Privacy Policy
Effective date: April 27, 2026
Last updated: April 27, 2026
This Privacy Policy describes how CommitBound LLC, a Colorado limited liability company ("CommitBound", "we", "us", or "our") collects, uses, and shares personal information when you use our website at commitbound.com, our mobile apps, and related services (collectively, the "Service").
We wrote this in plain English. If something is unclear, email us at privacy@commitbound.com.
1. Quick summary
- We collect the information you give us (account data, profile, recruiting activity) plus a small amount of technical data needed to run the Service.
- We use it to provide and improve CommitBound, send you notifications you opted into, and process payments through Stripe.
- We do not sell your data. We do not run third-party ad tracking.
- You can export, correct, or delete your data at any time by emailing us or using in-app controls where available.
- CommitBound is designed for high school athletes aged 13 and older. We do not knowingly collect data from children under 13.
2. Information we collect
Information you provide
- Account: email address, name, role (athlete/parent/college coach), high school graduation year.
- Athlete profile: high school, club team, position(s), height, weight, city/state, GPA, test scores, athletic metrics (e.g., pitching velocity, exit velocity), honors, and a bio you write yourself.
- Skill videos and photos: content you upload to your profile or to prove habit completion. You choose what to upload.
- Coach and target school data: schools you add to your target list, coaches you contact, emails you send through our templates, and follow-up notes.
- Payment details: handled by Stripe. We never see or store your full card number. We do see subscription status, the last four digits of your card, and your billing country.
- Family Mode data: if your athlete invites you as a parent (or vice versa), we store the invitation token and the link between your accounts. Parents see an agreed-upon summary of their athlete's activity, nothing more.
- Support messages: if you email us, we keep a record of the conversation so we can help.
Information collected automatically
- Device and technical data: IP address, browser type, operating system, device type, app version, timezone, language.
- Usage data: pages visited, features used, approximate session duration. This is collected through PostHog (analytics) and keyed to a random per-install identifier, never to your email.
- Error reports: when something crashes, Sentry captures a stack trace so we can fix it. We actively scrub personal data (email, tokens) from these reports.
- Push notification tokens: if you enable notifications, we store the device token issued by Apple (APNs) or Google (FCM) so we can deliver the notifications you requested.
- Approximate location (mobile app only, opt-in): if you enable Tournament Mode, we use your phone's location to detect when you arrive at a tournament. We only read your location when the app is in use; we do not track continuous location. You can revoke access anytime in your device settings.
Information from third parties
- Sign in with Google or Apple: if you use these to create an account, we receive your email and name from them. We do not receive your contacts, photos, or other data.
- Email open/click signals: emails you send to coaches through our outreach templates use a tracked link so you can see when a coach opens your email. Coaches see a normal email; we capture the tracked link's open event.
3. How we use information
- To provide, personalize, and improve the Service.
- To calculate your Recruiting Readiness Score, track habit streaks, and surface recommended actions.
- To display your public athlete profile (at commitbound.com/p/[your-token]) when you choose to share that link with coaches.
- To send you the notifications you opted into (habit reminders, weekly digests, coach-response alerts) via email and push.
- To process payments, handle subscriptions, and comply with tax and accounting requirements.
- To detect abuse, enforce our Terms, and protect the safety of our users.
- To power optional AI-assisted features (e.g., a composer that helps you draft coach replies). When you use one, we send relevant context to Google's Gemini API to generate suggestions. Per Google's API terms, that content is not used to train Google's models. You can choose not to use these features.
4. How we share information
We share information only in these cases:
With service providers (sub-processors)
Vendors who help us run the Service. They process data on our behalf and only for the purposes we set.
- Supabase (PostgreSQL database and file storage, US region)
- Vercel (web hosting, edge compute, CDN)
- Stripe (payment processing; their privacy policy: stripe.com/privacy)
- Resend (transactional email delivery: sign-in links, weekly digests, coach-response notifications)
- Upstash (rate-limiting cache; stores only short-lived hashes of IPs and user IDs)
- Sentry (crash reporting; PII is scrubbed before send)
- PostHog (product analytics; keyed to a random per-install identifier, not email)
- Google (Gemini API, only for optional AI-assisted features you invoke)
- Apple (APNs, for push notification delivery on iOS)
- Google Firebase (FCM, for push notification delivery on Android)
- Cloudflare / Google Maps (map tiles and geocoding lookups; your IP address is visible to them when tiles load)
When you choose to share
When you share your public profile link with a coach, that coach (and anyone they forward the link to) can see the information on your public profile. You control what appears there.
With your linked family members
If you link an athlete account to a parent account (Family Mode), the parent can see a summary of the athlete's recruiting activity: score, streaks, target schools, upcoming tournaments, and outreach status. The parent does not see the content of your emails to coaches or messages from coaches. Either party can unlink the accounts at any time.
