Legal

Privacy Policy

Effective Date: February 7, 2025

This Privacy Policy explains how Athly AI (“we,” “us,” or “our”) collects, uses, shares, and protects the personal data of users who access or use our AI-powered college sports recruiting platform at athlyai.com. We are committed to transparency and to protecting your privacy in compliance with the General Data Protection Regulation (GDPR), the Italian Data Protection Code, and other applicable data protection laws.

1. Information We Collect

1.1 Account & Profile

  • Full name, email, phone number
  • Date of birth & graduation year
  • Nationality & country of residence
  • Profile photo & action photos
  • Account credentials (hashed)

1.2 Athletic Information

  • Sport(s), position(s), jersey number
  • Team name, years of experience
  • Height, weight, physical stats
  • Performance stats (goals, assists, etc.)
  • Highlight videos & tagged clips

1.3 Academic Information

  • GPA (native system + US conversion)
  • SAT, ACT, TOEFL, Duolingo scores
  • Intended major & field of study
  • Academic honors & achievements

1.4 Recruiting Preferences

  • Recruiting goal & scholarship importance
  • Target divisions (NCAA, NAIA, NJCAA)
  • Preferred regions & target schools
  • Target start year for college

1.5 User-Generated Content

  • Emails composed & sent
  • Messages exchanged with coaches
  • AI assistant conversations
  • Email templates & drafts
  • Video tags, clips & highlight reels

1.6 Gmail API Data: If you connect your Gmail, we request only the gmail.send scope. We use Gmail solely to send messages you compose and approve. We do not read, store, scan, or analyze your inbox, drafts, contacts, or any other Gmail content. We do not use Gmail data for advertising or profiling.

1.7 Payment Data: Processed securely via Stripe. We do not store your full credit card number, CVV, or banking details. We retain only a transaction reference and subscription status.

1.8 Device & Technical

  • IP address & geolocation
  • Browser type & operating system
  • Device type & screen resolution
  • Pages visited & time spent
  • Referral source & UTM parameters

1.9 Email Engagement Data

For emails sent through the Platform, we track: delivery status, open counts & timestamps, click counts & timestamps, and reply detection.

2. How We Use Your Information

  • Provide the Platform: Create profiles, connect with coaches, send emails, generate highlight reels
  • AI Personalization: Generate email drafts, coach recommendations, profile suggestions
  • Coach Research: AI-powered web research to personalize your outreach
  • Email Delivery: Send emails via Gmail or AWS SES on your behalf
  • Engagement Analytics: Track email delivery, opens, and clicks
  • Video Processing: Process, store, and optimize your highlight videos
  • Payments: Process subscriptions, manage billing, send invoices
  • Platform Improvement: Analyze usage patterns to improve performance and features
  • Communications: Service updates, recruiting tips, marketing (with opt-out)
  • Security & Compliance: Detect fraud, enforce Terms, comply with legal obligations

Contract (Art. 6(1)(b))

Processing necessary to deliver the Platform: profile creation, email generation, coach discovery.

Consent (Art. 6(1)(a))

Optional features: Gmail integration, marketing communications, public profile visibility.

Legitimate Interests (Art. 6(1)(f))

Platform analytics, security monitoring, fraud prevention, service improvement.

Legal Obligation (Art. 6(1)(c))

Compliance with applicable laws, regulations, and legal processes.

4. AI Features & Data Processing

We are transparent about how your data is used by AI:

  • What AI accesses: Your athletic profile, academic information, recruiting preferences, and previous email history are provided to AI models to generate personalized content.
  • AI providers: We use Google Gemini, Groq (Llama), and other AI models. Your data is sent solely for real-time content generation and is not used to train their models.
  • Coach research: AI performs web searches (via Perplexity AI) to find publicly available information about coaches and programs.
  • No automated decisions: AI generates suggestions and drafts, but you always have final control. No decisions with legal or significant effects are made solely by automated processing.
  • Conversation history: AI assistant conversations are stored to provide context in future interactions. Deleted upon account deletion.

5. Gmail API Disclosure & Limited Use

This section specifically addresses our compliance with Google's policies:

  • We request only the gmail.send scope — the minimum required to send emails you compose
  • We use Gmail data solely to send messages that you explicitly generate and approve
  • We do not read, store, or analyze your inbox or any Gmail content
  • We do not use Gmail data for advertising, marketing, or profiling
  • We do not share Gmail data with any third parties except as strictly necessary
  • We do not allow humans to read your Gmail data unless: (a) explicit consent, (b) security necessity, (c) legal requirement, or (d) aggregated and anonymized

Athly AI's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use of user data requirement.

6. Data Sharing

We do not sell your personal information.

