Privacy Policy

Effective: 2026-05-05

1. Who we are and what this policy covers

MatViz is a wrestling-tournament management platform offering live scoring, brackets, registration, payments, livestreaming, and recorded video. This policy describes how MatViz collects, uses, discloses, and retains personal information through the matviz.com website, its subdomains, and the MatViz desktop application (collectively, the "Service").

The data controller of personal information processed through the Service is Casey Finnicum, doing business as MatViz, a U.S.-based sole proprietor. References to "we," "our," and "MatViz" mean that operator.

This policy does not cover third-party tournament software, hardware scoring devices, or sites operated by tournament organizers, clubs, or schools that link to or from the Service.

2. Information we collect

2.1 Information you provide directly

  • Account. Email address, password (stored only as a salted bcrypt hash — never in plaintext), optional display name, and the time at which you confirmed you are at least 13 years old.
  • Profile. Profile-visibility setting (public or private) and, if you upload one, a profile photo. You may link your account to wrestler records you represent or manage.
  • Wrestler records you create or manage. First and last name, date of birth, gender, weight class, grade, club or team, school, and a parent or guardian contact email. For wrestlers under 13, see Section 8; those records are collected only by an adult on behalf of the minor under the representations in Section 9.
  • Tournament and registration data. Entries, weigh-in records, seedings, brackets, match results, and any custom fields a tournament organizer requires (e.g., USAW membership number, medical waiver acknowledgments).
  • Payment information. Cardholder data is collected and processed directly by Stripe, Inc. on Stripe-hosted forms; MatViz never sees or stores the card number, expiration date, or CVC. We receive only payment metadata such as Stripe customer ID, last four digits, card brand, payment status, and refund or dispute events.
  • Communications. Support emails, abuse reports, and access or deletion requests sent to hello@matviz.com.
  • Audio and video. Match livestreams and recorded clips, collected only when a user actively starts a livestream, uploads a clip, or records via the personal-recording feature.

2.2 Information collected automatically

  • Server logs. IP address, user-agent string, request paths, timestamps, and response status, kept for 90 days for debugging, abuse mitigation, and capacity planning.
  • Session records. A session token (stored hashed), IP address, user-agent, expiry, and last-seen timestamp, retained as long as the session is valid.
  • Coarse geolocation. Approximate country or region inferred from the IP address. We do not collect precise GPS or device-level location data.
  • Error data. Sentry collects exception traces and associated request context to diagnose production errors. Personal information — emails, IP addresses, cookies, sensitive headers, request bodies, and email- or token-shaped values inside error context — is stripped server-side before transmission.
  • Cookies and similar technologies. See Section 6.

2.3 Information from third parties

  • Stripe. Payment status, subscription updates, refund and dispute events, and account-link status for tournament organizers using Stripe Connect.
  • Resend. Email delivery status, bounces, and spam-complaint signals for transactional emails (magic-link logins, registration receipts, match alerts).
  • LiveKit (self-hosted). Streaming session metadata such as room IDs, participant identities, and recording start/stop events. We operate our LiveKit server on the same infrastructure as the rest of the Service.

2.4 Information about other people you provide

When you register a wrestler, invite a coach, add a roster entry, or list a parent contact, you provide information about other people. By doing so you represent that you have the authority to provide that information, including (where the information concerns a minor) the authority described in Section 9.

3. How we use your information

We use personal information to:

  • Provide the Service — account management, registration, weigh-ins, brackets, scoring, livestreaming, recording, payments, payouts, and storage of match results.
  • Communicate — magic-link login emails, receipts, optional match-start notifications, support replies, and security or policy announcements.
  • Improve the Service — aggregate, non-individualized analysis of feature usage, error trends, and platform load. We do not build individual behavioral profiles for marketing.
  • Prevent abuse and fraud — rate limiting, anomaly detection on payments and registrations, and investigation of suspected ToS violations.
  • Comply with law and defend legal claims — responding to subpoenas, court orders, valid data-subject requests, tax and accounting obligations, and preserving records relevant to anticipated litigation or regulatory inquiry.

We do not sell personal information (as that term is defined under the California Consumer Privacy Act — see Section 11.2), share it for cross-context behavioral advertising, or use your data — including video, match records, or wrestler profiles — to train artificial- intelligence or machine-learning models. MatViz does not integrate with any third-party AI provider as of the effective date.

4. How we share your information

4.1 Subprocessors

MatViz uses the following subprocessors. Each is bound by a contract or data-processing agreement that limits use of the information to providing services to MatViz.

