This Privacy Policy explains how CSM Inc., a Michigan corporation ("CSM," "we," "us," "our," or "ParentEdge"), collects, uses, shares, and safeguards information when you use parentedge.com and our services (the "Service").

By using the Service, you acknowledge that you have read this Privacy Policy. If you do not agree, do not use the Service.

1. Information We Collect

1.1 Information You Provide

Account information. When you sign up, we collect your email address and a password (stored using industry-standard secure hashing by our authentication provider, Supabase). If you choose to sign in with Google, we receive your email address and basic profile information from Google.
Athlete information. You voluntarily provide information about up to four minor athletes in your legal care. For each athlete you may share: name, birthday, gender, height, weight, school, social handles, and personality observations. For each sport the athlete plays (up to three per athlete): sport, position, experience level, jersey number, team and coach names, season status and schedule, goals, and model athletes. You may also record date-anchored events (games, practices, tournaments) and injury observations. The Athlete does not create their own account and does not directly interact with the Service.
Conversational input and observations. Messages and observations you submit through the chat interface or voice input, including notes about practices, games, behaviors, and developmental moments. After each exchange, the Service may surface structured profile-update proposals — short suggestions to capture something you mentioned (e.g., a new goal, a change in season phase). Proposals are saved only when you accept them; the original suggestion record includes a brief rationale that may quote your words.
Generated content. AI-generated outputs (practice plans, coaching notes, summaries, drill recommendations, Athlete Cards, etc.) produced on your behalf, including PDF copies if you generate them, and cached share images if you enable public sharing.
Profile assets. Optional uploaded images such as athlete avatars and team logos.
Account-level preferences. Your first name, timezone, and which athlete + sport you most recently viewed.
Payment information. When you subscribe, our payment processor (Stripe, Inc.) collects and stores your billing details. We do not see or store your full payment card number. We retain a subscription status flag, customer identifier, and billing period information returned by Stripe.
Consent records. When you sign up or accept updated terms, we record the agreement event, the document versions you accepted, the timestamp, your IP address, and your browser user-agent string, for audit purposes.
Communications. If you contact us by email or other channel, we retain those communications and any information you share in them.

1.2 Information Collected Automatically

Usage data. Basic technical information including IP address, browser type, device type, operating system, referring page, and timestamps. We use this for authentication, security, abuse prevention, and rate-limiting.
Cookies and local storage. We use first-party cookies necessary for authentication (keeping you signed in) and HTML local storage for product-state preferences (such as remembering that you dismissed a notice). We do not use third-party advertising trackers, social media pixels, or cross-site tracking.

1.3 Voice Input

If you use the in-chat voice input feature, your spoken audio is transcribed by your browser's built-in speech recognition service. On Chromium-based browsers (Google Chrome, Microsoft Edge, and others), the audio is transmitted by your browser to Google's speech recognition servers for transcription, before the resulting text returns to your device. We do not receive, store, or process the audio itself — we only receive the resulting text after you submit it as a message. Google's processing of audio is governed by Google's own privacy policy.

1.4 Information We Do Not Collect

We do not currently use any third-party web analytics, advertising platforms, social media trackers, or behavioral profiling tools. We do not collect biometric data, precise location data, or financial information beyond what is described above.

2. How We Use Information

We use the information described above to:

Provide, operate, and maintain the Service, including generating AI outputs personalized to the Athlete based on the information you provide;
Authenticate your account and protect against unauthorized access;
Detect, prevent, and respond to abuse, fraud, and other security incidents;
Apply rate limits and ensure fair usage;
Process subscription payments and manage your billing relationship;
Send you transactional communications, such as password reset emails, account notifications, billing receipts, and security alerts;
Respond to your support requests and other inquiries;
Improve the Service in aggregate, non-identifiable ways (for example, by reviewing anonymized usage patterns);
Comply with legal obligations and enforce our Terms.

We do not sell your personal information. We do not use your content to train AI models. We do not share your information with advertisers, data brokers, or other commercial third parties.

