Privacy policy.
Roster Rhythm is built by Spindlecode, LLC. This policy describes what data Roster Rhythm collects, why, and what we do (and never do) with it. It covers the Roster Rhythm iOS app, the Roster Rhythm Android app, and the web app at app.rosterrhythm.com.
Summary in plain language
- Roster Rhythm is built for youth sports teams. That means our users include coaches and parents who manage teams, and minors (the players themselves) whose information appears on those rosters.
- Player accounts for children under 13 are created and managed by a verified parent or legal guardian. We do not collect personal information from a child under 13 without verifiable parental consent.
- We collect what teams need to operate: roster info, schedules, scoring data, optional walk-up audio clips, and live-stream video that a coach or parent chooses to broadcast.
- We do not sell your data. We do not share it with advertisers. We do not include third-party advertising SDKs or behavioral tracking SDKs.
- You can delete any team, player, game, clip, or stream from inside the app. You can delete your whole account at any time from the app's Settings → Delete Account screen, or by emailing us. We also accept account-deletion requests through our contact page, which Google Play requires for apps that allow account creation.
Roles & how accounts work
Roster Rhythm has three account roles, each with different data flows:
- Coach / Team Admin. Creates and manages a team. Sees the full roster, schedule, scoring, streams, and parent contact info.
- Parent / Guardian. Joins a team via invite link, manages their own player(s), grants consent for any minor under 13 in their household, and chooses what information about their player is visible to other team members.
- Player. An athlete on a roster. Players 13 and older may have their own sign-in. Players under 13 do not have their own sign-in — their information is managed entirely by their parent or guardian on their behalf.
What we collect
Account data
- Coaches and parents: name, email address, profile picture (optional), and authentication tokens. Sign-in is via Sign in with Apple, Sign in with Google, or email + password.
- Players age 13+: name, jersey number, position, optional profile picture, and (if they sign in themselves) email address and authentication tokens.
- Players under 13: only what their parent or guardian chooses to enter — typically first name (or nickname), jersey number, position, age or birth year, and optionally a small profile picture. Children under 13 do not sign in directly; their information is entered and controlled by a parent who has provided verifiable consent.
Team & game data
- Roster, lineups, availability, and schedules that the team admin enters or imports.
- Scoring data: pitches, at-bats, goals, points, plays, substitutions, pitch counts, and other in-game events your coach records.
- Statistics derived automatically from scoring data — spray charts, batting averages, save percentages, leaderboards, and matchup breakdowns.
- Messaging: messages a coach or parent sends through the in-app team chat.
- Walk-up audio clips a parent or coach uploads for a player.
- Live-stream video a coach or parent broadcasts from the dugout or sideline. Streams are recorded only when the broadcaster chooses to save them; otherwise they are not retained after the stream ends.
- Photos a user explicitly uploads (team photos, action shots).
Device & technical data
- App diagnostics: crash logs, anonymized error reports, app version, OS version, and device model. We use these to fix bugs — not to identify or track individuals.
- Authentication metadata: session timestamps, IP address used to sign in (kept up to 90 days for abuse prevention), and the OAuth provider you used.
What we do NOT collect
- Your contacts, calendar, microphone audio outside of an explicit recording action, or any system data beyond what you grant the app at install time.
- Your precise location. We never request GPS. The only location-adjacent data we may show is the address of a scheduled game or practice that the coach types in.
- Browsing history, app usage outside Roster Rhythm, behavioral telemetry, click streams, session recordings, or advertising identifiers (IDFA / GAID).
- Audio or video from the device's microphone or camera unless the user explicitly starts a recording or stream.
Children's privacy (COPPA)
Because Roster Rhythm is built for youth sports, we expect many players to be under 13 years old. We comply with the United States Children's Online Privacy Protection Act (COPPA) and with equivalent laws in other regions (UK Age-Appropriate Design Code, GDPR-K, Canada's PIPEDA).
No direct collection from children under 13. Children under 13 cannot create their own Roster Rhythm account. A child's information appears in Roster Rhythm only when a parent, legal guardian, or authorized team admin (with that parent's documented consent) enters it.
