Privacy Policy

Last updated: April 24, 2026

HomeTeam is operated by StanHattie LLC ("HomeTeam", "we", "our", "us"), 731 SE Alices Rd PMB 1035, Waukee, IA 50263. This policy explains what we collect, why, and the choices you have. Contact support@hometeamkit.com with any question.

Summary

• We collect the minimum data needed to run a youth team management service.
• We never sell your data, your kid's data, or photos.
• Analytics cookies load only after you accept the consent banner.
• Parental consent is required before we display or store photos of a specific child.
• You can delete your account and your kid's data at any time.

1. Information we collect

From adult account holders: name, email address, password (hashed with bcrypt/argon2, never plaintext), phone number if you provide one, role (parent / coach / admin), and profile photo if you upload one.

From teams you manage: team name, league, roster (Player names, dates of birth, jersey number, parent email), game schedule and scores, per-player stats you enter, announcements you post, and photos you upload.

Automatically: IP address, browser user-agent, pages visited, and (if you consent) analytics events via Google Analytics 4 and Microsoft Clarity.

From WebAuthn passkeys (optional, used at your choice): a credential ID, a public key, and a usage counter for each passkey you register on a device. We never see or store the private key, biometric, or fingerprint, those stay on your device.

2. Children's data

HomeTeam is designed for use by adult parents, coaches, and administrators. Children ("Players") do not create accounts. Adults add Players to team rosters. Before any photo of a child can be uploaded or displayed, the account holder for that child's Family must grant explicit, revocable consent for that specific child. Consent is recorded with a timestamp, the granting user's ID, and the source IP address.

We do not knowingly collect personal information directly from children under 13. We do not show behavioral advertising to anyone and do not use children's data for marketing. For school or district deployments, we will sign SDPC DPAs and align with COPPA and FERPA standards on request.

3. How we use information

• To operate the service (show you your teams, your games, your photos).
• To authenticate you and keep your account secure.
• To send transactional emails (sign-up confirmation, game announcements you post, password reset).
• To generate optional AI-assisted content (e.g., game recaps via the Claude API) that stays within your team's view unless you explicitly share it.
• To diagnose errors and improve reliability.
• To comply with the law.

4. What we do not do

• We do not sell personal information.
• We do not rent or share data with advertisers.
• We do not use your photos or content to train external AI models.
• We do not track children's behavior across websites.

5. Third-party subprocessors

We use the following third parties to operate HomeTeam. Each has its own privacy policy governing how they handle data we send them:

• Railway (railway.com) for hosting and our PostgreSQL database.
• Cloudflare (cloudflare.com) for DNS, CDN, and the Worker that serves this site.
• Backblaze B2 (backblaze.com) for photo and file storage.
• Resend (resend.com) for transactional email delivery.
• Migadu (migadu.com) for hosting email at hometeamkit.com.
• Google Analytics 4 (google.com) for privacy-respecting site analytics (consent-gated).
• Microsoft Clarity (clarity.microsoft.com) for session recording and heatmaps (consent-gated).
• Anthropic (Claude API) (anthropic.com) for AI-assisted copy features. We do not send Player personal data to the API.
• eBay (ebay.com) for marketplace listings. When you view the marketplace, eBay may set its own cookies per its policy.
• WebAuthn passkeys are processed entirely in your browser and on your device, no third-party processor is involved.
• Twilio (twilio.com) for SMS announcements, if you opt in.

6. Cookies and analytics

We use a small number of strictly necessary cookies to keep you logged in and prevent CSRF. Analytics cookies (GA4, Clarity) are loaded only after you accept the consent banner. You can change your choice by clearing the ht_cookie_consent entry from your browser storage.

7. Data retention

• Active accounts: we keep your data while your account is active.
• Inactive accounts (12 months of no login): we archive at 12 months and delete at 18 months, with a reactivation email at 10 months.
• Deleted accounts: we anonymize personal data within 30 days and delete fully within 90 days.
• Photos of Players: removed within 30 days of consent withdrawal or deletion request.
• Transaction and tax records (if any): retained seven years as required by law.
• Audit logs: minimum two years.

8. Your rights

You have the right to access, correct, export, and delete your personal data. For your child's data listed on your Family, the same rights apply and you exercise them on the child's behalf. Email support@hometeamkit.com to request any of the above. We respond within 30 days.

If you are in the European Economic Area, the UK, or California, you may have additional rights under GDPR, UK GDPR, or CCPA/CPRA. Contact us and we will honor them.

9. Security

Passwords are hashed. Data is transmitted over TLS. Cookies are HttpOnly and signed. We apply CSP, HSTS, and other hardening headers on every response. We audit ourselves regularly and fix issues on a schedule. No online service is perfectly secure; please use a strong, unique password.

10. International data transfers

Our servers are in the United States. If you use HomeTeam from outside the US, your data will be transferred to the US where our processors operate. By using the service you consent to this transfer.

11. Changes to this policy

Material changes will be announced on this page with a revised "Last updated" date and, for significant changes, by email to account holders.

12. Contact

Privacy questions or requests: support@hometeamkit.com, or StanHattie LLC, 731 SE Alices Rd PMB 1035, Waukee, IA 50263.