Privacy Policy

Last updated: April 27, 2026

1. Overview

RosterRec (“the Service”), operated by BearForge LLC (“BearForge”, “we”, “us”, “our”), is committed to protecting the privacy of our users, especially children. This Privacy Policy describes what data we collect, how we use it, how we protect it, and your rights.

By using the Service, you agree to the practices described in this Privacy Policy. This policy applies to the RosterRec platform at rosterrec.com and all related services.

2. Information We Collect

Personal Information (Adults)

We collect information you provide when registering for an account or using the Service:

  • Full name and display name
  • Email address (used for login and notifications)
  • Phone number (optional, used for SMS notifications)
  • Password (stored as a one-way bcrypt hash — we cannot see or recover your password)
  • Job title and role within an organization (for staff members)
  • Notification and language preferences

Student and Player Information (Minors)

Information about children is entered by parents, guardians, coaches, or authorized school personnel — never by the children themselves:

  • First and last name
  • Date of birth (optional)
  • Jersey number and shirt size (sports context)
  • Playing positions and game statistics
  • Grade level and classroom assignment (school context)
  • Profile photo (optional, uploaded by a parent or coach)
  • Parent/guardian notes (e.g., allergies, special needs)

Organization and Team Data

  • Organization, school, and team names, logos, colors, and settings
  • Game schedules, locations, and results
  • Chat messages, wall posts, and photo comments
  • Broadcasts and announcements
  • Practice plans, lineup assignments, and bench time tracking
  • Digital form responses and electronic signatures

Automatically Collected Information

  • IP address (for rate limiting, security, and ESIGN compliance)
  • Browser type and user agent (for ESIGN audit trail)
  • Login timestamps and session information

3. How We Use Your Data

  • Provide the Service: Display rosters, schedules, lineups, photos, messages, forms, and other features to authorized users
  • Team and Classroom Management: Generate lineup suggestions, track bench time for fairness, manage classroom communications
  • Communication: Send transactional emails and SMS (password resets, welcome emails, form notifications, broadcast announcements, wall post alerts, snack reminders)
  • Electronic Signatures: Process and store ESIGN-compliant electronic signatures with audit trail (typed name, timestamp, IP address, document hash)
  • Compliance: Maintain audit logs, message archives, and signature records for school district compliance requirements
  • Security: Rate limiting, abuse prevention, and fraud detection
  • Improvement: Understand usage patterns to improve the Service (using only aggregated, de-identified data)

We do NOT:

  • Sell your data to third parties — ever
  • Use your data for advertising or behavioral targeting
  • Share student or player data outside of the authorized team or organization
  • Use children’s data for any purpose beyond educational or team management
  • Target advertisements to students or parents based on student data
  • Allow third parties to use data obtained from the Service for advertising

4. Data Access and Sharing

Your data is shared only with authorized members of your team, classroom, or organization:

  • Within your team: Coaches see full roster data. Parents see the roster and their own child’s details. Private messages are visible only to sender and recipient.
  • Within your classroom: Teachers see all members. Parents see classroom posts, signups, and their own messages.
  • Within your organization: Organization administrators can see team and classroom data across their org. School administrators have access to all communications for compliance.
  • Tenant isolation: Data from one organization is never visible to another organization. Data from one team is never visible to another team.
  • Public team pages: If enabled, only basic team info (name, logo) is shown. No player names, contact info, or personal data is displayed publicly.

Third-Party Service Providers

We share data with a limited number of service providers solely to operate the Service:

  • Amazon Web Services (AWS): Server hosting and infrastructure
  • Google Workspace: Transactional email delivery (noreply@rosterrec.com)
  • Twilio: SMS message delivery

These providers process data on our behalf under strict agreements and do not have the right to use your information beyond what is necessary to provide their services to us. No personally identifiable information is shared with any other third parties.

Legal Disclosure

We may disclose information when required by law, valid legal process, or to protect the rights, property, or safety of our users or others.

5. Children’s Privacy and COPPA Compliance

RosterRec is designed for use by adults (parents, guardians, coaches, and school personnel). We take children’s privacy extremely seriously.

  • No child accounts: Children do not create accounts. There is no child-facing interface. All student and player information is entered and managed by adults.
  • No direct collection from children: We do not knowingly collect personal information directly from children under 13 (or any age).
  • School consent: For school-related use, schools and teachers may consent to the collection of student information on behalf of parents for educational purposes, as permitted by the FTC under COPPA.
  • Parental rights: Parents may review, request correction of, or request deletion of their child’s information at any time by contacting their school, coach, or by emailing us.
  • No advertising: We do not use student data for advertising, marketing, or any purpose beyond the stated educational and team management features.
  • Photos: Photos of minors should only be uploaded by parents, guardians, or authorized coaches/teachers. Photos are visible only to authorized team or classroom members.

