RepRoom Privacy Policy

Last updated: 5/4/2026
Effective date: 5/4/2026

Rep Room LLC ("RepRoom," "we," "us," "our") provides team management software for athletic programs. This Privacy Policy explains what information we collect, how we use it, who we share it with, how long we keep it, and the choices you have.

If you have questions, contact us at privacy@reproom.dev.


1. Who this policy applies to

This policy applies to everyone who uses RepRoom, including:

  • Athletic directors and institution administrators
  • Coaches and team administrators
  • Athletes (including under-13 athletes onboarded through the school-authorized path described in Section 2)
  • Anyone else invited to join a team or institution on RepRoom

RepRoom is organized around institutions. Every account on RepRoom belongs to an institution — which can be a school, college, athletic department, club program, or any program registered through RepRoom by its administrator. Whoever registers an institution becomes its Primary Administrator and is responsible for the institution's use of RepRoom.

The institution controls its data; RepRoom operates the service. For every institution on RepRoom, the institution is the controller of the data its members put into RepRoom. Decisions about what data to collect from members, how long to retain it, who within the institution can see it, and how requests from individuals are handled rest with the institution. RepRoom acts as the institution's service provider — sometimes called a "processor," or, in the school context, a "school official under FERPA." We process data on the institution's behalf and according to the institution's instructions, the terms of our agreement with them, and applicable law.

This Privacy Policy describes how RepRoom handles personal information in our role as service provider. Institutions executing the school-authorized under-13 onboarding path also enter into RepRoom's Data Privacy Agreement (DPA), available at reproom.dev/dpa, which governs the handling of institutional data and includes additional protections for under-13 athletes. If your institution has a separate written agreement with RepRoom (including the DPA, the Student Data Privacy Consortium National Data Privacy Agreement, or another negotiated agreement) that contains different or additional terms, that agreement controls to the extent the two conflict.

Athletes and other members: if you have questions about why a particular piece of data is collected, who within your institution can see it, or how to update or delete it, the first place to ask is your institution. We will assist your institution in responding to those requests.

A note about parents and guardians. RepRoom does not currently offer parent or guardian accounts. For under-13 athletes onboarded through the school-authorized path, parents and guardians may exercise rights regarding their child's information through the child's institution or by contacting us directly, as described in Section 2. We expect to introduce parent and guardian accounts in the future and will update this policy before we do.


2. Age requirements and under-13 athletes

Standard signup is for users age 13 and older. When you create a RepRoom account through our standard signup flow, you must confirm that you are at least 13 years old. We do not knowingly collect personal information from users under 13 through standard signup.

School-authorized onboarding for under-13 athletes. RepRoom offers a separate, school-authorized onboarding path for athletes under 13. This path operates under the school authorization exception of the Children's Online Privacy Protection Act (COPPA), under which a school or institution may consent to the collection of personal information from students under 13 on behalf of their parents, provided the data is used solely for educational purposes authorized by the institution.

How the school-authorized path works.

  • An institution administrator (such as an athletic director) signs RepRoom's Data Privacy Agreement (DPA) — available at reproom.dev/dpa — on behalf of the institution. The DPA authorizes RepRoom to act as a "school official" under the Family Educational Rights and Privacy Act (FERPA) where applicable, and provides the institution's COPPA consent for under-13 athletes.
  • A coach within that institution enables minor onboarding for a specific team in team settings.
  • The coach generates a claim code for each under-13 athlete and provides it to the athlete or their parent or guardian.
  • The athlete (or their parent or guardian) uses the claim code to set a username and password and access the Service. No email address, date of birth, or other contact information is collected from the under-13 user during account creation.