For legal reasons
We may disclose information if required by law, subpoena, or court order, or if we believe disclosure is necessary to protect the rights, property, or safety of CommitBound, our users, or the public. If a legal request targets your data and we're allowed to tell you, we will.
In a business transfer
If CommitBound is acquired, merged, or sold, your information may be transferred to the new owner, subject to the terms of this policy.
We do not:
- Sell your personal information.
- Share your profile data with colleges or coaches without you sharing it first.
- Use advertising cookies or third-party ad networks.
- Build marketing profiles based on your activity.
5. Cookies and similar technologies
We use a small number of cookies and similar tools to make the Service work:
- Essential session cookie (authentication). You can't sign in without it.
- Preferences cookie (remembers UI preferences like light/dark mode if applicable).
- PostHog analytics: keyed to a random per-install identifier, not to your email. You can opt out in Settings (or via browser Do Not Track signals, which we honor).
We do not use third-party advertising cookies, retargeting pixels, or similar tracking.
6. Data retention
- Active accounts: we keep your data as long as your account is active.
- Account deletion: when you request deletion, we soft-delete your account immediately and hard-delete all personal data (including uploaded videos and photos) within 30 days.
- Payment records: Stripe retains billing history per their retention policies (typically at least 7 years for tax/audit compliance).
- Anonymized analytics: aggregate, non-identifying data (e.g., "X% of users completed at least one habit in week 2") may be retained indefinitely to help us improve the Service.
- Backups: encrypted backups are retained for up to 30 days before being overwritten, per our hosting provider's policy.
7. Your rights and choices
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data (most fields are self-editable in the app).
- Delete your account and all associated personal data.
- Export your data in a portable format (JSON or CSV on request).
- Opt out of marketing communications by clicking the unsubscribe link in any marketing email. You cannot opt out of transactional emails (sign-in links, billing receipts) without closing your account.
- Opt out of push notifications in your device settings or in-app settings.
- Revoke location permission in your device settings. Tournament Mode will then require manual activation.
To exercise any of these rights, email privacy@commitbound.com. We respond within 30 days.
California residents (CCPA / CPRA)
California residents have additional rights under the California Consumer Privacy Act and California Privacy Rights Act: the right to know what personal information we collect, sell, or share (we do not sell or share personal information for cross-context behavioral advertising); the right to correct inaccurate information; the right to delete; the right to limit the use of sensitive personal information; and the right to non-discrimination for exercising these rights. Exercise any of these by emailing privacy@commitbound.com.
EU / UK / EEA residents (GDPR / UK GDPR)
If you are in the European Economic Area, the UK, or Switzerland, you have rights under the GDPR (and UK GDPR) including access, rectification, erasure, restriction, portability, and objection. We process your data under these legal bases: performance of a contract (providing the Service to you), legitimate interests (securing the Service, improving features), and consent (for marketing and optional analytics). You have the right to withdraw consent at any time and to lodge a complaint with your local supervisory authority. The data controller is CommitBound LLC, a Colorado limited liability company (contact details below).
8. Data security
- All traffic is encrypted in transit via TLS.
- Data at rest in our database is encrypted per our hosting provider's standard encryption.
- Mobile app auth tokens are stored in the iOS Keychain or Android Keystore (not plain storage).
- Access to production data is restricted to necessary personnel, authenticated via SSO with multi-factor authentication.
- We audit third-party dependencies regularly and follow OWASP guidelines for API security.
No system is perfectly secure. If we learn of a breach affecting your personal data, we will notify you and relevant regulators within the timeframes required by law.
9. Children's privacy
CommitBound is intended for student-athletes aged 13 and older. We do not knowingly collect personal information from children under 13. If you are under 13, please do not create an account or submit any personal information.
If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information as quickly as possible. If you believe a child under 13 has provided us with personal information, email privacy@commitbound.com and we will investigate and delete it.
For users aged 13 to 17, we strongly recommend that a parent or guardian review this policy, our Terms of Service, and any app-wide features (such as Family Mode) before the user signs up.
10. International users and data transfers
CommitBound operates from the United States and stores data in the US. If you access the Service from outside the US, your data will be transferred to and processed in the US. For transfers from the EU/EEA or UK, we rely on Standard Contractual Clauses or the EU-U.S. Data Privacy Framework where applicable.
11. Third-party links
The Service may contain links to third-party sites (e.g., a college program's website). We're not responsible for those sites' privacy practices. Check their privacy policies before providing information.
12. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date above reflects the most recent revision. For material changes, we will notify you via email and via an in-app banner at least 14 days before the change takes effect. If you don't agree with the changes, you can delete your account before they take effect.
13. Contact
Questions, requests, or complaints about privacy? Email privacy@commitbound.com.
For general support, email support@commitbound.com.