Privacy Policy
Last Updated: December 2, 2025
Effective Date: December 2, 2025
1. Introduction
Welcome to TeamOps ("we," "our," or "us"). TeamOps is a youth hockey team management platform designed to help teams, coaches, parents, and players organize team operations, track medical compliance, manage events, and communicate effectively.
We are committed to protecting the privacy of all our users, especially children. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (collectively, the "Services").
Please read this Privacy Policy carefully. By accessing or using TeamOps, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not access or use our Services.
2. Our Commitment to Security & Compliance
TeamOps maintains rigorous security and privacy standards. We comply with the following frameworks and regulations:
Privacy Regulations
| Regulation | Description |
|---|---|
| HIPAA | Health Insurance Portability and Accountability Act - protecting medical information |
| GDPR | General Data Protection Regulation - EU data protection |
| COPPA | Children's Online Privacy Protection Act - protecting children under 13 |
| PIPEDA | Personal Information Protection and Electronic Documents Act - Canadian privacy law |
| CASL | Canada's Anti-Spam Legislation - electronic communications consent |
Security Standards & Frameworks
TeamOps implements controls aligned with industry standards including:
| Standard | Description |
|---|---|
| SOC 2 Type II | Service Organization Control - security, availability, processing integrity, confidentiality, and privacy (controls implemented, audit planned) |
| NIST CSF | National Institute of Standards and Technology Cybersecurity Framework |
| ISO 27017 | Information security controls for cloud services (controls implemented, audit planned) |
| ISO 27018 | Protection of personally identifiable information (PII) in public clouds (controls implemented, audit planned) |
| OWASP Top 10 | Protection against the most critical web application security risks |
| MASVS | Mobile Application Security Verification Standard |
3. Definitions
- "Personal Information" means information that identifies, relates to, describes, or could reasonably be linked to you or your household.
- "Protected Health Information (PHI)" means individually identifiable health information as defined under HIPAA.
- "Child" or "Children" means individuals under the age of 13 (or applicable age of digital consent in your jurisdiction).
- "Parent" includes legal guardians.
- "Team Administrator" means managers, coaches, or trainers with administrative access to team data.
- "Sensitive Personal Information" includes medical information, health data, and information about children.
4. Information We Collect
4.1 Information You Provide Directly
Account Information:
- Name (first and last)
- Email address
- Date of birth
- Password (encrypted and hashed; we never store plaintext passwords)
Player Profile Information:
- Jersey number
- Position (forward, defense, goalie)
- Skill level
- Location (city, state/province, country)
- Preferred hand
- Profile photo (optional)
Protected Health Information (HIPAA-Protected):
- Blood type
- Health card number and province
- Insurance provider and policy number
- Allergies, medications, and medical conditions
- Emergency contact information (name, relationship, phone)
- Family doctor and dentist information
- Concussion and neurological history
- Vision, hearing, and dental information
- Respiratory and cardiac history
- Medical clearance documents
- Insurance card images
- Injury reports and return-to-play protocols
Team Information:
- Team name, season, and age group
- League affiliation (GTHL, RSEQ, etc.)
- Team logo and colors
- Roster information
Communications:
- Chat messages and attachments
- Announcements
- Support tickets
- Comments and reactions
Event and Attendance Data:
- Event responses (present, absent, no response)
- Game lineups and shift assignments
- Availability status
Operational Data:
- Carpool information
- Budget tracking (no payment processing)
- Coach disclosures and compliance records
4.2 Information Collected Automatically
Device Information:
- Device type (iOS or Android)
- Device identifiers (anonymized)
- Operating system version
- App version
Usage Information:
- Features accessed
- Time spent in the app
- Actions taken (events created, messages sent)
- Error logs (stripped of personally identifiable information)
Push Notification Tokens:
- Device tokens for delivering notifications (stored securely, deleted on logout)
4.3 Information from Third Parties
We may receive information from:
- Team Administrators who add you to a team
- Parents who create accounts for their children
- Integration partners (if applicable)
5. How We Use Your Information
We use the information we collect to:
Provide and Maintain Services:
- Create and manage your account
- Enable team management features
- Facilitate communication between team members
- Track attendance and manage events
- Process injury reports and medical compliance
Safety and Compliance:
- Manage medical records for player safety (HIPAA-compliant)
- Track concussion protocols and return-to-play plans
- Ensure compliance with league requirements (Hockey Canada, GTHL)
- Maintain emergency contact information for player safety
- Support Return-to-Play (RTP) protocols
Communications (CASL-Compliant):
- Send push notifications about team activities (with your consent)
- Deliver announcements and messages
- Respond to support requests
- We do NOT send unsolicited commercial electronic messages
Improve Our Services:
- Analyze usage patterns to enhance features
- Debug and fix technical issues (without exposing PII)
- Develop new features based on user needs
Legal Compliance:
- Comply with applicable laws and regulations
- Respond to legal requests
- Enforce our terms of service
- Report suspected child abuse as required by law
6. Children's Privacy (COPPA Compliance)
TeamOps is designed for youth sports teams, and we take children's privacy extremely seriously.
