Privacy Policy
- 01 Who This Policy Covers
- 02 Information We Collect
- 02b Mobile Application Data
- 03 How We Use Information
- 04 Student & Player Data
- 05 How We Share Information
- 06 Data Security
- 07 Data Retention
- 08 Cookies & Tracking
- 09 Your Rights
- 10 FERPA & COPPA
- 11 State-Specific Rights
- 11b AI Subprocessors
- 12 Changes to This Policy
- 13 Contact Us
Who This Policy Covers
This Privacy Policy applies to:
- Coaches and staff who register for and use XCIV.ai accounts
- Organizations (schools, athletic programs, AAU teams) that access the Platform under institutional subscriptions
- Student athletes whose information is entered into the Platform by authorized coaching staff
The Platform is not intended for direct use by students or parents. If you are a student or parent with questions about data entered about a student athlete, please contact your school's athletic department or reach us at zack@xciv.ai.
Information We Collect
We collect information in three ways: information you provide directly, information about student athletes entered by authorized coaches, and limited technical information collected automatically.
Account and coach information:
- Name, email address, and password (hashed)
- School or organization name and role (head coach, assistant, etc.)
- Billing information (processed by our payment provider; we do not store full card numbers)
Player and team data (entered by coaches):
- Player names, jersey numbers, positions, grade levels
- Performance statistics (points, rebounds, assists, etc.)
- Coachability notes and qualitative assessments
- Strengths, weaknesses, and playing style profiles
- AI-generated training program content
- Roster membership and team assignments
Opponent and scouting data (entered by coaches):
- Opponent school names, team tendencies, and set plays
- Opponent player profiles (names, positions, tendencies)
- Scouting session notes and game plan content
Uploaded documents:
- Scouting PDFs, schedule documents, and other files uploaded for AI parsing
- Parsed data extracted from uploaded documents
Technical and usage data (collected automatically):
- IP address, browser type, and device information
- Pages visited, features used, and session duration
- Error logs and performance diagnostics
Mobile Application Data
The XCIV.ai iOS application is part of the Platform and is governed by this Privacy Policy. The mobile application is designed for use by coaches and authorized coaching staff. Players, students, and minors do not log in to the mobile app, and we do not knowingly collect personal data directly from individuals under 13 through any mobile surface.
Information collected via the mobile app:
- Your account information (name, email, organization name) entered at sign-up or login
- Coaching content you create or capture in the app: teams, players, opponents, scouting reports, game plans, practice plans, training programs, voice scouting notes (audio recordings and their transcripts), photos uploaded for parsing, and your coaching style profile
- A server-issued user identifier and a device push token used to deliver notifications
- App version, OS version, and device model collected for diagnostics and push-notification delivery
- Product-interaction events (screen views, app lifecycle) used for first-party analytics
Device permissions:
The iOS application requests the following device permissions only when needed for a specific feature you initiate:
- Camera: Used to scan opponent rosters and box scores, and to capture photos of whiteboards, scouting notes, or printed materials. Captured images are uploaded to XCIV.ai and processed by our AI subprocessor for OCR and structured-data extraction.
- Microphone: Used to record voice scouting notes and to dictate text into long-form fields. Audio is uploaded to XCIV.ai and processed by our AI subprocessor for transcription; the transcript is stored in your account.
- Photo Library: Used to import roster and box-score photos as an alternative to camera capture. Read access only; we do not modify your photo library.
- Notifications: Used to deliver game-day reminders, practice reminders, and alerts when a game plan or scouting report is ready. You may disable at any time in iOS Settings.
Third-party SDKs in the mobile app:
The mobile app includes the following software development kits to support crash diagnostics and first-party product analytics:
- Sentry (Functional Software, Inc., sentry.io) — receives crash reports, performance traces, breadcrumbs, your user ID, and your email address so we can diagnose and fix issues. See Sentry's privacy policy.
- PostHog (PostHog Inc., posthog.com) — receives product-usage analytics, your user ID, and your email address. PostHog operates as our first-party product-analytics processor; it does not track you across other apps or websites and does not use third-party advertising identifiers. See PostHog's privacy policy.
