GuardNILLegal

Last updated: 2026-05-19 · Designated security personnel: Galen Oakes — privacy@guardnilu.com

Privacy Policy

Effective date: 2026-05-08 · Version 1.0

1. What We Collect

Account Information

  • Email address, full name, role (parent / athlete / coach)
  • Password (hashed by Supabase Auth — never stored in plaintext)
  • US state of residence

Athlete Profile

  • Date of birth (required for COPPA age determination)
  • Gender (optional; used only to choose pronouns for personalized messages — you may decline)
  • School or organization name (not collected for athletes under 13)
  • Team affiliation
  • Academic records (GPA, grades) entered by parent or coach
  • Athletic performance stats entered by coach
  • XP, streaks, achievements, and daily recovery logs
  • Education module progress

Financial Information

  • Wallet balance and transaction history (internal ledger)
  • Bank account details (held by Stripe, Inc. — not stored on GuardNIL servers)
  • Payment approval history
  • Savings goals and allocations

Content

  • Social post drafts and published content
  • Encouragement messages between parent and athlete
  • Study Hall AI conversation history
  • Trip itineraries and schedule events

2. How We Collect It

For athletes under 13, all information is entered by the parent or guardian on the athlete's behalf. Direct login is not available to athletes under 13. For athletes 13 and older, information may be entered by the athlete directly, subject to parental oversight.

Coaches enter performance and schedule data for athletes on their roster. Parents review and approve all payment-related data.

3. How We Use It

  • Operate the GuardNIL platform and process allowance payments
  • Calculate incentive completions and payment eligibility
  • Generate AI-assisted encouragement messages (parent-reviewed)
  • Provide the Study Hall AI tutoring feature
  • Deliver email notifications and push alerts
  • Maintain audit records required by COPPA and financial regulations
  • Improve platform features through first-party product analytics. We record two kinds of analytics events:
    • Page events — anonymous visitor ID, device fingerprint, user agent, country and city (derived from your IP at request time and stored as text; we do not store the raw IP address), page URL, referrer, navigation path (previous page), UTM campaign parameters, and interaction metadata (scroll depth, dwell time, focus/blur, page exits, heartbeats, outbound clicks).
    • Form interaction events — for forms on the site (e.g. the waitlist wizard), we record which fields were completed and which were abandoned before the visitor left the page, time spent on the form, and basic device classification (device type, browser, OS).
    • Session activity — for signed-in users, GuardNIL records session start time, last-active timestamp, and total session duration for product analytics. No content or keystrokes are captured.
    For signed-in users, PostHog also receives your account ID so product usage can be attributed to your session. We do not sell or share this data with third-party advertisers.

4. Third-Party Processors

ProcessorPurposeData Shared
Stripe, Inc.Payment processing, bank account linkingParent billing info, payout bank details
Plaid, Inc.Bank account verificationBank account numbers (via Plaid Link)
Anthropic, PBCAI features (Study Hall, encouragement drafts, itineraries)Message content (no PII in prompts by design)
Google LLCAI features (alternate provider)Message content (no PII in prompts by design)
Resend, Inc.Transactional email deliveryEmail addresses, notification content
AyrshareSocial media posting on athlete's behalfSocial post content, connected account tokens
Inngest, Inc.Background job orchestrationEvent payloads (anonymized IDs, no raw PII)
Supabase, Inc.Database hosting, authenticationAll platform data (encrypted at rest)
PostHog, Inc.Product analytics (us.i.posthog.com)Pageviews, UTM params, account ID for signed-in users, device info
Braintied tracker (self-hosted)First-party page-event and form-interaction analytics (data stored in our Supabase)Anonymous visitor ID, device fingerprint, user agent, country/city, page URL, referrer, previous page, UTM parameters, scroll/dwell, outbound clicks; for forms: completed/abandoned field names, time on form, device type / browser / OS

5. Data Retention

  • Account data: retained while subscription is active + 30 days after cancellation
  • Parental consent records: retained for 3 years (COPPA requirement)
  • Financial transaction records: retained for 7 years (IRS requirement)
  • Audit log: retained for 3 years
  • Analytics events (gn_page_events, gn_form_abandonment_events): automatically deleted 90 days after collection by a nightly retention job
  • Deleted athlete data: soft-deleted immediately, hard-deleted after 30 days (consent records and financial records retained per above)

6. Parental Rights

Parents and guardians have the right to:

  • Access: Review all personal information collected about their child
  • Review: Obtain a copy of data collected about their child
  • Delete: Request deletion of their child's account and associated data
  • Revoke consent: Withdraw consent for data collection at any time (note: this will prevent use of the platform)
  • Correct: Update inaccurate information

To exercise these rights, email privacy@guardnilu.com.

7. Designated Security Personnel

GuardNIL's designated security and privacy contact is Galen Oakes. All privacy inquiries, data requests, and security concerns should be directed to privacy@guardnilu.com.

8. Security Measures

  • All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Row-level security (RLS) enforced on every database table
  • Service-role keys never exposed to the browser
  • Stripe handles all payment card data (PCI DSS compliant)
  • Append-only audit log with no UPDATE or DELETE policies
  • AI content classifier screens all AI-generated content before delivery

9. COPPA Safe Harbor Status

GuardNIL is currently evaluating enrollment in a COPPA Safe Harbor program (kidSAFE or ESRB Privacy Certified). Until enrollment is complete, we operate under direct COPPA compliance. Enrollment is targeted for Q3 2026.

10. California Residents — AADC, CCPA, and CPRA

California residents have additional rights under the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the California Age Appropriate Design Code (AADC):

  • Right to know what personal information is collected, used, and shared
  • Right to delete personal information
  • Right to opt out of the sale or sharing of personal information
  • Right to non-discrimination for exercising privacy rights
  • For minors aged 13–15: explicit opt-in required before any data sharing for advertising purposes

To exercise your "Do Not Sell or Share" right, visit Privacy Settings in your dashboard. Note: GuardNIL does not sell personal information to third parties for advertising. The first-party product analytics described in section 3 are operational data used solely to improve the platform; they are not shared with advertisers. To request deletion of analytics data tied to your account, email privacy@guardnilu.com.

11. State-Specific Addenda

Texas (TX SCOPE Act)

Texas residents have additional data minimization rights. GuardNIL applies enhanced data minimization for all Texas accounts.

Florida (FL HB 3)

Florida residents under 14 are blocked from social-platform posting features in compliance with FL HB 3.

New York (NY Child Data Protection Act)

New York residents benefit from additional data minimization requirements. Targeted advertising is prohibited.

Connecticut

Targeted advertising to minors is prohibited for Connecticut residents.

Illinois (IL BIPA)

GuardNIL does not collect biometric information. The biometric collection flag is set to blocked for Illinois accounts.

12. Contact

For privacy inquiries, data requests, or to report a privacy concern:

  • Email: privacy@guardnilu.com
  • Designated Contact: Galen Oakes
  • Response time: within 45 days as required by COPPA