Buckin' Rodeo

Legal

Privacy Policy

Last updated: 2026-05-07

This is the current operating policy for Buckin' Rodeo. It is reviewed quarterly and any material change is dated at the top of the page. If you want a copy of the data we hold on you, see Section 10.

1. Data we collect

Account data: the email address you provide when you register, plus an optional display name. If you choose to sign in with a password, we store that password as a PBKDF2-SHA256 hash with a per-account random salt and 600,000 iterations. We never store the password itself. If you choose Sign in with Apple, we store the stable Apple subject id Apple gives us; if Apple shares your email with us, we store that, otherwise we store the relay address Apple provides. The legacy magic-link path remains available; magic-link tokens are single-use and expire after thirty minutes.

Profile data: handle, hometown, home circuit, favorite disciplines, bio, and any avatar you upload. All optional. All editable from the Account tab.

Pick'em data: the picks you submit on Pick'em surfaces, your leaderboard handle, and your point totals.

Comment data: your email is associated with comments you post on the Rails feed; your display name or handle is shown publicly. Comment reports, blocks, and mutes you initiate are stored against your account.

Usage data: page URL, referrer, user agent, IP address (truncated to /24 after ingestion), country code, timestamp.

Purchase data: if you buy from the Shop, Stripe collects payment details. We store only the order ID, SKU, and shipping address. Card numbers never touch our servers.

Click tracking: when you click a sponsored or affiliate link, we log the click to the `affiliate_clicks` table: timestamp, the link slug, the article you came from, device type, country code.

Push device tokens: if you grant push permission in the iOS app, we store the APNS device token tied to your account so push notifications can route to you.

2. What we don't collect

We don't run Google Analytics, Facebook Pixel, TikTok Pixel, or any cross-site tracking script. We don't sell or rent your data. We don't build advertising profiles.

3. Why we collect

  • To send you the content you signed up for (newsletter, comment replies).
  • To measure which stories readers find valuable, using our own first-party analytics only.
  • To prevent spam and abuse.
  • To fulfill Shop orders.
  • To report aggregate traffic to potential sponsors (e.g., "50,000 monthly readers, 60% rural states"), never individual data.

4. How long we keep it

  • Account records: until you delete the account from inside the iOS app or by emailing the address in Section 11. On deletion, we soft-delete immediately (your sessions end, your email is freed for a future re-registration, your handle and avatar are cleared) and hard-purge the row within 30 days.
  • Session tokens: each session token expires 90 days after issue. Password reset tokens expire 30 minutes after issue. Email verification tokens expire 7 days after issue.
  • Comments: we retain comments for the archival record of the article. You can request deletion of your comment record at any time.
  • Usage logs: aggregated after 90 days; raw IPs truncated immediately on ingest.
  • Purchase records: seven years for tax and warranty compliance.

5. Who we share with

  • Apple: if you sign in with Apple, Apple authenticates you. Apple does not see your activity on the Site or in the app beyond the sign-in event.
  • Apple Push Notification service: push notifications you opt in to are routed through Apple's servers using the device token your iPhone provides.
  • Stripe: payment processing for Shop purchases.
  • Resend: transactional email delivery (registration verification, password reset, magic-link, newsletters).
  • Cloudflare: site hosting, CDN, and database. Cloudflare sees request metadata inherent to serving the Site.
  • Affiliate partners (SeatGeek, Impact.com, Commission Junction, etc.): when you click an outbound affiliate link, they set their own cookie on the destination site. We do not share our data with them.

We do not share your data with ad networks, data brokers, or any third party not listed above.

6. Your rights

If you reside in California, Colorado, Virginia, Connecticut, Utah, or any other jurisdiction with a comprehensive consumer privacy law, you have the right to:

  • Know what we've collected about you.
  • Request deletion of your data.
  • Opt out of any "sale" of your data (we do not sell data, but this right applies anyway).
  • Correct inaccurate data.
  • Port your data to another service.

To exercise any right, email privacy@buckinrodeo.com with "Privacy Request" in the subject line. We respond within 30 days (with one 45-day extension allowed under California law).

EU/UK readers: our data practices are aligned with the principles of the GDPR and UK GDPR: lawful basis (consent for newsletters, legitimate interest for analytics and fraud prevention), data minimization, purpose limitation, and storage limitation. Contact privacy@buckinrodeo.com for any data-subject request.

7. Children

We do not knowingly collect personal data from children under 13. If you believe a child has submitted data through our Site, email privacy@buckinrodeo.com and we will delete the record.

Our coverage of high-school and junior rodeo is limited to information published by the governing bodies (NHSRA, NLBRA, AJRA, etc.). We do not display face photographs of minors. We do not publish contact information for athletes under 18.

8. Cookies

See the Cookies Policy for a full list.

9. Security

We host on Cloudflare's infrastructure with TLS encryption enforced. Passwords are stored as PBKDF2-SHA256 hashes with a per-account random salt and 600,000 iterations; the plaintext password is never written to disk. Magic-link tokens, email-verification tokens, and password-reset tokens are single-use and time-limited (thirty minutes for magic-link and reset, seven days for email verification). Sign in with Apple identity tokens are validated server-side against Apple's published JWKS on every sign-in. Sign-in endpoints are rate-limited per IP and per email to deter credential stuffing. Database access is restricted and logged.

9a. Account deletion

Account deletion is available from inside the iOS app under Account, Delete account, and is also available by emailing privacy@buckinrodeo.com. On deletion we immediately revoke every active session, anonymize your email so the address can be re-registered, and clear your handle, display name, bio, hometown, and avatar. The row is hard-deleted from our database within thirty days. Comments you posted are detached from your account but may remain visible on articles unless you also request comment deletion in the same message.

10. Changes

Material updates to this policy will be noted at the top of the page for thirty days. The date at the top of this page reflects the latest update.

11. Contact

Privacy questions: privacy@buckinrodeo.com.
