Security

How we hold your family's data.

A sports app sits in a child’s and a parent’s life. The security posture has to match. GameBrief defaults to closed and opens by named policy. Below is the full posture — not the marketing version.

Posture

Nine guarantees, each with a cost.

Every guarantee here corresponds to a section of the engineering spec (§13). We name the cost because that is what tells you whether to trust the guarantee: a free guarantee is a slogan.

Authentication
Magic-link auth via Supabase. No passwords stored, no password reset flow to phish. Single-use tokens expire in 60 minutes. The login page is the only entry point.

Row-level security
Every table with an `org_id` has RLS enabled and the canonical policy applied. Cross-org tables follow the patterns in spec §13. The service-role key is fenced inside Supabase functions and never used from app code.

Encryption at rest
Database storage is encrypted at rest by the platform. Coach Notebook entries get a second layer: app-level AES-256-GCM with an HKDF-derived per-org key. The master key lives in env, never in the DB. AI is never given the plaintext.

Document integrity
Every signature row carries an HMAC stamp over the canonical (document_id|version|family_id|player_id|signer_name|signed_at) payload using `SIGNED_LINK_SECRET`. Versions are immutable; supersession is by reference, not by edit.

Payments
Stripe Elements / Apple Pay / Google Pay only. No card data ever touches our storage. Webhook handlers verify the Stripe signature before any DB read or write. Idempotency keys gate mutating endpoints; mobile retry is safe.

Audit log
A single `audit_logs` table receives every compliance-relevant mutation: refunds, document signatures, account deletion, AI feature toggles, role changes. The `action` enum is extensible; we add values, never overload existing ones.

AI safeguards
Every AI feature has a per-feature kill switch in env. The audience-builder uses constrained tool-use only; prompt-injection probes are part of the test suite. Coach Notebook content is never passed to a model.

Observability hygiene
Errors thrown from app code carry no PII. A scrubber in the error path (spec §13.9) strips identifiable fields before logs leave the process. We do not log magic-link tokens, signatures, or message bodies.

COPPA & FERPA-conscious
Players under 13 are subject to the COPPA path: explicit guardian consent, age verification, and a minimized data footprint. Documents and signatures are designed for the FERPA-aligned schools and leagues that audit.
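As an added illustration of the document-integrity stamp described above (example code written for this page, not GameBrief's own implementation), the block below produces and checks an HMAC over the canonical pipe-joined payload and shows that editing any field in place invalidates it. It assumes HMAC-SHA256, a literal `|` separator, ISO-8601 UTC strings for `signed_at`, and a constructed secret standing in for `SIGNED_LINK_SECRET`.

```python
import hashlib
import hmac

# Field order of the canonical payload, as stated on the page. Assumed
# choices: SHA-256 as the HMAC hash, ISO-8601 UTC strings for signed_at.
CANONICAL_FIELDS = ("document_id", "version", "family_id",
                    "player_id", "signer_name", "signed_at")

# Constructed stand-in for the SIGNED_LINK_SECRET environment variable.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def canonical_payload(row: dict) -> bytes:
    """Serialise a signature row as the fixed-order, pipe-joined payload.

    The separator must not occur inside a field; otherwise two different
    rows could serialise to the same bytes and share a stamp.
    """
    parts = []
    for field in CANONICAL_FIELDS:
        value = str(row[field])
        if "|" in value:
            raise ValueError(f"{field} contains the '|' separator")
        parts.append(value)
    return "|".join(parts).encode("utf-8")


def make_stamp(row: dict, secret: bytes = DEMO_SECRET) -> str:
    """HMAC-SHA256 stamp stored alongside the signature row."""
    return hmac.new(secret, canonical_payload(row), hashlib.sha256).hexdigest()


def verify_stamp(row: dict, stored_stamp: str, secret: bytes = DEMO_SECRET) -> bool:
    """Recompute the stamp and compare in constant time."""
    return hmac.compare_digest(make_stamp(row, secret), stored_stamp)


# Constructed sample row.
SAMPLE_ROW = {
    "document_id": "doc_1001", "version": 1, "family_id": "fam_77",
    "player_id": "plr_42", "signer_name": "A. Guardian",
    "signed_at": "2024-03-01T18:30:00Z",
}

if __name__ == "__main__":
    stamp = make_stamp(SAMPLE_ROW)
    print("stored row valid:", verify_stamp(SAMPLE_ROW, stamp))
    # Editing a field in place, even just bumping the version, breaks the
    # stamp: a superseding version must be signed afresh with its own stamp.
    edited = dict(SAMPLE_ROW, version=2)
    print("edited row still valid:", verify_stamp(edited, stamp))
```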

Statements you can verify

A short list of negatives.

No vendor cookies on /login. No advertising network anywhere.
No PII to AI. Inputs scrubbed before each call.
No password. Magic link only.
No third-party tracking. Our own first-party analytics.

Report a vulnerability

If you found something, we want to hear it before our users do.

Write to security@gamebrief.com with a description and a reproduction. We acknowledge within 48 hours and either fix the issue or document the trade-off. No bug bounty yet; that comes when we have more than a handful of clubs.