Privacy Policy

Account info you give us: name, email, phone (optional), the organization you represent. Event activity: tickets and add-ons purchased, teams and rosters you create or join, scores you submit, sponsor and donor details when an org admin enters them, kiosk check-in records and waiver signatures. Payments: collected by Stripe on our behalf — they receive card details and tax-ID info; we receive only the order, amount, and Stripe identifier needed to operate the platform. Operational data: IP, user agent, session cookies (HttpOnly), basic request logs.

To operate the platform — sign-ins, processing orders, running events, sending receipts and tax statements, generating leaderboards, supporting org admins and captains, securing the service, and complying with our legal obligations. We use a small number of subprocessors (Cloudflare for hosting and AI; Stripe for payments; SMTP2GO for transactional email; Twilio for SMS) and only share what each one needs to perform that function.

When an organizer or captain uploads a scorecard image, we send the image to Cloudflare Workers AI for one-shot OCR. Cloudflare does not use Pull Shoot inputs to train models. Images and extracted values remain in your event's storage; you can delete them from the event admin at any time.

We don't sell personal data. We share data only with: • Subprocessors (above) to operate the service on our behalf • Org admins and team captains, who see the data within the scope of their event • Law enforcement or government when legally required, or to protect rights, safety, or the integrity of the platform

Pull Shoot uses an HttpOnly first-party session cookie (sb_sid) to keep you signed in. We do not run third-party advertising trackers. The Cloudflare CDN may set its own operational cookies for routing and bot mitigation.

We keep account and event data while your account is active and for a reasonable window after closure (typically 12 months) to support audits, disputes, and tax reporting. Stripe retains payment records under their own retention policy. You can request deletion of inactive data by emailing hello@pullshoot.com.

Depending on where you live, you may have rights to access, correct, port, or delete your personal data, and to opt out of certain processing. Email hello@pullshoot.com to make a request — we will respond within 30 days. We do not sell or "share" personal information under California Consumer Privacy Act definitions.

Pull Shoot is intended for users 13 and older. Players under 13 may have a parent or guardian register them as a stub player on a team without creating an individual account. We don't knowingly collect personal data from children under 13 outside of that scope.

Passwords are hashed via PBKDF2-SHA256 (100,000 iterations) before storage; sessions are server-side and revocable. Card data never touches our servers — Stripe handles it. All traffic is HTTPS via Cloudflare. We log security events and review them. No system is perfectly secure; report any suspected vulnerabilities to hello@pullshoot.com.

We may update this policy. Material changes will be announced via email and reflected in the "Last updated" date above.