3. Who We Share Information With

We share information only with the following categories of service providers and recipients, each of whom is subject to confidentiality and data-protection obligations:

Recipient	Purpose	What is shared
Supabase, Inc.	Database, authentication, and file storage	Account credentials, athlete profile data, observations, generated outputs, uploaded images and PDFs
Anthropic, PBC	AI inference (Claude API) to generate Outputs	System prompt, athlete profile context, recent observations, conversation history, and your current message. Anthropic does not use customer API data to train its models by default under its commercial terms. Inputs and outputs may be retained briefly (typically up to 30 days) for abuse review per Anthropic's policy. Prompt-cache reads are short-lived (5-minute TTL).
Vercel Inc.	Application hosting and content delivery	Request metadata, logs, IP address, user-agent
Stripe, Inc.	Subscription payment processing	Payment information, billing email, transaction details. Stripe retains invoice records under its own legal obligations (typically several years for tax compliance); these are not held by us and remain on Stripe's systems after you delete your account.
Resend, Inc.	Transactional email delivery (password resets, receipts, admin notifications)	Your email address and message content. Short-lived delivery logs auto-expire.
Google LLC	(a) Google OAuth single-sign-on if chosen. (b) Browser-side speech recognition for voice input on Chromium browsers.	(a) Google account email, basic profile. (b) Audio you speak via the voice input feature, transmitted by your browser, not by us.
Law enforcement / legal compliance	To comply with valid legal process or to protect rights, property, or safety	Information as required by applicable law

We do not share your information with advertisers, social networks, data brokers, or other third parties beyond what is described above.

3.1 ParentEdge Staff Access

A short, named list of ParentEdge staff (configured in our deployment environment) can access account data through a private administrative console for the purposes of providing customer support, fulfilling data-rights requests under Section 5, investigating misuse, and meeting legal obligations. Every administrative action is recorded in an internal audit log that captures the staff member's identity, the action taken, and the affected account.

For audit-trail integrity, our administrative-action log retains records of actions taken on accounts even after the account itself is deleted. These retained records do not contain the deleted account's personal information — they reference the original account identifier (which is otherwise meaningless once the account is gone) and the type of action performed.

4. Children's Privacy

The Service is intended exclusively for use by parents and legal guardians who are at least 18 years of age. We do not knowingly collect personal information directly from children under 13. The Athlete whose information you provide does not create an account, does not log in, and does not directly interact with the Service.

You voluntarily provide information about the minor Athlete in your care. By doing so, you represent that you are the parent or legal guardian and have the legal authority to share that information. The Service is designed for athletes ages 6 and older; we ask that you not use the Service to provide information about children under age 6.

Information about minors is treated with the same care as adult personal information and is not shared, sold, or used for marketing purposes. If you believe a child has directly used the Service without parental authorization, or that we have inadvertently collected information directly from a child, please contact privacy@parentedge.com and we will promptly delete the information.

If you are a minor whose information has been shared with the Service by a parent or guardian and you have reached the age of majority (or the age of consent for data processing in your jurisdiction), you may contact us at privacy@parentedge.com to make a data-rights request directly. We will honor such requests after verifying your identity, which typically requires coordinating with the account holder.

5. Your Rights and Choices

Depending on your location, you may have the following rights with respect to your personal information:

Access. Request a copy of the personal information we hold about you.
Correction. Request correction of inaccurate or incomplete information. Most account and profile fields can be edited directly within the Service.
Deletion. Request deletion of your account and associated personal data.
Portability. Request an export of your personal information in a portable, machine-readable format.
Objection or restriction. Object to or request that we restrict certain processing of your information.
Withdraw consent. Withdraw any consent you previously provided, where processing is based on consent.

California (CCPA / CPRA)

California residents have rights including the rights described above, plus the right to know the categories of personal information collected and the categories of third parties with whom we share it, and the right not to be discriminated against for exercising any of these rights. We do not sell or "share" personal information for cross-context behavioral advertising as those terms are defined under California law.

EU / UK / EEA Residents (GDPR / UK-GDPR)

Residents of the European Economic Area, the United Kingdom, or Switzerland have the rights described above. The legal bases on which we process your information are: (a) the performance of our contract with you (providing the Service); (b) compliance with legal obligations; (c) our legitimate interests in operating, securing, and improving the Service; and (d) your consent where applicable. You also have the right to lodge a complaint with a supervisory authority in your country.

How to exercise your rights

For most rights, the fastest path is in-app:

Access & portability. Sign in and use Account → Your data → Download my data. We'll build a ZIP archive of everything we hold for you in a portable, machine-readable format. One download per 24 hours.
Deletion. Sign in and use Account → Danger zone → Delete account. Deletion is immediate and irreversible. We recommend downloading your data first.
Correction. Most fields can be edited directly within the Service.

