Show My Score Privacy Policy
Effective from September 1st, 2025
Welcome to Show My Score. Your privacy matters. This policy explains what we collect, why we collect it, how we use it, when we share it (and when we don't), and the controls you have. It is written for users in clear language, with legal details included where needed.
Plain‑English promise: Show My Score does not sell, rent, or cross‑promote your personal data. Your profile and verified scores are private by default and are only visible to others when you choose to share them (for example, via a unique link or QR code). You can revoke access to this public data at any time, and you can cancel your account and delete your data at any time.
1) Scope & Who We Are
This Privacy Policy applies to the Show My Score website, web app, mobile experiences, and related services (collectively, the "Services"). "We," "our," and "us" mean the Show My Score operating entity. "You" means the user (or a parent/guardian acting on behalf of a minor) and any visitor.
2) Key Principles
- User control: You decide if/when to make your profile or a specific score visible through a shareable URL or QR code. You can revoke public visibility at any time from settings.
- No selling or advertising "sharing": We do not sell your personal information and do not share it for cross‑context behavioral advertising.
- Data minimization: We only collect what we need to verify scores, run the service, and keep it secure.
- Security by design: We apply industry‑standard protections to keep your data safe.
- Transparency & rights: We provide clear controls to access, correct, export, or delete your data, and to withdraw consent for optional features.
3) Information We Collect
3.1 Information you provide
- Account & profile: name, email, graduation year, school/college, country/region, profile photo (optional), bio (optional).
- Scores & proofs you submit: standardized test results (e.g., SAT/ACT/other), year/month taken, and any documents/screenshots you upload for verification (e.g., a PDF or image of your score report).
- Public profile content (optional): anything you choose to publish on your public page (e.g., programs applied to, interests, achievements).
- Communications: messages you send to support or feedback you provide.
3.2 Information collected automatically
- Device & log data: IP address, browser type/version, device identifiers, pages viewed, links clicked, date/time stamps, and referral URL.
- Cookies & similar tech: strictly necessary cookies for login and security; optional analytics cookies (if enabled).
3.3 Information from third parties (optional)
- Single‑Sign‑On (SSO): when you sign in with a third‑party account, we receive basic profile data (e.g., name and email).
- Verification partners (if you choose them): if you connect a third‑party source to verify your score, we only receive what's needed to complete verification. We do not store your third‑party passwords.
Sensitive data: We do not knowingly collect financial account numbers, health data, or precise geolocation. Please do not upload these.
4) How We Use Your Information
- Provide the Services: create and maintain your account; verify scores; power your private dashboard and, if you opt in, your public profile.
- Sharing at your direction: generate a unique link/QR to your profile or a specific score card when you explicitly choose to share.
- Safety & integrity: detect/prevent fraud and abuse; secure accounts; monitor system reliability and performance.
- Communications: send account notices (verification emails, important service updates); send optional tips and product updates (you can opt out).
- Analytics & product improvement: aggregate and de‑identify usage data to improve features and reliability.
- Legal compliance: comply with laws, enforce our Terms, and respond to lawful requests.
5) Public Profiles, Links & QR Codes (Your Controls)
Private by default. Your scores and profile are private unless you explicitly make them public or create a shareable link/QR.
Granular controls. You can:
- Make your entire profile public or keep it private.
- Revoke sharing at any time; shared links/QRs will stop resolving to your profile.
Important limitations when you share:
- Link previews & scanners. Messaging apps and social platforms may fetch a preview (title/image) when a link is pasted. Some corporate/security tools auto‑scan links.
- Copies & screenshots. Others can capture or repost what they see. Revoking a link won't delete copies outside our control.
- Metadata hygiene. We design shareable links/QRs to avoid embedding your name, email, or score in the URL/QR itself. Only the page—when opened by a viewer—displays what you've chosen.
6) Cookies & Similar Technologies
We use:
- Strictly necessary cookies for secure login, session continuity, and fraud prevention (cannot be turned off).
- Optional analytics cookies to understand usage and improve the product. We'll ask for your consent where required. You can change preferences anytime in Cookie Settings.
We do not use cookies for cross‑site behavioral advertising.
7) When We Share Your Information
We do not sell or rent your personal data. We only share in these scenarios:
- At your direction: when you create a public profile or share a link/QR, or when you connect your account to a third party (e.g., posting to LinkedIn).
- Service providers (processors): trusted vendors that host our infrastructure, email delivery, analytics (if enabled), content delivery, and security. They are bound by confidentiality and data‑processing terms and may only use data to provide services to us.