No tracking, no advertising identifiers:
The XCIV.ai mobile app does not track you across other companies' apps or websites. The app does not use the iOS App Tracking Transparency framework because we have no behavior that requires it. The Apple Identifier for Advertisers (IDFA) is not collected. The app contains no advertising SDKs, no behavioral-advertising trackers, and no third-party tracking pixels.
Subprocessors involved in mobile features:
When you use specific mobile features, the following processors may receive related data through our backend:
- Google Cloud (Vertex AI / Gemini): receives voice recordings (for transcription), uploaded photos (for box-score and roster parsing), and scouting-note text (for tag extraction during coaching-style setup). Data is processed and returned to us; we use enterprise endpoints contractually excluded from public-model training. See Section 11b for the full subprocessor disclosure.
- Apple Push Notification Service: receives push payloads and device push tokens for the sole purpose of delivering iOS notifications.
On-device storage:
- Your authentication token, cached user object, push token, and notification preferences are stored in the iOS Keychain (via expo-secure-store). Keychain storage is encrypted by iOS and not accessible to other apps.
- A local cache of recently-accessed API responses is kept in an on-device SQLite database to speed up screen loads. This cache is wiped automatically when you sign out or delete your account.
Account deletion:
You can delete your XCIV.ai account from within the mobile app at Settings → Delete Account. On confirmation:
- Your authentication tokens are revoked immediately. Your account becomes inaccessible from any device on the next request.
- Your personal data is scrambled in our database within minutes — email is randomized, name is replaced with “Deleted User”, and the password hash is removed.
- Full purge of all associated data — teams, players, opponents, scouting reports, game plans, practice plans, training programs — completes within 30 days.
- If you are the sole owner of an organization that still has other coaches on it, the app will prompt you to contact support@xciv.ai to transfer ownership before your deletion can proceed.
This complies with Apple App Store Guideline 5.1.1(v). See Section 09 for additional rights, including request-based deletion via email.
The iOS application is distributed through the Apple App Store. Your download and installation are also subject to Apple's applicable terms; however, your use of XCIV.ai itself is governed by this Privacy Policy and our Terms of Service.
How We Use Information
| Purpose | Information Used | Legal Basis |
|---|---|---|
| Deliver platform features: Game plans, training programs, roster tools | Player data, coach inputs, uploaded documents | Contractual necessity; school authorization |
| Account management: Login, billing, support | Coach account info, billing data | Contractual necessity |
| AI feature operation: Generating scouting reports and training plans | Player profiles, opponent data, coach prompts | Contractual necessity; coach direction |
| Platform improvement: Performance, reliability, bug fixes | Aggregated, anonymized usage data only | Legitimate interest |
| Legal compliance: FERPA obligations, court orders, law enforcement | Relevant data as required | Legal obligation |
| Communications: Product updates, billing notices, security alerts | Coach email and account info | Contractual necessity; legitimate interest |
Student & Player Data
We treat all player information as sensitive — whether or not it technically qualifies as a “student education record” under FERPA. This conservative approach protects students and our partner schools.
What we do with Player Data:
- Store it securely and use it only to deliver the specific Platform features your organization has contracted for
- Keep it completely isolated within your organization — no other school or program can see your players' data
- Retain it only as long as your account is active, or as required by law or your school's data agreement
What we never do with Player Data:
- Sell it, rent it, or share it with advertisers, data brokers, or third-party analytics firms
- Use it to profile, target, or market products to student athletes or their families
- Use it as training data to build AI models for other organizations without explicit consent
- Share it with other schools, coaches, or athletic programs
Coachability notes: These are among the most sensitive data points in the Platform. Coachability notes are visible only to the coach who created them and authorized staff within your organization. We strongly recommend treating these notes as professional coaching records that reflect observable athletic behavior, not personal character assessments.
How We Share Information
We share information only in these limited circumstances:
- Service providers: We use third-party vendors (hosting, payment processing, AI model APIs) that access data solely to provide services on our behalf. All vendors are bound by data processing agreements that prohibit secondary use of your data.
- Legal requirements: We may disclose information if required by a valid court order, subpoena, or applicable law. We will notify affected schools or coaches of any such request when legally permitted to do so.
