Trust & Security

How we protect your league

This page is maintained by the Go Golf Leagues team to answer common security and privacy questions about the app. It describes the controls we currently have in place. It is not an independent audit or certification.

Access & authentication

  • Sign-in uses email and password or Google. Sessions are managed by our authentication provider and stored in your browser.
  • Every request to view or change league data is checked server-side against your account and league membership.
  • Organizer-only actions (creating events, billing, removing members) require an organizer role on that specific league.

Your data

  • League, season, event, score, and media data is stored in a managed Postgres database with row-level security policies scoped to your league memberships.
  • Uploaded photos and course maps are kept in private storage buckets and served only to authorized members.
  • Internal billing identifiers and webhook records are not readable by app users.
  • You can delete your account or league by contacting us; we will remove associated data from active systems.

Subprocessors

  • Lovable Cloud (hosting, database, auth, storage)
  • Stripe (payments processing for paid plans)
  • Google Maps Platform (maps, geocoding, course lookup)

Each provider receives only the data it needs to deliver its function.

Reporting an issue

If you believe you have found a security vulnerability, please reach out so we can investigate quickly. Include steps to reproduce and any relevant URLs. We will not pursue action against anyone who reports in good faith.

This content is editable by the Go Golf Leagues team and may change as the product evolves. Last reviewed June 2026.