Privacy Policy

1. Data Controller

CoachAI is operated by Jason Stoudt ("we", "our", or "us"). For questions about data processing, contact our Data Protection contact at privacy@putmein.co.

2. Information We Collect

We collect the following categories of personal information:

Information You Provide

• Account Information: Name, email address, and password
• Team Data: Team names, player rosters (names, jersey numbers, positions), schedules, and game statistics
• Player Health Data: Medical notes and allergies for player safety (entered by coaches/guardians)
• Emergency Contacts: Names, phone numbers, and relationships for player emergency contacts
• Photos: Team and event photos uploaded by authorized users
• Phone Numbers: For SMS team invitations (provided by coaches)
• Push Notification Tokens: Device push subscription tokens when you opt in to browser push notifications (used solely to deliver game reminders, schedule updates, and team announcements)

Automatically Collected

• Usage Data: Features used, interaction patterns, and session duration (only with consent)
• Device Information: Browser type, operating system, and device identifiers (only with consent)
• Error Data: Application errors and performance data (only with consent)

3. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

• Contract Performance: Account management, team features, and game tracking
• Consent: Analytics (PostHog), error tracking (Sentry), AI drill generation, marketing communications
• Legitimate Interest: Security monitoring, fraud prevention, and service improvement
• Legal Obligation: Tax records for payment processing, responding to lawful requests

You may withdraw consent at any time by updating your cookie preferences or contacting us. Withdrawal does not affect lawfulness of processing before withdrawal.

4. AI Features and Data Processing

CoachAI uses artificial intelligence to generate drill animations and coaching suggestions. When you use AI features:

• Player jersey numbers (not names) are sent to our AI provider, Anthropic (Claude), to generate personalized drill animations
• Your natural language drill descriptions are processed by Anthropic's API
• Anthropic does not use API data for model training (per their API data policy)
• AI-generated content is stored in your account for future reference

No player names, medical information, or emergency contact data is ever sent to AI providers.

FTC Disclosure — AI-Generated Content Limitations

All drill animations and substitution suggestions generated by CoachAI are AI-generated and are clearly labeled as such within the application. In accordance with FTC Endorsement Guides (16 CFR § 255):

• AI-generated suggestions may contain errors, omissions, or recommendations that are unsuitable for your specific team or situation
• Substitution suggestions are advisory only and do not replace the professional judgment of a licensed or experienced coach
• Drill animations are algorithmically generated and may not reflect best coaching practices for all age groups or skill levels
• Always exercise your professional judgment before acting on any AI suggestion
• CoachAI does not guarantee the accuracy, completeness, or fitness for purpose of any AI-generated content

5. Third-Party Services

We share data with the following service providers:

• Supabase (US): Database hosting and authentication
• Vercel (US): Application hosting and deployment
• Google (US): OAuth sign-in authentication (when you choose Google login)
• PostHog (US): Analytics and product insights (consent required)
• Sentry (US): Error tracking and performance monitoring (consent required)
• Twilio (US): SMS delivery for team invitations
• Anthropic (US): AI-powered drill generation (jersey numbers only)
• Resend (US): Transactional email delivery (consent confirmations, account notifications)

SMS Communications (TCPA Disclosure)

CoachAI sends SMS messages for team invitations using Twilio. By providing a phone number, you consent to receive SMS messages related to the specific team invitation. Message frequency is low — typically one message per invitation.

• Message frequency: 1 message per invite event. Additional messages are only sent if you request them.
• Msg & data rates may apply depending on your mobile carrier plan.
• To opt out: Reply STOP to any SMS message at any time. You will receive a confirmation message and no further SMS messages will be sent to that number. You may also opt out by contacting privacy@putmein.co.
• To get help: Reply HELP to any SMS message or email support@putmein.co.
• Opting out of SMS does not affect your ability to use CoachAI or receive invitations via email.

6. International Data Transfers & Data Processing Agreement

Our service providers are based in the United States. If you are located in the EEA/UK, your data is transferred to the US under Standard Contractual Clauses (SCCs) or equivalent safeguards maintained by each provider. Contact us for copies of applicable transfer mechanisms.