- Safety: We may disclose information if we believe in good faith that disclosure is necessary to prevent imminent harm to a person.
- Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred. We will notify you and you will have the right to request deletion before any transfer to a new entity takes effect.
- With your consent: We will share data in other circumstances only with your explicit written consent.
We do not share information with: data brokers, advertising networks, analytics companies (other than aggregated usage data), other schools or athletic programs, or any third party for their independent commercial use.
Data Security
We implement technical and organizational measures to protect your data, including:
- Encryption of data in transit (TLS) and at rest
- Multi-tenant data isolation — each organization's data is scoped and inaccessible to others at the database level
- Access controls and authentication requirements for all staff who access Platform infrastructure
- Regular security reviews and vulnerability assessments
- Audit logging for administrative access to production data
Breach notification: In the event of a confirmed data breach affecting your organization's data, we will notify you within 72 hours of discovery. Notification will include the nature of the breach, data affected, and steps we are taking to remediate.
Data Retention
| Data Type | Retention Period | Deletion Process |
|---|---|---|
| Active account data: Player profiles, rosters, game plans | Duration of active subscription | Deleted 90 days after account cancellation |
| Individual player records | Duration of active subscription | Immediate upon coach request; processed within 30 days |
| Billing records | 7 years (tax/legal compliance) | Retained per applicable law |
| Technical logs: Error logs, access logs | 90 days | Automatic rolling deletion |
| Uploaded documents | Duration of active subscription | Deleted with account or on coach request |
Data deletion requests for individual student athletes can be submitted at any time by emailing zack@xciv.ai with the subject line “Data Deletion Request.” We will confirm receipt and complete deletion within 30 days.
Cookies & Tracking
What we use on our public site
XCIV.ai uses cookies and similar tracking technologies on our public marketing pages only — the pages you visit before logging in. We use these tools to understand how visitors find and interact with our site, and to measure whether our advertising is working. The three tools we use are:
- Meta Pixel (Meta Platforms, Inc.) — measures conversions from Meta ad campaigns and builds anonymized audiences for ad targeting.
- Google Analytics 4 (Google LLC) — collects anonymized traffic and usage data to help us improve the site.
- Google Ads Conversion Tracking (Google LLC) — measures whether visitors who click our ads complete actions like signing up or requesting a demo.
These tools may collect your IP address (anonymized), browser type, pages visited, time on page, and referral source.
What we do NOT do in the application
Advertising trackers, behavioral pixels, and third-party analytics tools are completely absent from the authenticated XCIV.ai application. No tracking tags fire on any page that requires a login or that displays student, roster, or coaching data. This is a hard technical rule, not a policy preference.
Platform cookies
We also use a minimal set of cookies necessary to operate the Platform:
- Session cookies: Keep you logged in during your session. Expire when you close your browser.
- Authentication tokens: Secure tokens that maintain your login across sessions. Expire after 30 days of inactivity.
- Preference cookies: Remember settings like display preferences. Optional and deletable.
Your choices
When you first visit XCIV.ai, a cookie consent banner will appear. You may accept all tracking, decline non-essential tracking, or manage your preferences individually. If you decline, only essential cookies required for site functionality will be set. No advertising or analytics tags will fire until you accept.
You may also opt out at any time using these tools:
- Google Analytics: Google Analytics Opt-out Add-on
- Meta advertising: facebook.com/ads/preferences
- Browser settings: blocking session cookies will prevent you from logging in to the Platform.
Cookies we set
| Cookie | Provider | Type | Expires | Purpose |
|---|---|---|---|---|
| _fbp | Meta | Advertising | 90 days | Meta Pixel browser identifier |
| _ga | Google | Analytics | 2 years | Google Analytics client ID |
| _ga_[ID] | Google | Analytics | 2 years | GA4 session state |
| _gcl_aw | Google | Advertising | 90 days | Google Ads click identifier |
| xciv_consent | XCIV LLC | Essential | 365 days | Stores your cookie consent choice |
Your Rights
As a coach or organization using XCIV.ai, you have the following rights regarding your data and the data of student athletes in your care:
To exercise any of these rights, contact us at zack@xciv.ai. We will respond within 30 days. We may need to verify your identity before processing requests involving student data.