6.1 Verifiable Parental Consent
We do not knowingly collect personal information from children under 13 without verifiable parental consent.
For users under 13:
- A parent or guardian must create and manage the account
- The child's account is linked to the parent's account
- The child's account remains in "dormant" status with limited functionality until they turn 13
- Parents have full control over their child's data
- We obtain parental consent through the parent's registration and account creation process
6.2 Parental Rights
Parents of children under 13 have the right to:
- Review all personal information collected from their child
- Request deletion of their child's personal information
- Refuse further collection or use of their child's information
- Consent to collection without consenting to disclosure to third parties
To exercise these rights, contact us at: salvatorepapia@proinvest.trade
We will respond to parental requests within 30 days and verify the identity of the requesting parent before disclosing or deleting any child's information.
6.3 Information Collected from Children
When a parent creates an account for a child, we collect only information necessary for team participation:
- Name
- Date of birth (for age-appropriate access controls)
- Jersey number and position
- Medical information (as provided and authorized by parent)
- Attendance records
- Team communications (supervised by Team Administrators)
6.4 How We Protect Children's Information
- Accounts for children under 13 are controlled exclusively by parents
- Children under 13 cannot directly communicate with strangers
- We do NOT use children's information for behavioral advertising
- We do NOT share children's information with third parties for marketing
- All children's data is encrypted at rest and in transit
- Team Administrators are responsible for appropriate supervision of team communications
6.5 Minors Age 13-17
For users between 13 and 17:
- Certain features (like Team Finder) are restricted
- Parents/guardians retain oversight through linked accounts
- Medical information requires parental authorization
6.6 California Minors
California residents under 18 may request removal of publicly posted content. Submit requests to salvatorepapia@proinvest.trade with subject line "California Minor Content Removal."
7. Health Information Protection (HIPAA Compliance)
TeamOps handles Protected Health Information (PHI) in compliance with HIPAA requirements.
7.1 PHI Safeguards
Administrative Safeguards:
- Designated Privacy Officer responsible for HIPAA compliance
- Workforce training on PHI handling
- Access management and authorization procedures
- Incident response procedures for potential breaches
Physical Safeguards:
- Data center security (via Supabase infrastructure)
- Device and media controls
- Facility access controls
Technical Safeguards:
- Encryption at rest (AES-256)
- Encryption in transit (TLS 1.3)
- Access controls and audit logging
- Automatic session timeout (30 minutes of inactivity)
- Unique user identification
- Integrity controls
7.2 PHI Access
Access to PHI is strictly limited to:
- The individual player (or parent for children under 18)
- Team Trainers with legitimate medical oversight responsibilities
- Team Administrators with medical compliance duties
- Healthcare providers as authorized by the user
7.3 PHI Disclosure
We will NOT disclose PHI without authorization except:
- For treatment, payment, or healthcare operations
- As required by law
- For public health activities
- To prevent serious threats to health or safety
- For law enforcement purposes (with appropriate legal process)
7.4 Your HIPAA Rights
You have the right to:
- Access your health records
- Request corrections to your health information
- Receive an accounting of PHI disclosures
- Request restrictions on certain uses
- Receive confidential communications
- File a complaint if you believe your rights have been violated
8. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal information based on:
Contractual Necessity (Article 6(1)(b)):
- Processing necessary to provide our Services
Legitimate Interests (Article 6(1)(f)):
- Improving and securing our Services
- Communicating with users about team activities
- Preventing fraud and abuse
Legal Obligation (Article 6(1)(c)):
- Compliance with applicable laws
Consent (Article 6(1)(a)):
- Marketing communications
- Processing of special category data (health information) under Article 9(2)(a)
- Collection of children's data
Vital Interests (Article 6(1)(d)):
- Emergency medical situations where consent cannot be obtained
9. How We Share Your Information
9.1 Within Your Team
Your information is shared with your team as necessary for team operations:
- Team Administrators (managers, coaches) can view roster information and attendance
- Trainers can access medical information for player safety
- Parents can view their children's information
- Team Members can see basic roster information and team communications
Team Administrators are responsible for the appropriate use and protection of player data within their teams.
