Privacy Policy
This Privacy Policy explains what information we collect when you use playback, how we use it, where it goes, and the rights you have over it. We've tried to write it plainly. If anything is unclear, email us.
1. Who this applies to
playback is operated by adults — parents, guardians, coaches — who journal about kids' sports games. playback is not designed for use by children. The app has no children-facing interface, no advertising, no in-app social network, and no public profile. Kids' names, photos, and game details are entered by the adult account holder ("you").
If you're under 13 (US) or under 16 (EU/EEA/UK), please don't create a playback account. If we learn we've collected personal information from a child without verified parental consent, we'll delete it.
2. What we collect
2.1 Information you provide
- Account info (only if you sign in for cloud sync): your email address, plus an authenticated session token issued by Supabase Auth. Sign-in via Apple or Google delivers a one-time identity token; we keep your email and a stable user ID.
- Kid profile data you enter: kid's first name (or nickname), default sport, optional emoji.
- Game journal entries you create: date, sport, opponent, score, highlight, reflection, tags, optional confidence/effort ratings, optional venue label and coordinates, optional photo annotations.
- Media you attach: photos, video clips, voice recordings.
- Co-parent invites you generate or redeem (a 22-character token, kid ID, expiry).
- Print order metadata (if you place an order via Stripe Payment Link): product, year, kid, total price.
- Support correspondence you send to support@r7labs.io.
2.2 Information collected automatically
- Crash reports and error logs via Sentry, with PII scrubbing applied (we strip email addresses and Authorization headers before transmission).
- Approximate device/OS info in crash reports (model, OS version, app version) for debugging.
- Subscription state stored locally on the device (free / trial / pro tier and trial start date).
2.3 Information we do NOT collect
- We don't run third-party advertising or analytics SDKs.
- We don't track you across other apps or websites.
- We don't sell, rent, or trade personal information.
- We don't read your photo library beyond the items you explicitly attach.
- We don't access your location unless you tap "Add venue" on a game.
3. Why we collect it
| Purpose | Lawful basis (GDPR) |
|---|---|
| Provide the journaling app on your device | Contract |
| Sync your data across your devices when signed in | Contract |
| Render family-share pages from your share links | Contract |
| Email you a one-time login code | Contract |
| Crash reporting and bug fixing | Legitimate interest |
| Process subscription payments (when applicable) | Contract |
| Comply with legal obligations | Legal obligation |
4. Where your data goes (sub-processors)
We use the following service providers. Each receives only the data necessary for its function.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database (Postgres), authentication, Edge Functions | US |
| Amazon Web Services (S3) | Media storage | us-east-1 |
| OpenAI | AI memory polish and voice transcription. Only used when you supply your own OpenAI API key in Settings. Your key stays on your device and is sent directly to OpenAI; we never see it. | US |
| Sentry | Crash reporting with PII scrubbing | US |
| Apple | Sign In with Apple (if you choose it) | US |
| Sign In with Google | Authentication (if you choose it) | US |
| Stripe | Payment processing for print orders (if you place one) | US |
| Apple App Store / Google Play | App distribution and in-app subscription billing | US |
We do not transfer personal data to any country without an adequate-protection framework or equivalent safeguards.
5. How long we keep it
- Local device data stays on the device until you delete it or uninstall the app.
- Cloud-synced data stays in our database while your account is active. When you request deletion (see §7), we delete it within 30 days.
- Media in S3 follows the same lifecycle as cloud-synced data.
- Crash reports are retained for 90 days, then automatically purged.
- Support correspondence is retained for 24 months for service quality.
- Family-share links stay live until you revoke them or they expire.
6. Sharing
We share personal information only in these cases:
- With the sub-processors listed above, and only as needed to operate the Service.
- With co-parents you invite. When you generate an invite code and someone redeems it, that person gains read/write access to the specified kid's games. You can remove their access at any time from Settings → Children.
- Via family-share links you create. A share link renders a public, unindexed HTML page. Anyone with the link can view its contents. You can revoke any share link from within the app.
- For legal reasons, if compelled by valid legal process, or to protect the safety of users.
We never share personal information for advertising or marketing by third parties.
7. Your rights
Wherever you live, you can:
- Access the data we hold about you. Settings → Export your data gives you a JSON or CSV download.
- Correct inaccurate data by editing it in the app.
- Delete your account and all associated cloud data by emailing support@r7labs.io with the subject "Delete my account". We'll confirm and delete within 30 days.
- Object to or restrict processing — email us.
- Withdraw consent at any time by signing out and uninstalling the app.
- Lodge a complaint with your local data protection authority. EU/EEA/UK residents can find theirs at edpb.europa.eu.
We respond to privacy requests within 30 days.
8. Children's privacy (COPPA, GDPR-K)
playback is intended for adult account holders journaling about kids in their care. We don't knowingly collect personal information directly from children under 13.
- Kids never log in. The app has no children-facing screens.
- A kid's name, photo, and game details are entered by the parent/guardian.
- We treat any kid-related information you enter as the parent's data, used only to provide the journaling Service.
- If you believe a child has used the app without parental supervision, email support@r7labs.io and we'll delete any associated data.
9. Security
We use industry-standard safeguards: TLS 1.2+ for data in transit, encryption at rest at Supabase and AWS, scoped IAM policies, row-level security in Postgres, and signed presigned URLs for media access. No system is perfectly secure; if we ever experience a breach affecting your data, we'll notify you within 72 hours of becoming aware.
10. Changes to this policy
If we change this policy materially, we'll notify you in the app and update the "Last updated" date above. Continued use of the Service after a change constitutes acceptance of the revised policy.
11. Contact
Questions, requests, or concerns: support@r7labs.io
r7labs
playback.kids