1. Introduction
Parallax Ventures LLC ("Company," "we," "us") operates METTLE Arena ("Service"), a gamified athlete performance platform. This Privacy Policy explains how we collect, use, share, and protect your information — with special attention to the data of minor athletes.
We comply with the Children's Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA), the Florida Information Protection Act (FIPA), and other applicable data protection laws.
2. Information We Collect
2a. Organization & Coach Data
- Organization name, sport type, and configuration preferences
- Coach/administrator name, email address, and role
- Billing information (processed and stored by Stripe — we do not store payment card numbers)
- Authentication credentials (managed by Firebase Authentication)
2b. Athlete Data
- Name, age or grade level, and team/group assignment
- Athletic performance data (meet results, times, events, rankings)
- Attendance records and check-in data
- Profile information entered by coaches or parents
2c. Data We Do NOT Collect From Athletes Under 13
- Email addresses
- Phone numbers
- Social media accounts or handles
- Precise geolocation data
- Photos or video (unless uploaded by a coach or parent)
- Behavioral or advertising tracking data
2d. Automatically Collected Data
- Device type and browser information
- IP address (used for security and abuse prevention only — not stored long-term)
- Pages visited and features used (aggregated analytics only)
- Push notification subscription tokens (with user consent)
3. How We Use Your Information
- Service operation: Tracking meet results, managing rosters, powering dashboards, and delivering notifications.
- Account management: Authentication, billing, organization administration.
- Communication: Transactional emails (welcome, receipts, invitations). We do not send marketing emails to athletes or parents without consent.
- Security: Detecting unauthorized access, preventing abuse, maintaining audit logs.
- Service improvement: Aggregated, anonymized usage analytics to improve features. No individual athlete data is used for this purpose.
4. Children's Privacy (COPPA Compliance)
METTLE Arena takes the privacy of children under 13 seriously and complies with the Children's Online Privacy Protection Act (COPPA). Below is a precise description of how the system enforces this — what the code does, not what it promises.
How verifiable parental consent works on METTLE
- Age gate at sign-in. When a child whose roster age is 12 or under signs into the athlete portal for the first time, the onboarding flow stops at a parent-consent step. No USA Swimming ID, performance data, journal entries, or other data is collected past this point until consent is granted.
- Email verification. The child enters their parent or guardian's email address. METTLE sends an email to that address containing a unique verification link. Only the parent's email is recorded at this point — no data about the child has been collected yet.
- Single-use link, 24-hour expiry. The verification link is single-use and expires 24 hours after sending. If the parent doesn't click within that window, the child can request a fresh link (rate-limited to three requests per hour per child to prevent inbox spam).
- Audit trail recorded at acceptance. When the parent clicks the link, METTLE records: the parent email, the timestamp of acceptance, the IP address the click came from, the user agent (browser type), and the version of this Privacy Policy in effect at the time. This record is the legal basis for the consent and is preserved indefinitely (audit-only, never deleted) unless the parent revokes.
- Onboarding continues only after grant. Until the consent record exists with status "granted", the athlete portal blocks all data collection and writes for that athlete. The child sees a waiting screen that auto-advances when the parent confirms.
What we collect about a child once consent is granted
- Name, age, and gender (already on the team roster supplied by your organization)
- USA Swimming ID, if the athlete has one
- Practice attendance, XP, streaks, journal entries, and best times that the athlete or coach enters
- Device-local preferences (theme, last-viewed tab) — never transmitted off-device
We do not collect: precise location, contact lists, biometrics, photos taken inside our app, browsing history, or any data from third-party advertising / tracking pixels. We do not run any third-party analytics on pages where children's data is shown.
Parental rights and revocation
- Review. Sign in to the parent portal at /parent to review every category of data we have about your child.
- Revoke consent. One-click revocation from the parent portal at any time. Revocation flips the consent record's status to "revoked" (audit preserved with reason + timestamp + revoker), blocks all further data collection for the child, and queues the child's data for deletion under the schedule below.
- Deletion timeline. Once consent is revoked or the child leaves the organization, athlete profile data is soft-deleted immediately (hidden from the app) and permanently purged from primary stores within 30 days. Backup tapes follow the standard 90-day retention. Audit records of who consented when are retained indefinitely as required by 16 CFR § 312.5(c).
- Email contact. For revocation, deletion, or any other parental request, email privacy@mettlearena.com with subject line "COPPA Request — <child's full name>". We respond within 5 business days.
