Privacy Policy

1. Who we are

The Pyxton platform is operated by Enright Collective LLC, an Illinois limited liability company ("Pyxton", "we", "us", "our"). Pyxton is a club management platform built for rugby clubs and amateur sports organizations. If you have questions about this policy, contact us at [email protected] or by mail at:

2. What we collect

We collect information you provide directly when you create an account and use Pyxton:

• Account information: name, preferred name, email address, password (stored encrypted)
• Profile information: phone number, date of birth, gender, pronouns, profile photo, Discord username
• Club membership information: CIPP ID, CIPP status, dues status, positions, skill assessments
• Emergency contact information: emergency contact name and phone number
• Event information: availability responses for matches and events

We do not use analytics tracking, advertising cookies, or any third-party tracking scripts.

3. Legal bases for processing (EU/UK users)

If you are in the European Economic Area, United Kingdom, or Switzerland, we process your personal data on the following lawful bases under the GDPR or UK GDPR:

• Performance of a contract: processing necessary to provide the Pyxton platform to you and your club
• Legitimate interests: operating, securing, and improving Pyxton, and communicating with you about your account
• Consent: for optional integrations (Google Calendar, Discord, Square) and optional communications you opt in to
• Legal obligation: for compliance with applicable laws, including responses to lawful requests from authorities

4. How we use your information

Your information is used to:

• Provide and operate the Pyxton platform
• Manage your club memberships and team assignments
• Display relevant information to club administrators, coaches, and captains as needed for club operations
• Send transactional emails (account confirmation, password reset)
• Communicate important updates about the service

5. Who can see your information

Your information is visible within Pyxton based on your club roles and permissions. Club administrators, coaches, board members, and captains may see member details relevant to club operations (such as contact information, availability, and CIPP status).

We do not sell, rent, or share your personal information with third parties for marketing purposes. We will never share your data outside the application without your explicit permission.

6. Third-party integrations

Pyxton offers optional integrations with third-party services. These integrations are activated by club administrators and only access the minimum data necessary for the stated purpose.

Google Calendar

Club administrators may connect a Google Calendar to their club to automatically sync club events (such as matches, practices, and social events) to a selected Google Calendar. When this integration is enabled:

• Data accessed: Pyxton requests permission to view your calendar list (to let you select which calendar to sync to) and to create, update, and delete events on your calendars.
• How we use this data: Pyxton uses Google Calendar access solely to push club event details (event title, time, location, event type, and opponent) to the selected Google Calendar and to update or remove those events when they change in Pyxton. We do not read, store, or process any existing events from your Google Calendar.
• Data stored: Pyxton stores an OAuth access token and refresh token (encrypted at rest) to maintain the calendar connection, the selected calendar ID, and a mapping of which Pyxton events have been synced. No other Google data is stored.
• Data sharing: Google Calendar data is not shared with any third parties, used for advertising, or used for any purpose other than the calendar sync feature described above.
• Revoking access: Club administrators can disconnect Google Calendar at any time from the club settings page. You may also revoke access from your Google Account permissions page. Events already synced to your Google Calendar will remain there after disconnecting.

Pyxton's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Discord

Members may optionally link their Discord account to enable automatic role syncing within their club's Discord server. Pyxton accesses your Discord user ID and username for this purpose. You can unlink your Discord account at any time from your profile settings.

Square

Club administrators may connect a Square account to sync payment and dues information. Pyxton accesses order and customer data from Square solely to match payments to club members.

7. Service providers

We use the following third-party services to operate Pyxton:

• Heroku (Salesforce) for application hosting
• Amazon Web Services (S3) for file storage (profile photos, club logos) and backup storage
• Postmark for transactional email delivery
• Better Stack for application logging and monitoring

These providers only process your data as necessary to provide their services to us and are bound by their own privacy policies and our data processing agreements.

8. International data transfers

Pyxton is operated from the United States, and all personal data is stored on servers located in the United States (primarily AWS us-east-1 and Heroku US regions). If you access Pyxton from outside the United States, your information will be transferred to, stored in, and processed in the United States.

For users in the European Economic Area, United Kingdom, or Switzerland: we rely on the European Commission's Standard Contractual Clauses (June 2021) as the safeguard for transfers of personal data to the United States. A copy of the applicable clauses is available on request by emailing [email protected].

9. Data security

We take reasonable measures to protect your information. Passwords are encrypted using industry-standard hashing. All data is transmitted over HTTPS. Access to personal data within the application is controlled by role-based permissions. OAuth tokens for third-party integrations are encrypted at rest using Active Record Encryption.

No method of transmission or storage is 100% secure. If you become aware of a security issue, please contact us immediately at [email protected].

If we become aware of a personal data breach that affects your information, we will notify you and applicable supervisory authorities without undue delay and in accordance with applicable law.

10. Data retention and deletion

We retain your information for as long as your account is active. You can permanently delete your account at any time from your profile settings. When you delete your account, your personal information enters a 30-day soft-delete window during which deletion can be reversed by contacting support; after 30 days, all associated personal information is permanently and irrecoverably removed, except where we are required to retain certain records by applicable law (such as tax records or records subject to a legal hold).

When a Google Calendar integration is disconnected, the stored OAuth tokens and calendar mapping data are immediately and permanently deleted. Events already synced to the external Google Calendar are not removed.

11. Children's privacy

Pyxton is not intended for use by anyone under the age of 13, and we do not knowingly collect personal information from children under 13. If you are under 18, you may only use Pyxton with the consent and supervision of a parent or legal guardian, and your parent or guardian must agree to these terms on your behalf at signup.

Pyxton is designed for use by adults and teenage members of amateur sports clubs. Club administrators are responsible for ensuring that any data they enter about members under 18 is collected and used with appropriate parental or guardian consent.

If you believe a child under 13 has provided us with personal information, please contact us at [email protected] so we can remove it.

12. Your rights

You have the right to:

• Access the personal information we hold about you (visible in your profile)
• Correct inaccurate information (editable in your profile)
• Delete your account and all associated data
• Request a copy of your data in a portable format by contacting us
• Object to or restrict certain processing
• Withdraw consent at any time where processing is based on consent
• Revoke third-party integrations (Google Calendar, Discord, Square) at any time

To exercise any of these rights, email [email protected]. We will respond within 30 days (45 days for California residents) of receiving a verifiable request, and may extend by up to 60 days for complex requests with notice to you.

If you are in the EU, UK, or Switzerland, you also have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not handled your personal data in accordance with applicable law.

13. California residents

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with the rights described in Section 12 above, including the right to know, the right to delete, the right to correct, and the right to opt out of the sale or sharing of personal information.

We do not sell or share your personal information. We have not sold or shared the personal information of California residents in the preceding 12 months and have no plans to do so. We do not use or disclose sensitive personal information for purposes other than those permitted by the CPRA.

California residents may also designate an authorized agent to make requests on their behalf by emailing [email protected] with appropriate written authorization.

14. Changes to this policy

We may update this privacy policy from time to time. If we make significant changes, we will notify users through the application or via email. The "Last updated" date at the top of this policy reflects the most recent revision. Continued use of Pyxton after changes constitutes acceptance of the updated policy.