Privacy Policy

1. Who we are

Shinny (the “Service”) is operated by Bristol-Jones Group, LLC (“Shinny,” “we,” or “us”), a Tennessee limited liability company based in Nashville, Tennessee, United States. If you have any privacy question, write to admin@shinny.io.

2. What we collect

We try to keep the data set small. Here is everything we store, and why:

• Account info— your email, display name, position (skater/goalie/both), and self-reported skill level. Used to sign you in, badge your RSVPs, and route notifications.
• Home rinks & subscriptions— which rinks and skill bands you follow. Used to send you alerts when matching games post.
• Activity— games you post, RSVPs, reviews, rink check-ins (manual, only if you opt in), and timestamps for each. Used to run the social features of the platform.
• Notification preferences— whether you’ve enabled in-app, email, web-push, or SMS notifications; whether you’re currently muted; and your unsubscribe token. Used to deliver alerts you’ve asked for and to stop delivering ones you haven’t.
• Mobile number (optional)— only if you opt in to SMS alerts or reminders. Stored in E.164 format and shared only with our SMS carrier (Twilio) for the sole purpose of delivering the texts you asked for. We log the timestamp of your opt-in for legal compliance (TCPA). You can remove the number, turn off SMS, or reply STOP to any text at any time; we honor STOP both at the carrier level and by flipping your opt-ins off in our database. Standard carrier rates may apply — that’s between you and your phone provider.
• Location, only if you opt in— if you turn on location opt-in, we record the rinks you’ve checked in at and when. You can leave a rink, delete your history, or turn the feature off at any time from your profile. We do not track your continuous location.
• Device & technical data— IP address, browser/user-agent, and basic page-load metrics. Used to keep the service running and to detect abuse. We do not run third-party analytics scripts on your browser.

We do not collect data we don’t need: no contacts, no advertising IDs, no social-graph scraping, no fingerprinting, no behavioral profiles for retargeting.

3. How we use it

• Run the app — sign you in, match you to games, send you alerts.
• Keep it working — investigate bugs, fight spam, audit suspicious behavior.
• Send you transactional email you’ve asked for.
• Improve the product — understand which features are used, which rinks are getting demand, which workflows confuse people.
• Comply with law — respond to subpoenas, court orders, and other lawful government requests, when we have to.

4. Aggregated, anonymized data

When you create a Shinny account, you agree that we may use anonymized, aggregated data— counts and patterns that can’t be traced back to you — to improve the app and share insights with rink operators and partners. Examples of what we’d share at this aggregate level:

• “Centennial Sportsplex had 142 pickup-game RSVPs last month.”
• “75% of Nashville-area sessions start between 8pm and 10pm.”
• “Goalie no-show rate at C-tier games is 8%; at CC-tier games it’s 14%.”
• “Demand for stick-and-puck sessions in Toronto has grown 30% year-over-year.”

None of this contains your name, email, IP, device, or any data that could be used to identify you. We aggregate across many users before sharing, and we apply standard de-identification practices — removing identifiers, suppressing small cells, and never sharing aggregations from a group smaller than a meaningful threshold.

5. Sharing your individual data (opt-in only)

We do notshare your individual, identifiable activity data with third parties — unlessyou explicitly opt in. If you check the “data sharing” box during signup or in your profile settings, you permit Shinny to share your individual activity (games joined, skill level, play history) with third-party research or marketing partners we’ve vetted.

You can withdraw that consent at any time at /profile — uncheck the box and click save. Withdrawal applies going forward; data we shared before withdrawal cannot be unshared, but partners are contractually obligated to honor deletion requests.

If you never opt in, we never share your individual data with marketing or research partners, full stop.

6. Operational service providers

A handful of vendors process small slices of data on our behalf so that the app functions. They’re bound by contracts that limit what they can do with the data and require them to keep it secure:

• Supabase— database, authentication, file storage.
• Cloudflare— hosting, DNS, network security, email routing.
• Resend(operated by Resend, Inc., on AWS SES) — outbound email delivery.

These are operational tools, not marketing partners. They do not have permission to use your data for their own purposes.

7. Your rights

You can, at any time:

• Access — view your profile data on the /profile page. Ask us by email for an exported copy.
• Correct— edit anything on your profile directly.
• Delete — visit /delete-account to delete specific categories of your data (RSVPs, reviews, check-ins, posted games, announcements), wipe everything but keep your login, or request a full account closure. For account closure we’ll remove your profile, RSVPs, reviews, and check-ins within 30 days. Posted games and rink data we keep for historical accuracy, with your identifying details scrubbed. You can also email admin@shinny.io if you can’t sign in.
• Withdraw consent— uncheck the individual-data-sharing box in profile settings anytime.
• Pause notifications— mute for a period, or fully unsubscribe via the link in every email. For SMS, reply STOP to any text or untick the SMS toggles in your profile.
• Opt out of location— turn off location opt-in and erase your check-in history from /profile.

California, Virginia, Colorado, Connecticut, Utah, and other state-resident requests, plus EU GDPR / UK and Canadian PIPEDA rights, are honored on the same email channel.

8. Data retention

We keep your account data for as long as you have an account. Bug reports, audit logs, and email-delivery records may be retained up to 24 months for security and compliance. When you delete your account, identifying data is removed within 30 days; backups age out within 60 days after that.

9. Children

Shinny is not directed at children under 13, and we don’t knowingly collect their personal data. If you believe a child under 13 has an account, write to admin@shinny.io and we’ll remove it.

10. Security

We use modern hosting infrastructure with encryption in transit (TLS) and at rest, row-level security on the database, scoped API keys, and access controls on admin tools. No system is perfectly secure, but we treat your data the way we’d want ours treated.

11. International transfers

Our infrastructure is primarily in the United States. If you’re in Canada, the EU, or elsewhere, your data may be processed in the US. We’ll honor any regional data-protection rights you have under your local law on request.

12. Changes

If we change this policy, we’ll update the date at the top and, for material changes, notify you in-app or by email at least 14 days before the change takes effect. Continued use of Shinny after the change means you accept it.

13. Contact

Email admin@shinny.io for anything privacy-related — a question, a deletion request, a complaint. We answer.