Verifiable parental consent. When a parent first adds a child under 13 to a team in Roster Rhythm, the parent must complete a verifiable consent step. We currently use the "credit card / online payment authorization" method: a $0.00 (or small refundable) charge to a parent-controlled payment instrument confirms that the consenting party is a parent or guardian. We retain the consent timestamp and method but not the full payment-instrument details.
What other users see about a child. By default, other parents on the same team see only the child's first name (or nickname), jersey number, and position. A parent can opt in to share a profile picture, last name, or age. Coaches see everything the parent has chosen to share, plus anything they themselves recorded (scoring stats, pitch counts).
No marketing to children. We never show advertising to children — or to anyone — in Roster Rhythm. We do not send marketing email to children. Push notifications to a child's device are limited to game/practice reminders and team-chat messages from people on the same roster.
Parental control. A parent can, at any time, review what Roster Rhythm has stored about their child, edit or remove specific items, revoke consent, and delete the child's profile entirely. Use the Settings → My Players screen in the app, or email privacy@rosterrhythm.com from the address you used to consent.
Live streaming & recordings
Live streams are broadcast and stored only when an authorized coach or parent on the team initiates them. Streams default to "team-only" visibility — the URL is accessible only to people invited to the team. A team admin may switch a specific stream to "shareable link" mode for extended family who aren't team members.
We never make a team's stream publicly searchable, and we never use stream content to train machine-learning models. A parent of a minor on the team can request that their child be excluded from streamed broadcasts; the team admin will receive that preference and is expected to honor it.
Where data is stored
Data is stored on Spindlecode-operated servers in the United States (AWS infrastructure). All traffic between your device and our backend is over HTTPS / TLS 1.2+. Backups are encrypted at rest. Video clips and walk-up audio are stored in private S3 buckets accessible only via signed URLs that expire.
Who has access
Spindlecode engineering staff can technically access stored data when responding to bug reports or account-deletion requests. We don't sell, rent, or share your data with advertisers, data brokers, or third parties. We don't use it to train machine-learning models.
We use a small set of vetted service providers strictly to operate the app: AWS (hosting), Apple and Google (app distribution and Sign in with Apple / Google), Stripe (for the consent-verification charge and any future paid features), and Sentry (crash reporting, configured to scrub personally identifying information). These providers are bound by contract to use the data only on our behalf.
App Store & Play Store disclosures
For Apple's "App Privacy" nutrition label, the data linked to your identity is: contact info (name, email), user content (photos, audio, video you upload), identifiers (user ID), and diagnostics (crash data). We do not use any of it for tracking. We do not share it with third parties for advertising.
For Google Play's "Data Safety" section, we declare collection of personal info (name, email), photos and videos, audio files, app activity (in-app actions), and app info and performance (crash logs, diagnostics). All data is encrypted in transit, and users can request deletion via the app or by emailing us. Some data is shared with the service providers listed above strictly to operate the service.
Your rights & deletion
Wherever you live, you can:
- See everything we've stored about you or a player you manage — open Settings → My Data in the app.
- Edit or remove individual items (players, games, clips, streams, messages).
- Delete your account and all associated data. In the app: Settings → Account → Delete Account. By web: visit our contact page and email privacy@rosterrhythm.com from the address you signed in with. We complete deletions within 30 days; most are processed within 7.
- For users in the EU, UK, California, and other jurisdictions with data-protection laws — exercise your statutory rights of access, correction, portability, restriction, and objection by emailing privacy@rosterrhythm.com.
Cookies and similar technologies
The web app uses browser localStorage / sessionStorage to keep you signed in (your JWT) and to remember preferences. We don't use cookies for tracking, and we don't drop any first- or third-party advertising cookies. Marketing pages on rosterrhythm.com are static and load no analytics or ad scripts.
Changes
If we make material changes to this policy, we'll update the "Last updated" date at the top and, where the change affects existing data handling, notify signed-in users from within the app the next time they open it.
Contact
Email privacy@rosterrhythm.com with any privacy question, deletion request, or correction. We respond within 7 days. For all other questions see the contact page.