For any other request, including identity-verified requests from someone who has lost account access, an estranged co-parent, or a successor administrator of a deceased user, email privacy@parentedge.com. We will respond to verifiable requests within 30 days (extendable by an additional 60 days for complex requests, with notice). Your first request is free.

6. Data Retention

We retain your account information, athlete profile data, observations, and generated outputs for as long as your account remains active. Upon account deletion through the in-app flow, deletion is immediate: dependent records (athletes, conversations, generated outputs, events, injuries, goals, profile-update proposals, profile assets, usage logs) are deleted in the same transaction. The Stripe customer record is deleted; invoices remain on Stripe's systems under their own retention obligations (Section 3). Consent records are anonymized in place — the audit timestamp and document versions you accepted are retained, but the rows are no longer linked to an identifiable person.

Backups. Our infrastructure provider (Supabase) maintains point-in-time-recovery snapshots for approximately seven days on our current plan. Deleted data remains accessible in those backups during the retention window. If a backup is ever restored, we re-apply outstanding deletions from our internal deletion log so that account-deletion requests are honored even across recovery events.

Other systems' logs. Our application hosting provider (Vercel) retains function logs for approximately 30 days, after which they auto-expire.

Aggregated or fully anonymized data (e.g., total signups per day, total tokens consumed per call type) may be retained indefinitely. Anonymized consent records and our administrative-action audit log (Section 3.1) are retained as long as necessary to maintain a defensible audit trail.

7. Security

We use commercially reasonable administrative, technical, and physical safeguards to protect your information, including encryption in transit (HTTPS), encryption at rest (provided by our infrastructure partners), access controls, audit logging, and database-level row security to ensure that your data is accessible only to you. No method of transmission or storage is perfectly secure; we cannot guarantee absolute security.

If we become aware of a security incident affecting your personal information, we will notify you and applicable regulators as required by law.

8. International Data Transfers

The Service is operated from the United States, and our principal service providers are located in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, which may have data-protection laws different from those of your country. By using the Service, you consent to this transfer and processing.

Where required, we rely on standard contractual clauses or other approved transfer mechanisms with our sub-processors for cross-border transfers of personal information.

9. Publicly Shared Content (Athlete Card)

The Service allows you to optionally generate a sharable Athlete Card and to enable public sharing of that Card through a publicly accessible URL. Public sharing is off by default and is only enabled when you explicitly opt in through your account settings.

When you enable public sharing of an Athlete Card:

The Card becomes accessible to anyone who has the link, without requiring authentication or registration with the Service;
We instruct search engines not to index the page, but we cannot prevent crawlers, web archives, screenshot/preview services, or downstream parties that ignore those instructions from discovering, copying, or caching the contents;
Link-preview features on social platforms (iMessage, Slack, Discord, Facebook, X, LinkedIn, and others) may fetch and display the public share image — which is generated from the Card content — when the link is sent or posted;
Information contained in the publicly shared Card is no longer protected by the access controls and row-level security described elsewhere in this Policy.

You may disable public sharing at any time through your account settings. When sharing is disabled or the account is deleted, the public URL returns an HTTP 410 Gone response so that compliant crawlers will remove the page from their indexes. This does not retrieve copies that may have been saved, indexed, cached, or otherwise captured by third parties during the time the Card was public.

By enabling public sharing, you voluntarily and knowingly assume the risk of publicly disclosing information about a minor athlete in your care. Before enabling public sharing, you should review the contents of the Card and consider whether you are comfortable with that information being viewable by any member of the public, including individuals you cannot identify. We recommend reviewing the Card text before each share and using the toggle only when there is a specific recipient in mind.

We do not actively promote, index, list, or distribute publicly shared Cards. Any distribution of the share link or its contents is initiated by you or by the recipients of the link.

10. Third-Party Links and Content

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any information.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our practices or for other operational, legal, or regulatory reasons. If we make material changes, we will provide notice by email or through the Service before the changes take effect. The "Last Updated" date at the top of this Policy indicates when it was last revised.

12. Contact

Privacy questions, data-rights requests, or concerns: privacy@parentedge.com

General support: support@parentedge.com

CSM Inc.
State of Michigan, United States