Privacy Policy
ScoreCounter is built to be useful with as little personal data as possible. There are no accounts, no login, no registration. This policy explains what is stored, where, why, the legal basis under the EU General Data Protection Regulation (GDPR) and the UK GDPR, and how to exercise your rights.
1. Who is the data controller
The data controller for the personal data processed by this service is Ruwix Services SRL, a company registered in Romania, which operates scorecounter.com. You can read more about who runs the service on the About page. Contact details are in section 17 below or find it on Ruwix.ro.
Because of the small scale and limited categories of data, no designated Data Protection Officer (DPO) is required under Article 37 GDPR. Privacy questions can be sent directly to the contact address below and will be answered by Ruwix Services SRL.
2. Summary
- No accounts👤, no sign-up, and no user profiles.
- We do not intentionally store personal information. We store only the scoreboard data you enter.
- If you type a real person's name or other personal information into a scoreboard and share the link, that information can be visible to others.
- Scoreboard data is held in a SQLite database on a hosted server.
- ScoreCounter itself does not set first-party HTTP cookies for the public service, but third-party services may use cookies or similar technologies where permitted by consent and applicable law.
- We use third-party services including Setupad, Cloudflare, Google Analytics, Google Ads, and Bluehost.
- We display a GDPR-compliant consent management platform (CMP) provided by Setupad where required.
- You can edit or delete any scoreboard you created using its admin URL. Inactive boards are auto-deleted within 7 days.
3. What we collect and the legal basis
Under Article 6 GDPR each category of data has a specific legal basis:
- Scoreboard content you enter (titles, team and player names, scores, custom CSS, label text). Legal basis: Article 6(1)(b) - performance of the service you requested by creating the board; and Article 6(1)(a) - your consent given by typing the content in.
- Random scoreboard IDs and edit-key hashes. Legal basis: Article 6(1)(b) - necessary to let only you, the creator, edit the board you made.
- API key records, only where you have been issued an API key for a higher scoreboard-creation limit: the key, an optional label, the limit, and basic usage data (a request count and last-used time). Legal basis: Article 6(1)(b) - performance of the arrangement under which the key was issued.
- Server access logs (IP address, request path, HTTP method, timestamp, user-agent). Legal basis: Article 6(1)(f) - legitimate interest in keeping the service secure, diagnosing operational issues, and blocking abuse. The IP address is processed only as long as needed for these purposes (see section 9).
- Local-storage UI preferences. Strictly necessary or functional, kept entirely in your browser and never transmitted to the server. No legal basis under Article 6 is needed for storage we never see.
We do not process special categories of personal data within the meaning of Article 9 GDPR (health, race, ethnicity, religion, sexual orientation, biometrics, etc.). Please do not type such data into a scoreboard.
4. What the server stores
When you create a scoreboard, the server stores the data needed to render and edit it. This is held in a local SQLite database on the server. For a generic scoreboard this includes:
- An auto-generated scoreboard ID.
- Your edit key (see section 5).
- What you typed in: title, team or player names, custom CSS, label text.
- Game state: scores, fouls, timeouts, current period, timer values, shot clock values.
- Display settings: theme, colours, font, layout, what is shown or hidden.
- Timestamps: created, last updated, last time the live view was opened, last time the admin view was opened.
- Status (active or ended) and an optional expiry timestamp.
Other scoreboard types (tennis, cricket, baseball, tournament, leaderboard, standings, scoresheet, race timer, chess clock) store similar fields appropriate to their format.
None of these fields are intended to be personal data. They only become personal data if you decide to type a real person's name or other personal identifier into a scoreboard. If you then share the live scoreboard URL, that information may be visible to anyone who opens the link you shared.
5. Edit keys
When a scoreboard is created, the server generates a random edit key, hashes it with SHA-256, and stores only the hash. The original key is returned to you once, embedded in the admin URL (?editkey=...) and displayed on the admin page in text and QR code formats. We cannot recover this key for you, and we cannot derive it from the stored hash. Keep your admin URL safe.
6. Cookies, local storage and consent
ScoreCounter itself does not set first-party HTTP cookies for the public scoreboard service. Nothing is written to document.cookie by the core ScoreCounter application. The one exception is a temporary session cookie used only on the private /manage dashboard, which is not part of the public service.
The application uses your browser's localStorage to remember a small number of functional preferences. localStorage stays in your browser and is not sent to the server by the browser automatically. The keys we use are:
siteTheme- your light/dark theme choice for the site interface.tourneyAutoAdvance- on the Tournament admin page, whether match winners auto-advance to the next round.sc_api_key- set only if you opened a link containing an API key; the key is stored here so it can be applied to the scoreboards you create. Clear your browser storage to remove it.
Because the site uses third-party advertising (Setupad), analytics (Google) and infrastructure services, those third parties may use cookies, local storage, identifiers, pixels or similar technologies, depending on your consent choice and applicable law. Where required, we show a GDPR-compliant consent management platform (CMP) provided by Setupad.
7. Who can see your scoreboard
- Anyone with the live URL can view it. Live URLs use short random IDs; they are not indexed by us, but they are not secret. Do not share the live URL with people you do not want watching.
- Anyone with the admin URL can edit or delete it. Treat this URL like a password.
- The server operator has direct access to the SQLite database file as part of normal hosting, backups and security maintenance.
