LaneParty

LaneParty — Privacy Policy

Last updated: 2026-04-19

LaneParty — Privacy Policy (DRAFT)

DRAFT — Requires attorney review before publication

Last updated: 2026-04-19

This is a draft privacy policy and does not constitute legal advice. This document has been prepared for internal review and requires approval from a qualified attorney licensed to practice in your jurisdiction before publication or use. Privacy regulations vary significantly by location (including GDPR, CCPA, PIPEDA, and state-specific laws). An attorney must review this policy to ensure compliance with applicable laws before it is deployed to users.

1. Introduction

Welcome to LaneParty ("we," "us," "our," or "Company"). We are committed to protecting your privacy and ensuring you understand what data we collect, how we use it, and what rights you have regarding your information.

This Privacy Policy explains our data practices for the LaneParty web application and mobile-web application (PWA) available at laneparty.com and laneparty.app (collectively, the "Service").

If you do not agree with this Privacy Policy, please do not use LaneParty.

2. What Data Do We Collect?

2.1 Account and Authentication Data

When you create a LaneParty account, we collect:

  • Email address (used for account recovery and communications)
  • Password (hashed by Supabase Auth using industry-standard encryption; we never store plain text passwords)
  • Username (for public identification in the app)
  • Display name (optional; how you appear to other users)

2.2 Profile Data

To personalize your experience, we collect:

  • Birth year (NOT your full date of birth; used for age verification and bowling statistics)
  • Avatar selection (your chosen profile image)
  • USBC ID (optional; United States Bowling Congress identifier for bowlers who compete officially)
  • PBA ID (optional; Professional Bowlers Association identifier)
  • Venue favorites (which bowling centers you've marked as favorites)

2.3 Bowling Score Data

The core function of LaneParty is tracking bowling scores. We collect and store:

  • Per-frame scores (pins knocked down in each frame)
  • Game sessions (complete bowling game records)
  • Session metadata: timestamp, game type (league, tournament, practice, casual), classification (official/practice/casual)
  • Associated bowling center (where the game was played)

Score data is immutable once a game session is closed — you cannot edit historical scores, ensuring data integrity.

2.4 Location Data

Collection scope: Location data is collected only during active game sessions when you grant permission.

What we collect:

  • GPS coordinates (latitude/longitude)
  • Timestamp of collection

How we use it:

  • To verify you are within 150 meters of a registered bowling center
  • To determine your "Location Verified" trust tier status
  • To authenticate official game sessions

You can decline location collection. If you do, you retain full app access but will not receive Location Verified status.

Location data is NOT continuously tracked. We collect it only when you opt in during a specific game session, not as background tracking.

2.5 Device and Analytics Data

We collect standard web analytics via PostHog:

  • Browser type and version
  • Operating system
  • Screen size / device type
  • General geographic region (country/state level)
  • Page navigation and feature usage patterns

This data helps us understand how users interact with LaneParty and identify performance issues.

2.6 AI Processing Data

Pro tier only. When you use AI features in LaneParty:

Scoresheet photos:

  • Photos of bowling scoresheets you upload are sent to Anthropic's Claude API for automatic score extraction
  • LaneParty does NOT retain these photos after processing
  • The extracted scores are stored in your account; the original image is discarded
  • Anthropic may retain images per their API terms — [ATTORNEY REVIEW NEEDED: Confirm Anthropic's data retention and obtain user consent language]

AI Portrait selfies:

  • Selfies you upload for AI portrait generation are sent to our AI image generation service
  • Selfies are discarded immediately after portrait generation
  • The generated portraits (not the original selfies) are retained and displayed in your profile
  • Generated portraits belong to you and can be deleted from your account at any time

2.7 QR Code Scanning Events

When you scan or receive a QR code to connect with another bowler:

  • We log who scanned whose QR code
  • The session location and timestamp
  • This creates a connection record between players

This data helps build your bowling network within the app.

2.8 Product Feedback and Surveys

When you submit feedback or respond to in-app surveys:

  • Your feedback is tied to your user ID and the trigger context (which feature, what action prompted the survey)
  • Feedback is stored indefinitely to help us improve the product

2.9 Email and Push Notification Data

We track:

  • Your email subscription preferences
  • Whether marketing emails were opened or clicked
  • Push notification settings and delivery status

This helps us understand communication preferences and avoid sending unwanted messages.

2.10 Payment Data

LaneParty never collects or stores full credit card numbers, expiration dates, or CVV codes.

Payment processing is handled entirely by Stripe. When you subscribe to a Pro plan:

  • Your payment method is tokenized by Stripe
  • Only Stripe sees your full payment details
  • We receive confirmation that your payment succeeded or failed
  • We may store the last 4 digits of your card for your reference

2.11 Children's Data (Under 13)

If a user under 13 wants to use LaneParty:

  • A parent or guardian creates a "managed profile" for them
  • The child does NOT have an independent email account or login
  • NO direct communication is sent to the child
  • Only birth year is collected (no full DOB)
  • The parent is the data controller; LaneParty is a processor

Under-13 profiles have zero access to third-party services (no analytics, no AI features, no external sharing). Parents can delete the managed profile at any time; full deletion occurs within 30 days.

2.12 Teen Accounts (13–17)

Users aged 13–17 may create their own accounts with the following restrictions:

  • Maximum privacy defaults: no public profile visibility by default
  • Parental co-sign: certain sensitive actions (like sharing location, subscribing to Pro, changing privacy settings) may require parental approval [ATTORNEY REVIEW NEEDED: Confirm age-gating and parental consent requirements for your jurisdiction]
  • No targeted advertising
  • Limited third-party data sharing

3. How We Use Your Data

3.1 Core Product Functionality

We use your data to:

  • Create and maintain your account
  • Store and retrieve your bowling scores
  • Track your statistics and game history
  • Calculate ratings, averages, and performance metrics
  • Display your profile to other users (if public)
  • Verify your location during official game sessions
  • Process AI requests (scoresheet scanning, portrait generation)
  • Log QR code connections and bowling networks

3.2 Communication

We use your email to:

  • Send transactional emails (password reset, subscription confirmation, receipt)
  • Send product updates and feature announcements
  • Send marketing emails (with unsubscribe option)
  • Respond to your support inquiries

3.3 Analytics and Product Improvement

We use aggregated and anonymized data to:

  • Understand how users navigate and use LaneParty
  • Identify bugs, crashes, or performance issues
  • Track feature adoption and usage patterns
  • Improve the user experience and app performance

We may use or disclose your data if required to:

  • Comply with applicable law, court orders, or government requests
  • Enforce our Terms of Service
  • Detect, prevent, or address fraud, security, or technical issues
  • Protect the rights and safety of LaneParty, our users, or the public

4. Third-Party Data Sharing

We do NOT sell or rent your personal data to third parties for marketing purposes. However, we do share your data with service providers who help operate LaneParty. These are "data processors" — they access your data only to perform specific functions on our behalf and are contractually obligated to keep your data secure.

4.1 Data Processors

| Service | Purpose | Data Shared | Notes |

|---------|---------|-------------|-------|

| Supabase | Database, authentication, storage | All account, profile, and score data | [ATTORNEY REVIEW NEEDED: Confirm Supabase's DPA terms] |

| Vercel | Web hosting and deployment | Application logs, analytics summaries | Standard web hosting data |

| Stripe | Payment processing | Payment method tokens, subscription status | PCI-compliant; never sees full card details |

| Resend | Email delivery | Email address, subscription status, engagement data | Email service provider; GDPR-compliant |

| Anthropic Claude API | AI scoresheet scanning | Scoresheet photos (temporary) | Photos not retained by LaneParty; see Anthropic's privacy policy |

| AI Image Generation Service | AI portrait generation | Selfies for processing only | [ATTORNEY REVIEW NEEDED: Confirm which service; obtain DPA and data retention terms] |

| PostHog | Product analytics | Anonymous usage events, browser/OS data | GDPR-compliant analytics; no PII transmitted |

| Sentry | Error tracking and monitoring | Error logs, stack traces, minimal PII | [ATTORNEY REVIEW NEEDED: Confirm Sentry's data retention and PII scrubbing] |

| Google Places API | Bowling center data | Bowling center names, addresses, locations | Data used to populate our bowling center database |

| Printful (future) | Physical merchandise | Name, address, order details | Only when user orders merchandise (future feature) |

[ATTORNEY REVIEW NEEDED: Obtain and review Data Processing Agreements (DPAs) for all third-party services, especially Supabase, Anthropic, Resend, and Sentry.]

