Privacy Notice
Olds Minor Soccer Club · Jersey Bond Authorization
Effective date: 2026‑04‑30. This notice applies to omsc‑payments.spearstone.ca and the cardholder data collected by Olds Minor Soccer Club (“OMSC”, “we”) for the jersey‑bond program.
1. What we collect
- Your email address (for sign‑in by one‑time code).
- The name on the credit card, the billing address, and a printed name + acknowledgement capturing your authorization.
- The card brand, last four digits, and expiry month/year returned to us by Stripe. We do not store the full card number, the CVV, or any magnetic‑stripe data — that information goes directly from your browser to Stripe and never touches our servers.
- The names of the children you enroll for the jersey bond.
- Operational logs of staff contact attempts with you about jersey returns (date, method, notes).
- Technical metadata at sign‑up time (IP address, browser user‑agent, timestamp) recorded as the digital equivalent of a wet‑ink signature.
2. Why we collect it
- To authenticate you when you sign in (email + one‑time code).
- To save a credit card on file via Stripe so OMSC can charge $150 CAD per child whose jersey is not returned within one week of the season's end — the “jersey bond.”
- To audit‑log every staff action that affects your account for accountability and dispute defence.
- To send you transactional notifications (sign‑in code, card on file, jersey‑late notice, charge confirmation/failure).
We do not use this information for marketing, do not share it with third parties for advertising, and do not sell it.
3. Where it lives
- Cloudflare D1 (database) — primary storage for your profile and the audit log. Cloudflare‑hosted, may be replicated across multiple regions.
- Cloudflare R2 — nightly tamper‑evident archive of the audit log.
- Stripe (payment processor) — holds the card number and full payment‑method data. Stripe is PCI‑DSS Level 1 certified. We are scoped to PCI‑DSS SAQ A because no card data ever transits our systems.
- TundraFox (mail.tundrafox.ca, Stalwart) — outbound transactional email. Hosted on bare‑metal servers in Toronto, Canada (Leaseweb). No US cloud provider in the chain.
4. How long we keep it
Cardholder records are retained for as long as the parent has at least one child active in OMSC programming, plus seven (7) years after the last charge or last activity, matching Canada Revenue Agency record‑keeping requirements. After that window, the record is purged on request from OMSC staff or by automated retention sweep.
The audit log is retained indefinitely — but after a parent record is deleted (see below), the audit rows referencing them retain only the pseudonymous UUID and the actor email of any staff member who acted, not the parent's name or address.
5. Your rights under PIPEDA
- Access — you may request a complete copy of every record we hold about you, including the audit‑log slice. OMSC will produce this within 30 days at no charge.
- Correction — if any field is wrong (your name, address, etc.), email [email protected] and we'll correct the record.
- Deletion / withdrawal of consent — you may request deletion of your record at any time by emailing the address above. We will: (a) detach your card from Stripe, (b) delete your profile, your children's records, and the related contact log, and (c) preserve only the audit chain entries (with no PII beyond the pseudonymous UUID). The cascade completes within 7 days of the request.
- Complaints — if you are not satisfied with OMSC's response, you may complain to the Office of the Privacy Commissioner of Canada at priv.gc.ca.
6. How we secure it
- HTTPS‑only with HSTS preload.
- Strict Content‑Security‑Policy limited to OMSC and Stripe origins.
- Sign‑in tokens are 256‑bit, hashed before storage,
carried in
__Host‑prefixed Secure HttpOnly SameSite Lax cookies, and rotated on activity. - Every staff action is recorded in a hash‑chained audit log and exported nightly to tamper‑evident cold storage.
- Stripe payment processing is PCI‑DSS Level 1 certified. We never see your full card number or CVV.
7. Contact
For privacy questions, access requests, or deletion requests, email [email protected].
This notice may be updated. Material changes will be communicated by email to all parents on file at the time of the change.