8. Recipients of data and third-party services
We do not sell, rent or trade personal information. However, the site uses third-party services for hosting, security, analytics, advertising and consent management:
- Bluehost - the hosting provider for the application server and the SQLite database.
- Cloudflare - the content delivery network that fronts the site for caching, TLS termination, performance and DDoS protection.
- Setupad - the advertising provider and consent management platform provider.
- Google Analytics - used to understand aggregate website traffic and usage.
- Google Ads - used in connection with advertising and ad measurement.
- Public visitors of a live URL you have shared. Anyone with the live scoreboard link can view the scoreboard data you entered.
These services may process technical data such as IP address, browser information, device information, request path, timestamps, approximate location, consent choices, ad identifiers or analytics identifiers, depending on the service, your consent choice and applicable law.
9. Retention and deletion
Scoreboard data is short-lived by design:
- Scoreboards: a nightly cleanup might delete any scoreboard that has not been opened (live or admin) for 7 days. You can delete a scoreboard yourself at any time from its admin page; deletion is immediate and the record is removed from the database.
- Server access logs: retained for up to 30 days, then rotated and deleted. Logs are used only for security and operational purposes.
- Database backups: kept for up to 30 days on the same server, then overwritten.
- Local-storage preferences: kept by your browser until you clear them. The server never sees them.
Once data has been deleted from the database and rotated out of backups it cannot be recovered.
10. Hosting and international data transfers
The application server and database are hosted on Bluehost. The site is fronted by the Cloudflare content delivery network for caching, TLS termination, performance and DDoS protection. Advertising and consent management are provided through Setupad, and the site may also use Google Analytics and Google Ads.
Transfers from the European Economic Area (EEA) to the United States rely on Article 49(1)(b) GDPR (transfer necessary for the performance of a contract with the data subject) for the scoreboard content you submit, and on the EU-US Data Privacy Framework together with Standard Contractual Clauses (SCCs) agreed with the providers for any other transfer. Bluehost and Cloudflare both publish their terms and SCCs on their respective websites.
11. Security
Reasonable technical and organisational measures are in place:
- HTTPS for all public traffic, with HSTS in production.
- A strict Content Security Policy and other security headers via Helmet.
- Edit keys stored only as SHA-256 hashes, never in plain text.
- The private
/managedashboard is protected by a password and rate-limited login. - Operating-system patching and minimal exposed services on the host.
No system is perfectly secure. If we become aware of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by Article 33 GDPR, and we will inform affected users without undue delay where Article 34 applies.
12. Automated decision-making and profiling
ScoreCounter performs no automated decision-making or profiling within the meaning of Article 22 GDPR. The service simply renders the values you typed in. No decisions producing legal or similarly significant effects are made about you.
13. Children
The service is not directed at children under 16 (or under the digital-consent age set by your Member State under Article 8 GDPR, which can be as low as 13). No accounts exist, so we do not knowingly collect any personal data from children. If you become aware that a child has typed personal data into a scoreboard, please contact the operator and we will remove it.
14. Your rights under the GDPR
Under Articles 15 to 22 GDPR you have the following rights with respect to your personal data:
- Right of access (Article 15) - obtain confirmation of whether we hold data about you and a copy of that data. Because we store no identifiers, please supply the scoreboard ID or admin URL so we can locate the record.
- Right to rectification (Article 16) - have inaccurate data corrected. You can do this yourself by editing the scoreboard from its admin URL.
- Right to erasure / "right to be forgotten" (Article 17) - have your data deleted. Use the Delete button on the admin page, or ask the operator and provide the scoreboard ID.
- Right to restriction of processing (Article 18) - pause processing in certain circumstances. In practice, deletion of the scoreboard achieves the same result on this service.
- Right to data portability (Article 20) - receive the data you provided in a structured, commonly used and machine-readable format. On request the operator will export the scoreboard's content as JSON.
- Right to object (Article 21) - object to processing based on legitimate interest. This mainly applies to server access logs; contact the operator and we will discuss what is technically possible.
- Right not to be subject to automated decision-making (Article 22) - not applicable, since we make no automated decisions about you.
- Right to withdraw consent (Article 7(3)) - where processing is based on consent (the content you typed in), you may withdraw consent at any time by deleting the scoreboard. Withdrawal does not affect lawfulness of processing before withdrawal.
To exercise any of these rights, contact the operator at the address in section 17. We will respond within one month of the request as required by Article 12(3) GDPR. Exercising your rights is free of charge unless requests are manifestly unfounded or excessive (Article 12(5)).
15. Right to lodge a complaint with a supervisory authority
If you believe your personal data has been handled in a way that breaches the GDPR, you have the right to lodge a complaint with a supervisory authority (Article 77 GDPR), in particular in the EU/EEA Member State of your habitual residence, your place of work, or the place of the alleged infringement. The list of national supervisory authorities is published by the European Data Protection Board. The supervisory authority for the data controller, Ruwix Services SRL, is Romania's National Supervisory Authority for Personal Data Processing (ANSPDCP). In the United Kingdom, the supervisory authority is the Information Commissioner's Office (ICO).
We would also appreciate the chance to address your concern directly first - the contact details are in section 17.
16. Changes to this policy
This policy may be updated from time to time, for example to reflect changes in the service, the law, or guidance from supervisory authorities. The "Last updated" date in the header reflects the most recent change. Material changes will be highlighted at the top of this page.
17. Contact
For privacy questions, data subject requests, or to report a concern, contact the operator at the email address shown below.
