    Security and Privacy on Talentelly: Roles, Data, and What Stays Public

    How private admin work differs from the public hub, how to handle minors’ data, and practical habits for coaches, schools, and program leads.

    Talentelly Product Team

    Product

    April 26, 2026 · 11 min read
    Security
    Privacy
    Roles
    Data

    Talentelly sits between private operations (rosters, drafts, financial screens under /admin/...) and public storytelling (hub pages, profiles, shareable certificates). Security is not only password strength—it is who can see what, what you export, and how you behave in WhatsApp groups when rosters are involved.

    Three layers of visibility (with examples)

    1. Individual account

    Private by default: login identifiers, notification preferences, and activity that you have not chosen to surface publicly. Manage these under Account, settings, and notifications.

    Example: Priya sets her phone for SMS alerts but does not display her phone on her public profile. Coaches reach her through in-app or official channels.

    2. Entity workspace (admin)

    Operational truth: full rosters, draft events, bulk upload error logs, payment states—meant for authorized staff. Entry points include admin dashboard, users, groups, and entity.

    Example: Lincoln Academy’s junior coach can manage matches for U-12 but cannot access payments or connections—reducing accidental financial exposure and cross-org mistakes.

    3. Public hub

    Published and intentional: entity marketing copy, live activities you made discoverable on hub, public profile fields participants opted into, published certificates (often shared as /hub/certificate/{id}).

    Example: A tournament page shows standings and schedules; it does not show parent phone numbers or internal disciplinary notes—those never belonged on the hub.

    Roles and least privilege

    Least privilege means: grant the minimum access someone needs today, review it quarterly, and revoke it on their last day. Review who appears under entity admins.

    Role archetype   | Often needs                      | Often should not have
    Head coach       | Groups, events, matches, reports | Entity payments, connections
    Volunteer scorer | Specific match edit              | Full user export
    Registrar        | Users, bulk upload               | Delete production data without process

    Example: An annual fest uses 50 student volunteers. Only two get admin-grade access; the rest get role-limited accounts or paper runbooks—preventing “someone clicked the wrong button” incidents.

    Data hygiene in the real world

    • Exports: Download rosters only for specific tasks; store in approved drives with access controls; delete when obsolete.
    • Chat apps: Posting full spreadsheets in public Telegram channels has caused real breaches. Share hub links or redacted PDFs per policy.
    • Minors: Treat any child data as sensitive. Consent and guardian visibility rules depend on your jurisdiction—your legal counsel should name what Talentelly may hold and how you communicate that to parents.

    Example: A dance school stops emailing complete class lists with birthdates. They send “your child is in Batch B” from the system or masked summaries instead.

    Incidents and requests (“I want my data deleted”)

    • User requests: Route through your privacy process—verify identity, check legal retention needs, coordinate with support (help, tickets) if platform-level deletion is required.
    • Suspected unauthorized access: Force password reset for affected accounts, review entity admins, ticket support with timelines.

    Example: A shared laptop in a clubhouse was left logged in. The club revokes sessions if the product supports it, changes passwords, and re-trains volunteers on sign-out—treating it as a process problem, not only a tech glitch.

    Demos, screenshots, and projectors

    Example: A vendor demo uses fake entity “Acme Demo High” with synthetic names. Never mirror production rosters on a conference screen; shoulder surfing is a real exposure path. Use business collateral for commercial storytelling instead of live child data.

    Authentication habits

    • 2FA where your identity provider supports it—especially for finance and owner roles.
    • Shared credentials (“office@…”) are an audit nightmare; prefer named admins listed in entity admins.

    Tips

    • Quarterly access review: Export admin list; remove leavers; confirm contractors have end dates.
    • Public copy audit: Read your entity blurb aloud—if it overshares participant stories, trim for dignity and consent.
    • Train coaches on one rule: “If you would not pin it on the school gate, do not paste it in a public URL without policy review.”

    Related: User management · Help and support · Privacy policy (platform-wide legal text)

    Talentelly Product Team

    Product

    Publishes Talentelly product articles for teams learning the platform and improving how they run programs day to day.