4.2 No Selling of Data

We do NOT:

  • Sell your personal data to advertisers or data brokers
  • Share your data with third parties for their direct marketing
  • Rent your email address or contact information

4.3 Aggregated and Anonymized Data

We may share aggregated, anonymized statistics (e.g., "average bowling score across all users," "most popular bowling centers") with third parties for analytics, research, or marketing purposes. This data cannot identify you personally.

5. How Long Do We Keep Your Data?

5.1 Data Retention Schedule

| Data Type | Retention Period | Notes |

|-----------|------------------|-------|

| Account data (email, password, username) | Until account deletion | Deleted within 30 days of account closure request |

| Profile data (birth year, avatar, IDs) | Until account deletion | Deleted within 30 days of account closure request |

| Score data (all game records) | Until account deletion | Immutable once recorded; integral to your history |

| Location data | Until account deletion | Retained with session data; deleted with scores |

| AI scoresheet photos | Not retained | Discarded immediately after processing |

| AI selfies | Not retained | Discarded immediately after portrait generation |

| Generated AI portraits | Until account deletion or manual deletion | User can delete portraits at any time |

| Product feedback/surveys | Indefinitely | Anonymized after account deletion (tied to user ID removed) |

| Email engagement data | 1 year | Standard email provider retention |

| Analytics data (PostHog) | 30 days (aggregated) | Raw events deleted after aggregation; aggregate reports retained longer for trend analysis |

| Error logs (Sentry) | 30 days | Automatically purged; older logs unavailable |

5.2 Account Deletion

When you delete your LaneParty account:

  1. Your personal data (email, name, profile, scores) is permanently deleted within 30 days
  2. Your account becomes inaccessible immediately
  3. Anonymized feedback tied to your account is retained (no longer linked to you)
  4. You can request expedited deletion by contacting us

[ATTORNEY REVIEW NEEDED: Confirm compliance with state data deletion laws and set realistic timelines.]

6. Your Rights and Choices

6.1 Right to Access

You can view all data LaneParty stores about you:

  • Your account and profile information is visible in app settings
  • Your complete game history and scores are accessible in the "Stats" section
  • Location verification records are shown with each session

6.2 Right to Data Export

Pro tier users can export their data:

  • Bowling statistics as CSV or PDF
  • Game history with scores and dates
  • Performance trends and ratings

[ATTORNEY REVIEW NEEDED: Confirm mechanism for exporting raw personal data in machine-readable format (GDPR/CCPA requirement).]

6.3 Right to Deletion

You can delete your account at any time:

  1. Go to Settings > Account > Delete Account
  2. Confirm the deletion (this action is permanent)
  3. Your data is deleted within 30 days

[ATTORNEY REVIEW NEEDED: Ensure app deletion mechanism is functional and tested.]

6.4 Right to Opt-Out

You have the following opt-out rights:

Marketing emails:

  • Every marketing email contains an "Unsubscribe" link
  • You can manage email preferences in your account settings

Push notifications:

  • Disable push notifications in app settings or device settings
  • You will still receive critical transactional alerts (password resets, payment confirmations)

Location sharing:

  • You can decline location collection during game sessions
  • Declining location does NOT limit app functionality; you simply won't receive Location Verified status

Analytics:

  • PostHog analytics can be disabled in app settings [ATTORNEY REVIEW NEEDED: Confirm this feature is implemented]
  • Some analytics may be necessary for app stability and security

6.5 Do Not Track (DNT)

Some browsers include a "Do Not Track" signal. LaneParty does not respond to DNT signals, as most third-party services (analytics, error tracking) require usage data to maintain security and performance. [ATTORNEY REVIEW NEEDED: Confirm DNT policy aligns with legal obligations.]

