Privacy Policy

This Privacy Policy applies to:

• —Coaches and staff who register for and use XCIV.ai accounts
• —Organizations (schools, athletic programs, AAU teams) that access the Platform under institutional subscriptions
• —Student athletes whose information is entered into the Platform by authorized coaching staff

The Platform is not intended for direct use by students or parents. If you are a student or parent with questions about data entered about a student athlete, please contact your school's athletic department or reach us at zack@xciv.ai.

We collect information in three ways: information you provide directly, information about student athletes entered by authorized coaches, and limited technical information collected automatically.

Account and coach information:

• —Name, email address, and password (hashed)
• —School or organization name and role (head coach, assistant, etc.)
• —Billing information (processed by our payment provider; we do not store full card numbers)

Player and team data (entered by coaches):

• —Player names, jersey numbers, positions, grade levels
• —Performance statistics (points, rebounds, assists, etc.)
• —Coachability notes and qualitative assessments
• —Strengths, weaknesses, and playing style profiles
• —AI-generated training program content
• —Roster membership and team assignments

Opponent and scouting data (entered by coaches):

• —Opponent school names, team tendencies, and set plays
• —Opponent player profiles (names, positions, tendencies)
• —Scouting session notes and game plan content

Uploaded documents:

• —Scouting PDFs, schedule documents, and other files uploaded for AI parsing
• —Parsed data extracted from uploaded documents

Technical and usage data (collected automatically):

• —IP address, browser type, and device information
• —Pages visited, features used, and session duration
• —Error logs and performance diagnostics

The XCIV.ai iOS application is part of the Platform and is governed by this Privacy Policy. The mobile application is designed for use by coaches and authorized staff only.

Device permissions:

The iOS application requests the following device permissions only when needed for a specific feature you initiate:

• —Camera: Used to capture photos of whiteboards, scouting notes, or printed materials for upload to your account. Used only when you tap a capture button.
• —Photo Library: Used to attach existing images to player profiles or game plans. Read access only; we do not modify your photo library.
• —Notifications: Used to deliver practice reminders and account alerts. You may disable at any time in iOS Settings.

No tracking, no advertising identifiers:

The XCIV.ai iOS application does not use the App Tracking Transparency framework because it does not track you across apps or websites owned by other companies. The application does not contain advertising SDKs, behavioral analytics tools, or third-party tracking pixels of any kind. The Apple Identifier for Advertisers (IDFA) is not collected.

Account deletion:

You may delete your account and all associated data directly within the iOS application at any time via Settings → Account → Delete Account. Deletion requests are processed within 30 days. See Section 09 for additional rights.

The iOS application is distributed through the Apple App Store. Your download and installation are also subject to Apple's applicable terms; however, your use of XCIV.ai itself is governed by this Privacy Policy and our Terms of Service.

We treat all player information as sensitive — whether or not it technically qualifies as a “student education record” under FERPA. This conservative approach protects students and our partner schools.

What we do with Player Data:

• —Store it securely and use it only to deliver the specific Platform features your organization has contracted for
• —Keep it completely isolated within your organization — no other school or program can see your players' data
• —Retain it only as long as your account is active, or as required by law or your school's data agreement

What we never do with Player Data:

• —Sell it, rent it, or share it with advertisers, data brokers, or third-party analytics firms
• —Use it to profile, target, or market products to student athletes or their families
• —Use it as training data to build AI models for other organizations without explicit consent
• —Share it with other schools, coaches, or athletic programs

Coachability notes: These are among the most sensitive data points in the Platform. Coachability notes are visible only to the coach who created them and authorized staff within your organization. We strongly recommend treating these notes as professional coaching records that reflect observable athletic behavior, not personal character assessments.

We share information only in these limited circumstances:

• —Service providers: We use third-party vendors (hosting, payment processing, AI model APIs) that access data solely to provide services on our behalf. All vendors are bound by data processing agreements that prohibit secondary use of your data.
• —Legal requirements: We may disclose information if required by a valid court order, subpoena, or applicable law. We will notify affected schools or coaches of any such request when legally permitted to do so.
• —Safety: We may disclose information if we believe in good faith that disclosure is necessary to prevent imminent harm to a person.
• —Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred. We will notify you and you will have the right to request deletion before any transfer to a new entity takes effect.
• —With your consent: We will share data in other circumstances only with your explicit written consent.

We do not share information with: data brokers, advertising networks, analytics companies (other than aggregated usage data), other schools or athletic programs, or any third party for their independent commercial use.

We implement technical and organizational measures to protect your data, including:

• —Encryption of data in transit (TLS) and at rest
• —Multi-tenant data isolation — each organization's data is scoped and inaccessible to others at the database level
• —Access controls and authentication requirements for all staff who access Platform infrastructure
• —Regular security reviews and vulnerability assessments
• —Audit logging for administrative access to production data

Breach notification: In the event of a confirmed data breach affecting your organization's data, we will notify you within 72 hours of discovery. Notification will include the nature of the breach, data affected, and steps we are taking to remediate.

Data deletion requests for individual student athletes can be submitted at any time by emailing zack@xciv.ai with the subject line “Data Deletion Request.” We will confirm receipt and complete deletion within 30 days.