- Legal/safety: to comply with the law, court orders, or lawful requests; or to protect the rights, property, or safety of you, us, other users, or the public.
- Business transfers: if we undergo a merger, acquisition, or asset sale, we will provide notice and inform you of your choices.
We do not share your personal data for targeted advertising or cross‑promotion.
8) Data Retention
- Account data & scores: kept while your account is active.
- Public links/QRs: remain active until you revoke them or delete the linked content.
- Logs & security records: retained for a limited period for security, analytics (if enabled), and compliance.
- Backups: data may persist in encrypted backups for a limited time before being overwritten.
When you delete data or your account, we remove it from active systems and scheduled backups subject to technical and legal limits. We may retain de‑identified/aggregated data that cannot reasonably identify you.
9) Your Rights & Choices
9.1 Universal controls for all users
- Edit: update your name, email, and profile details.
- Delete: delete your account.
- Withdraw consent: turn off public sharing and analytics cookies at any time.
9.2 Additional rights by region (summary)
- EEA/UK (GDPR): right to access, rectification, erasure, restriction, portability, and objection; right to not be subject to decisions based solely on automated processing.
- California (CCPA/CPRA): right to know, delete, correct, and limit use of sensitive personal information; right to opt out of sale or "sharing" (we do not sell/share for cross‑context behavioral advertising). No discrimination for exercising rights.
We verify requests and may ask for additional information to protect your account. To exercise any rights, use Settings → Privacy or contact us (see Contact).
10) Security
- Encryption in transit (HTTPS/TLS) and at rest for primary data stores.
- Strict access controls, least‑privilege role design, and MFA for internal access.
- Logging, monitoring, and automated alerts for suspicious activity.
- Vulnerability management and regular security reviews.
No method of transmission or storage is 100% secure. We will notify you of a data breach as required by applicable law.
11) Children & Minors
The Services are designed for users 16 years and older. We do not allow children under that age to use this service.
If you believe a child provided us with personal data without proper consent, please contact us, and we will take appropriate steps.
12) International Data Transfers
We may store/process data in countries other than where you live. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses for EEA/UK transfers) and commit to protecting your data consistently with this policy.
13) Third‑Party Links & Social Sharing
If you share to third‑party sites (e.g., LinkedIn, Instagram), their terms and privacy policies govern those platforms. We do not control those services. Please review their privacy practices before sharing.
14) Automated Decision‑Making
We do not use automated decision‑making that produces legal or similarly significant effects about you. We may use automated systems for fraud prevention and service reliability.
15) Changes to This Policy
We may update this policy to reflect changes to our Services or applicable laws. We will post the updated policy with a new "Last updated" date, and, where appropriate, provide additional notice (for example, email or an in‑product banner). Your continued use of the Services after an update means you accept the revised policy. If changes materially affect your rights, we will seek your consent where required by law.
17) Region‑Specific Notices (Detailed)
California (CCPA/CPRA)
- Categories of personal information collected: Identifiers (name, email), internet or other electronic network activity information (usage logs), education information (scores/credentials you upload), inferences (non‑identifying, product analytics).
- Sources: you (directly), your devices, optional SSO/verification services.
- Purposes: provide/secure the Services, verification, communications, analytics (if enabled).
- Disclosure for a business purpose: to service providers (hosting, email, security, analytics).
- Sale/Sharing: we do not sell or share your personal information for cross‑context behavioral advertising.
- Sensitive personal information: we do not collect SPI as defined by CPRA (e.g., government IDs) unless you voluntarily provide it.
- Your rights & requests: To access/know, delete, correct, or limit use of SPI, use Settings → Privacy or contact privacy@showmyscore.com. We honor Global Privacy Control (GPC) signals where applicable.
EEA/UK (GDPR)
- Controller: Show My Score (entity details to be added).
- Legal bases: (i) Contract – to provide the Services; (ii) Consent – for public sharing and analytics cookies; (iii) Legitimate interests – security, fraud prevention, service improvement (balanced with your rights); (iv) Legal obligation – compliance with law.
- Data subject rights: access, rectification, erasure, restriction, portability, objection, and complaint to a supervisory authority.
- Transfers: we rely on appropriate safeguards (e.g., SCCs) for cross‑border transfers.
18) Practical Privacy Tips
- Share only what you are comfortable making public.
- Use the preview before you post your public profile.
- Prefer sharing a link/QR rather than re‑posting screenshots (links can be revoked).
- Enable 2‑factor authentication on your email account used with Show My Score.
Thank you for trusting Show My Score with your information. We're committed to transparency, security, and putting you in control.