
Privacy Policy

Last updated: May 4, 2026

1. Introduction

This Privacy Policy explains how HangTime (“HangTime,” “we,” “us,” or “our”) collects, uses, shares, and protects information about you when you use our website at gohangtime.com, our web application at app.gohangtime.com, our mobile applications, and any related services we provide (collectively, the “Service”).

HangTime is a platform for organizing pickup basketball games and building small basketball communities. We take privacy seriously because the data you trust us with — your phone number, your photos, your location at a given time, your relationships with other players — is sensitive, and we do not want to be sloppy with it.

This policy applies to anyone who visits our website, creates an account, joins a group, RSVPs to an event, posts content, or otherwise interacts with the Service. If you do not agree with this policy, please do not use the Service.

2. Definitions

Service means the HangTime website, web app, mobile apps, and any related products and services. Account means the user account you create to access authenticated parts of the Service. User Content means anything you submit to the Service — messages, photos, videos, event details, group names, comments, and so on. Personal Data means information that identifies you or could reasonably be linked to you, such as your name, phone number, email address, IP address, device identifiers, or photographs of your face.

3. Information We Collect

We collect information in three ways: information you give us directly, information collected automatically when you use the Service, and information we receive from third parties (such as our authentication provider).

3.1 Account data

When you create an Account, we collect the information needed to set it up and authenticate you over time. This typically includes your name, phone number, email address, and a profile photo if you choose to upload one. If you sign in using Google, we receive your name, email address, and Google profile photo from Google.

We also store the timestamp at which you accepted these Terms and this Privacy Policy (the legalAccepted record described in Section 5), so we have a record that you agreed to the contract under which we provide the Service.

3.2 Usage data

When you use the Service, we automatically collect information about how you use it. This includes the pages you visit, the buttons and links you click, the events you RSVP to, the groups you join or leave, the search queries you run, and similar interactions. We use this data to operate the Service, debug problems, and understand which features people actually use.

3.3 Device and connection data

We automatically log technical information about the device and network you use to access the Service, including your IP address, browser type and version, operating system, device type, screen size, language preference, and the referring URL. We use this information for security (detecting suspicious sign-ins or abuse), reliability (knowing which device combinations are breaking), and rough geolocation (country/region only — we do not collect precise GPS location from the web app).

3.4 Cookies and similar technologies

We use a small number of cookies and browser storage mechanisms to keep you signed in and to measure how the Service is being used. The full list, including cookie names, expiry windows, and how to opt out, lives in our Cookie Policy.

3.5 Photos and videos

If you upload a profile photo, post photos to a group, or upload video clips of a game, we store those files. Profile photos are visible to other members of your groups. Group photos and videos are visible to other members of the specific group they were posted to. Video clips are processed by our video infrastructure provider (see Section 6) so they can be played back in-app.

Photos and videos can include identifiable images of you and other people. By uploading them, you confirm that you have the right to do so and that the people in them have not asked you to keep them off the platform. See our Acceptable Use Policy for more on this.

3.6 Phone number

We collect your phone number for two reasons: to verify your identity at sign-in (via SMS one-time passcode) and to send you transactional messages about the Service (for example, an event reminder or a notice that someone added you to a group). We use Twilio to send these SMS messages on our behalf. Standard message and data rates from your carrier may apply. We do not sell your phone number, share it with advertisers, or use it for marketing campaigns.

3.7 Information from third parties

Our authentication provider (Clerk) handles the actual sign-in flow and passes us a verified record of who you are after you sign in. If you sign in via Google, Clerk also receives basic profile information from Google and forwards it to us. If you grant additional permissions (calendar access, contacts, etc.) in a future feature, we will tell you what we collect at the point of permission.

4. How We Use Your Information

We use the information described above to:

  • Deliver the Service. Run the website and apps, sign you in, route messages and notifications, store your photos and videos, show you events and groups you belong to.
  • Provide support. Respond to your questions and troubleshoot problems you report.
  • Keep the Service secure. Detect fraudulent sign-ins, spam, abuse, and other behavior that violates these Terms or our Acceptable Use Policy.
  • Improve the product. Understand which features get used, where users get stuck, and which bugs need fixing.
  • Send transactional communications. Event reminders, security alerts, billing receipts (if applicable), and material updates to these legal documents.
  • Comply with the law. Respond to lawful requests from government authorities, enforce our Terms, and protect HangTime, our users, and the public.

We do not use your data to train artificial intelligence or machine learning models, and we do not sell your data to third parties. We do not run an advertising business. The only third parties who handle your data are the sub-processors listed in Section 6 — vendors who run infrastructure on our behalf under contract.

