Privacy Policy

• Email address - To create and authenticate your account
• Name - To personalize your profile
• Profile photo - Optional, for your account avatar

• Create and manage your AthleticOps account
• Authenticate you when you sign in
• Display your name and photo to other users within your organization
• Send you important account and service notifications

AthleticOps' use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

This means we:

• Only use Google data for the specific purposes described above
• Do not sell Google user data to third parties
• Do not use Google user data for serving advertisements
• Do not transfer Google user data to third parties except as necessary to provide core functionality (such as our secure hosting provider)
• Do not use Google user data for creditworthiness determinations or lending purposes

We collect information that you voluntarily provide when using our service:

• Account Information: Name, email address, password, phone number
• Profile Information: Role within your organization, affiliated schools/teams, preferences
• Organization Data: School names, team information, organizational structure
• Team Management Data: Team rosters, member roles, jersey numbers, contact information
• Event Information: Schedules, game details, locations, results
• Communications: Messages sent through our platform, support requests

When you access our service, we automatically collect:

• Usage Data: Pages visited, features used, time spent, interaction patterns
• Device Information: Browser type, operating system, device identifiers
• Log Data: IP address, access times, referring URLs
• Cookies and Tracking: Session tokens, preferences

We may receive information from:

• Authentication Providers: If you sign in using third-party authentication
• Integration Partners: Calendar services, communication tools (with your permission)
• Public Sources: Publicly available athletic schedules and event information

When you sign in with Google, we access the following Google user data:

• Email Address: Used to create and authenticate your account
• Name: Used to personalize your account and identify you within the platform
• Profile Photo: Optional, used for your account avatar

AthleticOps' use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We do not use Google user data for any purpose other than providing you with authentication and the core features of AthleticOps. We do not sell, share for advertising purposes, or use Google user data to train AI models or serve personalized advertisements.

• Provide, maintain, and improve AthleticOps functionality
• Manage user accounts and authentication (including Google Sign-In)
• Enable team management, scheduling, and communications
• Process and display athletic events and results
• Create and display your user profile within the platform

Information received from Google APIs is used exclusively for:

• Account Creation and Authentication: Your Google email address is used to create your AthleticOps account and verify your identity when you sign in
• Profile Personalization: Your name and profile photo (if provided) are displayed in your account settings and to other users within your organization based on your permission level
• Communication: Your email address is used to send account-related notifications, security alerts, and service updates

We do NOT use Google user data to:

• Sell or share your information for advertising purposes
• Train artificial intelligence or machine learning models
• Serve personalized advertisements
• Transfer data to third parties except as necessary to provide the service (e.g., our hosting provider)
• Any purpose unrelated to the core functionality of AthleticOps

• Send service-related notifications and updates
• Respond to support requests and inquiries
• Share important account or security information
• Send optional newsletters or product updates (with consent)

• Understand how users interact with our platform
• Identify and fix technical issues
• Develop new features and functionality
• Conduct research and analysis to improve our service

Analytics data is aggregated and anonymized whenever possible. We do not use Google user data for analytics purposes beyond understanding basic authentication patterns.

• Detect and prevent fraud, abuse, or security incidents
• Comply with legal obligations and enforce our Terms of Use
• Protect the rights, property, and safety of AthleticOps and our users

When we provide services to schools and school districts, we act as a "school official" under the Family Educational Rights and Privacy Act (FERPA) and as a service provider/processor under applicable privacy laws.

In this capacity, we process student and family information on behalf of and at the direction of the school. The school or district is responsible for:

• Providing required privacy notices to parents and students
• Obtaining necessary consents for data collection and use
• Ensuring compliance with FERPA, state education privacy laws, and other applicable regulations
• Determining what information is collected and how it may be used
• Managing access rights and data retention according to their policies

We act only on the school's instructions and do not use student data for any purpose other than providing the Service to the school.

When individuals, coaches, or independent organizations use our Service directly (not through a school), we may act as a data controller for information provided by coaches, parents, or organization administrators.

In these cases, the individual or organization using the Service is responsible for ensuring they have proper authority and consent to provide participant information to AthleticOps.

Team Administrators and Coaches (collectively "Team Admins") are users who create and manage teams, add participants to rosters, schedule events, and control access to team information. Team Admins are responsible for:

• Obtaining Proper Consent: Ensuring they have proper authorization to add participants (especially minors) to teams and provide their personal information to AthleticOps
• Accuracy of Information: Verifying that roster information, contact details, and participant data is accurate and up-to-date
• Managing Privacy Settings: Controlling who can view team rosters, schedules, and other team information
• Compliance with Applicable Laws: Ensuring their use of the Service complies with COPPA, FERPA (if applicable), and other privacy regulations
• Handling Data Deletion Requests: Processing requests from participants or parents to remove or modify personal information

Important: Team Admins act independently when creating and managing teams. AthleticOps does not verify that Team Admins have obtained proper consent before adding participants to rosters. By adding participants to a team, Team Admins represent and warrant that they have all necessary permissions and authorizations to do so.

