Fusion ("we", "us", or "our") operates the Fusion family and team scheduling service (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. It is especially important because we process personal data of children (minors under 18 / under applicable age of consent) on behalf of their parents and guardians.
1. Information We Collect
- Account data: name, username, email, password (hashed), role (parent/owner), timezone, optional phone number.
- Children's data (the most sensitive category): first and last name, date of birth, gender, assigned color, family membership, event participation, team roster status, jersey numbers/positions (for owners).
- Family & scheduling data: family name, events (name, times, location, description, attendees), team information you create or join.
- Usage data: notifications, invites, login timestamps, device/IP for security (via django-axes).
- Organization data (for owners): organization name/description, teams, roster links.
2. Children's Privacy (COPPA / GDPR / Similar)
We do not knowingly collect personal information directly from children. All children's data is entered and controlled exclusively by verified parents, legal guardians, or authorized team/organization representatives ("Parents").
We collect the minimum data necessary to provide youth sports/family scheduling features (calendars, rosters, conflict detection, notifications).
Parents have full control: they can view, edit, export, or delete their children's data at any time via the Service (see "Your Rights" below). We never sell, rent, or use children's data for advertising, profiling, or any purpose outside the Service.
If you believe we have collected information from a child without proper parental consent, please contact us immediately so we can delete it.
3. How We Use Your Information
- To provide core functionality: calendars, team rosters, event invitations, conflict warnings, notifications.
- To authenticate users and enforce role-based access (parent vs. owner).
- To enable owners to contact parents of registered players (phone/email shown only to connected owners).
- For security, fraud prevention, and abuse detection (login attempts via django-axes).
- To comply with legal obligations and respond to data subject requests.
4. Data Sharing & Third Parties
We do not sell your data. We share data only as necessary:
- Supabase (PostgreSQL database hosting): Your data is stored in Supabase's infrastructure (aws-1-us-east-1 region as configured). Supabase acts as a data processor. See Supabase Privacy Policy.
- Within the Service: Other parents in your family can see basic family event details. Team owners/coaches see the names, DOB, gender, and (if provided) parent contact info only for children registered on their teams.
- Service providers: only the infrastructure required to run the app (hosting; no analytics or ad networks at this time).
We may disclose information if required by law or to protect rights/safety.
5. Data Retention
We retain your data only while your account is active or as needed to provide the Service. Upon account deletion (see below), we delete or anonymize personal data as described in the deletion flow. A minimal audit log entry (user ID, role, timestamp, IP at deletion) is retained for legal and security audit purposes for a limited period.
6. Your Rights & Choices (Data Protection)
- Access & Portability: Use the "Export My Data" button in Account Settings to download a JSON copy of your data (kids, events, teams you manage, notifications, etc.).
- Correction: Edit your profile, kids, events, and teams directly in the app.
- Deletion ("Right to be Forgotten"): From Account Settings → Delete Account. This permanently removes your account and associated personal/children's data (with the safeguards and audit log noted above). Password confirmation and explicitly typing "DELETE" are required.
- Consent withdrawal: You may delete your account at any time. For new sign-ups we require explicit consent to children's data processing.
- Object / Restrict: Contact us for other requests.
To exercise rights or for questions, email support (or the contact method listed in the app).
7. Security
We use industry-standard practices: password hashing, CSRF protection, session security, rate-limiting (django-axes), SSL, role-based authorization checks on every view, and scoped database queries to prevent cross-user data access. No data is stored in client-side localStorage beyond what the browser session requires.
Despite our efforts, no system is 100% secure. Please use a strong unique password and keep your login credentials confidential.
8. Cookies & Tracking
We use only essential session cookies for authentication and CSRF protection. No third-party analytics, advertising, or cross-site tracking cookies are used at this time.
9. Changes to This Policy
We may update this Privacy Policy. Material changes will be announced via the Service or email. Continued use after changes constitutes acceptance.
10. Contact
If you have questions about this policy or your data, please reach out through the app or the contact information provided during onboarding.
This is a baseline policy suitable for a service handling children's data. For production use with real users you should have this reviewed by legal counsel and adapt to your jurisdiction (US state laws, GDPR if EU users, etc.).