Effective: May 18, 2026
ClubTrackr LLC (“ClubTrackr,” “we,” “us,” or “our”) takes security seriously. This page summarizes the safeguards, practices, and shared responsibilities that help protect ClubTrackr.com, client or tenant versions of ClubTrackr, hosted portals, support tools, and related software services.
Security is a shared responsibility. ClubTrackr works to build, maintain, and support secure software. Client organizations are responsible for managing their authorized users, choosing appropriate roles and permissions, using strong account practices, and maintaining secure hosting environments when they self-host or use a third-party host.
1. Secure access and authentication
- Role-based access controls are used to limit access based on user type, permissions, and organization role.
- Passwords are stored using one-way password hashing through PHP’s password_hash() or an equivalent secure password-hashing method.
- Session protections are used to reduce common risks, including HttpOnly, SameSite, and Secure cookie settings where applicable.
- Client administrators are responsible for promptly removing, deactivating, or updating users who should no longer have access.
2. Application security
- State-changing forms and requests use CSRF protection where appropriate.
- Database queries use prepared statements or similar safeguards to help reduce SQL injection risk.
- User input is validated, escaped, or sanitized where appropriate for the context.
- File uploads, where available, are limited by validation and access controls intended to reduce risk from unsafe files.
- Permission checks are applied to sensitive workflows such as account management, administrative actions, ticket handling, inventory operations, and client configuration.
3. Transport security and hosting
- ClubTrackr-managed sites are intended to use HTTPS/TLS encryption for traffic between users and the website.
- ClubTrackr-hosted client sites may include SSL certificate configuration, domain or subdomain configuration, basic monitoring, and routine maintenance depending on the applicable agreement.
- If a client organization self-hosts ClubTrackr or uses a third-party hosting provider, that client organization may be responsible for server security, SSL configuration, backups, access controls, hosting credentials, and compliance with applicable data-handling requirements.
- Hosting arrangements do not change ownership of the ClubTrackr software or the client organization’s data.
4. Administrative and emergency access
ClubTrackr may maintain administrative, emergency, or technical access to client instances or hosting environments to provide support, troubleshoot issues, apply updates, address outages, perform security work, verify licensing, and maintain operational continuity.
When using administrative or emergency access, ClubTrackr seeks to access only the data, settings, and systems reasonably necessary for the support, maintenance, security, licensing, or operational purpose involved.
Administrative access is not intended for continuous monitoring of client activity or unrelated review of client data.
5. License validation and technical protection
ClubTrackr-powered software may perform automated license checks, API calls, or related technical measures to verify valid license status, protect the software, prevent tampering, and support security or operational functions.
Attempting to disable, bypass, interfere with, or tamper with license validation, logging, update mechanisms, security controls, or other technical protection measures is prohibited.
6. Data protection
- Client data remains owned by the client organization or its users, as applicable.
- ClubTrackr does not sell client data or use it for third-party advertising.
- Access to client data is limited to authorized use cases such as support, maintenance, hosting, updates, security, legal compliance, or agreement enforcement.
- Users and client organizations should avoid entering unnecessary sensitive personal information into comments, notes, support tickets, attachments, uploads, or other free-text fields.
7. Backups, logging, and availability
- ClubTrackr-managed hosting may include basic operational monitoring, server logging, and maintenance appropriate for the client’s service arrangement.
- Backups and export support may be available depending on the applicable hosting or license agreement and technical feasibility.
- Security and operational logs may be used to troubleshoot issues, investigate suspicious activity, maintain reliability, and protect the service.
- Unless a written agreement states otherwise, ClubTrackr is provided on a best-effort basis and does not guarantee uninterrupted availability, error-free operation, or permanent data availability.
8. Client organization responsibilities
Client organizations help protect their ClubTrackr instance by:
- assigning appropriate roles and permissions;
- removing or deactivating users who no longer need access;
- using strong passwords and protecting administrative accounts;
- reviewing what personal information is entered into the system;
- following applicable school, district, club, privacy, and consent requirements;
- maintaining secure hosting and backups if they self-host or use a third-party server;
- reporting suspected security issues promptly.
9. Vulnerability disclosure
If you discover a vulnerability or security concern, please email support@clubtrackr.com with the subject line “Security Report.” Include a description, affected page or system, steps to reproduce, and any relevant screenshots or proof-of-concept details.
Please follow responsible disclosure practices:
- Do not access, modify, delete, download, or disclose data that is not yours.
- Do not disrupt, degrade, or overload ClubTrackr or any client site.
- Do not use automated scanning, denial-of-service testing, social engineering, phishing, or physical attacks.
- Give ClubTrackr a reasonable opportunity to investigate and remediate before public disclosure.
ClubTrackr does not currently operate a paid bug bounty program. Security reports are appreciated, but compensation is not promised unless agreed in writing in advance.
10. Third-party providers
ClubTrackr may use third-party providers for hosting, email delivery, domain or SSL configuration, payment processing, infrastructure, backups, security, or support. These providers help operate and secure the service, but no third-party system can be guaranteed to be completely secure.
11. No absolute security guarantee
We use reasonable administrative, technical, and physical safeguards designed to protect ClubTrackr and the information processed through it. However, no website, software system, network, or method of transmission or storage is completely secure. Security practices may change over time as ClubTrackr evolves.
12. Contact
Security questions or reports may be sent to support@clubtrackr.com.