Information collected from under-13 athletes. For under-13 accounts created through the school-authorized path, RepRoom collects only:

  • The athlete's first and last name, provided by the coach
  • A username and password set during claim
  • Athletic content the athlete generates through normal use of the Service (workout logs, attendance check-ins, messages within the team, and similar)
  • Optional athletic profile information the coach or athlete chooses to add (such as jersey number or position)

We do not collect email addresses, phone numbers, dates of birth, photographs, or precise geolocation from under-13 athletes. Optional profile fields available to other users (height, weight, birthday, bio) are disabled for under-13 accounts.

Use of under-13 information. Personal information collected from under-13 athletes is used only to provide the Service to the athlete, their team, and their institution. We do not use under-13 information for marketing, advertising, profiling, behavioral targeting, or to train artificial intelligence or machine learning models. We do not disclose under-13 information except to the subprocessors listed in Section 6, as required by law, or as directed by the institution.

Parent and guardian rights for under-13 athletes. Parents and guardians of under-13 athletes have the right to:

  • Review the personal information RepRoom has collected from their child
  • Request deletion of their child's personal information
  • Refuse further collection or use of their child's personal information

To exercise these rights, contact the child's institution in the first instance. The institution will direct the request to RepRoom and we will respond within 30 days. Parents and guardians may also contact us directly at privacy@reproom.dev; we will verify the request with the institution before fulfilling it.

If a parent or guardian refuses further collection of their child's information, the institution may not be able to provide the child with continued access to the Service.

Verification. Before providing personal information to a parent or guardian who contacts us directly, we will take reasonable steps to verify the identity of the requester, typically by confirming the request with the child's institution.

Users between 13 and the age of majority. Users older than 13 but under the age of majority in their jurisdiction are still considered minors. We encourage parents and guardians to be aware of their child's use of RepRoom and to contact us at privacy@reproom.dev with any questions.

Discovery of unauthorized under-13 accounts. If we learn that we have collected personal information from a user under 13 outside the school-authorized path described above, we will promptly delete the account and the associated personal information. If the report comes from a third party rather than the user or their parent, we may attempt a single confirmation contact before deletion; if we do not receive a response within a reasonable period, we will proceed with deletion.

If you are a parent or guardian and you believe your child under 13 is using RepRoom outside the school-authorized path, please contact us at privacy@reproom.dev and we will take action as described above.


3. Information we collect

We collect information in four ways: information you give us directly, information others provide about you, information generated through your use of RepRoom, and information collected automatically.

Information you provide directly. When you create an account or use RepRoom, you may provide:

  • Account information: your name, email address, phone number (optional), and password (which we store as a bcrypt hash — never in plain text)
  • Your role on RepRoom (institution administrator, coach, or athlete)
  • Athletic profile information: birthday, height, weight, class year, jersey number, position, bio, and similar profile details (most of these are optional, and several are disabled for under-13 accounts as described in Section 2)
  • Content you submit: workouts you log, messages you send, attendance check-ins, and other actions you take in the app
  • Institution information: when you register an institution, the institution's name, type, time zone, and estimated team and athlete counts
  • Billing information: when an institution subscribes, billing contact information and payment method, processed by our payment provider (see Section 6); RepRoom does not store full payment card numbers

Information others provide about you. Because RepRoom is built around teams and institutions, others on your team or institution may add information about you:

  • A coach may record performance stats, attendance, notes, jersey number, position, and similar information about an athlete on their team
  • An institution administrator or coach may invite a user to join an institution or team, which involves submitting that person's name and email
  • A coach may import roster information that includes names, emails, and athletic profile details for athletes joining the team
  • For under-13 athletes, a coach provides the athlete's first and last name when generating a claim code, as described in Section 2

Information generated through your use of RepRoom. As you use RepRoom, the service generates:

  • Workout logs and stat history
  • Attendance records
  • Messages and message thread participation
  • Event check-in tokens (used briefly and then expired)

Information collected automatically. When you use RepRoom, our infrastructure providers (see Section 6) automatically collect technical information needed to operate the service securely:

  • Standard server logs (IP address, user agent, timestamps, request paths)
  • Authentication session cookies issued when you sign in
  • Diagnostic information used to detect and prevent abuse

What we do not collect. We do not use advertising trackers, third-party analytics pixels, or behavioral profiling tools. If we add product analytics in the future, we will update this policy and disclose what we collect before turning it on.