What we use on our public site

XCIV.ai uses cookies and similar tracking technologies on our public marketing pages only — the pages you visit before logging in. We use these tools to understand how visitors find and interact with our site, and to measure whether our advertising is working. The three tools we use are:

• —Meta Pixel (Meta Platforms, Inc.) — measures conversions from Meta ad campaigns and builds anonymized audiences for ad targeting.
• —Google Analytics 4 (Google LLC) — collects anonymized traffic and usage data to help us improve the site.
• —Google Ads Conversion Tracking (Google LLC) — measures whether visitors who click our ads complete actions like signing up or requesting a demo.

These tools may collect your IP address (anonymized), browser type, pages visited, time on page, and referral source.

What we do NOT do in the application

Advertising trackers, behavioral pixels, and third-party analytics tools are completely absent from the authenticated XCIV.ai application. No tracking tags fire on any page that requires a login or that displays student, roster, or coaching data. This is a hard technical rule, not a policy preference.

Platform cookies

We also use a minimal set of cookies necessary to operate the Platform:

• —Session cookies: Keep you logged in during your session. Expire when you close your browser.
• —Authentication tokens: Secure tokens that maintain your login across sessions. Expire after 30 days of inactivity.
• —Preference cookies: Remember settings like display preferences. Optional and deletable.

Your choices

When you first visit XCIV.ai, a cookie consent banner will appear. You may accept all tracking, decline non-essential tracking, or manage your preferences individually. If you decline, only essential cookies required for site functionality will be set. No advertising or analytics tags will fire until you accept.

You may also opt out at any time using these tools:

• —Google Analytics: Google Analytics Opt-out Add-on
• —Meta advertising: facebook.com/ads/preferences
• —Browser settings: blocking session cookies will prevent you from logging in to the Platform.

Cookies we set

As a coach or organization using XCIV.ai, you have the following rights regarding your data and the data of student athletes in your care:

To exercise any of these rights, contact us at zack@xciv.ai. We will respond within 30 days. We may need to verify your identity before processing requests involving student data.

Visitors to our public marketing site may update their cookie and tracking preferences at any time by clicking the “Manage Preferences” link in the site footer.

FERPA (Family Educational Rights and Privacy Act):

XCIV LLC operates as a “school official” under FERPA when providing services to schools that receive federal funding. This means:

• —Schools must execute a written Data Processing Agreement with us designating us as a school official before sharing student data
• —We operate under the direct control of the school with respect to student data use
• —We use student data only for the purpose specified in the contract — coaching and athletic program management
• —We do not re-disclose student data to third parties without school authorization

COPPA (Children's Online Privacy Protection Act):

XCIV.ai treats all data for athletes in grades K–8 as subject to COPPA protections. The Platform is operated as a tool for coaches and authorized organizational staff; we do not knowingly collect personal information directly from children under 13 through any user-facing surface.

Schools: When data about an athlete under 13 is entered by a school employee, that school provides the COPPA-required consent under the “school authorization” framework recognized by the FTC, in conjunction with the Data Processing Agreement executed between XCIV LLC and the school.

AAU and club programs: When data about an athlete under 13 is entered by an AAU or club organization, that organization represents and warrants to XCIV LLC that it has obtained verifiable parental consent (VPC) under COPPA, or that an applicable COPPA exception applies. Organizations bear sole responsibility for obtaining and documenting such consent.

If you believe a child's data has been entered without proper authorization or consent, contact us at zack@xciv.ai and we will delete it within 30 days.

XCIV.ai operates in Kansas and serves schools in Kansas, Nebraska, Colorado, and Oklahoma. Each state has enacted student data privacy laws with specific requirements. We comply with applicable state law in each jurisdiction we operate.

Kansas residents: XCIV LLC is a Kansas limited liability company. We comply with the Kansas Student Data Privacy Act (K.S.A. 72-6314 et seq.), including its restrictions on the sale of student data, requirements for school authorization before collection, and breach notification obligations. This Privacy Policy and our Terms of Service are governed by the laws of the State of Kansas.

Colorado residents: Colorado has enacted comprehensive student data privacy protections. We comply with the Colorado Student Data Transparency and Security Act, including explicit data breach notification requirements and restrictions on secondary use of student data.

Oklahoma residents: We comply with Oklahoma's Student Data Accessibility, Transparency, and Accountability Act, including data localization provisions. Schools in Oklahoma should inquire about our data storage practices for their specific requirements.

California residents: If XCIV.ai expands to serve California schools, all California Consumer Privacy Act (CCPA) rights will apply in full.

If you have questions about your rights under a specific state law, contact us at zack@xciv.ai.

XCIV.ai uses third-party artificial intelligence services to power features such as scouting report generation, training plan creation, and document parsing. We disclose these subprocessors so you understand exactly which third parties may receive data when you use AI features.

We will update this list when we add or remove an AI subprocessor and provide notice to coaches as described in Section 12.

We may update this Privacy Policy as our Platform evolves or applicable laws change. When we make material changes, we will:

• —Post the updated policy with a new effective date
• —Send email notice to all registered coaches at least 14 days before changes take effect
• —For changes that materially affect how we handle Student Data, we will seek affirmative consent from school administrators where required by law

We archive prior versions of this policy. If you would like to review a previous version, contact us.

For privacy questions, data requests, or concerns about how we handle student athlete data: