← NewTon DC Tournament Manager

Privacy Architecture

NewTon DC Tournament Manager: total privacy by design.

Overview

NewTon DC Tournament Manager's privacy model is simple: your data lives in your browser, period. This isn't a privacy policy you have to trust — it's an architectural guarantee. Your tournament data physically cannot leave your device unless you explicitly export and share it.

Privacy by architecture, not by policy. The system is designed so that even if we wanted to collect your data, we couldn't.

How It Works: Browser LocalStorage

What Is LocalStorage?

LocalStorage is a browser feature that stores data on your computer, isolated per website domain. When NewTon DC Tournament Manager saves your tournament, it goes into your browser's localStorage — a sandboxed area that:

Technical Details

Storage location examples:

Most browsers allow 5–10 MB per domain. NewTon DC Tournament Manager uses ~1–2 MB for typical tournaments. A 32-player tournament with full history uses around 110 KB.

Who can access your data:

What This Means in Practice

When you run a tournament:

  1. You open tournament.html (locally or on the demo site)
  2. NewTon DC Tournament Manager loads data from your browser's localStorage
  3. All processing happens in your browser
  4. Changes are saved back to your browser's localStorage
  5. Nothing is transmitted anywhere

Even on the demo site, the server only delivers the HTML/CSS/JavaScript files once. After that, all data stays in your browser.

What NewTon DC Tournament Manager Doesn't Do

No Analytics

No Google Analytics, no visitor tracking, no usage statistics, no page view counters.

No Telemetry

No error reporting to external servers, no performance metrics, no feature usage tracking.

No External Dependencies

No CDN calls, no external fonts from Google or Adobe, no JavaScript libraries loaded from external sources. All assets are served from the same domain or bundled directly in the HTML file.

No Cookies

No tracking cookies, no session cookies, no authentication cookies. Browser localStorage only — not cookies.

No User Accounts

No registration, no login, no passwords, no email addresses.

NewTon DC Tournament Manager cannot "phone home" even if it wanted to. There is no analytics endpoint, no telemetry server, no external service to send data to.

Storage Architecture

Per-Tournament Isolation (v4.0+)

Starting with version 4.0, each tournament stores its data in dedicated localStorage keys:

tournament_1729251357350         → Tournament data
tournament_1729251357350_history → Transaction history
tournament_1729456789123         → A different tournament
tournament_1729456789123_history → Its history
dartsTournaments                 → Tournament registry
dartsGlobalConfig                → Global settings
dartsSavedPlayers                → Saved player names

When you delete a tournament, all associated keys are removed — no residue, no contamination between tournaments.

Export Privacy

What's Included in Exports

When you export a tournament, the JSON file contains only:

What's not included: other tournaments' data, your browser information, your IP address, your global configuration, or any metadata beyond what you typed.

Sharing Exports

If you share an export file, recipients see only the tournament name, player names, match results, and final placements. No hidden metadata, no browser fingerprints.

Demo Site Model

The demo site at newtondarts.com follows the same privacy model as local use:

  1. Server delivers HTML/CSS/JavaScript files — a one-time download
  2. Your browser runs the application locally
  3. All data stored in your browser's localStorage
  4. Server never receives any tournament data

The REST API is disabled on the demo site (NEWTON_API_ENABLED=false), making it architecturally impossible for your data to leave your device.

The demo banner says "Everything you do is stored locally in your browser. Your data never leaves your device." — this is an architectural guarantee, not a policy statement. Even the server administrator cannot access your tournament data because it never reaches the server.

Self-Hosting & the REST API

NewTon DC Tournament Manager includes an optional REST API for self-hosters who want to share tournaments across devices. This is the only exception to the "data never leaves your device" model.

What the API Does

Uploading requires an explicit action — NewTon DC Tournament Manager never uploads anything automatically.

Any file uploaded to the server must pass the Tournament Manager's import validation before it can be loaded. Files that don't match the expected tournament structure are rejected by the client — they cannot affect your tournament data.

Privacy Implications

If the REST API is enabled on your self-hosted instance, only tournaments you explicitly upload are sent to the server. Tournaments you don't upload, your localStorage content, and all configuration remain entirely local.