4. How we use information

We use the information described in Section 3 for the following purposes:

To operate RepRoom for you and your institution. We use account, profile, team, and institutional information to authenticate users, display rosters, deliver announcements, schedule and run calendars, log workouts, track attendance, send messages, and provide the other features of the service.

To support institutions. We use institutional information to enable administrators to manage their teams, members, and settings, and to support the institution's oversight responsibilities within RepRoom.

To process payments. We use billing information to set up subscriptions, charge subscription fees, generate receipts, and manage renewals and cancellations through our payment provider.

To send you transactional and account messages. We use email addresses and account information to send messages necessary to operate the service — such as account confirmations, billing notifications, invitations to join an institution or team, password resets, and security alerts. We do not send marketing messages without separate consent. We do not send any messages of any kind directly to under-13 athletes.

To maintain security and prevent abuse. We use account, session, and technical information to authenticate users, enforce rate limits, detect abuse, investigate incidents, and protect users and the service.

To improve RepRoom. We use aggregated and de-identified information to understand how RepRoom is used and to improve the service. Aggregated and de-identified information cannot reasonably be used to identify any individual.

To comply with legal obligations. We use information as necessary to comply with applicable law, respond to lawful requests from public authorities, and enforce our Terms of Service.

Three things we do not do with your information:

  1. We do not sell personal information. We have never sold personal information and we do not share it with third parties for them to use for their own marketing or advertising.

  2. We do not use student or athlete information for advertising. RepRoom does not display advertising in the service, and we do not use student or athlete data — including any data from under-13 athletes — to target ads on or off RepRoom.

  3. We do not use your data to train artificial intelligence or machine learning models. We do not use the personal information of RepRoom users — including coaches, athletes, institutional members, or under-13 athletes — as training data for AI or ML systems, whether developed by RepRoom or by third parties.


5. Visibility within RepRoom

RepRoom is built around teams and institutions, and what you see — and what others can see about you — depends on your role. Understanding this is important.

Coaches. Coaches of a team can see all roster, profile, performance, attendance, message, and announcement content for that team. Athletes who join a team should expect that the coaches of that team will be able to see information they enter into the team's RepRoom workspace.

Athletes. Athletes see content scoped to themselves and to the groups, tags, and positions they belong to within their team. Athletes do not see other athletes' private profile fields or stats unless those have been marked visible to teammates by the athlete or by a coach.

Institution administrators. Institution administrators (such as athletic directors or designated administrators) can access content across all teams within their institution, including messages. This visibility is intentional. It exists to support the institution's oversight, compliance, and safety responsibilities — for example, investigating reports of misconduct, responding to legal requests, or auditing use of the service.

This means: if you use RepRoom messages, you should not treat them as private from your institution's administrators. If you need a private channel for a sensitive conversation, RepRoom is not the right tool.

We disclose this visibility:

  • Here, in this Privacy Policy
  • To users at signup when they join an institution
  • To institutions, whom we encourage to disclose it directly to their members, including the parents and guardians of under-13 athletes

Other RepRoom personnel. A small number of authorized RepRoom personnel may access institutional data when necessary to operate, support, or secure the service — for example, to investigate a reported bug, respond to a support request, or investigate a security incident. Access is limited to what is needed for the specific task, and material access is logged.


6. Who we share information with (subprocessors)

We use a small number of vetted service providers ("subprocessors") to operate RepRoom. We do not share personal information for any other purpose, except as required by law or as described elsewhere in this Policy.

Provider    Purpose
Supabase    PostgreSQL database hosting; the primary store for all application data
Vercel      Application hosting and serverless function execution
Upstash     Redis-based rate limiting and abuse prevention
Resend      Transactional email delivery (account, billing, invitations, notifications)
Stripe      Payment processing and subscription billing

A current and detailed subprocessor list — including the categories of data each subprocessor processes and the regions where they operate — is maintained at reproom.dev/subprocessors.

Notice of changes. When we add a new subprocessor that processes the data of an institutional customer, and the customer's agreement requires advance notice, we will provide notice (typically by email to the institution's designated contact) at least 30 days before the change takes effect, unless a shorter timeline is required for security or legal reasons.

Subprocessor obligations. We require our subprocessors to maintain data protection standards consistent with this Policy and applicable law, and to process personal information only on our instructions and for the purposes we have engaged them.

Other disclosures. In addition to subprocessors, we may disclose information when:

  • Required by law, court order, subpoena, or other valid legal process
  • Necessary to protect the rights, safety, or property of RepRoom, our users, or the public
  • Part of a business transaction such as a merger, acquisition, or sale of assets, in which case we will require the recipient to honor the commitments in this Policy or notify users before the change takes effect

7. International data transfers

RepRoom is operated from the United States. Personal information collected through RepRoom is processed in the United States. Our subprocessors may process data in the United States or in other regions depending on their infrastructure; current locations are listed at reproom.dev/subprocessors.

If you access RepRoom from outside the United States, you understand that your information will be transferred to and processed in the United States, which may have data protection laws that differ from those in your country.


8. Data retention and deletion

We retain personal information only as long as we need it for the purposes described in this Policy, or as required by law.

While your account is active. We retain account, profile, team, and content data for as long as your account is active and your institution is using RepRoom.

When you delete your account. When you request account deletion (from your account settings, or by contacting us), we deactivate your account immediately. You will no longer be able to sign in, your account is removed from active rosters, and your athletic profile (including any height, weight, birthday, and similar personal information you provided) is deactivated alongside your account.

If you are a head coach, the teams you lead and their rosters are deactivated together with your account. If you are the sole Primary Administrator of an institution, you must transfer that role to another administrator before deleting your account, so that the institution does not lose its administrative contact.

Some content you contributed to a team — such as messages you sent, announcements you authored, and stats you recorded — may remain visible in context to other team members for historical and audit purposes, with your name suppressed where the system supports it. We retain this content to preserve the integrity of shared team history and to support institutions' record-keeping obligations.

If you would like your personal information (such as your email address and remaining historical attribution) permanently removed beyond standard deactivation, contact privacy@reproom.dev. We will fulfill verifiable removal requests within 30 days, except where we are required to retain information for legal, accounting, fraud-prevention, or security reasons.

Under-13 athlete deletion. Parents, guardians, or institutions may request immediate deletion of an under-13 athlete's account and personal information by contacting privacy@reproom.dev or by routing the request through the institution. We will permanently delete the under-13 user's account and personal information within 30 days of a verified request, except for content (such as messages sent to teammates) that is retained in shared team history with the athlete's name suppressed.

When an institution leaves RepRoom. When an institution's contract or use of RepRoom ends, we will return or delete the institution's data on the timeline specified in the institution's agreement with us — typically within 30 to 60 days after the end of the relationship. Until that data is deleted, we will not use it for any purpose other than securely storing it pending deletion.

Backups. We retain encrypted daily backups of our database for up to 7 days for disaster recovery, in line with our database provider's backup retention. Deletion requests are honored against active data immediately and against backups when those backups roll off in the normal course.

Logs. We retain security and audit logs for at least 90 days to support investigations, compliance, and abuse prevention. These logs may include personal information such as IP addresses and account identifiers.


9. Your choices and rights

Depending on where you live and your relationship to RepRoom, you may have rights regarding your personal information, including the right to:

  • Access — request a copy of the personal information we hold about you
  • Correct — ask us to fix inaccurate or incomplete information
  • Delete — ask us to delete your account and personal information
  • Portability — receive your information in a structured, machine-readable format
  • Object or restrict — limit how we process your information in certain cases
  • Opt out of "sale" or "sharing" for cross-context behavioral advertising — RepRoom does not sell or share personal information for these purposes

How to exercise your rights.