Organization Administrators manage entire organizations or schools within AthleticOps. They are responsible for:

• Designating which users can create and manage teams
• Setting organization-wide privacy and visibility settings
• Ensuring compliance with their organization's policies and applicable laws
• Managing user access and permissions across the organization

If you are added to a team roster as a participant (or your child is added), you have the right to:

• Request access to your (or your child's) personal information
• Request corrections to inaccurate information
• Request deletion of your (or your child's) account and information
• Contact your Team Admin or Organization Administrator with concerns
• Contact us directly at privacy@timwagnerjr.com if Team Admins do not respond to your requests

Depending on team and organization settings, the following information may be visible:

• Team Rosters: Names, jersey numbers, and roles of team members may be visible to other teams within your organization or league
• Schedules and Events: Game schedules, event details, and results may be visible to opposing teams, league members, or the public
• Profile Information: Your name and role may be visible to other users within your organization
• Communications: Messages sent through team channels may be visible to all team members and administrators

Do not share sensitive personal information through AthleticOps that you do not want others to see. This includes:

• Social Security numbers, financial information, or government IDs
• Medical information or health conditions (unless required for team participation)
• Home addresses (unless necessary for team communication)
• Any information about minors that is not necessary for team management

While we provide privacy controls, Team Admins control visibility settings. If you have concerns about what information is visible, contact your Team Admin or Organization Administrator.

Google user data (email address, name, profile photo) is shared only with the following third parties:

• Supabase (Database & Authentication Provider): Stores your Google email address, name, and profile photo to enable account creation and authentication. Supabase is SOC 2 Type II certified and provides enterprise-grade security. Your Google data is encrypted in transit and at rest.
• Within Your Organization: Your name and profile photo (obtained from Google) are displayed to other users within your organization (team members, coaches, administrators) based on their permission level. Your email address is visible only to administrators who manage user accounts.

We do NOT share Google user data with any other third parties. We do not sell, rent, or share Google user data for advertising, marketing, or any purpose not directly related to providing AthleticOps services.

Team members, coaches, and administrators within your organization can access relevant information based on their permission level. Roster information may be visible to other teams within your organization or league.

We work with trusted third-party service providers who assist us in operating AthleticOps. We share only the minimum information necessary for each provider to perform their specific function. All service providers are contractually obligated to protect your information and use it only for specified purposes.

Data Processing Agreements: Where required by law (such as GDPR), we maintain data processing agreements with service providers to ensure they handle your information in compliance with applicable privacy regulations.

We may disclose information when required by law or to:

• Comply with legal process (subpoena, court order)
• Enforce our Terms of Use
• Protect the rights, property, or safety of AthleticOps, our users, or the public
• Investigate potential violations or security incidents

Our security program includes:

• Encryption: Data is encrypted in transit using TLS/HTTPS and at rest using industry-standard encryption algorithms
• Access Controls: Row-level security policies and role-based access controls restrict data access based on user permissions
• Authentication: Secure authentication mechanisms including password hashing and OAuth 2.0 integration
• Infrastructure Security: Hosting with SOC 2 Type II certified infrastructure providers (Supabase)
• Monitoring: Regular security monitoring, logging, and incident detection
• Updates: Regular security patches and updates to maintain protection against emerging threats

For detailed information about our current security practices, please contact privacy@timwagnerjr.com.

Important: No method of transmission over the internet or electronic storage is 100% secure. While we implement reasonable security measures and work with certified infrastructure providers, we cannot guarantee absolute security against all potential threats.

You acknowledge that you use the Service at your own risk and that we are not liable for security breaches that occur despite our implementation of industry-standard security measures.

Google user data receives the following specific protections:

• Encrypted Storage: Your Google email address, name, and profile photo are stored in Supabase's PostgreSQL database with encryption at rest using AES-256 encryption
• Encrypted Transmission: All Google user data is transmitted over HTTPS/TLS 1.3 with perfect forward secrecy
• Access Controls: Google user data is protected by row-level security (RLS) policies that restrict access based on user roles and permissions. Only authorized personnel can access the data, and all access is logged
• Isolated Storage: Your Google authentication tokens are never stored in our database. We use Supabase Auth's secure session management, which stores tokens in HTTP-only cookies
• SOC 2 Compliance: Our infrastructure provider (Supabase) maintains SOC 2 Type II certification, ensuring enterprise-grade security controls

You have the right to:

• Access the personal information we hold about you
• Correct inaccurate or incomplete information
• Update your profile and preferences at any time

You can request a copy of your data in a structured, machine-readable format.

You can delete your account at any time through your account settings or by contacting us at privacy@timwagnerjr.com.

What Gets Deleted:

• Your login credentials and authentication data
• Your application permissions and access rights
• Your account is disconnected from your participation records

What Is Retained:

• Participation history (team rosters, schedules, event records) is retained for organizational record-keeping purposes
• Chat messages and communications remain in organizational records
• Anonymized data may be retained for statistical analysis

Complete Data Deletion Request:

If you wish to have all of your data permanently deleted, including participation history and organizational records, please contact us at delete@timwagnerjr.com. We will process complete deletion requests within 30 days and notify you when complete. Please note that complete data deletion may affect the integrity of organizational historical records.

