Privacy Policy

Ubouk (“we”, “us”) operates a multi-tenant platform that lets sports organizations run branded registration portals, take payments, communicate with families, and manage participants and staff. Our role under privacy law depends on the information:

• Information we control. For the accounts people create on Ubouk (organization owners, staff, and family account holders), our billing records, and our usage analytics, Ubouk is the organization responsible for that personal information. This policy describes how we handle it.
• Information we process for an organization. When you register with a sports organization through Ubouk, that organization decides what to collect and why, and is responsible for it. Ubouk acts only as its service provider (processor), handling that data on the organization’s instructions. For questions about how a specific organization uses your information, contact that organization — see its own privacy page.

The person responsible for the protection of personal information (as required by Québec’s Law 25) is [Privacy Officer Name / Title]. Reach our Privacy Officer at [privacy@yourdomain.com], or by mail at [Company Legal Name], [Mailing Address], Québec, Canada.

• Account details — name, email, phone, hashed password, and any profile photo.
• Organization & billing — organization profile, payout account identifiers, billing contact, and subscription details.
• Participant information (including children’s) — names, dates of birth, gender, medical notes, emergency contacts, custom form answers, and signed waivers. We collect this on behalf of the organization you register with.
• Payment information — payments are processed by our payment provider (Stripe). We do not store full card numbers; we keep only references such as card brand, last four digits, amounts, and receipts.
• Communications — messages we send you, whether emails were delivered or opened, and your marketing consent and preferences.
• Documents — files you or an organization upload (e.g. client or HR documents).
• Usage & technical data — log data, first-party page-view analytics, general device/browser information, and a random visitor identifier stored in your browser.

• Provide, operate, and secure the platform and your account.
• Process registrations, payments, refunds, and receipts.
• Send transactional messages (confirmations, receipts, reminders) and — only with your consent — marketing messages you can unsubscribe from at any time.
• Provide customer support and respond to requests.
• Detect, prevent, and investigate fraud, abuse, and security incidents.
• Produce aggregate analytics to maintain and improve the service.
• Comply with legal, tax, and accounting obligations.

We rely on your consent and on what is necessary to provide a service you have requested. Marketing email is sent only with your opt-in consent, which you can withdraw at any time.

Children. A parent or guardian must create the account and provide the information used to register a minor. In Québec, consent for the personal information of a minor under 14 must be given by the person having parental authority; for a minor 14 or older, consent may be given by the minor or by the parent/guardian. By registering a child, you confirm you have the authority to provide their information and consent on their behalf.

We do not sell personal information. We share it with service providers who help us run the platform, under contracts that limit their use of the information to providing their service to us:

• Stripe — payment processing and payouts (United States / Ireland).
• Resend — sending email (United States).
• Cloudflare R2 — file/document storage (global).
• Turso — database hosting (United States / global).
• Vercel — application hosting (United States).
• Anthropic — powers the optional in-dashboard AI assistant (United States).

Because of these providers, personal information may be stored or processed outside Québec and Canada, including in the United States. Before relying on such transfers we conduct the privacy impact assessment Law 25 requires and put contractual safeguards in place. The organization you register with also receives your registration data — it is the party responsible for that data. We may also disclose information where required by law or to protect rights and safety. [Confirm this list of sub-processors with counsel and keep it current.]

The optional AI assistant in the dashboard helps an organization’s own staff work with that organization’s data, within strict per-organization access controls. It does not make automated decisions that produce legal or similarly significant effects about an individual. If that ever changes, we will disclose it and provide the information Law 25 requires about automated decision-making.

We keep personal information only as long as needed for the purposes above and to meet legal obligations (for example, tax and accounting records), after which it is deleted or anonymized. First-party analytics are kept for at most 12 months. [Set a detailed retention schedule with counsel.]

We use encryption in transit, hashed passwords, role-based access controls, strict per-organization data isolation, and time-limited signed links for private documents. No system is perfectly secure, but we work to protect your information and to limit access to those who need it.

Subject to legal limits, you may ask us to:

• Access the personal information we hold about you;
• Correct or update it;
• Delete it, or stop disseminating it where the law allows;
• Withdraw your consent (for example, to marketing);
• Receive a copy of the computerized personal information you provided, in a structured technological format (portability).

To exercise a right, contact our Privacy Officer (section 2). We will respond within 30 days. If you are not satisfied, you may file a complaint with the Commission d’accès à l’information du Québec (CAI) or, where applicable, the Office of the Privacy Commissioner of Canada.

If a confidentiality incident involving personal information presents a risk of serious injury, we will notify the CAI and the affected individuals with diligence, as Law 25 requires, and we keep a register of such incidents.

We use essential cookies needed to keep you signed in, and first-party page-view analytics. We do not use third-party advertising or cross-site trackers. You can turn off page-view tracking using the “Do not track me” link in the footer of any portal page.

We may update this policy. If changes are material, we will take reasonable steps to notify you. The “last updated” date above shows the current version.

Privacy questions or requests: [privacy@yourdomain.com]. General contact: [Company Legal Name], [Mailing Address], Québec, Canada.