Privacy Policy

Pathways Rugby Ltd ("Pathways", "we", "us") operates the pathways.id platform for rugby player evaluation and development. This policy explains how we collect, use, and protect information when you use our platform.

We collect information you provide directly when using Pathways:

• Account information — name, email address, password (hashed, never stored in plaintext)
• Organization data — organization name, type, age groups, game format preferences
• Player data — names, dates of birth, positions, email addresses, profile photos, jersey numbers, physical measurements entered by coaches
• Evaluation data — pillar scores, sub-attribute scores, coach notes, evaluation dates
• Event data — event names, dates, squads, match results, lineup assignments
• Training data — session plans, drill selections, block configurations
• Play data — play definitions, movement paths, phase sequences
• Integrity data — cryptographic hashes, chain links, and sealed timestamps derived from evaluation data to maintain tamper-evident records

We use collected information to:

• Provide and maintain the Pathways platform
• Authenticate your identity and manage your session
• Display evaluations, player profiles, and development data within your organization
• Generate Pathways Ratings and development insights
• Send notifications about activity within your organization
• Compute cryptographic integrity hashes to create tamper-evident evaluation records

We do not sell your data to third parties. We do not use your data for advertising. We do not share player evaluation data between organizations without explicit consent.

Standardized evaluation scores may be visible to other verified organizations where the player is on their roster, subject to parental consent for minors. Coach notes and AI-generated insights are never shared across organizations.

Your data is stored in a PostgreSQL database hosted by Supabase on AWS infrastructure in the US East (Virginia) region. Player profile photos are stored in Supabase Storage.

We protect your data with:

• Encrypted connections (HTTPS/TLS) for all data in transit
• Encrypted storage at rest (AES-256)
• Session-based authentication with secure, httpOnly cookies
• Organization-scoped access controls preventing cross-organization data access
• Rate limiting on authentication endpoints
• SHA-256 cryptographic integrity chain on all submitted evaluations
• Automated security audit (187 assertions) run on every commit
• Pre-commit security hooks preventing deployment of unaudited code

Pathways uses only strictly necessary cookies for authentication and platform functionality. We do not use tracking cookies, analytics cookies, or third-party cookies.

• better-auth.session_token — authenticates your session (httpOnly, secure)

Because these cookies are required for the platform to function, no consent banner is needed under GDPR/ePrivacy regulations.

We retain your data for as long as your account is active. Player data is retained as long as at least one organization has an active roster entry for that player. Archived players remain in the database but are hidden from active views.

Submitted evaluations are part of a cryptographic integrity chain and are retained as permanent records. This is necessary for the chain's tamper-evidence to function and is a core feature of the platform. Players or their guardians may request context annotations on evaluations, but submitted scores are immutable by design.

If you wish to delete your account and all associated data, contact us at privacy@pathways.id.

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Export your data in a portable format
• Object to processing of your data

Please note that evaluation immutability means submitted pillar scores cannot be altered or deleted, as they are part of a cryptographic integrity chain. However, context annotations can be added to any evaluation. For minors, parents retain the right to contact us regarding their child's data.

To exercise any of these rights, email privacy@pathways.id. We will respond within 30 days.

The majority of Pathways users are youth athletes. We take the protection of children's data seriously.

• A COPPA-compliant parental consent flow is built into the platform for minors under 18
• Organizations are responsible for obtaining parental or guardian consent before entering any player data for minors
• Cross-organization visibility for minors requires explicit parental opt-in at enrollment
• We do not collect data directly from minors; all data is entered by coaches and organizations
• Parents or guardians can contact privacy@pathways.id at any time to access, review, or manage their child's data

We may update this policy from time to time. Material changes will be communicated via the platform or by email. Continued use of Pathways after changes constitutes acceptance of the updated policy.

For privacy-related questions or requests, contact us at: privacy@pathways.id

Pathways Rugby Ltd