SubprocessorPurposeData leaves the U.S.?
Stripe, Inc.Payments, subscriptions, Connect payoutsNo
ResendTransactional emailNo
Backblaze B2Off-host encrypted backupsNo
Cloudflare, Inc.DNS, email routing for @matviz.comNo
Hetzner Online GmbHPrimary hosting — server, Postgres, LiveKit, recordingsSee Section 7.2.
Sentry (Functional Software, Inc.)Error monitoring (PII-stripped)No

We do not currently use third-party web-analytics, advertising pixels, or fingerprinting libraries. If we add any in the future, we will update this section and present a cookie-consent interface before any non-essential cookie is set.

4.2 Other categories of disclosure

  • Tournament organizers see registration, weigh-in, bracket placement, match results, and payment status for the participants in their tournament.
  • Club and school administrators see roster information for wrestlers affiliated with their club — name, date of birth, weight class, and match history.
  • Public-by-design data. Some information you provide is intended to be public: a wrestler's name in a public bracket, registration list, or match result; a livestream marked public; a video clip set to public visibility. Once published, these items may be cached, indexed, or copied; we cannot fully recall them (see Section 5).
  • Legal compliance. We may disclose personal information in response to a valid subpoena, court order, or other legal process, or when reasonably necessary to protect the rights, property, or safety of MatViz, our users, or the public.
  • Business transfer. If MatViz is sold, merged, or reorganized, personal information may be transferred to the acquirer. We will notify users by email and post a notice on the Service before personal information becomes subject to a different privacy policy.

5. How long we keep your data

CategoryRetention
Account profile and linked wrestlersUntil account deletion, then a 30-day grace window during which the account may be restored, then permanent purge of email and password hash and anonymization of historical match records
Tournament results, brackets, match recordsIndefinite — these are public-record outputs of a live event, frequently referenced after the event
Wrestler date of birthRetained while the wrestler record is active; deleted with the record
Video — livestreams, recordings, clipsUntil the publishing user deletes the clip or the account is deleted. Tournament-archive recordings may be kept by the tournament organizer for the season
Audit logs (acceptance, COPPA, role-grant, webhook)Indefinite — required for compliance defense
Server logs and session records90 days
Sentry error eventsPer Sentry's default retention
Stripe recordsPer Stripe's retention policy and applicable financial recordkeeping law

Account-deletion behavior. Requesting deletion (a) marks the account deleted and inaccessible immediately, (b) opens a 30-day grace window during which it can be restored on email request, then (c) replaces the email address with a non-identifying value, drops the password hash, invalidates all sessions, removes linked-wrestler associations, and anonymizes any wrestler records you exclusively owned. Historical match results are preserved with a generic name (e.g., "Withdrawn") to preserve bracket integrity. We cannot recall results already displayed publicly, but we can stop attributing them to you.

COPPA-specific deletion. A parent or legal guardian may at any time request immediate deletion of all personal information MatViz has collected about their child under 13, including video and historical match records. We honor such requests within 30 days of verification (see Section 8).

6. Cookies and similar technologies

MatViz sets only first-party cookies, all classified as strictly necessary or functional:

  • user_token — session cookie set after login; HTTP-only, Secure, SameSite=Strict.
  • session_token — short-lived role cookie for in-tournament scoring; HTTP-only, Secure, SameSite=Strict.
  • csrf_token — paired with state-changing requests as a CSRF defense; required for any write action.
  • Functional cookies — small preference cookies (e.g., default profile-visibility, preferred scoreboard layout). Not used for cross-site tracking.

We do not use third-party advertising cookies, tracking pixels, session-replay tools, or browser fingerprinting. Because no non- essential cookies are set, MatViz does not display a cookie-consent banner today. If we add analytics or advertising technologies, we will update this section and present a consent interface where required.

7. Your rights

The rights available to you depend on where you live. We honor verified requests through the contact channels in Section 13 within 45 days, or the shorter period required by your jurisdiction.

7.1 California residents (CCPA / CPRA)

You have the right to:

  • Know what personal information we collect and how we use it (this policy is the disclosure under Cal. Civ. Code §1798.100).
  • Access specific pieces of personal information and a portable copy.
  • Delete your personal information, subject to the limits in Section 5.
  • Correct inaccurate personal information.
  • Opt out of sale or sharing. We do not sell or share personal information; this opt-out is honored automatically.
  • Limit use of sensitive personal information to providing the Service. We do not use it for secondary purposes.
  • Non-discrimination in service or pricing for exercising any right above.