Other safeguards
- No advertising. Children's data is never used for advertising, ad targeting, or sold to any third party for any purpose.
- No behavioral tracking. No cookies, pixels, or tracking technologies build behavioral profiles of minors.
- No public exposure. Cross-club leaderboards are opt-in only, and the opt-in is gated behind both parental consent and an explicit per-feature toggle.
5. How We Share Information
We share data only in these limited circumstances:
- Within your organization: Coaches and administrators within the same organization can view athlete data for their teams.
- Service providers: We use trusted third parties to operate the Service:
- Firebase (Google) — authentication and database
- Stripe — payment processing
- Resend — transactional email delivery
- Vercel — hosting and deployment
- Legal obligations: We may disclose data when required by law, court order, or government request.
- Business transfers: In the event of a merger, acquisition, or sale of assets, your data may transfer to the successor entity, subject to the same privacy protections.
We do NOT sell personal information. We do NOT share data with advertisers. We do NOT allow third-party tracking on our platform.
6. Data Security
- All data is encrypted in transit (TLS 1.2+) and at rest.
- Authentication is managed by Firebase Authentication with secure session handling.
- Organization data is scoped — one organization cannot access another's data.
- Access to production systems is limited to authorized personnel with multi-factor authentication.
- We maintain audit logs of data access and administrative actions.
- Security rules enforce server-side access only for sensitive collections (no direct client-side database reads).
7. Data Retention & Deletion
- Active accounts: Data is retained for the duration of the subscription.
- Cancelled accounts: Organization data is retained for 90 days after cancellation for recovery purposes, then permanently deleted.
- Legal holds: Data subject to a legal hold will be preserved until the hold is released.
- Data export: Organizations may request a full data export at any time.
- Individual deletion: Individual athlete records can be deleted upon request from the organization administrator or parent/guardian.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you or your child
- Correct inaccurate data
- Request deletion of your data
- Export your data in a portable format
- Opt out of non-essential communications
- Withdraw consent for data processing (where consent is the legal basis)
To exercise any of these rights, contact privacy@mettlearena.com. We will respond within 30 days.
9. California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the CCPA and CPRA:
- Right to Know: What personal information we collect, use, disclose, and sell
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate personal information we hold about you
- Right to Opt Out of Sale: We do not sell personal information. We do not share personal information for cross-context behavioral advertising
- Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of sensitive personal information (such as minor athlete data) to only what is necessary to provide the Service
- Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights
To exercise any right, contact privacy@mettlearena.com. We will verify your identity and respond within 45 days. You may also designate an authorized agent to make a request on your behalf.
10. Data Breach Notification (FIPA Compliance)
In the event of a security breach affecting your personal information, we will:
- Notify affected individuals within 30 days of discovering the breach, as required by the Florida Information Protection Act (FIPA)
- Provide a description of the breach, the types of data involved, and steps we are taking to address it
- Notify the Florida Department of Legal Affairs if the breach affects 500 or more individuals
- Offer identity protection services if the breach involves sensitive personal information
11. Cookies & Tracking
We use only essential cookies required for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics that identify individual users. Aggregated, anonymous usage data may be collected for Service improvement.
12. Sub-Processors
We use the following sub-processors to operate the Service:
| Provider | Purpose | Data Processed |
|---|---|---|
| Firebase (Google) | Authentication, database | User credentials, org data, athlete records |
| Stripe | Payment processing | Billing info, subscription status |
| Resend | Transactional email | Email addresses, message content |
| Vercel | Hosting, CDN | Request logs, IP addresses |
| Upstash (Redis) | Caching, rate limiting | Session tokens, org slugs |
We will notify organizational customers at least 30 days before adding a new sub-processor. You may object by contacting privacy@mettlearena.com.
13. Third-Party Links
The Service may contain links to third-party websites (e.g., Stripe for billing management). We are not responsible for the privacy practices of external sites. We encourage you to review the privacy policies of any third-party services you interact with.
14. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email or a prominent notice within the Service at least 30 days in advance. The "Last Updated" date at the top reflects the most recent revision.
15. Do Not Sell or Share My Personal Information
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. No action is required on your part, but if you have questions, contact privacy@mettlearena.com.
16. Contact Us
For privacy questions, data requests, or COPPA-related inquiries:
Parallax Ventures LLC
Fort Lauderdale, FL
privacy@mettlearena.com
For urgent privacy concerns involving children's data, please include "COPPA URGENT" in your email subject line for priority handling.