Security & privacy

How we hold
your family’s data.

A sports app sits in a child’s life and a parent’s life. The privacy and security posture has to match. GameBrief defaults to closed and opens by named policy. What follows is the full posture — not the marketing version.

Twelve pillars

The posture, in detail.

Each pillar below corresponds to a specific architectural decision in the engineering spec. We name the cost of each — that is what tells you whether to trust the guarantee. A free guarantee is a slogan.

Under-13 data is parent-collected
Players under 13 have no direct logins. Their parents are the account holders. Their data is collected via the parent under COPPA's "operator-to-parent" pathway — not "operator-to-child." That single architectural decision eliminates the largest class of COPPA exposure in this category, and it is the part TeamSnap, SportsEngine, and BlueSombrero have not done.
No coach-to-kid private DMs
Every coach-to-player message is mirrored to a guardian. Coaches cannot DM a minor 1:1 outside that visibility. This is the SafeSport-adjacent posture and the lesson of Epic Games' $275M COPPA settlement: 1:1 chat with under-13s, enabled by default, is the feature you must not ship.
AES-256-GCM Coach Notebook · per-club key
The Coach Notebook is encrypted at the application layer with AES-256-GCM and a per-organization key derived via HKDF from a master secret that lives in the environment, never in the database. Our own AI is forbidden from reading it (lint enforces). Parents never see. The lawyer asks; the answer is we cannot decrypt this.
No card data, ever
Card numbers never touch our database. Stripe holds the token; Stripe is the system of record for the payment instrument. We hold the ledger of who owes what and what cleared. Webhook handlers verify the Stripe signature before any read or write — full stop.
Row-level security on every table
Every table with an `org_id` has Postgres row-level security enabled with the canonical policy. The service-role key is fenced inside Supabase edge functions and never used from app code. Cross-tenant isolation tests run in CI. A coach in club A cannot see a roster in club B; the audit is mathematical, not policy.
Document integrity via HMAC
Every signature row carries an HMAC stamp over the canonical (document_id | version | family_id | player_id | signer_name | signed_at) payload using a secret kept in environment. Versions are immutable; supersession is by reference, not by edit. The binder export is provable; a forged signature can be detected.
Per-feature AI kill switches
Every AI feature has an environment-flagged kill switch. Operations can disable the Weather Agent, the brief generator, the Sunday recap, the audience builder, the conflict resolver, the event composer, the RSVP predictor, or the decision summarizer in production without a code deploy. If AI is misbehaving, the panel disappears; no skeleton, no upgrade prompt, no fallback to a worse experience.
Audit log on every compliance action
A single `audit_logs` table receives every compliance-relevant mutation: refund issued, document signed, account deleted, role changed, AI feature toggled, guardian invited or revoked. The `action` enum is extensible; we add values, never overload existing ones. Export CSV when the lawyer asks; the one-line answer is in the log.
Magic link, no passwords
Authentication is magic-link via Supabase. No passwords stored, no password-reset flow to phish, no credential-stuffing attack surface. Single-use tokens expire in 60 minutes. The login page is the only entry point.
COPPA April 2026 compliance
The April 22, 2026 COPPA Rule amendments apply: defined data-retention period, written children's-information-security program, separate verifiable parental consent for third-party disclosure, and separate VPC for AI training of children's data. We meet each requirement and document it in the privacy policy. AI training does not happen against children's data without separate, documented parental consent.
Sensitive PI handling
Health information (allergies, medications, return-to-play status) is treated as sensitive personal information under CCPA, FL HB 3, TX SCOPE, NY CDPA, and CT/CO/VA equivalents. Opt-in per family, visible to coach role only, excluded from AI prompts, excluded from default exports. This is sensitive PI handling, not generic PII handling.
Observability without PII
Errors thrown from application code carry no personally identifiable information. A scrubber in the error path strips identifiable fields before logs leave the process. We do not log magic-link tokens, signatures, or message bodies. The scrubber is tested; the test suite enforces.

Things we explicitly refuse to do

A short list of never.

Every entry below is a business choice we have made and would close the company before changing. We list them so that you can recognize the kind of company you are doing business with.

We do not sell data.
Not even anonymized aggregates.
We do not run ad networks.
No partner banners. No promoted content.
We do not store card data.
Stripe Elements / Apple Pay / Google Pay only.
We do not pass coach notes to AI.
Encrypted, never decrypted server-side for AI.
We do not enable kid DMs.
Every coach message visible to a guardian.
We do not use third-party trackers.
First-party analytics only.
We do not deep-link to school records.
Until a district contract and DPA exist.
We do not surveil teen messaging.
Parents see who, not what.

The legal framework

The laws we’re built to meet.

This category sits inside a layered legal regime. We build to the strictest US floor so one architecture covers the whole country.

  • COPPA (federal, under-13)

    Parent-collected architecture, no under-13 logins, defined retention, separate VPC for third-party disclosure and AI training. 2025 amendments compliance by April 22, 2026.

  • California CCPA / CPRA · AB 1949

    Under-18 opt-in for any sale or share (we never sell or share). Right to delete, port, and correct via in-product self-service. Sensitive PI flagged and isolated.

  • Florida HB 3 · Texas SCOPE Act · NY Child Data Protection Act

    Under-18 protections — no targeted advertising, no precise geolocation, no minor purchases without parent verification. We meet each.

  • Connecticut, Colorado, Virginia minor-privacy

    Duty of care, DPIA for high-risk minor processing. We run DPIAs on new AI features touching kid data.

  • FERPA (when applicable)

    Inapplicable to rec/club/travel leagues. When a school district contracts with GameBrief, a DPA is signed and data is partitioned with FERPA flags before any school-tied data flows.

  • SafeSport Act adjacency

    We are not the regulated entity (clubs and NGBs are). We architect features that do not enable abuse vectors — specifically, no coach-to-kid private DMs.

  • State concussion laws (Lystedt-family)

    When a club ships a return-to-play feature, the workflow requires a healthcare-provider clearance signature on the audit-logged form before the player is cleared. We are not a medical record system; we provide the workflow rails.

Report a vulnerability

If you find something, we want to hear it before our users do.

Write to security@gamebrief.com with a description and a reproduction. We acknowledge in 48 hours and either fix or document the trade-off. Bug bounty is not yet live; the gratitude is real.