Privacy Policy
Last Updated: March 2026
PostPlay (“we,” “us,” or the “Platform”) is committed to protecting the privacy of our users, especially student-athletes and their families. This Privacy Policy explains how we collect, use, store, and share your information when you use the PostPlay Verified Scarcity Outreach Protocol.
1. Data Collection
We collect the following categories of information solely for the purpose of facilitating collegiate athletic recruiting:
- Identity Data: Name, email address, graduation year, high school or club affiliation, and institutional role (athlete, coach, parent, evaluator).
- Academic Data: GPA, test scores, and academic honors as provided by the user and verified by their high school or club coach.
- Physical Metrics: Height, weight, 40-yard dash time, vertical jump, arm velocity, and other sport-specific performance data as verified by coaching staff.
- Media: Film links (e.g., HUDL), profile images, and other recruiting media uploaded voluntarily by the user.
- Usage Data: Token usage, message history, login activity, and Platform interaction metrics used to improve the service.
- Payment Data: Billing information is processed by Stripe, our PCI-compliant payment processor. PostPlay does not store credit card numbers or banking details on our servers.
2. Student-Athlete Protection
PostPlay takes the protection of student-athlete data seriously and maintains the following safeguards:
- COPPA Compliance: We comply with the Children's Online Privacy Protection Act (COPPA). Users under the age of 13 are not permitted to create accounts. Users between 13 and 18 must have parental or guardian consent, which is facilitated through our Family Sanctuary feature.
- Domain-Gated Access: Athlete data within the PostPlay Clearinghouse is accessible only to college coaches and evaluators who have authenticated through a verified institutional email domain (e.g., .edu). We do not share athlete data with unverified third parties.
- No Data Sales: We do not sell, rent, or license athlete data to third-party data brokers, advertising networks, or marketing platforms. Your data is used exclusively for recruiting communication within the PostPlay ecosystem.
- FERPA Awareness: While PostPlay is not an educational institution, we design our data practices to respect the spirit of the Family Educational Rights and Privacy Act (FERPA). Academic records shared on the Platform are voluntarily provided by users, not sourced from institutional records.
3. The Cryptographic Ledger
When an athlete sends a Verified Reach through the PostPlay Protocol, the system generates a public cryptographic receipt accessible via a URL parameter (?ref=hash). This receipt serves as proof of intent and verification status.
- Public Receipt: The receipt confirms that a verified athlete spent a scarce token to contact a specific program. It displays the athlete's verification status and basic profile summary.
- Masked Contact Info: Sensitive contact information (email addresses, phone numbers) is masked from non-authenticated viewers. Only the authenticated recipient (the college coach) can view full contact details.
- Immutability: Once a receipt is generated, it cannot be retroactively altered. This ensures that both parties have a verifiable record of the outreach event.
4. How We Use Your Data
We use your information to:
- Facilitate token-gated communication between athletes and college programs.
- Verify and display athletic and academic credentials to authenticated evaluators.
- Power the Bosco AI Pitch Coach to provide message drafting assistance.
- Process payments and manage subscription billing through Stripe.
- Send transactional notifications (delivery receipts, coach replies, token resets).
- Improve Platform performance, security, and user experience through anonymized analytics.
5. Data Sharing
We share your information only in the following circumstances:
- With Authenticated Evaluators: When you burn a token to send a Verified Reach, your profile data and verified stats are shared with the recipient coach.
- With Service Providers: We use third-party services including Supabase (database), Vercel (hosting), Stripe (payments), and Resend (email delivery). These providers process data on our behalf under contractual data protection obligations.
- As Required by Law: We may disclose data if required by law, regulation, legal process, or governmental request.
6. Data Retention & Deletion
We retain your data for as long as your account is active or as needed to provide the service. You have the right to request full deletion of your profile, verified stats, media vault, and message history at any time.
- Deletion Request: To request data deletion, contact us at support@postplay.app. We will process deletion requests within 30 days.
- Cryptographic Receipts: Due to their immutable nature, cryptographic receipts generated from Verified Reaches cannot be deleted. However, the underlying athlete profile data linked to the receipt will be anonymized upon account deletion.
- Backup Retention: Anonymized backup data may be retained for up to 90 days following deletion for disaster recovery purposes.
7. Security
We implement industry-standard security measures to protect your data, including encryption in transit (TLS 1.3), encryption at rest, row-level security policies on our database, and domain-gated authentication for evaluator accounts. While no system is perfectly secure, we are committed to protecting your information and will notify affected users promptly in the event of a data breach.
8. Contact
For questions about this Privacy Policy or to exercise your data rights, please contact us at support@postplay.app.
© 2026 PostPlay. All rights reserved.