7. Security

7.1 How We Protect Your Data

LaneParty employs industry-standard security measures:

  • HTTPS encryption for all data in transit
  • Hashed passwords (via Supabase Auth)
  • Database encryption at rest (Supabase Postgres)
  • Role-based access control within our systems
  • Regular security monitoring via Sentry
  • No storage of sensitive payment data (Stripe handles payments)

7.2 Limitations

While we implement reasonable security measures, no online service is 100% secure. We cannot guarantee absolute protection against:

  • Sophisticated cyberattacks
  • Insider threats
  • Zero-day vulnerabilities
  • Social engineering
  • Loss or corruption of data due to factors beyond our control

7.3 Your Security Responsibilities

You are responsible for:

  • Keeping your password confidential
  • Logging out after using LaneParty on shared devices
  • Reporting suspicious account activity immediately
  • Enabling two-factor authentication (if available) [ATTORNEY REVIEW NEEDED: Confirm if 2FA is implemented]

8. Children and Teens

8.1 Under 13

LaneParty does not knowingly collect personal information from children under 13 without parental consent. If a child under 13 wishes to use LaneParty:

  • A parent or legal guardian must create a "managed profile"
  • The child does NOT create their own account or email
  • NO direct communication is sent to the child
  • The parent is the data controller and can delete the profile at any time
  • Under-13 profiles do NOT have access to third-party services (no analytics, no AI processing)

If we discover we have collected data from a child under 13 without proper parental consent, we will delete that data immediately.

8.2 Ages 13–17

Teens can create their own accounts with enhanced privacy protections:

  • Default privacy setting: private profile (not visible to other users)
  • No targeted advertising
  • Limited third-party data sharing
  • Certain actions may require parental co-sign [ATTORNEY REVIEW NEEDED: Specify which actions and confirm age verification method]
  • Teens have the right to delete their own accounts

8.3 Parental Rights

If you are a parent and believe your child's data is being collected improperly, please contact us immediately at [ATTORNEY REVIEW NEEDED: Add contact email].

9. International Users

9.1 United States

LaneParty is primarily operated in and for users in the United States. If you are a US resident, this Privacy Policy governs your data.

9.2 California Residents (CCPA)

If you are a resident of California, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: You can request what personal information LaneParty collects, uses, and shares
  • Right to Delete: You can request deletion of personal data (with limited exceptions)
  • Right to Opt-Out: You can opt-out of "selling" or "sharing" of personal data
  • Right to Correct: You can request correction of inaccurate information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To submit a CCPA request: Contact [ATTORNEY REVIEW NEEDED: Add contact method and process]

[ATTORNEY REVIEW NEEDED: Confirm CCPA compliance procedures, timeline for requests (45 days), and verification methods.]

9.3 Canadian Residents (PIPEDA)

If you are a resident of Canada, your data is protected by the Personal Information Protection and Electronic Documents Act (PIPEDA):

  • You have the right to access, correct, and request deletion of your personal information
  • You have the right to withdraw consent at any time
  • LaneParty will not use your information for purposes beyond those stated in this policy without your consent

[ATTORNEY REVIEW NEEDED: Confirm PIPEDA compliance, especially regarding consent withdrawal and cross-border data transfer to US servers.]

