs that accept Zelle, we store only the Zelle handle (email or phone number) you choose to register for receiving payments — we do not access your bank account.
  • Club and organization data entered by administrators: schedules, member records, invoices, subscription plans (recurring plans with optional per-cycle typed or unlimited quotas, and one-time pre-paid packs), member groups, training locations, and club settings.
  • Parent–child relationship data when a parent links a minor athlete's account to their own, including a parent's ability to manage multiple plan assignments on behalf of a child.
  • Communications you send us (support requests, feedback).
  • Notification preferences set in your account settings.

Information collected automatically:

  • Log data: IP address, browser type, pages visited, timestamps.
  • Device information: operating system, device identifiers.
  • Usage data: features accessed, actions taken within the platform.
  • Aggregated, privacy-preserving page-view and performance metrics collected by Vercel Analytics and Vercel Speed Insights. These metrics are recorded without third-party cookies and without persistent cross-site identifiers; Vercel hashes IP and user-agent on the edge to derive an anonymous, daily-rotating visitor token that we cannot reverse-engineer to identify you.
  • Session authentication tokens (stored in secure HTTP-only cookies).
  • Calendar sync tokens if you enable iCal or Google Calendar integration.

Information from third parties:

  • If you sign in with Google or Apple, we receive your name and email address from those providers.
  • If you verify your email via a one-time passcode during onboarding, we receive delivery and verification status from our email provider.
  • Payment transaction data and payout information from Stripe.
  • For clubs that have connected QuickBooks Online: customer records and invoice metadata imported into FencR to support two-way invoice sync.

3. How We Use Your Information

We use the information we collect to:

  • Create and manage your account and authenticate you securely.
  • Provide the FencR platform and all its features, including scheduling, invoicing, payment processing, and analytics.
  • Route invoices and payment responsibility to the correct parent or guardian when a minor athlete is the subject of an invoice.
  • Send transactional emails and in-app notifications (invoice delivery, booking confirmations, payment receipts, account alerts).
  • If you have given consent, send occasional marketing emails about product updates, new features, and tips. You can withdraw consent at any time from your account settings.
  • Generate club-level analytics and reporting for administrators (aggregated and org-scoped).
  • Respond to support requests and communicate with you about your account.
  • Detect, investigate, and prevent fraud, abuse, or security incidents.
  • Comply with legal obligations, including financial record-keeping requirements.
  • Improve the platform based on aggregated usage patterns.

We do not sell your personal data to third parties. We do not use your data for targeted advertising.

4. How We Share Your Information

We may share your information with:

  • Your club or organization: Club administrators and coaches can view member profiles, booking history, invoice status, and payment records for members of their organization. Parents can view invoices and payment history for their linked minor athletes.
  • Service providers: Third-party vendors who help us operate the platform — Supabase (database and authentication), Stripe (payment processing), Vercel (hosting and edge infrastructure), and Resend (transactional email delivery). These providers access your data only to perform services on our behalf and are contractually prohibited from using it for other purposes.
  • Bookkeeping integrations (QuickBooks Online): If your club has connected QuickBooks, invoice records and customer details (name, email, billing amount) may be synced from FencR into your club's QuickBooks account on a one-way or two-way basis, as configured by the club. The club acts as the data controller for the QuickBooks destination.
  • Zelle recipients: When an invoice is set to be paid via Zelle, the payer is shown the recipient Zelle handle (email or phone number) registered by the club or coach. The actual Zelle transfer occurs between the payer's bank and the recipient's bank — FencR does not transmit funds, credentials, or banking details.
  • Law enforcement or legal process: If required by law, court order, or to protect the rights, property, or safety of FencR, its users, or the public.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, in which case user data may be transferred as a business asset. Affected users will be notified in advance.

5. Children's Privacy

FencR is designed to support clubs that manage minor athletes. Minor athlete accounts are created and supervised by a parent or legal guardian. We do not knowingly collect personal information directly from children under 13 without verifiable parental consent.

