Last updated: May 20, 2026 · Effective: May 20, 2026
This Privacy Policy describes how WrestleFlow ("we", "our", "the app") — operated by John Shoufler — collects, uses, and shares information when you use the WrestleFlow mobile application (iOS and Android) and the website at wrestleflow.com.
When you register or log in, we collect: name, email address, role (coach, wrestler, parent, referee), team affiliation, and optional profile photo. Authentication is handled via session cookies and (for native apps) a Bearer token tied to your account.
The app lets coaches and wrestlers log practice attendance, drill workouts, cardio sessions, GPS run tracks, lifting logs, weight-management entries, and diet plans. This information is stored on our servers under your team organization and is visible to your team's coaching staff.
If you are a coach or driver and you start a bus trip in the app, we collect your device's GPS location while the trip is active so parents and other coaches can see live trip progress.
To deliver push notifications (messages, schedule changes, trip updates), we register your device with Firebase Cloud Messaging (FCM) and store the resulting device token associated with your account. You can disable notifications in your device settings at any time, which will stop messages from being delivered to that token.
Standard server logs (IP address, browser/device user-agent, timestamps, requested URLs) are collected for security and debugging. These are retained for 30 days.
If you request a password reset, we generate a single-use token and send an email from noreply@wrestleflow.com to your registered address containing a link valid for 1 hour. The token is stored in our database and is automatically invalidated when used or when the 1-hour window expires. Your IP address and the timestamp of the reset request are captured in our standard server access logs (retained 30 days). We do not maintain a separate audit trail for password reset requests beyond these logs.
The app is intended for use by school wrestling programs. Wrestlers under 13 may have accounts created by their parents or coaches; in those cases the parent/guardian or school is the controller of the child's data. Parents may request deletion of any child's data at any time by emailing us.
All connections use HTTPS/TLS. Passwords are stored hashed (bcrypt). Access tokens for native apps are stored in the OS keychain. Firebase service-account credentials are stored on a server with restricted file permissions.
You can: (a) view and edit your profile data in the app, (b) request a copy of all data we hold about you, (c) request deletion of your account and associated data, (d) opt out of push notifications via your device settings. To exercise these rights, email lovsvettes@gmail.com.
We may update this policy. Material changes will be announced in the app and via email at least 14 days before they take effect.
John Shoufler
Email: lovsvettes@gmail.com
Web: wrestleflow.com