For EU coaches and organizations processing EU player data, a full Data Processing Agreement (GDPR Art. 28) is available. The DPA details all sub-processors, transfer mechanisms, and security measures. Contact privacy@putmein.co if you require a signed copy.

7. Data Retention

• Active accounts: Data retained while your account is active
• Deleted accounts: Anonymized immediately; hard-deleted after 30 days
• Expired invitations: Purged after 30 days
• Read notifications: Purged after 90 days
• Emergency contacts: Retained while the player is on a team roster; deleted when the player is removed or the account is deleted
• Emergency broadcast records: Message metadata retained for 1 year; message content purged after 90 days
• Game statistics: Retained for the duration of team membership
• Player records: Retained for 90 days after team deletion or roster removal, then permanently deleted
• PHI (medical / health data): Deleted immediately upon account deletion or upon verified coach request; never retained beyond active team membership
• Audit logs: Retained for 2 years for compliance and dispute-resolution purposes (GDPR Art. 5 accountability), then automatically purged
• AI-generated content: Drill animations and coaching suggestions retained while your account is active; deleted with account deletion
• Error tracking data (Sentry): Retained for 90 days; PII is stripped before transmission
• Analytics data (PostHog): Retained for 12 months; no PII is collected
• SMS phone numbers: Removed from invite records after acceptance
• Database Backups: Automated database backups are encrypted at rest and retained for a maximum of 30 days on a rolling basis. Backup data containing your personal information is automatically purged as backups age past 30 days. To request earlier deletion of backup data, contact privacy@putmein.co.

8. Your Rights

All Users

• Access the personal information we hold about you
• Request correction of inaccurate data
• Request deletion of your data (Settings → Delete Account)
• Export your data in a portable JSON format (Settings → Export Data)
• Opt out of analytics tracking via cookie preferences

EEA/UK Residents (GDPR)

• Right to restrict processing
• Right to object to processing based on legitimate interest
• Right to withdraw consent at any time
• Right to lodge a complaint with your local supervisory authority

California Residents (CCPA/CPRA)

• Right to know what personal information is collected and how it is used
• Right to delete personal information
• Right to opt out of the sale or sharing of personal information
• Right to non-discrimination for exercising privacy rights

Do Not Sell or Share My Personal Information: CoachAI does not sell personal information. We share limited data with service providers solely for operating the service. California residents may submit a formal opt-out request using the link below or by emailing privacy@putmein.co.

Right to Know & Download Your Data (CCPA § 1798.100): California residents may download all personal information we have collected via Settings → Download Your Data in the app, or by emailing privacy@putmein.co. We will respond within 45 calendar days.

Do Not Sell or Share My Personal Information

CCPA Categories of Information Collected

• Identifiers: Name, email, phone number
• Internet activity: Usage data, feature interactions (with consent)
• Professional information: Coaching role, team management data
• Protected characteristics: Age confirmation (18+ verification)
• Health information: Medical notes, allergies (for player safety only)

9. Children's Privacy (COPPA)

CoachAI is designed for adult coaches, parents, and guardians. All account holders must be at least 18 years old. We do not permit anyone under 18 to create an account. CoachAI complies with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506, and the FTC's implementing regulations at 16 CFR Part 312.

Who Collects Information About Children

Only coaches and team administrators add children to CoachAI. Children cannot self-register. Parents and guardians receive an invitation before their child's information is added to the platform. By entering a child's information, the parent or guardian consents to the collection and use of that information solely for team management purposes.