Email hello@matviz.com from the address associated with your account, or use the Account page when available . We may ask follow-up questions to verify your identity.

7.2 EU/EEA, U.K., and Swiss residents (GDPR / U.K. GDPR)

MatViz is U.S.-based and does not target the European market. If you use the Service from the EU/EEA, U.K., or Switzerland:

  • Lawful bases. Performance of a contract (Art. 6(1)(b) GDPR) for account, registration, payment, and core features; legitimate interests (Art. 6(1)(f)) for security, fraud prevention, and product improvement; consent (Art. 6(1)(a)) where presented; the parental- consent framework in Section 8 for children under 13.
  • Rights. Access, rectification, erasure, restriction, portability, objection, and withdrawal of consent.
  • International transfer. Your data is hosted on a Hetzner server and may be processed by the U.S.-based subprocessors listed in Section 4.1. Where data leaves the EU/EEA we rely on the European Commission's Standard Contractual Clauses or other lawful transfer mechanisms.
  • No EU representative appointed. MatViz operates at a scale we believe is below the GDPR Art. 27 threshold.
  • Supervisory authority. You may lodge a complaint with the data- protection authority in your country.

7.3 Other U.S. state privacy laws

Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and other states with comprehensive consumer-privacy statutes have substantially the same rights described in Section 7.1, exercised through the same channels.

8. Children's Privacy

MatViz is a platform for wrestling tournaments and clubs. Wrestler profiles on MatViz (including those of athletes under the age of 13) are created and managed by parents, legal guardians, coaches, club administrators, and tournament directors — collectively, "Adult Account Holders." MatViz does not knowingly permit children under 13 to create their own user accounts. Account creation requires confirmation of being age 13 or older.

When an Adult Account Holder enters information about a wrestler under the age of 13 — including name, date of birth, weight class, club affiliation, and match results — and authorizes MatViz to process video footage of that wrestler's matches, the Adult Account Holder represents that they are the parent or legal guardian of the wrestler, OR that they are a coach or administrator with documented parental consent on file. MatViz relies on this representation in lieu of obtaining direct verifiable parental consent under the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501 et seq.) and its implementing regulations at 16 C.F.R. Part 312.

We collect the following categories of information about wrestlers under 13, all of which is provided by the Adult Account Holder or generated during ordinary platform use:

  • Identifiers: first and last name, date of birth, club or team affiliation, weight class, tournament registration records.
  • Competition data: match results, brackets, weigh-in records, historical performance.
  • Audiovisual data: video footage of matches recorded by tournament cameras or by Adult Account Holders using the personal-recording feature.

We use this information solely to operate the platform — running tournaments, displaying brackets, computing standings, and storing video for later playback by Adult Account Holders and the wrestler's family. We do NOT use under-13 wrestler information for behavioral advertising, profile building, or sale to third parties. We do not condition a wrestler's participation in any activity on the disclosure of more information than is reasonably necessary to participate.

A parent or legal guardian may at any time:

  • Request access to the personal information MatViz has collected about their child.
  • Request correction of inaccurate information.
  • Request deletion of all of their child's personal information, including video footage and historical match records.
  • Refuse to permit further collection or use of their child's information.

To exercise any of these rights, contact us at hello@matviz.com from the email address associated with your MatViz account, or — if you do not have a MatViz account — provide enough information for us to locate your child's records (full name, date of birth, club or tournament name). We will respond within 30 days of receipt. Verifying your identity may require us to ask follow-up questions; we will not act on a request until we are reasonably satisfied that the requestor is the parent or legal guardian.

If you believe MatViz has collected information from a child under 13 without sufficient authorization, please contact hello@matviz.com and we will investigate and, where appropriate, delete the information.

9. User Representations Regarding Minors

By creating a MatViz account or otherwise using the Service, you represent and warrant that you are at least 13 years of age. If you create, manage, register, or otherwise enter information about any wrestler who is under the age of 13 — including but not limited to entering the wrestler in a tournament, adding the wrestler to a club roster, or authorizing the recording of video footage of the wrestler's matches — you further represent and warrant that:

  1. You are the parent or legal guardian of that wrestler, OR you are a coach, club administrator, or tournament director who has obtained documented parental consent from the wrestler's parent or legal guardian to enter the wrestler's information into the Service and to authorize the activities described above; AND

  2. You have read and understood the MatViz Privacy Policy, including its "Children's Privacy" section, and you authorize MatViz to collect, store, and process the wrestler's personal information (including match-related video footage) as described in that policy; AND

  3. You will promptly notify MatViz at hello@matviz.com if your authority to act on behalf of the wrestler ends — for example, if a parent revokes consent, or if you cease to coach or administer a club at which the wrestler is registered — so that MatViz can update or remove the wrestler's records as appropriate.

