Privacy Policy
This Privacy Policy explains how Headwind Holdings LLC ("Company," "we," "us") collects, uses, shares, and protects personal information when you use Season Ticket Manager Pro, the marketing site at seasonticketmanager.app, and our related services (collectively, the "Service"). It also describes the rights you may have under privacy laws including the EU and UK General Data Protection Regulations ("GDPR" / "UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other U.S. state privacy laws (Virginia, Colorado, Connecticut, Utah, and similar).
If you don't agree with this Policy, don't use the Service. By using the Service you confirm you've read and understood it.
1. Who We Are
The data controller (or "business" under U.S. state law) is Headwind Holdings LLC, a Texas limited liability company. You can contact us at privacy@seasonticketmanager.app.
2. Information We Collect
a. Information you give us
- Account information: name, email address, password (hashed — we never see the plain text), and your time zone and display preferences.
- Profile information: profile photo (avatar), display name, and any biographical text you choose to add.
- Authentication information from third parties: if you sign in with Google or Apple, we receive a stable identifier, the email address tied to that account, and basic profile details (e.g., name and avatar). We do not receive your Google or Apple password.
- Ticket and group data: the season schedules, teams, seat and parking inventory, ownership shares, member lists, roles and permissions, requests, approvals, assignments, and similar coordination records you create or that members of your group create.
- Sales and payment notes: records you choose to keep about ticket sales (sale price, status, profit/loss). The Service does not process payments or move money. These are private records you maintain for your own group.
- Photos and other uploads: images you upload as game memories, avatars, or game-detail images. These are processed for size and stored in our infrastructure.
- Communications: messages and comments you post in the Service, support requests, and any feedback you send us.
- Marketing list signups: if you subscribe through the landing page at seasonticketmanager.app, your email address is sent to MailerLite to manage the waitlist.
b. Information collected automatically
- Device and log data: IP address, browser type, device type, operating system, language, referring URL, timestamps, pages and features used, and similar diagnostic data. We use these to operate, secure, and improve the Service.
- Cookies and similar technologies: session cookies and refresh tokens to keep you signed in, preference cookies (e.g., theme, time zone), and limited analytics. We don't use third-party advertising cookies. The marketing site uses Google Analytics; the in-app Service uses minimal first-party analytics. You can control cookies in your browser; blocking session cookies will sign you out.
c. Information from third parties
- Identity providers (Google, Apple) when you sign in via OAuth, as described above.
- Sports data providers such as the MLB Stats API and BallDontLie supply public schedule, score, and pitcher information for the teams your group follows. This is not personal information about you.
- Service providers (e.g., our email and hosting providers) may give us metadata about deliverability, errors, and security events.
We do not buy personal information from data brokers, and we do not collect facial-recognition or biometric data.
3. How We Use Information
We use personal information to:
- Create and operate your account and authenticate you.
- Provide the Service: store your group's data, enable invitations, deliver notifications, generate reports, render images and PDFs, and similar.
- Send transactional emails (account verification, password reset, invitations, request notifications, security alerts) via Resend or another email provider.
- Communicate with you about your account, support requests, changes to the Service, security incidents, and (if you opt in) marketing or product updates.
- Operate the marketing waitlist and, if you opt in, send updates about availability.
- Secure the Service, prevent and investigate abuse, fraud, and security incidents, and enforce our Terms.
- Improve the Service, including using aggregated or de-identified data to understand usage patterns.
- Comply with legal obligations and respond to valid legal process.
Lawful bases (GDPR / UK GDPR)
Where the GDPR or UK GDPR applies, we rely on the following lawful bases:
- Performance of a contract (Article 6(1)(b)) — to deliver the Service to you.
- Legitimate interests (Article 6(1)(f)) — to secure the Service, prevent fraud, communicate with you about your account, and improve our products. You may object to processing based on legitimate interests by contacting us.
- Consent (Article 6(1)(a)) — for optional cookies, marketing emails, and any other processing for which we ask your consent. You can withdraw consent at any time.
- Legal obligation (Article 6(1)(c)) — to comply with applicable law, including responding to lawful requests.
We do not knowingly process special categories of personal data (e.g., health, biometric, religious data). Please don't upload them.
4. How We Share Information
We do not sell your personal information for money, and we do not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA and similar laws.
We disclose personal information only as follows:
- Within your ticket group. Information you put into a ticket account (your name, avatar, role, assignments, requests, comments, photos, and your sales records) is visible to other members of that account according to their permissions. If you don't want your group to see something, don't post it.
- Service providers (sub-processors) that help us run the Service under written contracts requiring confidentiality and limited use:
  - Hosting and database (cloud hosting and managed PostgreSQL).
  - Email delivery — Resend (transactional emails) and MailerLite (waitlist marketing).
  - Identity providers — Google and Apple, when you choose them for sign-in.
  - Sports data APIs — MLB Stats API, BallDontLie.
  - Analytics — Google Analytics on the marketing site only.
  - Error and uptime monitoring as needed to operate the Service.
- Recipients of magic-link sharing. If you, as a manager, send a guest a recipient invite link, the recipient sees the games, seats, and content you choose to share with them.
- Legal and safety. We may disclose information if we believe in good faith it's required to comply with law, valid legal process, or to protect the rights, property, or safety of users, the public, or the Company.
- Business transfers. If we're involved in a merger, acquisition, financing, sale of assets, or bankruptcy, personal information may be transferred as part of that transaction. We'll notify you of any change in ownership or use of your data.