We may share limited data with:

  • College Coaches: Profile information and communications when you send messages or enable your public profile.
  • Infrastructure Providers: Supabase (database), AWS (email delivery), Cloudinary (media storage) to operate the Platform.
  • Payment Processor: Stripe processes your payment data under their own privacy policy.
  • AI Providers: Google Gemini, Groq, and others receive profile data solely for real-time content generation. Not retained for training.
  • Analytics: Google Analytics receives anonymized usage data.
  • Gmail (Google): Only for authorized email delivery when you connect your Gmail.
  • Legal Authorities: If required by law, regulation, or legal process.

7. Data Security

  • Data encrypted in transit (TLS) and at rest
  • Row-Level Security (RLS) on all database tables
  • OAuth tokens stored in encrypted form
  • Passwords hashed (never stored in plain text)
  • Secure cloud infrastructure via Google Cloud
  • Regular security reviews and access controls

No system can guarantee 100% security. If we become aware of a data breach affecting your rights, we will notify you and relevant authorities within 72 hours as required by GDPR.

8. Data Retention

  • Active accounts: Data retained as long as your account is active and necessary to provide the Platform.
  • After deletion: Personal data removed within 30 days, except where legally required (tax records up to 10 years).
  • Email tracking: Engagement metrics retained for the duration of your subscription.
  • AI conversations: Retained while account is active. Deleted upon account deletion.
  • Gmail tokens: Revoked and deleted immediately when you disconnect Gmail or delete your account.

9. Cookies & Tracking Technologies

Essential

Authentication, session management, security. Cannot be disabled.

Analytics

Google Analytics cookies. Opt out via browser settings or the GA Opt-out Add-on.

Functional

Remember your preferences such as language and theme settings.

We do not use advertising or third-party tracking cookies.

10. International Data Transfers

Your data may be transferred to countries outside the EEA, including the US. We ensure appropriate safeguards through:

  • EU-US Data Privacy Framework certifications of our providers
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable

11. Children's Privacy

Athly AI is intended for users aged 16 and older. Users between 16 and 18 must have parental or guardian consent. We do not knowingly collect personal information from children under 16. If we learn we have collected such data without appropriate consent, we will delete it promptly.

Given that we serve student-athletes (many aged 16-18), we take additional care to:

  • Minimize data collection to what is necessary for recruiting
  • Not share minor athletes' data with third parties for marketing
  • Provide clear controls for profile visibility and public information

12. Marketing Communications

With your consent, we may send marketing emails about updates, features, and recruiting tips. You may opt out at any time by:

  • Clicking the unsubscribe link in any marketing email
  • Updating your communication preferences in account settings
  • Contacting us at hello@athlyai.com

Opting out of marketing does not affect transactional emails (subscription confirmations, security alerts, account notifications).

13. Your Rights

Under the GDPR and applicable data protection laws, you have the following rights:

  • Access (Art. 15): Request a copy of your personal data
  • Rectification (Art. 16): Correct inaccurate or incomplete data
  • Erasure (Art. 17): Request deletion ("right to be forgotten")
  • Restrict Processing (Art. 18): Limit processing in certain circumstances
  • Data Portability (Art. 20): Receive data in JSON/CSV format
  • Object (Art. 21): Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent for Gmail, marketing, public profile
  • Lodge a Complaint: File with your local data protection authority

To exercise any of these rights, contact privacy@athlyai.com. We will respond within 30 days at no charge. In Italy, you can also file a complaint with the Garante per la protezione dei dati personali.

14. Data Portability & Export

You can request a full export of your data at any time by contacting privacy@athlyai.com. We will provide your data in JSON format including:

  • Complete athlete profile
  • Email history & templates
  • AI conversation logs
  • Video tags & reel metadata
  • Coach interaction history
  • Engagement analytics

15. Third-Party Services & Sub-processors

| Service | Purpose | Location |
|---|---|---|
| Supabase | Database & Auth | EU / US |
| Stripe | Payments | US (DPF) |
| AWS SES | Email Delivery | US (SCCs) |
| Gmail API | User Email Sending | US (DPF) |
| Cloudinary | Media Storage | US (SCCs) |
| Google Analytics | Analytics | US (DPF) |
| Google Gemini | AI Generation | US (DPF) |
| Groq | AI Generation | US |
| Perplexity AI | Coach Research | US |
| Vercel | Hosting & CDN | Global (SCCs) |

Each sub-processor is bound by data processing agreements that ensure GDPR compliance.

16. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide at least 15 days' notice via email or a prominent notice on the Platform. Continued use after changes constitutes acceptance of the updated policy.

17. Data Protection Contact

For any questions about this Privacy Policy, your data, or to exercise your rights:

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

© Athly AI. All rights reserved. This Privacy Policy is publicly available at athlyai.com/privacy and may be updated periodically.