Information Collected About Minor Players

When a coach adds a player profile, the following information may be collected about a minor player:

• Full name and jersey number
• Team position(s)
• Date of birth (if provided, used for age-group classification)
• Team membership and attendance records
• Game statistics (playing time, substitutions, performance notes)
• Medical and injury notes added by coaches (stored in encrypted form)
• Parent and guardian contact information (name, email, phone number)
• Profile photo (only with explicit parental consent)

Third-Party Services That Receive Children's Information

The following third-party services may process minor players' data as part of providing CoachAI (16 CFR § 312.4(b)(3)):

• Supabase (Supabase Inc., US) — Database storage and authentication. Receives player profiles, statistics, and all data described above for storage and retrieval.
• Sentry (Functional Software Inc., US) — Error tracking and performance monitoring. Player names and PII are stripped before transmission; only anonymized diagnostic data is sent.
• Anthropic (Anthropic, PBC, US) — AI drill generation. Only jersey numbers (not player names) are sent to generate drill animations. Medical data and personal identifiers are never sent to Anthropic.
• PostHog (PostHog Inc., US) — Product analytics. Usage patterns only; no player PII is collected or transmitted.
• Twilio (Twilio Inc., US) — SMS delivery for parent invitations. Parent phone numbers are used solely to deliver the one-time team invitation message.

Your Rights as a Parent or Guardian (16 CFR § 312.6)

Parents and guardians may exercise the following rights regarding their child's data at any time:

• Review all information stored about their child by emailing privacy@putmein.co with the subject line "COPPA Data Review Request." We will provide a complete summary of data held within 30 days.
• Correct inaccurate information by contacting the team coach or emailing privacy@putmein.co.
• Delete their child's information by emailing privacy@putmein.co with the subject line "COPPA Deletion Request." All data will be permanently removed within 30 days.
• Withdraw consent and stop further collection by removing their child from the platform or emailing us. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.
• Refuse further collection — if you do not consent to continued data collection, you may request removal of your child at any time.

We will respond to verified parental requests within 30 days. To verify your identity as a parent or guardian, we may ask you to confirm the email address associated with your CoachAI account or the team your child belongs to.

No Conditioning of Participation

Participation in CoachAI is not conditioned on a child disclosing more personal information than is reasonably necessary to participate in the platform's activities (16 CFR § 312.7).

Contact for COPPA Questions

For questions about our children's privacy practices or to exercise parental rights, contact us at privacy@putmein.co.

10. Club Features

CoachAI allows coaches and organizations to create and manage clubs. When you participate in club features:

• Club Membership: Your name and role are visible to other club members
• Club Messages: Messages you send in club channels are visible to other club members (or targeted teams)
• Join Requests: When you request to join a club, the club admins can see your name and email
• Data Retention: Club data follows the same retention policies as team data. When you delete your account, all club memberships, messages, and join requests are removed.

11. Photos

Team and event photos may be uploaded by authorized team members. Photos of minors require parental/guardian consent. Photos are stored securely and only accessible to team members. Parents may request removal of any photo containing their child by contacting the team coach or emailing us.

12. Data Security

We implement appropriate technical and organizational security measures including encrypted connections (HTTPS/TLS), secure authentication, rate limiting, input validation, and access controls. Sensitive data such as medical notes and allergies is access-controlled and audited—only authorized team members (coaches and the player's parent/guardian) can view this information, and all access is logged for security monitoring. However, no method of transmission over the Internet is 100% secure.

13. Cookies and Tracking

We use cookies and similar technologies to enhance your experience. Analytics and error tracking cookies are only activated after you give explicit consent through our cookie consent banner. See our Cookie Policy for detailed information.

14. Automated Decision-Making

CoachAI uses automated processing to suggest player substitutions based on playing time data. These suggestions are advisory only and do not produce legal or similarly significant effects. Coaches make all final substitution decisions.

15. Security Incidents and Data Breaches

We take security seriously and maintain technical and organizational safeguards to protect your personal data. In the event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
• Notify affected individuals without undue delay when the breach is likely to result in high risk to their rights and freedoms.
• Document all breaches in our internal incident register.

To report a security vulnerability or suspected breach, contact security@putmein.co.

17. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy and changing the "Last updated" date. Your continued use after changes constitutes acceptance of the updated policy.

18. Contact Us

For questions about this Privacy Policy or to exercise your privacy rights, contact us at privacy@putmein.co.

If you are in the EEA/UK and are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.