
Privacy Policy

Effective Date: May 29, 2026

Data Controller

Lorenzo Peluso (sole trader / ditta individuale, Italy)
Via Resistenza Partigiana 27/O, 97015 Modica (RG), Italia
P.IVA: IT01888280888 — REA: RG-485912
PEC: [email protected]
Contact: [email protected]

A formal EU/UK Article 27 representative has not been appointed at this time as the controller is established in the EU (Italy); requests from UK data subjects may be directed to [email protected].

This Privacy Policy explains how Athly AI (“we,” “us,” or “our”) collects, uses, shares, and protects the personal data of users who access or use our AI-powered college sports recruiting platform at athlyai.com. We are committed to transparency and to protecting your privacy in compliance with the General Data Protection Regulation (GDPR), the Italian Data Protection Code, and other applicable data protection laws.

1. Information We Collect

1.1 Account & Profile

  • Full name, email, phone number
  • Date of birth & graduation year
  • Nationality & country of residence
  • Profile photo & action photos
  • Account credentials (hashed)

1.2 Athletic Information

  • Sport(s), position(s), jersey number
  • Team name, years of experience
  • Height, weight, physical stats
  • Performance stats (goals, assists, etc.)
  • Highlight videos & tagged clips

1.3 Academic Information

  • GPA (native system + US conversion)
  • SAT, ACT, TOEFL, Duolingo scores
  • Intended major & field of study
  • Academic honors & achievements

1.4 Recruiting Preferences

  • Recruiting goal & scholarship importance
  • Target divisions (NCAA, NAIA, NJCAA)
  • Preferred regions & target schools
  • Target start year for college

1.5 User-Generated Content

  • Emails composed & sent
  • Messages exchanged with coaches
  • AI assistant conversations
  • Email templates & drafts
  • Video tags, clips & highlight reels

1.6 Email Delivery

Athlete-to-coach outreach emails are sent via Resend (resend.com) from your personal subdomain address (e.g. [email protected]). Coaches sending through our platform use addresses in the form [email protected]. We only send messages you explicitly compose and approve. We do not store Gmail OAuth tokens or access any Google mailbox. No Google API credentials are collected or retained.

1.7 Payment Data

Processed securely via Stripe. We do not store your full credit card number, CVV, or banking details. We retain only a transaction reference and subscription status.

1.8 Device & Technical

  • IP address & geolocation
  • Browser type & operating system
  • Device type & screen resolution
  • Pages visited & time spent
  • Referral source & UTM parameters

1.9 Email Engagement Data

For emails sent through the Platform, we track: delivery status, open counts & timestamps, click counts & timestamps, and reply detection.

2. College Coach Data

Our platform includes a database of college coaching staff to help student-athletes identify and contact potential coaches. This section explains how we handle that data.

2.1 What Coach Data We Hold

  • Coach name and professional title/role
  • Institutional email address (e.g. [email protected])
  • Office phone numbers (where published on institutional staff directories)
  • School/university name and athletics program
  • Sport and division (NCAA D1, D2, D3, NAIA, NJCAA)

Personal mobile phone numbers are not collected. The phone numbers stored are office / staff-directory numbers as published by the institution itself.

2.2 Where Coach Data Comes From

All coach information is collected exclusively from publicly available sources, including official university athletics staff directory pages, publicly accessible school websites, and public athletic conference directories. We do not obtain coach data from private sources, social media scraping, or data brokers.

Effective April 22, 2026, every newly-collected or refreshed coach record stores the source URL and timestamp of collection. Pre-existing records collected prior to this date do not carry per-record provenance metadata; the categorical sources for those records are the publicly accessible NCAA, NAIA, and NJCAA athletic-department staff directories described above (primarily Sidearm and PrestoSports CMS platforms).

2.3 Legal Basis & Purpose

We process coach data under legitimate interest (GDPR Art. 6(1)(f)). The purpose is to facilitate direct contact between student-athletes and college coaches — which is the coaches' professional function. Coach contact information is institutional (not personal), published by universities for professional outreach, and used on our platform for its intended purpose. We have conducted a Legitimate Interest Assessment (LIA) documenting that this processing is necessary, proportionate, and balanced against coaches' rights.

2.4 Safeguards

  • We do not sell, rent, or share coach data with third parties
  • Rate limiting prevents excessive or abusive outreach
  • Quality controls ensure data accuracy and freshness
  • Only data necessary for recruiting contact is collected (data minimization)

2.5 Coach Opt-Out (Right to Object)

If you are a coach and wish to have your information removed from our database, you may submit a removal request at athlyai.com/coach-removal or email us at [email protected]. To prevent abuse, removal is confirmed via a one-time link sent to your institutional email address on record — only the actual mailbox owner can complete the removal. Once you click the link, your record is hidden from search and outreach within 5 business days. This right is guaranteed under GDPR Article 21.

