Effective date: 2026-07-07
Security Philosophy
Hockey Anchor should only make security claims that are actually implemented and verified.
The Release 1 security approach is practical and evidence-bound. It focuses on protecting payment flow, sign-in, household data, paid access, case records, and support handling.
Payment Security
Stripe handles card payment processing.
Hockey Anchor does not store full card numbers or card security codes.
Sign-In
Hockey Anchor uses magic-link/session-based sign-in for Release 1.
Families should not forward magic links or send magic links through support.
Paid Access
Paid access depends on server-verified payment and entitlement state.
A client-side claim, screenshot, or manually edited browser state is not enough to create paid access.
Household And Case Protection
Hockey Anchor's private case and entitlement flows are designed around household isolation and protected route behavior.
Authenticated users should not be able to access or mutate another household's cases, entitlements, or support records.
Privileged Access
Privileged database credentials and service-role access must stay server-side.
Service-role credentials, API keys, webhook secrets, session tokens, magic links, and internal credentials must not appear in public docs, support messages, screenshots, reports intended for sharing, or commits.
What Families Should Not Send
Do not send:
- Payment card numbers.
- Card security codes.
- Passwords.
- Magic links.
- Session cookies.
- API keys or service credentials.
- Private communications unless essential to the support issue.
Reporting A Security Concern
Use Support or Contact for security concerns.
Security and privacy issues are prioritized for same-day or next-business-day response.
Limits
No security page should imply that Hockey Anchor is risk-free.
Security is an operating responsibility. If a material payment, access, privacy, security, youth-data, case-integrity, or incorrect-delivery incident affects a family, Hockey Anchor should notify affected families according to the incident notification rules.