This Privacy Policy explains how RosterLedger ("RosterLedger," "we," "us") collects, uses, discloses, stores, and protects personal information when you use our website and team-treasury software (the "Service"). We are committed to handling personal information responsibly and in accordance with applicable data-protection laws, including Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the EU and UK General Data Protection Regulation (GDPR), the Australian Privacy Act 1988 (and the Australian Privacy Principles), and the New Zealand Privacy Act 2020 — each to the extent it applies to you.
1. Our role: controller and processor
RosterLedger plays two different roles depending on the data:
- For your own account information (the email address you sign in with), we are the controller.
- For the team data you enter — your roster, contributions, sponsors, reimbursements, and ledger — the team and/or its sports association is the controller, and RosterLedger acts as a processor handling that data on your behalf and under your instructions.
2. Information we collect
- Account information: your email address (used for passwordless "magic link" sign-in) and your role on a team.
- Team and financial information you enter: team and season details, player names, parent/guardian names, emails and phone numbers, fees and payment status, sponsors, staff honoraria, reimbursements, game-day cash records, and ledger entries.
- Children's information: because youth-sports rosters include minors, the player names you enter may be those of children. See Section 6.
- Receipt files: images or PDFs you upload, which may contain personal information.
- Payment information: handled entirely by our payment processor, Stripe. We do not see or store your full card number.
- Essential technical data: a secure session cookie to keep you signed in, and standard server logs.
- Analytics data: we use web analytics to understand, in aggregate, how visitors find and use our site (see “Cookies & analytics” below). We do not use advertising cookies, and we do not sell your data.
3. How we use information
- To provide, operate, and secure the Service.
- To authenticate you and keep your session active.
- To process subscription payments and manage your access.
- To send you transactional emails (such as sign-in links).
- To respond to support requests and to meet legal obligations.
We do not sell personal information, and we do not use your team's data for advertising.
4. Legal basis for processing
Where PIPEDA applies, we rely on your consent and on the reasonable purposes of operating the Service you have asked us to provide. Where the GDPR applies, our legal bases are the performance of our contract with you, our legitimate interests in operating and securing the Service, your consent, and compliance with legal obligations.
5. Sharing and sub-processors
We share information only with the service providers that help us run the Service. Each is bound by contractual data-protection obligations:
- Supabase — database, authentication, and file storage.
- Vercel — application hosting and content delivery.
- Stripe — subscription billing and payment processing.
- Resend — delivery of transactional email.
- Google (Google Analytics) — aggregate website-traffic analytics to help us improve the site.
- Anthropic — AI processing for the optional “smart import” feature only (see below).
We may also disclose information if required by law, or to protect the rights, safety, and security of our users and the Service.
5a. AI-assisted import (optional)
When setting up a team, you can optionally upload a spreadsheet (for example, a roster or a previous treasurer's budget) and have RosterLedger read it for you. If you choose to do this, the contents of that file are sent to our AI provider, Anthropic, to extract the roster and budget into your team setup. This happens only when you upload a file for import — your ongoing team data is never sent to the AI provider in normal use. Anthropic processes the file to return the extracted result and does not use it to train its models. If you'd rather not use this, simply enter your team details by hand instead.
6. Children's information
RosterLedger is a tool for adult volunteer treasurers; it is not directed to children and children do not use it. However, the rosters you enter may contain the names of minors. By entering this information you confirm that you are authorized by your team or association to do so. We process children's information only to provide the Service, never for marketing, and we apply the same security protections to it as to all other personal information. We encourage treasurers to enter only the minimum information needed (for example, a player's name and a parent contact).
7. Where your data is stored
Your team's primary database — your roster, contributions, sponsors, receipts, and ledger — is hosted in Canada. Certain supporting services (such as application hosting, payment processing, and email delivery) may process limited data outside Canada, including in the United States. Where data is transferred internationally, it remains protected by appropriate contractual and technical safeguards, and may be subject to the laws of the country in which it is processed.
If you are located in the European Economic Area (EEA), the United Kingdom, Australia, or New Zealand, your team's data is transferred to and stored in Canada. Canada is recognised by the European Commission and by the United Kingdom as providing an adequate level of protection for personal data handled by private-sector organisations, and we rely on that adequacy together with contractual safeguards for these transfers. For transfers from Australia and New Zealand, we take reasonable steps to ensure your information continues to be handled consistently with the Australian Privacy Principles and the New Zealand Information Privacy Principles.
8. Data retention
We keep your team's data for as long as your subscription is active, so that financial history carries over from season to season. If your free trial ends or your subscription lapses, we keep your team's data for 12 months so you can pick up exactly where you left off if you return. After 12 months without an active subscription, the team and all of its data — including uploaded receipts — are permanently deleted.
You can export or permanently delete your team's data yourself at any time from the Settings page. When you delete a team, its records and uploaded receipts are permanently removed.
9. Your rights
Depending on where you live, you have rights to access, correct, export, and delete your personal information, and to withdraw consent. You can:
- Access and export a complete copy of your team's data from the Settings page.
- Correct any information by editing it directly in the app.
- Delete your team and all its data from the Settings page.
- Contact us at support@getrosterledger.com for any other request.
The specific rights available to you depend on where you live:
- EEA & United Kingdom (GDPR): you have the rights of access, rectification, erasure, restriction of processing, data portability, and objection, and the right to withdraw consent at any time. You also have the right to lodge a complaint with your local supervisory authority — in the UK, the Information Commissioner's Office (ICO).
- Australia (Privacy Act 1988): you may access and correct your personal information, and may complain to the Office of the Australian Information Commissioner (OAIC) if you are not satisfied with our response.
- New Zealand (Privacy Act 2020): you may access and correct your personal information, and may complain to the Office of the New Zealand Privacy Commissioner.
- Canada (PIPEDA): you may access and correct your personal information, and may complain to the Office of the Privacy Commissioner of Canada.
We do not charge for exercising these rights, and we will respond within the timeframe required by the law that applies to you.
10. Security
We protect your data with encryption in transit, encrypted storage, row-level access controls that isolate each team's data, and passwordless authentication. No system is perfectly secure, but we work to protect your information using industry-standard measures.
11. Cookies & analytics
We use a strictly necessary cookie — a secure session cookie that keeps you signed in. We do not use advertising cookies.
To understand how our public website is used (in aggregate), we use two analytics tools:
- Vercel Web Analytics — privacy-friendly and cookieless; it does not track you across sites.
- Google Analytics — sets cookies to measure visits, pages viewed, and traffic sources. We have IP-address and on-page email redaction enabled, and we do not use this data for advertising.
You can opt out of Google Analytics with Google's browser opt-out add-on, or by blocking cookies in your browser settings.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will revise the "Last updated" date above and, for material changes, take reasonable steps to notify you.
13. Contact us
Questions or privacy requests: support@getrosterledger.com. If you are not satisfied with our response, you may also contact your local data-protection authority — for example, the Office of the Privacy Commissioner of Canada; in the UK, the Information Commissioner's Office (ICO), or your supervisory authority in the EEA; the Office of the Australian Information Commissioner (OAIC); or the Office of the New Zealand Privacy Commissioner.