3. How We Use Your Information

  • Provide the Platform: Create profiles, connect with coaches, send emails, generate highlight reels
  • AI Personalization: Generate email drafts, coach recommendations, profile suggestions
  • Coach Research: AI-powered web research to personalize your outreach
  • Email Delivery: Send emails via Resend (resend.com) on your behalf from your @athlete.athlyai.com or @coach.athlyai.com address
  • Engagement Analytics: Track email delivery, opens, and clicks
  • Video Processing: Process, store, and optimize your highlight videos
  • Payments: Process subscriptions, manage billing, send invoices
  • Platform Improvement: Analyze usage patterns to improve performance and features
  • Communications: Service updates, recruiting tips, marketing (with opt-out)
  • Security & Compliance: Detect fraud, enforce Terms, comply with legal obligations

Contract (Art. 6(1)(b))

Processing necessary to deliver the Platform: profile creation, email generation, coach discovery.

Consent (Art. 6(1)(a))

Optional features: email delivery via Resend, marketing communications, public profile visibility.

Legitimate Interests (Art. 6(1)(f))

Platform analytics, security monitoring, fraud prevention, service improvement.

Legal Obligation (Art. 6(1)(c))

Compliance with applicable laws, regulations, and legal processes.

4. AI Features & Data Processing

We are transparent about how your data is used by AI:

  • What AI accesses: Your athletic profile, academic information, recruiting preferences, and previous email history are provided to AI models to generate personalized content.
  • AI providers: We use Kimi (Moonshot AI), Google Gemini, and Groq (Llama). We use the paid API tiers of these providers; under their commercial terms, your data is not used to train their models. We periodically verify each provider's terms.
  • Coach research: AI compiles publicly available information about coaches and programs (such as official athletic department staff directories) to provide recruiting context.
  • No automated decisions: AI generates suggestions and drafts, but you always have final control. No decisions with legal or significant effects are made solely by automated processing.
  • Conversation history: AI assistant conversations are stored to provide context in future interactions. Deleted upon account deletion.

5. Email Delivery via Resend

Athly AI uses Resend (resend.com) as our transactional email delivery provider. Gmail is not used and no Google OAuth tokens are collected or stored.

Sending addresses

Athletes send from [email protected]. Coaches send from [email protected]. All addresses are subdomains of athlyai.com, authenticated with SPF, DKIM, and DMARC.

  • We only send emails you explicitly compose, review, and approve inside Athly AI
  • We do not send emails in the background, in bulk, or on any automated schedule without your action
  • We do not access or store credentials for any third-party email provider (Gmail, Outlook, etc.)
  • Email content is transmitted to Resend solely for delivery and is not used for advertising or model training
  • You may contact [email protected] to request deletion of your sending address and associated email logs

Resend processes email data as a sub-processor under a Data Processing Agreement. See Resend's Privacy Policy and Data Processing Agreement for details.

6. Data Sharing

We do not sell your personal information.

We may share limited data with:

  • College Coaches: Profile information and communications when you send messages or enable your public profile.
  • Infrastructure Providers: Supabase (database) and Cloudinary (media storage) to operate the Platform.
  • Payment Processor: Stripe processes your payment data under their own privacy policy.
  • AI Providers: Kimi (Moonshot AI), Google Gemini, and Groq receive profile data solely for real-time content generation. Not retained for training.
  • Analytics: Google Analytics receives anonymized usage data.
  • Resend (resend.com): Transactional email delivery — outgoing emails sent via Resend from your @athlete.athlyai.com or @coach.athlyai.com address.
  • Legal Authorities: If required by law, regulation, or legal process.

7. Data Security

  • Data encrypted in transit (TLS) and at rest
  • Row-Level Security (RLS) on all database tables
  • Passwords hashed (never stored in plain text)
  • Secure cloud infrastructure via Supabase (hosted on AWS, EU and US regions)
  • Regular security reviews and access controls

No system can guarantee 100% security. If we become aware of a data breach affecting your rights, we will notify you and relevant authorities within 72 hours as required by GDPR.

8. Data Retention

  • Active accounts: Data retained as long as your account is active and necessary to provide the Platform.
  • After deletion: Personal data removed within 30 days, except where legally required.
  • Billing & tax records: 10 years (Italian fiscal law, Art. 2220 Codice Civile and Art. 22 D.P.R. 600/1973).
  • Email tracking: Engagement metrics retained for the duration of your subscription.
  • AI conversations: Retained while account is active. Deleted upon account deletion.
  • Email sending logs: Delivery status, open, and click data retained for the duration of your subscription. Deleted upon account deletion.

9. Cookies & Tracking Technologies

Essential

Authentication, session management, security. Cannot be disabled.

Analytics

Google Analytics cookies. Opt out via browser settings or the GA Opt-out Add-on.

