How we handle your data

This policy applies to USSSA Membership (“we,” “us,” “our”) and the services we provide at usssamembership.com — including player registration, the parent and coach portals, the director field-verification tools, and any associated mobile wallet cards.

We’re an authorized membership platform working with United States Specialty Sports Association (USSSA). USSSA has its own privacy practices for the parts of the program they operate directly — sanctioned events, Director’s Corner, and so on. This policy only covers what happens on our platform.

From parents and players

• Player’s legal name, date of birth, and state of residence
• Sport and age division
• Team name (when supplied by a parent or coach)
• USSSA Player ID (if you have one)
• Parent or guardian’s name, email, and phone number
• Optional player photo for the digital member card
• Birth certificate or passport image, only for age verification (see Section 5)

From coaches

• Name, email, phone, state, and sports you coach
• USSSA Manager ID, when supplied
• Background check status as reported to us by USSSA (we don’t run the check ourselves; we surface the status)

From directors

• Name, email, phone, state, and sports you officiate
• USSSA Director ID
• Background check status as reported to us by USSSA

Automatically

• IP address and basic device information, used for security, fraud prevention, and basic analytics
• Authentication and session cookies so you stay signed in
• Application logs (which pages were loaded, which API calls were made) for debugging and security

We try to ask for the minimum. If you see a field that’s not on this list, it’s either optional or specific to a feature we’ve described in-context.

We use your information to:

• Create your membership and issue your USSSA member card
• Verify your player’s age and division eligibility
• Process payments and send receipts
• Send necessary email notifications (registration receipts, magic-link sign-in, team invites, document reminders)
• Provide the coach and director portals (roster, invites, field verification)
• Share membership and eligibility status with USSSA so you can compete in sanctioned events
• Detect and prevent fraud, abuse, and security incidents
• Improve the product (in aggregate — we don’t profile individual families)
• Comply with legal obligations

We do not use your data for advertising. We don’t sell it, rent it, or share it with marketing partners. There are no third-party ad networks in this product.

We only share data with the parties below, and only as needed to run the service:

• USSSA. Player name, date of birth, division, membership status, and verification status are shared with USSSA so your player can be recognized in their sanctioned events and Director’s Corner.
• Coaches and directors on your team. A coach who has you on their roster can see your player’s name, age division, and verification status. They cannot see your birth certificate or passport.
• Stripe processes payments. We never see your card number; Stripe handles all card data under PCI-DSS.
• Persona handles the age verification check. The birth certificate or passport image is captured by Persona’s embedded modal and reviewed by their team. We receive only the outcome (verified, pending, or not verified) and a record of the inquiry.
• Supabase hosts our database and authentication. Data at rest is encrypted; access is restricted to a small set of administrators.
• Cloudflare hosts the web application and provides DDoS and bot protection.
• Resend sends transactional email (registration receipts, magic-link sign-in, team invites, reminders).
• NCSI conducts coach and director background checks at USSSA’s direction. We surface the resulting status; the underlying report stays with NCSI and USSSA.
• Law enforcement and legal process. We will share information when legally required, when we believe it’s necessary to protect someone’s safety, or to defend our legal rights.

Each of these vendors processes data only on our instructions, under contract terms that require them to handle your data with at least the same care we do.

When a player’s age needs to be verified, we ask for a birth certificate or passport image. We take this seriously:

• The image is captured inside Persona’s embedded verification modal — not uploaded to us directly.
• Persona reviews the document and returns a verification result (verified, pending, or not verified) and a one-time inquiry ID.
• We store only the outcome and the inquiry ID. We do not store the document itself.
• The verified ✓ badge that appears on the player’s card and roster does not reveal any document content — just that the check passed.
• Persona retains the document under its own policy. You can request Persona delete its copy by contacting us; we’ll forward the request.

If your platform configuration ever changes such that we directly receive or store the document image, this policy will be updated and you’ll be notified.

All membership payments are processed by Stripe. We don’t see, store, or have access to your card number, CVV, or full card details. We receive only:

• The fact that a successful payment was made
• A masked summary (e.g. card brand and last 4 digits) so you can recognize the charge
• The Stripe customer and payment intent IDs, so we can issue refunds or troubleshoot

For full details on how Stripe handles card data, see Stripe’s privacy policy.

Many USSSA players are children. The Children’s Online Privacy Protection Act (COPPA) requires us to take extra care with data about anyone under 13, and we do.

• Children under 13 cannot create their own account. Only a parent or legal guardian can register a player.
• By registering a player under 13, you confirm that you are the player’s parent or legal guardian and that you consent to the collection and use described in this policy.
• We collect from children only what’s necessary to enroll them as a USSSA member: name, date of birth, sport, division, and team.
• We don’t use children’s data for marketing, behavioral advertising, or profiling.
• A parent or guardian can review, correct, or delete their child’s data at any time by emailing [email protected].
• A parent or guardian can refuse further collection at any time. Doing so may end the player’s membership.

We hold onto data only as long as we need it. In practice:

• Active members — we retain your data while your membership is active and for as long as you keep an account with us.
• Expired memberships — we retain core membership records for up to 7 years to comply with sport-eligibility, tax, and audit requirements.
• Payments — Stripe records are retained per Stripe’s policy and applicable tax law.
• Verification outcomes — we retain the verified/pending/not verified status while the membership is active and for the same retention window as the membership itself.
• Logs and security data — routine application logs are kept for up to 90 days; security incident logs may be kept longer if needed.
• Marketing or contact-form messages — retained until resolved, then archived for up to 2 years.

You can request earlier deletion under Section 9.

You can ask us to:

• Show you what data we hold on you or your minor player
• Correct anything that’s wrong
• Delete your account and associated personal data (subject to retention obligations above)
• Export your data in a portable format
• Withdraw consent for further processing (which may end the membership)
• Opt out of non-essential email — we’ll keep sending essential service emails (receipts, reminders, security alerts)

Email [email protected] from the email address on file. We respond within 30 days.

If you’re a California resident, you have additional rights under the CCPA and CPRA, including the right to know what categories of personal information we’ve collected and the right to non-discrimination for exercising your privacy rights. We do not sell personal information.

If you’re a resident of the EU, UK, or another jurisdiction with comparable rights, you may also have the right to lodge a complaint with your local data protection authority.

We use only the cookies we need to run the service:

• Authentication cookies so you stay signed in
• Session cookies to remember your preferences (like which player profile you last viewed)
• Security cookies to detect and prevent abuse

We don’t use third-party advertising cookies, social-network tracking pixels, or cross-site behavioral profiling.

We take security seriously and use industry-standard safeguards including:

• Encryption in transit (HTTPS) for every page and API call
• Encryption at rest on our database
• Strict access controls for staff — only people who need access to a piece of data can get to it
• Passwordless magic-link authentication so there are no parent passwords to leak
• Audit logs for sensitive actions on the platform
• Regular dependency and infrastructure reviews

No system is perfectly secure. If we ever detect an incident that affects your data, we’ll notify you as required by law and tell you what we’re doing about it.

Our systems are operated primarily in the United States. If you access the platform from outside the U.S., your data will be transferred to and processed in the U.S. We rely on standard contractual clauses or equivalent safeguards where required for cross-border transfers.

We’ll update this policy when our practices change. When we make a material change, we’ll update the “Last updated” date and, where appropriate, notify you by email or via the platform.

For privacy questions, data requests, or anything else in this policy:

Last updated June 10, 2026.