5. Where We Store Data and International Transfers
Personal information is stored and processed in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S., which has different data-protection laws than your home country.
For transfers from the European Economic Area, the UK, and Switzerland, we rely on appropriate safeguards permitted by law (such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum) to provide an adequate level of protection. Contact us at privacy@seasonticketmanager.app for a copy of the safeguards used for a specific transfer.
6. How Long We Keep Information
We keep personal information for as long as your account is active and for a reasonable period afterward to satisfy operational and legal obligations:
- Account and group data — until you delete the account; afterward we may retain limited records (or de-identified data) for up to 24 months for backup, audit, fraud-prevention, and legal-compliance purposes.
- Photos and uploaded files — deleted along with your account or when removed from the Service, subject to short-term backup retention.
- Transactional logs — typically 12 months, depending on the type and security needs.
- Marketing list data (MailerLite) — until you unsubscribe; you can do that any time using the link in any marketing email.
- Records we are legally required to keep (e.g., tax, accounting) for the period required by law.
When we no longer need personal information, we delete or de-identify it.
7. Security
We use industry-standard administrative, technical, and physical safeguards designed to protect personal information — including encryption in transit (HTTPS/TLS), salted password hashing (bcrypt), access controls, audit logs, and least-privilege access for our personnel. No system is perfectly secure, however; we cannot guarantee absolute security. If we ever experience a personal-data breach affecting you, we'll notify you and any required regulator as the law requires.
8. Children's Privacy
The Service is not intended for children under 16, and we do not knowingly collect personal information from them. If you believe a child has given us personal information, contact us at privacy@seasonticketmanager.app and we will delete it.
9. Your Privacy Rights
The rights below apply depending on where you live. We provide them to all users where reasonably feasible. To exercise any right, email privacy@seasonticketmanager.app from the address on your account or use any in-Service tool we provide. We may need to verify your identity before acting on a request, and we'll respond within the time required by law.
a. Everyone
- Access and edit your profile and most account data from your profile and settings pages.
- Export key account data on request.
- Delete your account from your profile settings; some data may be retained for the limited purposes described in Section 6.
- Opt out of marketing emails via the unsubscribe link in any marketing message; you cannot opt out of transactional emails (security alerts, account notices) while you have an account.
b. EU / EEA, UK, and Switzerland (GDPR / UK GDPR)
You have the right to: access; rectification; erasure ("right to be forgotten"); restriction of processing; data portability; objection to processing based on legitimate interests or for direct marketing; and withdrawal of consent at any time without affecting the lawfulness of prior processing. You also have the right to lodge a complaint with your local data-protection authority (in the UK, the Information Commissioner's Office). We do not engage in solely automated decision-making with legal or similarly significant effects.
c. California (CCPA / CPRA)
If you're a California resident, you have the right to:
- Know the categories and specific pieces of personal information we collect, the categories of sources, the business purposes, and the categories of recipients.
- Delete personal information we collect from you, subject to legal exceptions.
- Correct inaccurate personal information.
- Limit the use and disclosure of sensitive personal information (we don't currently use it for any purpose that triggers this right, but you may request limitation any time).
- Opt out of sale or sharing of personal information. We do not sell personal information for money and we do not share it for cross-context behavioral advertising. We honor Global Privacy Control (GPC) signals where applicable.
- Non-discrimination — we won't deny service, charge different prices, or provide a different level of service because you exercised a right.
You may use an authorized agent to make a request; we may require proof of authorization.
d. Virginia, Colorado, Connecticut, Utah, and similar U.S. states
You generally have the rights to access, correct, delete, and port your personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. We do not engage in targeted advertising or selling. To appeal a decision we make about a privacy request, reply to our response email or write to privacy@seasonticketmanager.app with "Privacy Appeal" in the subject.
e. Other regions
Where applicable law (including Brazil's LGPD, Canada's PIPEDA, and similar) gives you privacy rights, we'll honor them on the same email channel.
10. Cookies and Tracking Technologies
We use a small number of cookies and similar technologies:
- Strictly necessary cookies and refresh tokens to authenticate you and keep your session alive.
- Preferences cookies to remember UI choices (e.g., theme, time zone).
- Analytics — minimal first-party analytics in the app and Google Analytics on the marketing landing site to understand usage and improve the Service.
We do not use cookies for advertising. Most browsers let you block or delete cookies; doing so may break parts of the Service. Where required by law, we'll ask for your consent through a banner before setting non-essential cookies.
11. Do Not Track
Some browsers send a "Do Not Track" signal. Because there is no industry consensus on how to interpret it, the Service does not currently respond to it. We do honor the GPC signal in jurisdictions where it has legal effect.
12. Third-Party Sites and Content
The Service may contain links to or integrations with third-party services we don't operate (e.g., team or league websites, calendar providers, payment apps you use outside the Service). Their privacy practices are their own; please review their policies before sharing information with them.
13. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we'll give you reasonable advance notice — by email, through the Service, or by updating the "Last Updated" date — before the changes take effect. Your continued use of the Service after the effective date means you accept the updated Policy.
14. Contact Us
For privacy questions, requests, complaints, or appeals:
Headwind Holdings LLC
Attn: Privacy
5900 Balcones Drive, Suite 100
Austin, Texas, 78731
privacy@seasonticketmanager.app
If you'd like a paper copy of this Policy, email us and we'll send one.