You control the server — self-hosted means you own the data. No telemetry or analytics are ever sent anywhere, regardless of API settings.

For the full API reference including endpoints, request/response format, and security practices, see REST API Documentation.

Recommended Configurations

Maximum privacy (public deployments):

environment:
  - NEWTON_API_ENABLED=false  # Block all API endpoints
  - NEWTON_DEMO_MODE=true     # Show privacy banner

Private self-hosting (trusted environment):

environment:
  - NEWTON_API_ENABLED=true   # Allow tournament sharing
  # Data stays on your server, under your control

Security Architecture

NewTon DC Tournament Manager's privacy model and security model are the same thing. The architecture that protects your data also eliminates attack vectors.

Read-Only Server Surface

The server delivers static files via GET requests. There are no POST, PUT, or DELETE endpoints in normal operation (the optional REST API is disabled by default). With no write mechanism, there is no way for an attacker to persist anything on the server.

Security Headers

All pages are served with comprehensive security headers, enabled by default in Docker deployments:

Documentation pages and the landing page achieve an A+ grade on securityheaders.com with a strict CSP. The tournament app grades A — see below for why.

Why unsafe-inline Is Safe in NewTon

The Tournament Manager's CSP includes unsafe-inline for scripts and styles — normally considered a security risk because it allows inline scripts to execute. In a traditional web application, this enables Stored Cross-Site Scripting (XSS): an attacker saves a malicious script to a database, and every visitor who loads the page runs it.

NewTon has no database. There is nowhere for an attacker to persist a malicious script. The entire attack model collapses:

The result: the only way to execute malicious inline code would require a user to deliberately inject it into their own browser. The risk is localized to the person doing it, non-persistent, and architecturally sandboxed. It cannot spread to other users because there is no shared state.

This is why unsafe-inline — a genuine vulnerability in applications with databases and user accounts — is architecturally neutralized in NewTon DC Tournament Manager's read-only, stateless, self-contained model.

Offline Operation

NewTon DC Tournament Manager works completely offline because:

Typical offline workflow: Download tournament.html while you have internet, copy to a USB drive, open on the tournament laptop at the venue, run the entire tournament, export results when done.

Frequently Asked Questions

Can NewTon DC Tournament Manager track me if I run it locally?

No. When you open tournament.html directly from your file system, there's no network connection for data to travel over.

Can the demo site see my tournament data?

No. The server only delivers the application files once. All data is stored in your browser's localStorage, which the server cannot access.

What if I use browser sync (Chrome sync, Firefox sync)?

If you have browser sync enabled, your browser may sync localStorage data across your devices — depending on browser settings. This is a browser feature, not a NewTon DC Tournament Manager feature. Your data still doesn't go to NewTon; it goes to Google's or Mozilla's sync servers if you've enabled that. To avoid sync: use a profile without sync, use private/incognito mode, or disable localStorage sync in browser settings.

What about browser extensions?

Browser extensions with storage permissions can theoretically access localStorage. This is true for any website — it's a browser security model limitation. For maximum privacy, use a clean browser profile without extensions.

Does NewTon DC Tournament Manager comply with GDPR?

GDPR doesn't apply to NewTon DC Tournament Manager in most cases because no data is processed by the software — data stays on your device — and no personal data is collected by NewTon's authors. If you collect player names for your own club records, you are the data controller (same as using a spreadsheet).

Can I verify these privacy claims?

Yes — NewTon DC Tournament Manager is open source. View the source code at github.com/skrodahl/NewTon, inspect network requests in browser DevTools (should be zero outbound), and examine localStorage directly. Don't trust — verify.

What if I delete my browser data?

Your tournaments are deleted. LocalStorage is part of browser data. Export your tournaments regularly and keep the files somewhere safe — treat exports as your permanent backup and localStorage as working storage.

Summary

What NewTon DC Tournament Manager guarantees:

The only exception:

Privacy by architecture. NewTon DC Tournament Manager is designed so your data cannot leave your device unless you explicitly export and share it. This isn't a promise — it's how the system is built.

NewTon DC Tournament Manager — BSD-3-Clause License — GitHubPrivacy

No popups? No cookies!