Privacy Policy

When you sign up:

• Your email address. Used to send a 6-digit sign-in code and to identify your account. We never send marketing.
• An optional display name you can set in Settings.

When you use the app:

• The coaching content you create — teams, rosters, playbooks, plays (including drawn diagrams, animation timelines, freehand ink, voice-over recordings if you record one, and any optional video URLs you attach), practices, drills, games, and scout reports.
• Roster details about your players if you choose to enter them — first name, last name, jersey number, position, status, and optional season stats. You decide what to enter. See “Coaches of minors” below.
• Activity records — “you created play X,” “you finished practice Y” — so the dashboard can show you what you’ve been doing.
• App settings — your default surface, default court type, whether you’ve loaded the demo dataset, etc.

We don’t track you across the web and don’t use advertising cookies. We do run two operational telemetry tools:

• Sentry for crash and error reporting. Sentry sees stack traces and breadcrumb logs when the app errors. We strip Authorization headers from the breadcrumb data, scrub any base64 audio that gets caught in an event payload, and send only your user identifier (never your email).
• PostHog Cloud (US region) for product analytics: a frozen list of fourteen named events (signup, play_created, play_saved, play_published, play_shared, play_viewed, play_forked, invite_sent, invite_accepted, demo_seeded, demo_skipped, quiz_attempted, voice_over_recorded, signup_started / signup_completed). The event payload includes the event name, a session id, the user id when signed in, and a small JSON properties object — no email, no roster names, no play content.

Both processors are listed on /legal/subprocessors.

Two places:

• In your browser via IndexedDB. This is what makes Quick Plays work offline. Clearing your browser data wipes the local copy.
• On Supabase (our hosted Postgres provider) in their us-west-2 region (Oregon, USA). When you’re signed in, your data syncs there so you can use it from another device.

Supabase processes the data on our behalf. Their own privacy notice covers what they do with operational data (logs, IP addresses attached to authentication events): supabase.com/privacy.

The site itself is served by Cloudflare Pages. Cloudflare may log request metadata (IP address, user agent) for DDoS protection and routing. cloudflare.com/privacypolicy.

By default, nobody. Your account’s data is scoped to your user ID at the database level (Postgres Row-Level Security) — other Quick Plays users can’t read it.

You can opt into sharing in a few ways:

• Inviting an assistant coach or player to a team gives them access to that team’s playbooks and plays.
• Publishing a play or playbook (the “Share” button) makes it readable by anyone with the link, including unauthenticated visitors. Published voice-overs aren’t included in the public copy.

We don’t sell your data, share it with advertisers, or use it to train any model.

Basketball coaching covers a lot of youth and high-school teams. Roster fields like names and jersey numbers can be personal data about minors. You, the coach, are the data controller for your roster. By entering player details you confirm you have the right to do so (typically: you’re an authorised coach for the team and the players or their guardians have consented).

We don’t advertise to or knowingly collect data directly from children under 13. Players don’t sign up themselves; you invite them.

If you ever want a player removed, delete the row from Roster — or email [email protected] and we’ll do it.

You can, at any time:

• Export everything as a JSON file (Settings → Data → Export all data). This is the most-complete copy we can produce.
• Change your email (Settings → Account → Email). We’ll send a confirmation link to both the old and new address — both must be clicked.
• Recover your account if you’ve lost access to your sign-in email — see our recovery process. We verify identity manually (no automated path can work when the inbox itself is gone) and then move your account to a new email.
• Delete your account (Settings → Danger zone → Delete account). This permanently removes your auth row and cascades through every owner-scoped table — teams, plays, books, practices, drills, games, scout reports, settings, notifications, the works. We can’t recover it after.

GDPR “right to be forgotten” and the equivalent US-state rights map onto the deletion flow above. If you’re in the EU / UK and want a formal data-access report instead of the JSON export, email us.

We keep your data as long as your account exists. Deleting your account removes it immediately from the database; cached copies in Supabase’s backup snapshots roll off within 30 days.

Sign-in is passwordless via 6-digit email codes. Database access is gated by Postgres Row-Level Security policies — your auth token determines what rows you can read or write. All traffic is HTTPS.

We’re a small team; we don’t claim SOC 2. If you discover a security issue, please email [email protected] and we’ll respond within a few business days.

We’ll update the “Last updated” date at the top when the policy changes. If a change materially expands what we collect or who sees it, we’ll notify signed-in users via the in-app notification bell before the change takes effect.

We don’t sell personal information. We don’t share it with advertisers or other commercial partners outside the sub-processors listed on /legal/subprocessors. California residents have the right under the CCPA to opt out of the sale or sharing of personal information for cross-context behavioral advertising; we extend this opt-out to all users. Because we don’t engage in either, there is no separate opt-out toggle — this page is the disclosure required by Cal. Civ. Code § 1798.135. If our practices ever change to involve selling or sharing data, we’ll update this page and surface a real opt-out in Settings before the change takes effect.

Questions, deletion requests, security reports: [email protected]. Copyright takedowns: see /legal/dmca. Sub-processor list: /legal/subprocessors. DPA for institutional use: /legal/dpa.