If you become aware that a child has provided personal information to RosterRec without appropriate consent, please contact us immediately at tyler@rosterrec.com and we will take appropriate action.

6. FERPA Compliance

When used by schools and school districts, RosterRec may process Education Records as defined by the Family Educational Rights and Privacy Act (FERPA). In this context, BearForge LLC acts as a “school official” with a “legitimate educational interest” under the school’s authorization.

  • Education Records are used solely to provide the Service and are never shared with unauthorized third parties
  • Education Records are never sold or used for advertising
  • School and district administrators have access to all communications and data within their organization for compliance purposes
  • Schools may request a complete data export (CSV format) at any time
  • Upon termination of a school agreement, data export is available for 90 days before deletion processing begins

Schools are responsible for complying with FERPA notification requirements and obtaining any necessary parental consent. RosterRec supports this by providing message archiving, audit trails, and data export capabilities.

7. Electronic Signatures

When you sign a document electronically through RosterRec, we collect and permanently retain the following for compliance and audit purposes:

  • Your typed legal name
  • The exact text of the document and acknowledgment you accepted
  • A SHA-256 hash of the document content (proves the document was not altered after signing)
  • Your IP address and browser user agent at the time of signing
  • The date and time of signing
  • Your relationship to the child (if applicable) and your signing authority at the time

Signature records are immutable and cannot be modified or deleted. This is required for compliance with the ESIGN Act and Kansas UETA.

8. Data Security

We implement physical, technical, and administrative safeguards to protect your information:

  • Passwords are hashed using bcrypt (cost factor 12) — we cannot see or recover passwords
  • All data transmitted over HTTPS with TLS encryption
  • Role-based access control enforced server-side on every request
  • Uploaded files processed through a 7-layer security pipeline (extension whitelist, MIME validation, magic bytes verification, size limits, metadata stripping, UUID filenames, scoped directories)
  • User-generated text filtered for profanity before storage
  • Rate limiting on all authentication and sensitive endpoints
  • All admin and coach actions are audit logged with user ID, action, target, and timestamp
  • Server hardened with firewall (UFW), fail2ban, SSH key authentication, and automatic security updates
  • Database backups with point-in-time recovery

No system is perfectly secure. If we discover a security breach affecting your personal information, we will notify affected users and any required authorities as promptly as possible.

9. Data Retention

  • Active accounts: Data is retained while your account is active and the associated team or organization exists.
  • Individual account deletion: Upon request, account data is deleted within 90 days, except for audit logs and any data required by law or district agreements.
  • School and district accounts: Data associated with school district accounts is retained for 7 years per district compliance requirements, unless otherwise specified in the district’s agreement with BearForge LLC. Districts may request a full data export prior to deletion.
  • Message archiving: All messages (team chat, classroom chat, direct messages, broadcasts) use soft delete — messages are hidden from the user interface but retained in the database for compliance and archival purposes.
  • Electronic signatures: Signature records are retained permanently as required for legal compliance.
  • Audit logs: Retained for security and compliance purposes for the duration of the associated organization’s account plus 7 years.

10. Your Rights

You have the right to:

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate information through the app or by contacting us
  • Deletion: Request deletion of your account and associated data (subject to retention requirements)
  • Data Portability: Request your data in a standard format (CSV/JSON)
  • Withdraw Consent: Opt out of optional communications at any time via notification settings or by texting STOP for SMS
  • Restrict Processing: Request that we limit how your data is used

To exercise any of these rights, contact us at tyler@rosterrec.com. We will respond within 30 days.

11. Cookies

We use essential cookies only — specifically a session cookie for authentication (NextAuth.js). We do not use tracking cookies, advertising cookies, or third-party analytics cookies within the application.

Our marketing website (rosterrec.com landing page) uses Google Analytics for understanding visitor traffic. No personally identifiable information is collected through analytics on the marketing site.

12. Notification Preferences

You can control how you receive notifications from RosterRec:

  • Email: Enabled by default. Can be toggled off in notification settings.
  • SMS: Opt-in only. Requires providing a phone number. Text STOP to unsubscribe at any time.
  • Language: Notification templates are available in English and Spanish. You can set your preferred language in notification settings.

Manage your preferences at rosterrec.com/settings or from the settings link in any sidebar.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days in advance via email or in-app notification. The “Last updated” date at the top reflects the most recent revision. Your continued use of the Service after the revised policy becomes effective constitutes acceptance.

14. Contact

For privacy questions, data requests, or concerns:

BearForge LLC
Andover, Kansas
Email: tyler@rosterrec.com
Phone: (316) 416-5234