If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) requires us to identify a legal basis for each kind of processing we do. We rely on the following bases:

5.1 Performance of a contract — GDPR Art. 6(1)(b)

When you create an Account and accept these Terms, you enter into a contract with us under which we provide the Service. The processing necessary to provide that Service — storing your account record, authenticating your sign-ins, delivering messages, storing your photos and videos, recording your event RSVPs — is performed on the legal basis of contract performance under Art. 6(1)(b).

This includes the act of recording your acceptance of these Terms (the legalAccepted field). Capturing that record is necessary for us to demonstrate, later, that the contract exists. We treat this as contract performance, not as freely-given consent under Art. 6(1)(a), because the record is a precondition of the Service rather than an optional add-on.

5.2 Legitimate interests — GDPR Art. 6(1)(f)

Some processing is not strictly necessary to deliver the Service but is necessary to run a sustainable, secure product. We rely on legitimate interests for:

  • Product analytics (PostHog) — understanding which features are used so we can prioritize improvements.
  • Session replay — debugging visual bugs and confusing flows by replaying anonymized interaction recordings.
  • Security — logging IP addresses and device fingerprints to detect abuse, credential stuffing, and account takeover.
  • Service operations — aggregate metrics, error reporting, uptime monitoring.

Where we rely on legitimate interests, we balance our interest against your privacy. You can object at any time using the in-app analytics opt-out (see Section 9) or by contacting us.

5.3 Consent — GDPR Art. 6(1)(a)

We currently do not rely on consent for any required processing. If we introduce optional marketing communications, surveys, or similar non-essential processing in the future, we will ask for your specific, informed, unambiguous consent first, and you will be able to withdraw that consent at any time without affecting the rest of the Service.

5.4 Compliance with legal obligations — GDPR Art. 6(1)(c)

We may process and retain certain data — for example, records of deletion requests — to comply with our obligations under applicable law.

6. Sharing and Sub-Processors

We do not sell your Personal Data. We share it only with the sub-processors listed below, who run infrastructure on our behalf under a written contract that limits their use of your data to providing services to us, and with parties you explicitly direct us to share with (for example, by adding them to a group).

Our current sub-processors are:

  • Clerk — authentication, sign-in, session management, and the verified user identity record.
  • Neon — managed PostgreSQL database hosting our primary application data.
  • Vercel — web and API hosting, edge networking, and Vercel Blob for stored photo and asset files.
  • PostHog — product analytics, feature flags, and session replay.
  • Mux — video ingestion, transcoding, and playback for game clips.
  • Twilio — SMS delivery for one-time passcodes and transactional event notifications.

We may also share Personal Data when required by law (e.g., a subpoena or court order), to enforce our Terms, to defend ourselves in legal proceedings, or to protect the safety of HangTime, our users, or the public. If we are ever acquired or our assets are transferred, your data may transfer with the business; we will notify you of any such change in advance to the extent required by law.

7. Data Retention

We keep Personal Data only as long as we need it for the purposes described in this policy or as required by applicable law.

If you delete your account through the in-app deletion flow (see Section 9), the deletion runs in two phases:

  1. Soft delete. Your account is immediately marked as deleted, you are signed out everywhere, and a 14-day grace window begins. During this window, you can no longer sign in, but the data is recoverable on operator request from a verified phone of record.
  2. Hard purge. 14 days after the soft delete, a nightly cron job permanently removes your account record from our database and from Clerk, Vercel Blob (avatars and photos), Mux (video assets), and PostHog (the person profile and associated events). User Content you posted into shared spaces (e.g., comments in a group thread) is retained but anonymized, so the surrounding conversation remains intelligible to other group members.

For approximately 30 days after a soft delete, an encrypted snapshot of the Personal Data needed for restoration is retained in a separate deletion log. After 30 days that snapshot is purged, and restoration is no longer possible.

8. Security

We protect Personal Data using a combination of technical and organizational controls. All traffic to and from the Service is encrypted in transit using TLS. Data at rest in our database, blob storage, and video infrastructure is encrypted by our sub-processors. Access to production systems is restricted to a small number of authorized engineers, protected by strong authentication, and audited on a regular basis.

We rely on our authentication provider (Clerk) for password and session security, and we never see or store your password directly. SMS one-time passcodes are short-lived and single-use. Sensitive operational secrets are managed through dedicated secret stores rather than checked into source code.

No system is perfectly secure, and we will not pretend otherwise. If we ever experience a data breach that affects your Personal Data and triggers a notification obligation under applicable law, we will notify you and the relevant authorities within the timeframes the law requires, with the information the law requires us to provide. You can help by using a unique sign-in method, reporting suspicious activity to legal@gohangtime.com, and keeping the email address and phone number on your account current so we can reach you.

9. Your Rights and Choices

Depending on where you live, you may have the following rights with respect to your Personal Data:

  • Access. Request a copy of the Personal Data we hold about you.
  • Correction. Ask us to correct inaccurate Personal Data. Most fields can be edited directly in your account settings; for anything else, contact us.
  • Deletion. Delete your account and the Personal Data associated with it through the in-app deletion flow (Settings → Account → Delete account). The flow runs the soft-delete and hard-purge process described in Section 7.
  • Portability. Request a machine-readable export of the Personal Data you provided to us.
  • Objection. Object to processing we do under legitimate interests — in particular, opt out of analytics and session replay using the in-app toggle (Settings → Notifications → Analytics & session replay) or by enabling Do Not Track in your browser.
  • Withdraw consent. Where we rely on consent (currently none, but reserved for future optional features), withdraw it without affecting other processing.
  • Complaint. Lodge a complaint with your local data protection authority. We would prefer you contact us first so we can try to resolve the issue, but you are not required to.

To exercise any of these rights, email legal@gohangtime.com from the email address on your account or contact us using the verified deletion request flow on the website. We will respond within the timeframe required by applicable law (typically 30 days).

10. California Privacy (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the “CCPA”), gives you specific rights regarding your Personal Information. This section supplements the rest of this Privacy Policy.

10.1 Categories of Personal Information collected

In the past 12 months, we have collected the following categories of Personal Information described in the CCPA:

  • Identifiers — name, email address, phone number, IP address, account identifier.
  • Customer records — profile photo, account settings.
  • Internet or other electronic network activity — browsing history within the Service, page views, click events, session-replay recordings.
  • Geolocation data — coarse location derived from IP address (country/region, not precise GPS).
  • Audio, electronic, visual, or similar information — profile photos, photos and videos posted to groups.
  • Inferences — usage patterns derived from the above.

10.2 Sale and sharing of Personal Information

We do not knowingly sell your Personal Information for money or other valuable consideration. We do not run an advertising business and we do not provide your data to ad networks for cross-context behavioral advertising.

10.3 Right to Limit / Do Not Share

California residents have the right to opt out of any sharing of Personal Information for cross-context behavioral advertising. To exercise this right, do any of the following:

  • Toggle Analytics & session replay off in Settings → Notifications inside the app. This disables PostHog analytics and session-replay capture for your account going forward.
  • Enable Global Privacy Control (GPC) or Do Not Track in your browser. We respect both.
  • Email legal@gohangtime.com with the subject line “Do Not Share — California”.

You also have the rights to know, access, correct, and delete your Personal Information described in Section 9 above. We do not discriminate against California residents who exercise these rights.

11. Children’s Privacy

The Service is not directed at children. You must be at least 18 years old to create an Account. We do not knowingly collect Personal Data from anyone under 18. If we learn that we have collected Personal Data from someone under 18, we will delete the account and the associated data, and we will refuse further service to that account.

Because we set the eligibility floor at 18, the U.S. Children’s Online Privacy Protection Act (COPPA), which governs the collection of personal information from children under 13, is out of scope for HangTime. If you are a parent or guardian and you believe a child under 18 has created an account on the Service, please contact us at legal@gohangtime.com and we will remove the account.

If you created a HangTime account before this 18+ requirement was put in place, we will send a one-time email notice to your registered email address making the updated policy known. Your continued use of the Service after that notice is your representation that you meet the 18+ requirement; if you do not, please delete your account.

12. International Data Transfers

HangTime is operated from the United States. Our database, blob storage, and most of our sub-processors store data on servers in the United States. If you access the Service from outside the United States, your Personal Data will be transferred to, stored in, and processed in the United States.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make a material change — one that meaningfully affects how we use or share your Personal Data — we will notify you at least 30 days before the change takes effect, by email to the address on your account and via an in-app notice. Non-material changes (clarifications, typo fixes, sub-processor name updates) take effect when posted, and we will update the “Last updated” date at the top of this page.

Your continued use of the Service after the effective date of a material change constitutes acceptance of the updated policy. If you do not agree, your remedy is to stop using the Service and delete your account.

14. Contact

Questions, requests, or complaints about this Privacy Policy or our privacy practices? Email legal@gohangtime.com. We try to respond to privacy inquiries within a few business days, and to formal rights requests within the timeframes required by the law that applies to you.

For formal notice purposes, the data controller is [ENTITY — TO VERIFY], registered at [ADDRESS — TO FILL]. If you are a resident of the European Economic Area or the United Kingdom and would prefer to contact a representative under Article 27 GDPR or its UK equivalent, contact legal@gohangtime.com for the current designated representative; we will update this section with their direct details once appointed.