Security & data protection
Your members’ data, protected by design
Schools trust QuickKicks with member contact details, kids' records, waivers, and payments. Here's exactly how we keep that data safe, and why it stays yours.
How we protect it
Security built into the platform, not bolted on
These aren't settings you have to turn on. They're how QuickKicks is put together.
Encrypted in transit and at rest
Every connection runs over HTTPS/TLS, and your data is encrypted at rest in our managed database and its backups. There's no plain-text copy of your roster sitting anywhere.
Database-level tenant isolation
Every record is tagged with the organization that owns it, and row-level security enforces that boundary in the database itself, not just in app code. One school can never see another school's members.
Card data never touches our servers
Payments run through Stripe. Card and bank numbers go straight to Stripe's PCI-certified vault. We only ever store the last four digits, card brand, and status, so a breach of QuickKicks can't expose a card number.
Passwords we can't read
Logins are handled by a dedicated identity provider. Passwords are stored only as salted hashes; we never see, log, or store the cleartext, and we support modern single sign-on.
DDoS protection and bot defense
Cloudflare sits in front of the platform for edge delivery and DDoS protection, with a bot challenge on signup and rate-limiting on sensitive actions to keep abuse out.
Audit trail on the actions that matter
Logins, signups, and payment events are time-stamped and logged. Significant changes leave a record, so there's always an answer to who did what and when.
Tamper-evident signatures
Electronic waivers capture the signed text, signer identity, timestamp, IP, and device as legal evidence under the ESIGN Act and UETA, so a signed record stays provable.
Backed up and recoverable
Production data is hosted in the United States on Microsoft Azure with automated backups, so an accident or outage doesn't mean lost records.
Your data, your call
No lock-in, no surprises
Your data is yours
The members, payment history, ranks, and notes in your account belong to you. Export them whenever you want. We act on your instructions as the processor and never use your members' data for our own purposes.
No selling, no ad trackers
We don't sell contact lists and we don't run third-party advertising trackers on the app. The only cookies we set are for keeping you signed in and blocking bots.
Leave clean
Cancel any time. After cancellation we keep your data for 30 days so you can export or recover it, then delete it from production. Backups roll off on a 30-day cycle.
Compliance & transparency
Honest about where we are
We're an independent company, and we'd rather show you exactly how the platform works than wave a badge at you. Our privacy policy lists every vendor that touches your data and why. If your vendor review needs more, a real person will answer it.
- GDPR and UK GDPR rights: access, correction, export, and deletion.
- COPPA-aware: the school stays the controller for its members.
- ESIGN Act and UETA evidence captured on every signed waiver.
- Published sub-processor list, updated before any change takes effect.
- Data Processing Agreement available for organizations that need one.
Security FAQ
The questions vendors and owners ask
In the United States, on Microsoft Azure (US regions), in a managed Postgres database encrypted at rest. The full list of sub-processors we rely on is published in our privacy policy and we update it before any change takes effect.
