Privacy Policy

WI Athlete(“we,” “us,” “our”) is a Wisconsin high-school athletics data platform operated by [OPERATOR: legal entity name, e.g. “WI Athlete LLC” or “Kyle Van Dyn Hoven, sole proprietor dba WI Athlete”]. Our mailing address is [OPERATOR: physical mailing address — required by CAN-SPAM]. You can reach us at hello@wiathlete.com for general questions or [OPERATOR: privacy@wiathlete.com once the alias exists] for privacy-specific requests.

This policy explains what data we collect, how we use it, who we share it with, and what rights you have. It applies to wiathlete.com and every owned-variant domain (wisathlete.com, wiathletes.com, wiathletics.com).

We split data into four buckets by who it’s about:

Athletes (the public results layer)

• Public meet results — times, distances, places, wind readings, heat assignments — pulled from public timing-company feeds (AccuRace, AthleticLive, MileSplit, PrimeTime) and from HyTek exports submitted by coaches.
• Directory information— name, school, graduation year, gender, event. FERPA-exempt under 34 CFR §99.3.
• Optional, opt-in profile data — GPA, ACT / SAT scores, intended major, personal statement, social handles. Only collected if a parent or 13+ athlete fills the profile-edit form. Always parent-managed for athletes under 18.

Coaches and meet hosts

• School affiliation, contact email, phone (optional).
• Coach PIN hash for team-page authentication.
• Stripe Connect on-boarding data when collecting meet entry fees (held by Stripe; we receive a connected-account ID only).
• Email send / open / bounce events for messages you broadcast to your roster.

Parents

• Email address (added by the head coach to the team roster).
• Follow / unfollow choices and email preferences.
• RSVP and meet-attendance responses.

College recruiters

• .edu email (required), institution, sport, role.
• IP address at signup and during sensitive actions (fraud detection — see Section 6).
• Search history, watchlist, message log — retained for 5 years per NCAA audit-trail standard.
• Stripe payment data for Recruiter Pro and Recruiter Department tiers (held by Stripe; we never see card numbers).

• Display rankings, leaderboards, profile pages, and meet results.
• Deliver weekly recap emails and PR notifications to followers.
• Process payments for Coach Pro, Meet Host, Recruiter Pro, and Recruiter Department tiers.
• Send transactional email (coach broadcasts, recruiter messages to HS coaches, RSVP reminders, payment receipts).
• Run abuse and fraud detection (rate limits, disposable-email blocking, recruiter self-match heuristics).
• Maintain the NCAA compliance audit trail for recruiter actions.
• Share aggregate, de-identified statistics with the WIAA or with the press on request — never including the optional profile data in Section 2.

We do not sell your data. We do not run third-party advertising. We do not use your data to train AI models offered to third parties.

We share data only with the vendors that power the platform. Every vendor below is bound by a Data Processing Addendum or equivalent and processes data on our instructions:

• Supabase— database and authentication. US region.
• Vercel— web hosting and edge functions.
• Stripe— payments and Stripe Connect for Meet Host fee collection.
• Resend— transactional email delivery (coach broadcasts, recruiter messages, PR alerts, weekly digests).
• Cloudflare— DNS, bot protection (Turnstile) on signup forms.
• PostHog— product analytics. Loaded only when you accept analytics cookies. PII scrubbing on by default. [OPERATOR: remove this row if PostHog is not integrated by public launch]
• Sentry— error monitoring. Loaded only when you accept analytics cookies. Email and IP scrubbing on by default. [OPERATOR: remove this row if Sentry is not integrated by public launch]

We may disclose data when required by law (subpoena, court order) or to protect the safety of a user. We notify the affected user unless legally prohibited.

We use a small set of cookies and similar storage:

• Essential— auth session (coach PIN, recruiter login, admin), Stripe checkout session, Cloudflare Turnstile token, your consent choice. These are always set; no consent required under GDPR / CCPA.
• Analytics— PostHog if integrated. Off by default; loaded only after you accept the cookie banner.
• Error monitoring— Sentry if integrated. Same gating as analytics.

You can change your choice anytime by clearing your browser storage for wiathlete.com. The banner will re-prompt on your next visit.

• Public results and rankings — retained indefinitely as a historical record. Even if your account is deleted, your meet results stay public (FERPA directory exemption). Equivalent to a high-school yearbook or the printed meet program.
• Coach and parent contact data — deleted within 30 days of a verified request. See Section 9.
• Optional profile data (GPA, test scores, social handles, personal statement) — deleted on parent request; auto-purged within 30 days.
• Recruiter audit log — 5 years per NCAA standard. Cannot be deleted earlier even on recruiter request, because the log exists to protect the athletes the recruiter contacted.
• Payment data— held by Stripe per their retention schedule (typically 7 years for tax and chargeback compliance). We only retain the Stripe customer ID on our side.
• Server logs— 30 days unless they are part of a fraud or abuse investigation.

We treat athletes under 13 with extra care. We do not solicit personal data directly from any child. Results we display come from public meet programs and timing-company feeds, which is the same data published on a host school’s athletics page or in a printed meet program. See our COPPA notice for full detail.

FERPA protects educational records (transcripts, class grades, disciplinary records). We do not collect those. Athletic performance data — times, distances, places — is directory information and is FERPA-exempt. See our FERPA notice.

Verified recruiter accounts (.edu email required) can search the WI Athlete athlete database, save watchlists, and message HS coaches about specific athletes. Recruiter actions are logged in a tamper-evident audit trail for 5 years. Recruiters cannot directly message athletes through the platform — the only outbound channel is recruiter → HS coach. See our NCAA compliance posture for the full audit and calendar story.

Wherever you live, you can:

• Knowwhat we hold about you — email [OPERATOR: privacy@wiathlete.com] and we will respond within 30 days.
• Correct any inaccurate data we hold.
• Delete your account and the non-public data tied to it (subject to the retention rules in Section 6).
• Opt out of recruiter discovery (parent-managed flag on the athlete profile page).
• Restrict or objectto specific processing — tell us what and why.
• Lodge a complaint with your local data-protection authority (e.g. the FTC in the US, your national DPA in the EU).

California residents have the same rights under the CCPA / CPRA. EU and UK residents have the same rights under GDPR. We honor them globally as a matter of policy.

We do not knowingly collect personal information directly from children under 13. Public meet results that include a child’s name and school come from public timing-company feeds and are FERPA directory information. If you are a parent and want a specific child’s results removed from the public listings, email [OPERATOR: privacy@wiathlete.com] and we will action the request within 30 days. Full detail is on our COPPA notice.

Our hosting (Supabase, Vercel) is US-based. If you access the platform from outside the US, your data will be transferred to and processed in the United States. By using the platform you consent to that transfer. The platform is targeted at Wisconsin high-school athletics; we do not actively market outside the US.

We use industry-standard practices: HTTPS everywhere, hashed passwords and coach PINs, row-level security on the database, signed HMAC session cookies, rate limits and bot protection on sign-up endpoints. No system is unbreakable. If we ever experience a breach affecting your personal data, we will notify you within 72 hours, as required by GDPR and most US state breach-notification laws.

We may update this policy. When we do, we bump the version number and effective date at the top and notify users by email for material changes (new sub-processor, new data category, new retention window). Continued use of the platform after the effective date constitutes acceptance.

Privacy questions or data-subject requests: [OPERATOR: privacy@wiathlete.com]. General support: hello@wiathlete.com. Mail: [OPERATOR: physical mailing address].