9.2 Service Providers
We share information with service providers who help us operate our Services:
| Provider | Purpose | Data Shared | Compliance |
|---|---|---|---|
| Supabase | Database, authentication, storage | All account and team data (encrypted) | SOC 2, GDPR |
| Expo | Push notifications | Device tokens only | Privacy Policy compliant |
| Cloud infrastructure | Data hosting | Encrypted data at rest | ISO 27001 |
All service providers are contractually obligated through Data Processing Agreements (DPAs) to:
- Protect your information
- Use it only for the services they provide to us
- Comply with applicable privacy laws
- Implement appropriate security measures
9.3 Legal Requirements
We may disclose your information if required by law, legal process, or governmental request, or to:
- Protect the safety of any person
- Protect our rights and property
- Investigate potential violations of our terms
- Report suspected child abuse or neglect (mandatory reporter obligations)
9.4 Business Transfers
If TeamOps is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will:
- Notify you before your information is transferred
- Ensure the receiving entity honors this Privacy Policy
- Give you the option to delete your account before transfer
9.5 We Do NOT Sell Your Information
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. Ever.
This applies to all users, including California residents under CCPA. We have not sold personal information in the preceding 12 months and do not intend to do so.
10. Data Retention
We retain your information for as long as necessary to:
- Provide our Services
- Comply with legal obligations
- Resolve disputes
- Enforce our agreements
Retention Periods:
| Data Type | Retention Period | Rationale |
|---|---|---|
| Active accounts | While account is active | Service provision |
| Inactive accounts | 3 years after last activity | Legal compliance |
| Deleted accounts | 30 days after deletion request | Recovery window |
| Medical records | 7 years | Healthcare regulations |
| Injury reports | 7 years | Legal/insurance requirements |
| Concussion records | 10 years | Long-term health tracking |
| Chat messages | 3 years or until deleted | Service provision |
| Audit logs | 7 years | Compliance requirements |
Secure Deletion: When data is deleted, we use secure deletion methods compliant with NIST guidelines to ensure data cannot be recovered.
11. Data Security (SOC 2 / ISO 27017 / ISO 27018 / OWASP / MASVS)
We implement comprehensive security measures aligned with our compliance frameworks:
11.1 Technical Safeguards
Encryption:
- All data encrypted in transit (TLS 1.3)
- All data encrypted at rest (AES-256)
- Database-level encryption via Supabase
- Secure key management
Access Control:
- Row Level Security (RLS) ensuring users only access authorized data
- Role-based access control (RBAC)
- Strong password requirements and session management
- JWT-based session management
- 30-minute inactivity timeout
- Session invalidation on logout
Application Security (OWASP Top 10 / MASVS):
- Protection against SQL injection
- Cross-site scripting (XSS) prevention
- Cross-site request forgery (CSRF) protection
- Secure authentication and session management
- Input validation and sanitization
- Secure file upload handling
- API security and rate limiting
- Regular security assessments and penetration testing
Mobile Security (MASVS):
- Secure local storage (hardware-backed encryption where available)
- Certificate validation via platform security
- Anti-tampering measures
- Secure inter-process communication
- Code protection measures
11.2 Organizational Safeguards
- Security awareness training for all personnel
- Background checks for employees with data access
- Incident response procedures
- Regular security audits and assessments
- Vendor risk management program
- Business continuity planning
11.3 Infrastructure Security (NIST CSF)
Following the NIST Cybersecurity Framework:
- Identify: Asset management, risk assessment
- Protect: Access control, awareness training, data security
- Detect: Continuous monitoring, anomaly detection
- Respond: Response planning, analysis, mitigation
- Recover: Recovery planning, improvements, communications
11.4 Incident Response
In the event of a data breach:
- We will investigate immediately
- Notify affected users within 72 hours (GDPR requirement)
- Notify regulators as required by law
- Provide information about the breach and steps to protect yourself
- Take steps to prevent future incidents
12. Your Privacy Rights
12.1 All Users
All users have the right to:
- Access your personal information
- Correct inaccurate information
- Delete your account and associated data
- Export your data in a portable format (JSON/CSV)
- Opt-out of non-essential communications
- Withdraw consent at any time
12.2 California Residents (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to Know: Request disclosure of personal information collected, used, disclosed, and sold
- Right to Delete: Request deletion of personal information
- Right to Correct: Request correction of inaccurate information
- Right to Opt-Out: Opt-out of the sale or sharing of personal information (we do not sell your data)
- Right to Limit Use of Sensitive Information: Limit use of sensitive personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
Submitting Requests:
- Email: salvatorepapia@proinvest.trade
- In-app: Settings > Privacy > Data Requests
- Response time: Within 45 days (extendable to 90 days with notice)
Authorized Agents: You may designate an authorized agent to make requests on your behalf with proper verification.
