Trust Center
Trust, privacy & security
This page is maintained by the Rallyn team to answer common security and privacy questions about rallyn.app. It describes the controls currently enabled in the product and the third-party services we rely on. It is not an independent certification or audit report.
Authentication & access
Accounts are protected by email + password sign-in and Google sign-in through Lovable Cloud (Supabase Auth). Passwords are hashed by the auth provider — Rallyn never stores plaintext passwords. Password reset is handled via a one-time emailed link.
Inside the product, access is enforced by row-level security in our database. Event organizers see only their own organization's events and registrations. Participants see only the registrations and waivers tied to their own account.
Hosting & infrastructure
Rallyn runs on Lovable Cloud, which provides our managed Postgres database, authentication, file storage, and serverless server functions. Data is encrypted in transit (HTTPS/TLS) between your browser and our servers, and at rest by the underlying managed database and storage layer.
What data we collect
When you sign up we store your name, email, and an avatar URL if you provide one. When you register for an event we additionally store the data you submit on the registration form (e.g. division, wave, date of birth if collected, phone, teammate names/emails, and your waiver signature image).
Payment card details are never sent to or stored by Rallyn — they are entered directly on Stripe's hosted checkout page.
Subprocessors
We share data only with the third-party services required to operate the product:
- Stripe — payment processing and organizer payouts (Stripe Connect).
- Lovable Cloud (Supabase) — managed database, authentication, file storage, and server runtime.
- Google Maps — location autocomplete in the event editor.
- Transactional email provider — delivering confirmation, password reset, and event notification emails.
Each subprocessor receives only the data necessary to perform its function (for example, Stripe receives payment details; the email provider receives recipient addresses and message content).
Email & unsubscribe
We send transactional email (registration confirmations, password resets, organizer notifications) and operational reminders to organizers. Marketing-style messages include an unsubscribe link, and you can also opt out by visiting /unsubscribe.
Data retention & deletion
Account, event, and registration records are retained for as long as your account is active so that organizers and participants have a permanent record of their events. If you would like your account or specific personal data deleted, email us at the address below and we will process the request.
Reporting a security or privacy issue
If you believe you've found a security vulnerability, or have a privacy question or data request, please contact us at support@rallyn.app. We aim to acknowledge security reports within two business days.
This page is editable content maintained by the Rallyn team. It is not a Lovable certification or independent attestation. Last reviewed July 18, 2026.