9.4 European Union Residents (GDPR)

If you are a resident of the European Union or UK, your data is protected by the General Data Protection Regulation (GDPR):

  • Legal basis: We process your data based on your consent (account creation, AI features) and legitimate business interests (analytics, security, fraud prevention)
  • Rights: You have rights to access, rectification, erasure, data portability, and to object to processing
  • Data transfers: Your data may be transferred to the United States (where LaneParty's servers are hosted). This transfer is justified under [ATTORNEY REVIEW NEEDED: Confirm legal basis — Standard Contractual Clauses, adequacy decision, or other mechanism]
  • Data Protection Officer: [ATTORNEY REVIEW NEEDED: Confirm if DPO is required; if yes, add contact]

To exercise GDPR rights: Contact [ATTORNEY REVIEW NEEDED: Add contact method]

[ATTORNEY REVIEW NEEDED: Obtain Data Processing Agreements with all service providers (Supabase, Vercel, etc.) that comply with GDPR Article 28. Confirm legal basis for cross-border data transfer.]

LaneParty may contain links to third-party websites (bowling center websites, social media, etc.). We are not responsible for the privacy practices of third-party sites. Please review their privacy policies before sharing any information.

Currently, LaneParty does not integrate with social media logins (Facebook, Google, etc.). If this changes in the future, this policy will be updated.

11. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. We will:

  1. Post the updated policy on LaneParty
  2. Update the "Last Updated" date at the top
  3. Notify you of material changes via email or in-app notification

Your continued use of LaneParty after changes means you accept the updated policy. [ATTORNEY REVIEW NEEDED: Confirm notification timeline and process.]

12. Contact Us

If you have questions about this Privacy Policy, want to exercise your rights, or believe we have mishandled your data:

Email: [ATTORNEY REVIEW NEEDED: Add contact email]

Mailing address: [ATTORNEY REVIEW NEEDED: Add physical address if required by GDPR/CCPA]

Response time: We will respond to inquiries within 30 days [ATTORNEY REVIEW NEEDED: Confirm commitment and actual capacity]

For California residents, you can also submit requests through our designated agent: [ATTORNEY REVIEW NEEDED: Add CCPA agent info if applicable]

13. Dispute Resolution and Governing Law

[ATTORNEY REVIEW NEEDED: Add dispute resolution process, arbitration clause, governing law, and jurisdiction.]

Summary of Data Practices (Quick Reference)

| Practice | Status |

|----------|--------|

| Do we sell your data? | No |

| Do we use targeted advertising? | No (not yet — may change with future updates) |

| Do we track location continuously? | No (only during active game sessions, with permission) |

| Do we retain AI photos? | No (discarded after processing) |

| Do we share data with third parties? | Only with service providers who operate the app |

| Can you delete your account? | Yes, anytime (deleted within 30 days) |

| Can you export your data? | Yes (Pro users can export stats; all users can request their data) |

| Can you opt-out of marketing? | Yes (unsubscribe link in every email) |

| Can children use LaneParty? | Yes, with parental oversight (under 13 requires managed profile) |

Appendix: ATTORNEY REVIEW CHECKLIST

  • [ ] Confirm jurisdiction(s) — US, Canada, EU, or others?
  • [ ] Verify all Data Processing Agreements (DPAs) are in place with third-party services
  • [ ] Confirm GDPR compliance (legal basis for processing, data transfers, consent mechanisms)
  • [ ] Confirm CCPA compliance (opt-out mechanisms, request procedures, timelines)
  • [ ] Confirm PIPEDA compliance (consent withdrawal, cross-border transfer)
  • [ ] Clarify legal basis for AI processing (Anthropic, portrait generation service)
  • [ ] Specify under-13 and teen parental consent/co-sign mechanisms
  • [ ] Add contact email and response procedures
  • [ ] Confirm account deletion and data retention timelines are feasible
  • [ ] Add dispute resolution and governing law clause
  • [ ] Review 2FA implementation (mentioned but needs verification)
  • [ ] Verify Sentry, PostHog, and Anthropic data retention and privacy terms
  • [ ] Confirm DNT policy aligns with legal obligations
  • [ ] Add GDPR Data Protection Officer contact (if required)
  • [ ] Obtain legal review from attorney licensed in primary jurisdiction
  • [ ] Obtain legal review specific to Canada (PIPEDA) if Canadian users are expected
  • [ ] Test account deletion and data export mechanisms before publication

This Privacy Policy is a DRAFT. Do not publish or share with users until reviewed and approved by a qualified attorney.