You can opt out of:

• Non-essential email communications (via unsubscribe link)
• Certain data collection practices (via browser settings)
• Specific features that require data sharing

We comply with the Children's Online Privacy Protection Act (COPPA):

• We do not knowingly collect personal information from children under 13 without verifiable parental consent
• School officials and parents/guardians act as authorized representatives when creating accounts for minors
• Parents/guardians have the right to review, delete, or refuse further collection of their child's information

For U.S. educational institutions, we act as a "school official" under FERPA:

• We use student information only for legitimate educational purposes
• We maintain strict confidentiality requirements
• We do not disclose education records without appropriate consent

• Essential Cookies: Required for the service to function (authentication, security)
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Help us understand how you use our platform

Some web browsers and devices permit you to broadcast a preference that you not be "tracked" online. At this time, there is no industry consensus on what constitutes "Do Not Track" (DNT) signals or how to respond to them.

Our Current Approach:

• We do not currently respond to DNT signals because there is no standard interpretation of these signals
• We do not engage in cross-site tracking for advertising purposes, so DNT signals do not affect our practices
• We support Global Privacy Control (GPC) signals. If your browser sends a GPC signal, we will treat it as an opt-out request for the sale/sharing of personal information (where applicable under state law)

If industry standards for DNT signals are established, we will reassess our approach and update this policy accordingly.

• Account Information: Retained for as long as your account is active. Deleted within 30 days of account deletion (authentication credentials and personal account data).
• Participation Records: Team rosters, schedules, event records, and game results are retained indefinitely for organizational historical records, even after account deletion. These records are disconnected from your account but preserved for team and organization continuity.
• Communications: Chat messages and team communications are retained as part of team records and are not deleted when you delete your account. Request complete data deletion at delete@timwagnerjr.com to remove all communications.
• Analytics Data: Aggregated and anonymized usage data may be retained indefinitely for product improvement and statistical purposes. This data cannot be linked back to you.
• Error Logs: Technical error logs (Sentry) are retained for 90 days, then automatically deleted.
• Database Backups: Backups containing your data are retained for 90 days for disaster recovery, then permanently deleted.
• Legal and Compliance Records: We may retain certain information longer if required by law, to resolve disputes, enforce agreements, or prevent fraud and abuse.

When you delete your account through account settings:

• Immediate: Your login credentials are disabled and you can no longer access AthleticOps
• Within 30 days: Your authentication credentials, email address, and application permissions are permanently deleted from production databases
• Within 90 days: Your data is removed from all backup systems
• Retained: Participation history remains in team records (disconnected from your account) for organizational continuity

To request complete deletion of all data including participation history, contact delete@timwagnerjr.com. We will process complete deletion requests within 30 days. Note that complete deletion may affect the integrity of team and organization historical records.

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information:

To exercise any of these rights, contact us at privacy@timwagnerjr.com. We will verify your identity before processing your request.

If you are a resident of Virginia, Colorado, or Connecticut, you have rights under the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), or Connecticut Data Privacy Act (CTDPA), including:

• Right to Access: You may confirm whether we are processing your personal data and access that data
• Right to Correction: You may correct inaccuracies in your personal data
• Right to Deletion: You may delete personal data you have provided to us
• Right to Data Portability: You may obtain a copy of your personal data in a portable format
• Right to Opt-Out: You may opt out of:
  • Targeted advertising (we do not engage in targeted advertising)
  • Sale of personal data (we do not sell personal data)
  • Profiling in furtherance of decisions that produce legal or similarly significant effects (we do not engage in such profiling)

To exercise these rights, contact us at privacy@timwagnerjr.com. We will respond to your request within 45 days (or as otherwise required by applicable law).

Right to Appeal: If we decline to take action on your request, you have the right to appeal our decision. We will provide information about how to appeal in our response to your request.

Nevada law (SB 220) allows Nevada residents to opt out of the sale of certain personal information. We do not sell personal information as defined by Nevada law. If our practices change, we will update this policy and provide an opt-out mechanism as required.

To exercise any state-specific privacy rights:

• Email us at privacy@timwagnerjr.com with "Privacy Rights Request" in the subject line
• Include your full name, email address, and state of residence
• Specify which right(s) you wish to exercise
• We may request additional information to verify your identity

Authorized Agents: You may designate an authorized agent to make requests on your behalf. Authorized agents must provide proof of authorization, and we may require you to verify your identity directly with us.

If you are located in the European Union or United Kingdom, please note that the United States may not provide the same level of data protection as your home country. However:

• We use service providers (such as Supabase) that maintain certifications and implement safeguards for international data transfers
• Where required, we implement Standard Contractual Clauses or other approved transfer mechanisms
• Our analytics provider (PostHog) offers EU cloud hosting options, which we use for data residency compliance

By using AthleticOps, you consent to the transfer of your information to the United States and other countries where we or our service providers operate.

If you are located outside the United States, you may have rights under your local data protection laws, including:

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent
• Right to lodge a complaint with a supervisory authority

To exercise these rights, contact us at privacy@timwagnerjr.com.