Privacy Policy

1. Introduction

ChampionLogix ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our student-athlete development and compliance platform.

ChampionLogix uses an API-first, conduit architecture that allows educational institutions to maintain data ownership while providing unified oversight. We do not store Protected Health Information (PHI) unless explicitly agreed upon in a Business Associate Agreement (BAA).

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address
• Name (optional)
• Organization information

2.2 Student-Athlete Data (Metadata Only)

For standard accounts, we store only metadata and non-identifiable information:

• Academic performance metadata (grades, GPA, subject-level data)
• Athletic performance statistics (times, scores, performance metrics)
• Compliance status flags (eligibility, requirements met)
• Wellness status indicators (general status flags, no medical details)
• Progress tracking and goal information

We do NOT store: Protected Health Information (PHI), medical diagnoses, treatment plans, detailed mental health records, or Social Security Numbers for standard accounts.

2.3 Enterprise Accounts and PHI

Enterprise accounts may choose to store PHI with a Business Associate Agreement (BAA). In such cases, PHI is encrypted, stored separately per institution, and subject to full HIPAA compliance procedures. All PHI handling is documented in the BAA.

2.4 Usage Data

We automatically collect information about how you interact with our platform, including pages visited, features used, and time spent on the platform.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our services
• Process transactions and send related information
• Send technical notices, updates, and support messages
• Respond to your comments and questions
• Monitor and analyze usage patterns
• Detect, prevent, and address technical issues

4. Data Security

We implement industry-standard security measures to protect your information, including:

• Encryption in transit (HTTPS/TLS 1.2+)
• Encryption at rest for all data (Cloud SQL automatic encryption)
• Access controls and authentication (role-based access control)
• Regular security audits and monitoring
• HIPAA-grade security architecture
• Audit logging for all sensitive operations
• Private database instances (VPC-secured, no public IP)
• Rate limiting to prevent abuse and DoS attacks

Our API-first architecture allows educational institutions to integrate with existing school systems while maintaining data ownership. Institutions may choose to keep sensitive data in their own systems and connect via encrypted API connections.

5. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

• With your explicit consent
• To comply with legal obligations
• To protect our rights and safety
• With service providers who assist in our operations (under strict confidentiality agreements)

5.1 Third-Party Services

We use the following services that may process your data:

• Google Cloud Platform: Hosting, database, and infrastructure services
• Resend: Email delivery services
• Stripe: Payment processing (payment information is handled by Stripe, not stored by us)
• OpenAI: AI processing (only if you use AI features, and only for non-PHI data)

All third parties are bound by data processing agreements and maintain appropriate security standards.

6. Your Rights

You have the right to:

• Access your personal information
• Correct inaccurate information
• Request deletion of your information
• Opt-out of certain communications
• Export your data
• Request data portability

6.1 Your Rights in Case of Data Breach

In the event of a data breach affecting your information, you have the right to:

• Be notified within 72 hours of discovery
• Receive free credit monitoring (if applicable)
• File a complaint with relevant authorities (HHS for HIPAA, state authorities for state laws)
• Receive detailed information about what data was affected

To exercise these rights, contact us at privacy@championlogix.com

7. Cookies and Tracking

We use cookies and similar technologies to enhance your experience, analyze usage, and assist with authentication. You can control cookies through your browser's settings.

8. Data Retention

We retain your data for as long as your account is active or as needed to provide services. Upon account deletion, we will delete your data within 30 days, except where required by law to retain it longer (e.g., audit logs for compliance purposes).

For Enterprise accounts with PHI storage, data retention is governed by the Business Associate Agreement and applicable HIPAA requirements.

9. Children's Privacy (COPPA Compliance)

Our services are designed for use by educational institutions and their authorized users. When used by schools, student data is collected and managed in accordance with FERPA (Family Educational Rights and Privacy Act) requirements.

COPPA Compliance

We comply with the Children's Online Privacy Protection Act (COPPA), which requires verifiable parental consent before collecting, using, or disclosing personal information from children under 13 years of age.

What Information We Collect from Children Under 13

• Name, date of birth, and contact information
• Academic and athletic performance data
• Health and wellness information (with explicit parental consent)
• School and team participation information

How We Obtain Parental Consent

Before collecting any personal information from a child under 13, we require verifiable parental consent through one of the following methods:

• Email verification: We send a verification link to the parent's email address
• Signed consent form: Parents can sign a consent document through the platform
• Other verifiable methods as required by COPPA

Parental Rights

Parents have the following rights regarding their child's information:

• Review: You can review all personal information we have collected about your child
• Delete: You can request deletion of your child's personal information at any time
• Refuse: You can refuse to permit further collection or use of your child's information
• Revoke: You can revoke your consent at any time

How to Exercise Your Rights

To review, delete, or revoke consent for your child's information, please contact us at:

• Email: privacy@championlogix.com
• Phone: [Your contact number]
• Mail: [Your mailing address]

Data Security

We maintain strict security measures to protect children's information, including:

• Encryption of data in transit and at rest
• Access controls limiting who can view children's information
• Comprehensive audit logging of all access to children's data
• Regular security assessments and updates

Third-Party Disclosure

We do not disclose personal information from children under 13 to third parties without verifiable parental consent, except as required by law or to protect the safety of the child.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

11. Contact Us

If you have questions about this Privacy Policy, please contact us at: