1. Introduction
rallymate ("we," "us," or "our") operates a facility management platform that connects mobile applications with IoT devices—including cameras, smart locks, and connectivity bridges—to enable secure, real-time monitoring and control of sports and recreation facilities.
This Privacy Policy describes the types of information we collect when you use the rallymate mobile application, cloud services, and connected hardware devices (collectively, the "Service"), and how that information is used, shared, and protected.
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Personal Information
We collect the following personal data when your account is created and when you use the Service:
| Data | Required | Purpose |
|---|---|---|
| Phone number | Yes | Primary account identifier; delivery of SMS one-time passcodes for authentication |
| Name | Yes | Display name within the application |
| Email address | No | Optional contact information |
2.2 Session & Device Information
When you sign in, we automatically collect:
- IP address — for session security and fraud prevention.
- Device information — a general identifier of the mobile device used to access the Service (e.g., device model and OS version).
- Session tokens — encrypted authentication tokens stored locally on your device to maintain your signed-in state.
- Session timestamps — the time of login, last access, and session expiration.
2.3 Facility & Membership Information
We store your association with one or more facilities, including your role (Player or Manager), membership start and expiration dates, and facility-related identifiers.
2.4 Information We Do Not Collect
- We do not collect GPS or geolocation data from your mobile device.
- We do not integrate third-party analytics, advertising, or tracking SDKs.
- We do not store passwords—authentication is entirely one-time-passcode based.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Authentication — to verify your identity via SMS one-time passcodes and maintain secure sessions.
- Service delivery — to provide access to facility cameras, smart locks, and device management features based on your role and membership.
- Device provisioning — to securely register and configure IoT bridge devices, cameras, and locks at your facility.
- In-app messaging — to enable communication between facility members and managers.
- Security & fraud prevention — to detect unauthorized access using IP addresses and session metadata.
- Activity logging — to maintain audit trails of device actions (e.g., lock/unlock events, camera streaming sessions) for facility accountability.
4. SMS & One-Time Passcodes
Your phone number is used to send SMS messages containing one-time passcodes (OTPs) for the sole purpose of authenticating your identity.
rallymate uses a passwordless authentication system. When you sign in, a 6-digit one-time passcode is sent to your registered phone number via SMS. This is the only method of authentication—no password is ever created or stored.
Key details about our SMS-based authentication:
- OTP codes expire after a short configurable window (default: 5 minutes).
- A maximum of 3 verification attempts is allowed per code.
- SMS sending is rate-limited to prevent abuse (maximum 3 messages per phone number per 10-minute window).
- We will never use your phone number for marketing, promotional messages, or any purpose other than authentication.
- Standard carrier messaging rates may apply to SMS messages you receive.
5. IoT Device & Facility Data
As a facility management platform, rallymate processes data generated by connected IoT devices:
5.1 Camera Data
- Live video streams — transmitted in real time via secure RTSP/WebRTC protocols through encrypted tunnels. Live streams are not stored on our servers.
- Video recordings — when recording is initiated (manually, on schedule, or by motion detection), video files and thumbnails are stored securely in cloud storage. Metadata includes start time, duration, file size, and recording trigger type.
- Camera activity logs — records of who started/stopped streaming or recording sessions for facility audit purposes.
5.2 Smart Lock Data
- Lock/unlock events — a log of all lock actions, including the identity of the user who initiated the action and a timestamp.
- Lock state — the current locked/unlocked status of each device.
5.3 Bridge & Connectivity Data
- Device connectivity status — online/offline state, cloud and edge connection health.
- Device certificates — cryptographic certificates issued by our internal Certificate Authority for secure mutual-TLS communication. These do not contain personal information.
6. Third-Party Services
We use a limited number of third-party service providers to operate the platform:
| Provider | Purpose | Data Shared |
|---|---|---|
| Twilio | SMS delivery for one-time passcodes | Phone number, OTP message content |
| Google Cloud Platform | Cloud infrastructure & video storage | Video recordings, service operational data |
We do not sell, rent, or trade your personal information to any third party. Third-party providers process data solely on our behalf and under contractual obligations to protect it.
7. Data Storage & Security
We implement multiple layers of security to protect your data:
- Encryption in transit — all communication between the mobile app, cloud services, and IoT devices uses TLS encryption. Device-to-cloud communication uses mutual TLS (mTLS) with certificates from our internal Certificate Authority.
- Encrypted authentication tokens — JWT session tokens are cryptographically signed and have limited lifetimes (access tokens: 24 hours; refresh tokens: 7 days).
- Role-based access control — users can only access facilities and devices they have been explicitly granted membership to, with actions scoped to their assigned role (Player or Manager).
- MQTT authorization — real-time device messaging is authenticated and authorized per-topic through a custom broker extension that validates every connection against our backend.
- No self-registration — user accounts are created by facility administrators only. There is no open registration.
8. Data Retention
- Account data — retained for as long as your account is active. Deactivated accounts may be retained for a reasonable period for audit and legal compliance purposes before permanent deletion.
- Session data — authentication sessions expire automatically (access tokens: 24 hours, refresh tokens: 7 days). Expired session records are purged periodically.
- OTP records — one-time passcode records are short-lived and purged after verification or expiration.
- Video recordings — retained according to the facility's configured retention policy. Facility managers control recording retention durations.
- Activity logs — device and user activity logs are retained for audit and security purposes as determined by facility policy.
9. Your Rights & Choices
Depending on your jurisdiction, you may have the following rights:
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate or incomplete data.
- Deletion — request deletion of your personal data, subject to legal retention requirements.
- Portability — request your data in a structured, machine-readable format.
- Withdraw consent — you may stop using the Service at any time. Contact your facility administrator to request account deactivation.
- Opt out of SMS — since SMS is the sole authentication method, opting out of SMS will prevent you from accessing the Service. You may contact us to deactivate your account.
To exercise any of these rights, please contact us at the address below.
10. Children's Privacy
The Service is not directed to individuals under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us and we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective Date" at the top of this page and, where appropriate, notify you through the application. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.
12. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us:
rallymate
Email: privacy@rallymate.net
Website: rallymate.net