Privacy
Privacy Policy
Last updated: 17 June 2026
Sail Scoring takes a minimal-data approach. We collect what we need to run the service, nothing more. This page explains what that is, why we have it, where it lives, and what you can do about it.
Who we are
Sail Scoring is operated by Mark McLoughlin, based in Ireland, who is the data controller for the purposes of this policy. The contact for all privacy matters is mark@hyc.ie.
What we collect, and why
Scorers (account holders)
When you sign up for an account we collect your email address, your name, and the club or class association you score for. Sign-in is by magic link sent to your email — we do not collect or store a password. We use this information to identify you within a workspace, to send you the magic links you request, and to send occasional service-related email (a security notice, a planned outage, a material change to this policy or the Terms). We do not use it for marketing.
The lawful basis for processing scorer account data is performance of our agreement with you (the Terms of Service) and, for security and abuse prevention, our legitimate interest in keeping the service running and uncompromised.
Competitors and race data
Workspaces contain race data: competitor names, sail numbers, club affiliations, handicap ratings, finish times, results, and the published standings that follow. This is, in practice, the same information that clubs and class associations have long posted to the web, where it is already openly accessible.
Where a workspace enables it, recurring competitors can be linked into a single persistent profile, so that a sailor's results across different series sit together rather than scattered across separate regattas. Published results may then be surfaced as a public per-competitor timeline and a searchable index of competitors by name and sail number. These views draw only on results the workspace has already published — nothing unpublished appears in them. The workspace owner decides whether to enable this and what to publish.
For this data, the workspace owner (the club or class association) is the controller, and Sail Scoring is a processor. We store and process competitor data on the club's instructions. We do not sell it, share it with third parties for their own purposes, or use it to train anything. If a competitor wants their data corrected or removed, the right starting point is the club; if you are unable to reach the club, contact us and we will help.
Club FTP credentials
Some clubs publish results to their own website by FTP. If you configure FTP publishing for your workspace, we store the credentials you provide (hostname, username, password) so we can deliver the files you ask us to. These credentials are encrypted at rest and only used for the publishing task you configured. We will never publish anywhere you have not configured.
Activity log
Each workspace has an activity log recording who did what within that workspace — adding a competitor, recording a finish, publishing results, inviting a member. This is visible to members of the workspace and exists so that a panel of scorers can keep each other honest about who changed what. The lawful basis is our and the workspace's legitimate interest in an auditable record of changes.
Cookies
We use cookies for one purpose: keeping you signed in. When you authenticate, we set a session cookie (and a CSRF token) so that subsequent requests know who you are. These are strictly necessary to provide the service you have asked for and do not require consent. We do not use analytics cookies, advertising cookies, or any third-party tracking. There is no consent banner because there is nothing to consent to.
Where your data lives
The application and its database run in the European region. In concrete terms:
- Application and file storage: Vercel, Dublin (DUB1) region.
- Database: Neon, London (LHR1) region. The United Kingdom benefits from an EU adequacy decision, so data hosted there does not require additional transfer safeguards.
- Transactional email: Resend, used to deliver sign-in magic links and the occasional service email.
Our providers (Vercel, Neon, Resend) are US-incorporated companies operating EU/UK infrastructure. Where any incidental transfer to the United States occurs in the course of providing the service, we rely on the EU-US Data Privacy Framework and Standard Contractual Clauses as applicable.
Sub-processors
The complete list of sub-processors we rely on:
- Vercel Inc. — hosting, compute, file storage (Dublin region).
- Neon Inc. — managed Postgres database (London region).
- Resend — transactional email delivery.
If we add, remove, or substantially change a sub-processor we will update this page.
How long we keep it
- Scorer accounts: for as long as the account is active. When you delete your account we remove your personal details immediately; routine database backups age out within 30 days.
- Workspace and race data: for as long as the workspace exists. The workspace owner decides what to delete and when. If a workspace is deleted, its data is removed; backups age out within 30 days.
- Magic-link tokens: minutes — they expire automatically once used or after a short timeout.
- Session cookies: until you sign out or the session expires.
- Activity log: retained for the life of the workspace.
Your rights
Under the GDPR you have the right to access the personal data we hold about you, to have it corrected if it is wrong, to have it erased, to restrict or object to how we use it, and to receive a copy in a portable form. To exercise any of these, email mark@hyc.ie. We will respond within one month.
If you are unhappy with how we have handled your data, you can complain to the Irish Data Protection Commission at dataprotection.ie.
Changes to this policy
If we make material changes to this policy we will update the “last updated” date at the top and, for material changes that affect you directly, send notice by email to active account holders.
Contact
For privacy questions, requests, or anything else covered by this page: mark@hyc.ie.