You agree to indemnify and hold harmless MatViz, its operators, and its service providers from any claim, demand, or liability — including reasonable attorneys' fees — arising out of or related to your breach of the representations and warranties in this section, including any claim that you lacked authority to enter or authorize the processing of an under-13 wrestler's personal information.

MatViz reserves the right to suspend or terminate any account, and to remove any wrestler record, that we determine in our reasonable judgment was created or used in violation of this section.

10. Security

We protect personal information through:

  • Encryption in transit — HTTPS enforced site-wide via Caddy with Let's Encrypt certificates.
  • Password storage — bcrypt with a per-password salt; never stored in plaintext.
  • Cookie hardening — authentication cookies are HTTP-only, Secure, and SameSite=Strict.
  • CSRF protection — all state-changing requests require a matching CSRF token.
  • Rate limiting — authentication endpoints throttled against brute- force and credential-stuffing attacks.
  • Encrypted backups — daily off-host backups encrypted with restic before transmission to Backblaze B2. No continuous on-disk plaintext database dumps are produced inside the application container; the only plaintext dumps that ever land on disk are short-lived pre-migration safety snapshots taken during a deploy and on-demand dumps that a super-administrator explicitly triggers — both of which are also swept into the daily encrypted restic snapshot.
  • Error monitoring — Sentry alerts the operator on production errors; PII is stripped from error events before transmission.
  • Append-only audit logs for acceptance, COPPA, and role-grant events.

Limits of our security posture, stated honestly:

  • We do not apply application-level encryption at rest beyond what Postgres and Backblaze B2 provide by default.
  • MatViz is not SOC 2 or ISO 27001 certified.
  • MatViz is operated by a single individual; there is no dedicated security team or 24x7 incident response. We rely on conservative defaults, automated monitoring, and rapid manual response.

In the event of a personal-information breach, we will notify affected users and, where required, regulators in accordance with applicable breach-notification statutes.

11. California-specific disclosures

11.1 Categories collected in the past 12 months

For purposes of Cal. Civ. Code §1798.140, MatViz has collected the following CCPA-defined categories: identifiers (name, email, IP, account ID); customer records (contact info, parent/guardian contact); commercial information (registration history, subscription status, payment metadata); internet or network activity (server logs, session records, request paths); geolocation (coarse IP-derived only); audio and visual (match livestreams and recorded clips); professional or club-related information (coaching role, club affiliation, tournament-organizer role); and inferences (bracket seeding, match-result trends, aggregate platform usage).

11.2 "Sale" and "share" of personal information

MatViz does not sell personal information for monetary or other valuable consideration and does not share personal information for cross-context behavioral advertising, as those terms are defined in the CCPA/CPRA. We have not done so in the past 12 months and have no present intention to do so.

11.3 Sensitive personal information

Under CPRA, "sensitive personal information" includes a child's information where the business has actual knowledge that the consumer is under 16. MatViz collects information about under-13 wrestlers as described in Section 8 and does not use that information for any purpose other than providing the Service.

11.4 Authorized agents

You may designate an authorized agent to make a request on your behalf by providing written, signed authorization. We may require you to verify your identity directly.

12. Changes to this policy

When we make a material change, the canonical text changes and so does its sha256 hash. Authenticated users see a re-acceptance banner on their next login and must re-acknowledge before continuing; the acceptance is recorded in our acceptance audit log with the new hash. Non-material changes (typo fixes, contact-information updates, clarifications) may be applied without a re-acceptance prompt; the "Effective" date at the top of this policy is updated for any change. We will not silently apply a change that materially expands the purposes for which we use your information.

13. Contact

Questions about this policy, requests to exercise your rights, complaints, and reports of suspected COPPA violations:

Email: hello@matviz.com

EU/EEA, U.K., and Swiss residents may also lodge a complaint with their national data-protection supervisory authority. California residents may also contact the California Attorney General's office. We respond to verified requests within 45 days, or the shorter period required by your jurisdiction; children's-privacy requests within 30 days (see Section 8).