Visitors to our public marketing site may update their cookie and tracking preferences at any time by clicking the “Manage Preferences” link in the site footer.
FERPA & COPPA Compliance
FERPA (Family Educational Rights and Privacy Act):
XCIV LLC operates as a “school official” under FERPA when providing services to schools that receive federal funding. This means:
- Schools must execute a written Data Processing Agreement with us designating us as a school official before sharing student data
- We operate under the direct control of the school with respect to student data use
- We use student data only for the purpose specified in the contract — coaching and athletic program management
- We do not re-disclose student data to third parties without school authorization
COPPA (Children's Online Privacy Protection Act):
XCIV.ai treats all data for athletes in grades K–8 as subject to COPPA protections. The Platform is operated as a tool for coaches and authorized organizational staff; we do not knowingly collect personal information directly from children under 13 through any user-facing surface.
Schools: When data about an athlete under 13 is entered by a school employee, that school provides the COPPA-required consent under the “school authorization” framework recognized by the FTC, in conjunction with the Data Processing Agreement executed between XCIV LLC and the school.
AAU and club programs: When data about an athlete under 13 is entered by an AAU or club organization, that organization represents and warrants to XCIV LLC that it has obtained verifiable parental consent (VPC) under COPPA, or that an applicable COPPA exception applies. Organizations bear sole responsibility for obtaining and documenting such consent.
If you believe a child's data has been entered without proper authorization or consent, contact us at zack@xciv.ai and we will delete it within 30 days.
State-Specific Rights
XCIV.ai operates in Kansas and serves schools in Kansas, Nebraska, Colorado, and Oklahoma. Each state has enacted student data privacy laws with specific requirements. We comply with applicable state law in each jurisdiction we operate.
Kansas residents: XCIV LLC is a Kansas limited liability company. We comply with the Kansas Student Data Privacy Act (K.S.A. 72-6314 et seq.), including its restrictions on the sale of student data, requirements for school authorization before collection, and breach notification obligations. This Privacy Policy and our Terms of Service are governed by the laws of the State of Kansas.
Colorado residents: Colorado has enacted comprehensive student data privacy protections. We comply with the Colorado Student Data Transparency and Security Act, including explicit data breach notification requirements and restrictions on secondary use of student data.
Oklahoma residents: We comply with Oklahoma's Student Data Accessibility, Transparency, and Accountability Act, including data localization provisions. Schools in Oklahoma should inquire about our data storage practices for their specific requirements.
California residents: If XCIV.ai expands to serve California schools, all California Consumer Privacy Act (CCPA) rights will apply in full.
If you have questions about your rights under a specific state law, contact us at zack@xciv.ai.
AI Subprocessors
XCIV.ai uses third-party artificial intelligence services to power features such as scouting report generation, training plan creation, and document parsing. We disclose these subprocessors so you understand exactly which third parties may receive data when you use AI features.
| Subprocessor | Purpose | Data Shared | Location |
|---|---|---|---|
| Google LLC | AI scouting, game plan generation, and document parsing | Coach prompts, opponent and player data necessary to fulfill the request, uploaded document content | United States |
We will update this list when we add or remove an AI subprocessor and provide notice to coaches as described in Section 12.
Changes to This Policy
We may update this Privacy Policy as our Platform evolves or applicable laws change. When we make material changes, we will:
- Post the updated policy with a new effective date
- Send email notice to all registered coaches at least 14 days before changes take effect
- For changes that materially affect how we handle Student Data, we will seek affirmative consent from school administrators where required by law
We archive prior versions of this policy. If you would like to review a previous version, contact us.
Contact Us
For privacy questions, data requests, or concerns about how we handle student athlete data:
Privacy inquiries: zack@xciv.ai
Data deletion requests: zack@xciv.ai (subject: “Data Deletion Request”)
Security reports: zack@xciv.ai
Mailing Address: XCIV LLC, 1020 Maize Rd, Colby, KS 67701
We will respond to all privacy inquiries within 30 days.