California "Shine the Light" Law: We do not share personal information with third parties for their direct marketing purposes.
12.3 European Users (GDPR)
Users in the EEA, UK, and Switzerland have the following rights:
- Right to Access (Article 15): Obtain a copy of your personal data
- Right to Rectification (Article 16): Correct inaccurate data
- Right to Erasure (Article 17): Request deletion ("right to be forgotten")
- Right to Restrict Processing (Article 18): Limit how we use your data
- Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format
- Right to Object (Article 21): Object to processing based on legitimate interests
- Right to Withdraw Consent (Article 7): Withdraw consent at any time
- Rights Related to Automated Decision-Making (Article 22): We do not engage in solely automated decision-making
Data Protection Officer: salvatorepapia@proinvest.trade
Supervisory Authority: You have the right to lodge a complaint with your local data protection authority.
12.4 Canadian Users (PIPEDA / Quebec Law 25)
Canadian users have rights under PIPEDA and, for Quebec residents, Law 25:
- Right of Access: Access your personal information held by us
- Right to Challenge Accuracy: Request correction of inaccurate information
- Right to Withdraw Consent: Withdraw consent for data collection (subject to legal or contractual restrictions)
- Right to Complaint: File a complaint with the Office of the Privacy Commissioner of Canada
Quebec Residents (Law 25):
- Right to data portability
- Right to be informed about automated decision-making
- Enhanced consent requirements
- Right to de-indexation (removal from search results)
Privacy Officer: salvatorepapia@proinvest.trade
13. Electronic Communications (CASL Compliance)
We comply with Canada's Anti-Spam Legislation (CASL):
Express Consent Required:
- We only send commercial electronic messages (CEMs) with your express consent
- You can withdraw consent at any time via unsubscribe links or app settings
Transactional Messages: The following messages do not require consent:
- Account verification and security alerts
- Team event notifications (part of service)
- Medical compliance reminders
- Direct responses to your inquiries
Message Requirements: All our electronic messages include:
- Clear identification of TeamOps as sender
- Valid contact information
- Simple unsubscribe mechanism
14. International Data Transfers
TeamOps is operated from Canada. If you access our Services from outside Canada, your information may be transferred to, stored, and processed in Canada or other countries where our service providers operate.
For EEA/UK Users: We ensure appropriate safeguards for international transfers, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement (IDTA) addendum
- Adequacy decisions where applicable
- Supplementary security measures as needed
For Canadian Users: Cross-border transfers comply with PIPEDA and applicable provincial legislation.
Data Localization: Where required by applicable law or upon request, we can ensure your data remains within specific geographic boundaries.
15. Third-Party Links and Services
Our Services may contain links to third-party websites or services (e.g., league websites, arena information). We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal information.
16. Push Notifications
We may send push notifications about:
- Team events and schedule changes
- Messages from team members
- Medical compliance reminders (return-to-play updates)
- Emergency communications
- Important system announcements
Your Control:
- You can disable push notifications in your device settings
- You can customize notification preferences in app settings
- Essential security notifications may still be delivered
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy in the app with the revision date
- Sending a notification to your registered email
- Displaying a prominent in-app notice
- Requiring acknowledgment for significant changes
30-Day Notice: For material changes affecting your rights, we will provide at least 30 days' notice before the changes take effect.
Your continued use of the Services after changes constitutes acceptance of the updated policy. If you do not agree with changes, you may delete your account before they take effect.
18. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
TeamOps Privacy Team
Mailing Address: ProInvest Analytics Inc., Toronto, Ontario, Canada
For GDPR Inquiries:
- Data Protection Officer: salvatorepapia@proinvest.trade
For HIPAA Inquiries:
- Privacy Officer: salvatorepapia@proinvest.trade
- Subject Line: "HIPAA Privacy Request"
For COPPA/Children's Privacy Inquiries:
- Email: salvatorepapia@proinvest.trade
- Subject Line: "Children's Privacy Request"
For Canadian Privacy Inquiries:
- Privacy Officer: salvatorepapia@proinvest.trade
Response Time: We aim to respond to all privacy inquiries within 30 days. Complex requests may require up to 45 days with notice.
19. Accessibility
This Privacy Policy is available in:
- English
- French (Français)
Our policy is designed to meet WCAG 2.2 AA accessibility standards. If you need this policy in an alternative format (large print, audio, etc.), please contact us.
This Privacy Policy reflects our commitment to protecting your privacy and complying with global privacy regulations. For questions, please contact salvatorepapia@proinvest.trade.