Security & privacy

How we protect player, family, and academy data.

PlayerFocus handles youth-player data and photos uploaded by coaches. We treat it like medical data, not marketing data. This page is the short version — for procurement teams, legal counsel, or anyone forwarding to a board.

Encrypted: at rest + in transit

Opt-in: player photos · per-parent consent

RLS: database-level access control

Exportable: your data, on demand

01

Player photo policy

Player photos are uploaded only by coaches, only with academy director authorization, and only with parent consent on a per-player basis. Photos are stored in a private Supabase Storage bucket (player-photos) with row-level security restricting read access to: (1) the parent of the player, (2) coaches assigned to the player’s team, (3) the academy director.

Photos are never used for ML training. Never shared cross-academy. Never used in PlayerFocus marketing without explicit additional written per-parent consent. A parent can revoke consent at any time — the photo is deleted from storage on the next request cycle.

02

Encryption

All data is encrypted at rest (AES-256 via the underlying Supabase Postgres + Storage layer) and in transit (TLS 1.2+ for all client-server communication, including API requests, webhook deliveries, and file uploads).

Client devices communicate over HTTPS only. We do not maintain any unencrypted backup paths.

03

Access control

Every database table is protected by row-level security (RLS) policies enforced at the Postgres layer — not just at the application layer. This means even a compromised application key cannot retrieve data the policy doesn’t allow.

Roles: Director (full academy access), Coach (assigned-team access only), Parent (linked-children access only). No role can access another academy’s data, ever — by design at the database level, not by convention at the code level.
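To make the role model concrete, here is an added example (not PlayerFocus’s actual schema or policies) of how rules like these are expressed as Postgres row-level security policies on Supabase. The table and column names (players, academy_staff, guardianships, academy_id, team_id, photo_path) are assumptions; auth.uid() and the storage.objects table are Supabase’s own.

```sql
-- Added example: Postgres RLS policies in the style Supabase uses.
-- Table and column names are assumptions, not the real PlayerFocus schema.

create table players (
  id         uuid primary key,
  academy_id uuid not null,
  team_id    uuid not null,
  photo_path text              -- object name inside the player-photos bucket
);

-- Who is linked to whom. One user may hold several roles or academies.
create table academy_staff (
  user_id    uuid not null,
  academy_id uuid not null,
  role       text not null check (role in ('director', 'coach')),
  team_id    uuid              -- set only for coaches
);
create table guardianships (
  parent_id uuid not null,
  player_id uuid not null references players(id)
);

alter table players enable row level security;
alter table players force row level security;  -- apply even to the table owner

-- Parent: only their own linked children.
create policy parent_reads_own_children on players for select using (
  exists (select 1 from guardianships g
          where g.player_id = players.id and g.parent_id = auth.uid())
);

-- Coach: only players on a team they are assigned to, inside their academy.
create policy coach_reads_assigned_team on players for select using (
  exists (select 1 from academy_staff s
          where s.user_id = auth.uid() and s.role = 'coach'
            and s.academy_id = players.academy_id and s.team_id = players.team_id)
);

-- Director: every player in their academy, never another academy's.
create policy director_reads_academy on players for select using (
  exists (select 1 from academy_staff s
          where s.user_id = auth.uid() and s.role = 'director'
            and s.academy_id = players.academy_id)
);

-- The storage bucket reuses the same gate: an object is readable only when the
-- caller can already see the player row that references it, because the
-- subquery on players is itself filtered by the policies above.
create policy photo_read on storage.objects for select using (
  bucket_id = 'player-photos'
  and exists (select 1 from players p where p.photo_path = objects.name)
);
```

The policies only take effect for sessions that carry the end user's identity; a privileged database role that bypasses RLS must be kept out of client-reachable code paths.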

04

Compliance posture

COPPA-aware: We collect minimal data on players under 13. Photos and personally identifiable information are gated behind explicit parent consent. No advertising data, no third-party tracking pixels on parent-facing surfaces.

GDPR-aware: Right to access (data export on request), right to erasure (account deletion deletes all linked data within 30 days), and data-processing transparency (this page). Sub-processors disclosed on request.

SOC 2: Type II audit pending. Currently in pre-audit posture — controls in place, observation period not yet complete. We can share progress with serious procurement teams under NDA.

05

Data residency

PlayerFocus serves academies across North America. Production data is hosted in geographically distributed regions — Supabase’s Toronto / Montreal infrastructure by default for Canadian programs, with US-region hosting (us-east-1 / us-west-2) available on request and standard on Performance and Enterprise tiers. Data never crosses an academy’s configured residency boundary without explicit director approval.

For multi-club groups (League / Enterprise), residency is included as a contractual term with documented sub-processor regions and a data-flow diagram.

06

Backup & recovery

Daily automated backups with 30-day retention on all production databases. Point-in-time recovery available within the retention window.

Disaster recovery target: 4-hour RPO, 12-hour RTO. Tested quarterly.

07

Incident response

Security incidents are triaged within 24 hours of detection. Material incidents affecting customer data are disclosed to the affected academy within 72 hours, with details and remediation timeline.

Report a security concern: security@playerfocus.ca. We respond within one business day.

08

Data export & deletion

Every academy can export its full data — reports (PDF), evaluations (CSV), roster (CSV), and parent communications history (CSV) — from the director dashboard at any time, no support ticket required.

Account deletion: trigger from director settings, or by emailing support. All academy data is permanently deleted from production within 30 days. Backup retention purges complete within 60 days.

For procurement

Need a deeper review?

Security questionnaires, sub-processor list, DPA, SOC 2 progress, and pen-test summaries are available under NDA for academies in active evaluation.