Parents and guardians retain control over their minor's data within the platform, including the ability to update profile information or request deletion by contacting us. Invoices for minor athletes are routed to the linked parent or guardian's account, not to the minor's account.

For full details on what we collect from children, how we use it, who we share it with, the verifiable parental consent mechanism we use, and how you can review or revoke consent, please see our Children's Privacy Notice. Parents see and confirm this notice at the moment they create a child profile, and we record the date, time, and notice version of each consent.

If you believe we have inadvertently collected information from a child under 13 without proper consent, contact us at support@derivedathletics.com and we will delete it promptly.

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the service. If you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it for legal or accounting purposes. Financial records (invoices, payment history) may be retained in de-identified form for up to 7 years to satisfy accounting and tax obligations. De-identified or aggregated analytics data may be retained indefinitely.

7. Cookies and Session Tokens

FencR uses secure HTTP-only cookies to maintain your authenticated session. These are strictly necessary for the platform to function and cannot be disabled. We do not use third-party advertising cookies, cross-site tracking pixels, or session replay tools.

We use Vercel Analytics and Vercel Speed Insights to measure aggregate page views, navigation patterns, and front-end performance. Vercel Analytics operates without third-party cookies. To distinguish unique daily visitors without tracking identities, Vercel hashes a combination of your IP address and user-agent on the server with a daily-rotating salt; the result is an anonymous token that cannot be linked back to you or correlated across days. Raw IPs are not stored by Vercel Analytics. You can read Vercel's privacy documentation at vercel.com/docs/analytics/privacy-policy.

If you connect a calendar integration (iCal), we generate a unique feed token stored in your account. You can regenerate or revoke this token at any time from your settings, which will invalidate any existing calendar subscriptions.

8. Data Security

We implement industry-standard security measures including encryption in transit (TLS 1.2+), encryption at rest, row-level security policies on our database (ensuring users can only access data within their authorized organizations), and strict access controls. API routes verify authentication and role authorization on every request. Service-role database access is restricted to server-side code only and never exposed to the client.

No method of transmission over the internet is 100% secure. Please notify us immediately at support@derivedathletics.com if you suspect unauthorized access to your account.

Breach notification. If we determine that a security incident has resulted in the unauthorized access, disclosure, alteration, or loss of personal information, we will notify affected users and, where applicable, the affected club administrators acting as data controllers, without undue delay and in any event within 72 hours of becoming aware of the incident — except where law enforcement requests a delay or where notification within that window would materially increase risk to affected users. Notifications will describe, to the extent then known, the nature of the incident, the categories of data involved, the steps we are taking to contain and remediate it, and the steps you can take to protect yourself. Club administrators are responsible for any further downstream notification their members or jurisdictions require.

9. Your Rights and Choices

Depending on your location, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete information (via account settings).
  • Delete your account and associated personal data (via account settings → Danger Zone).
  • Portability — request a copy of your data in a structured format.
  • Opt out of non-essential email notifications (via account settings → Email Notifications toggle).
  • Withdraw marketing consent at any time (via account settings → Marketing Emails toggle). Withdrawal does not affect transactional emails.
  • Withdraw consent where processing is based on consent.

To exercise these rights or make a data request, go to your account settings or contact us at support@derivedathletics.com. We will respond within 30 days.

10. International Transfers

FencR is operated in the United States. If you access the platform from outside the US, your data will be transferred to and processed in the United States. By using FencR, you consent to this transfer. For transfers from the European Economic Area, we rely on standard contractual clauses and other lawful mechanisms where applicable.

11. Third-Party Links

FencR may contain links to third-party websites or services (for example, Stripe's payment portal or your club's external website). We are not responsible for the privacy practices of those third parties and encourage you to review their privacy policies before providing any personal information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy and revising the effective date. We encourage you to review this page periodically. Continued use of FencR after changes are posted constitutes your acceptance of the revised policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

Derived Athletics, LLC

Email: support@derivedathletics.com