  • If your access to RepRoom comes through an institution (such as a school, athletic department, or any program registered through RepRoom), your institution is the controller of your data. Direct your access, correction, deletion, or portability requests to your institution in the first instance. We will support the institution in responding to your request and, where required, fulfill the request on the institution's behalf.

  • For RepRoom-managed requests, you can:

    • Delete your account at any time from your account settings
    • Update your profile at any time from your account settings
    • Request a copy of your personal information by emailing privacy@reproom.dev — we are working on a self-service data export and will update this Policy when it is available
    • Email us at privacy@reproom.dev for any other requests

We will respond to verifiable requests within 30 days, or within the timeframe required by applicable law. We may need to verify your identity before responding to certain requests.

FERPA. If you are a student, parent, or guardian of a student whose data is in RepRoom because of a school's use of RepRoom, you have rights under the Family Educational Rights and Privacy Act (FERPA). Direct FERPA requests to your school in the first instance. We will support the school's response.

COPPA — parents and guardians of under-13 athletes. Parents and guardians of under-13 athletes onboarded through the school-authorized path have the rights described in Section 2, including the right to review their child's personal information, request its deletion, and refuse further collection or use. Direct these requests to the child's institution or to privacy@reproom.dev.

California residents. California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know, delete, correct, and limit the use and disclosure of sensitive personal information. We do not sell or share personal information for cross-context behavioral advertising. To exercise these rights, contact privacy@reproom.dev.

Other states. Residents of other states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, and others) have similar rights. To exercise them, contact privacy@reproom.dev.

No retaliation. We will not deny you service, charge you a different price, or provide a different level of quality because you exercised your privacy rights.


10. Security

We use industry-standard practices to protect personal information, including:

  • Encryption in transit for all connections to RepRoom (TLS)
  • Encryption at rest for our database, provided by our database host
  • Password hashing using bcrypt — passwords are never stored in plain text
  • Role-based access control enforced at multiple layers of the application
  • Rate limiting on sensitive endpoints to prevent abuse
  • Audit logging of sensitive actions, retained for at least 90 days
  • Limited internal access to production data, restricted to authorized personnel for specific purposes such as support and incident response

A more detailed description of our security practices, including our subprocessors, hosting regions, incident response process, and vulnerability reporting, is available at reproom.dev/security.

Incident response. If we discover a security incident affecting your personal information, we will notify affected institutional customers within 72 hours of confirming the incident, and we will notify affected individual users on a timeline consistent with applicable law and our contractual obligations. We will provide a summary of root cause, scope, and remediation.

No system is perfectly secure, and we cannot guarantee absolute security. If you discover a vulnerability, please report it to security@reproom.dev.


11. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our service, or applicable law. When we do:

  • We will post the updated Policy at this URL with a new "Last updated" date
  • For material changes — such as changes to the categories of information we collect, how we use it, who we share it with, or the rights available to you — we will provide reasonable advance notice (typically by email to account holders or by in-app notice) at least 30 days before the change takes effect, unless a shorter timeline is required by law or to address a security or legal risk
  • For non-material changes — such as clarifications, formatting, or contact information updates — we will simply post the updated Policy and update the "Last updated" date

If you continue to use RepRoom after a change takes effect, your continued use is subject to the updated Policy. If you do not agree to the change, you may delete your account.


12. Contact

If you have questions about this Policy, or if you would like to exercise any of the rights described above, contact us:

Rep Room LLC
320 N Putnam St, Bennington, Kansas 67422

Email: privacy@reproom.dev

For security issues, contact security@reproom.dev.

For questions about our Terms of Service or other legal matters, contact legal@reproom.dev.