Privacy Policy

Effective March 31, 2026

SpikePath is built for student-athletes and their families. We take the privacy of our users seriously, especially because many of them are minors. This policy explains what information we collect, how we use it, who we share it with, and your rights regarding your data.

1. Information We Collect

When you create an account and use SpikePath, we collect the following categories of information:

Account Information

• Full name, email address, and date of birth
• Phone number (optional)
• Parent or guardian name and contact information (when provided)

Athletic Profile

• Position, height, graduation year, and club team
• Highlights video URL and Instagram handle
• Standing reach and vertical jump (optional)

Academic Information

• GPA, SAT score, ACT score, intended major, and high school

Location

• Zip code, city, and state

Usage Data

• Pages visited, features used, and timestamps
• Schools added to your pipeline and communications sent

Payment Information

• Subscription plan selection and billing status. All payment processing is handled by Stripe. SpikePath does not store credit card numbers or banking information.

2. How We Use Your Information

• Platform features: Your profile data powers school matching, email draft generation, and recruiting recommendations.
• AI-powered features: Your name, position, height, grad year, club team, academic stats, and preferences are sent to Google's Gemini API to generate personalized matches, school insights, and email drafts.
• Communications: We use your email address for account-related communications (password resets, subscription confirmations). We do not send marketing emails.
• Service improvement: Aggregated, anonymized usage data helps us improve the platform.

3. Third-Party Data Sharing

We share your data with the following third-party services solely to provide the SpikePath platform:

• Google Gemini (AI): Profile data is sent to Google's Gemini API to power AI matching, email drafts, and school summaries. Google's data usage policies apply to this processing.
• Stripe (Payments): Payment and billing information is processed by Stripe. See Stripe's Privacy Policy.
• Supabase (Database): Your data is stored in Supabase-hosted PostgreSQL databases with row-level security. See Supabase's Privacy Policy.
• Vercel (Hosting): The application is hosted on Vercel's infrastructure.

We do not sell your personal information. We do not share your information with colleges, coaches, or any third party unless you explicitly initiate contact (for example, by sending an email to a coach through the platform).

4. Children's Privacy

SpikePath is designed for student-athletes ages 13 and older. We take the following measures to protect younger users:

• Users must be at least 13 years old to create an account. Date of birth is collected during registration to verify age.
• Users under 18 must confirm that a parent or guardian has reviewed and approved their use of SpikePath.
• Parents can link their account to their athlete's profile to view recruiting activity via the parent dashboard.
• Parents may request data review or deletion on behalf of their child at any time.
• We do not knowingly collect personal information from children under 13. If we discover that a user is under 13, we will delete their account and data promptly.

5. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law. AI-generated content (cached insights, email drafts, matching results) is deleted along with your account.

6. Your Data Rights

You have the right to:

• Access your personal data and receive a copy of the information we hold.
• Correct inaccurate or incomplete information in your profile.
• Delete your account and all associated data.
• Withdraw consent at any time by deleting your account.

To exercise any of these rights, contact us at support@spikepath.app. Parents or guardians may exercise these rights on behalf of their minor children.

7. Data Security

• All data is encrypted in transit via HTTPS/TLS.
• Database access is protected by row-level security policies, ensuring users can only access their own data.
• Authentication is handled by Supabase Auth with secure session management.
• Passwords are never stored in plain text.

8. Cookies

SpikePath uses essential cookies for authentication and session management (provided by Supabase Auth). We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

9. State Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. As stated above, we do not sell personal information. Residents of other states with privacy laws (Virginia, Colorado, Connecticut, etc.) may have similar rights. Contact us to exercise them.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or an in-app notice. The “Effective” date at the top of this page indicates the most recent revision.

11. Contact

Questions or concerns about your privacy? Contact us at support@spikepath.app.