Functional

Remember your preferences such as language and theme settings.

We do not use advertising or third-party tracking cookies.

For a full list of every cookie we use (name, provider, purpose, and duration), see our Cookie Policy. You can change your cookie preferences at any time from the Privacy Center.

10. International Data Transfers

Your data may be transferred to countries outside the EEA, including the US. We ensure appropriate safeguards through:

  • EU-US Data Privacy Framework certifications of our providers
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable

11. Children's Privacy

Athly AI is intended for users aged 16 and older. Users between 16 and 18 must have parental or guardian consent.

We do not knowingly collect data from anyone under the local digital-consent age (13 in the US under COPPA, 14 in Spain, 15 in France/Czechia, 16 in Italy/Germany/most of the EU). Accounts created by minors below the local digital-consent age require verifiable parental consent. If we learn we have collected data from a child below that age without parental consent, we will delete it promptly.

Given that we serve student-athletes (many aged 16-18), we take additional care to:

  • Minimize data collection to what is necessary for recruiting
  • Not share minor athletes' data with third parties for marketing
  • Provide clear controls for profile visibility and public information

12. Marketing Communications

With your consent, we may send marketing emails about updates, features, and recruiting tips. You may opt out at any time by:

  • Clicking the unsubscribe link in any marketing email
  • Updating your communication preferences in account settings
  • Contacting us at [email protected]

Opting out of marketing does not affect transactional emails (subscription confirmations, security alerts, account notifications).

13. Your Rights

Under the GDPR and applicable data protection laws, you have the following rights:

Access (Art. 15)

Request a copy of your personal data

Rectification (Art. 16)

Correct inaccurate or incomplete data

Erasure (Art. 17)

Request deletion ("right to be forgotten")

Restrict Processing (Art. 18)

Limit processing in certain circumstances

Data Portability (Art. 20)

Receive data in JSON/CSV format

Object (Art. 21)

Object to processing based on legitimate interests

Withdraw Consent

Withdraw consent for email delivery, marketing, public profile

Lodge a Complaint

File with your local data protection authority

Take action now: Visit our Privacy Center to manage your data, or use these direct links:

  • Download my data or delete my account (in Settings)
  • Submit a Data Subject Access Request
  • Coach data removal
  • Email: [email protected] (30-day response time)

In Italy, you can also file a complaint with the Garante per la protezione dei dati personali.

14. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the following rights:

Right to Know

You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purpose for collecting it, and the categories of third parties with whom we share it.

Right to Delete

You may request deletion of your personal information, subject to certain exceptions (e.g., completing a transaction, security, legal obligations).

Right to Correct

You may request correction of inaccurate personal information we maintain about you.

Right to Opt Out of Sale / Sharing

We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioral advertising.

Right to Limit Use of Sensitive Data

We do not use or disclose sensitive personal information beyond what is necessary to provide our Platform. You have the right to limit our use if we ever expand into such uses.

Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights — no denial of service, different prices, or lower quality of service.

To exercise any of these rights, email [email protected] with the subject line “CCPA Request”. We will respond within 45 days. You may designate an authorised agent to make a request on your behalf by providing written authorisation.

We do not have actual knowledge that we sell or share personal information of consumers under 16 years of age. Financial incentives, if any, will be separately disclosed and require your explicit opt-in.

15. Data Portability & Export

You can request a full export of your data at any time by contacting [email protected]. We will provide your data in JSON format including:

  • Complete athlete profile
  • Email history & templates
  • AI conversation logs
  • Video tags & reel metadata
  • Coach interaction history
  • Engagement analytics

16. Third-Party Services & Sub-processors

Service | Purpose | Location & Transfer Mechanism
Supabase | Database & Auth | EU / US — Standard Contractual Clauses (AWS via Supabase)
Stripe | Payments | US — EU-US Data Privacy Framework
Resend | Email Delivery | US — Resend DPA (Standard Contractual Clauses)
Cloudinary | Media Storage | US — EU-US Data Privacy Framework
Google Analytics | Analytics | US — EU-US Data Privacy Framework
Kimi (Moonshot AI) | AI Generation | US — Standard Contractual Clauses
Google Gemini | AI Generation | US — EU-US Data Privacy Framework
Groq | AI Generation | US — Standard Contractual Clauses
Vercel | Hosting & CDN | Global — Standard Contractual Clauses

Each sub-processor is bound by data processing agreements that ensure GDPR compliance.

17. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide at least 15 days' notice via email or a prominent notice on the Platform. Continued use after changes constitutes acceptance of the updated policy.

18. Data Protection Contact

For any questions about this Privacy Policy, your data, or to exercise your rights:

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

© Athly AI. All rights reserved. This Privacy Policy is publicly available at athlyai.com/privacy and may be updated periodically.
