Trust & Security
Privacy & security documentation
Privacy and security documentation for individual users and institutions. Includes review materials commonly requested by school districts, colleges, and universities evaluating software vendors.
Documents
Review documents
Commonly requested documents for district, school, college, and university privacy and security review. Click any to download the PDF.
Also see planning resources →
Data Privacy Summary
Overview of how user and athlete data is handled, protected, and governed.
Security Overview
Technical and operational security practices and architecture summary.
Data Retention Policy
How long data is retained, deletion procedures, and lifecycle controls.
Incident Response Summary
Breach notification procedures and incident response framework.
Privacy
Data privacy
For institutional accounts, APEX processes data at the direction of the contracting organization. For individual users, APEX is the data controller and our Privacy Policy governs data handling.
Your data is not sold.
APEX does not sell personal data or use it for advertising purposes under any circumstances — whether you are an individual user or part of an institution.
Athletes control their own data.
Athletes can grant or revoke data-sharing consent with coaching staff at any time. Athlete performance data stays with the athlete — even if they leave a program. Institutions retain ownership of coaching content (programs, configurations, targets).
Not a medical system.
APEX is a coach workflow platform. It does not provide medical advice, diagnosis, or treatment.
Governance
Responsible use in athletics
APEX is a coach workflow and accountability platform. Institutions remain in control of how it is applied.
- APEX supports training operations and team visibility — it does not make medical decisions.
- For institutional accounts, the organization controls which data is collected, who can access it, and how platform workflows are applied. Individual users manage their own settings.
- APEX does not replace sports medicine judgment, institutional policy, or athlete notice and consent processes.
- Institutions adopting APEX should maintain written policies, stakeholder education, and periodic review practices for performance technologies.
Security
Technical security
Infrastructure and access controls designed for institutional athletics environments.
- Supabase Auth for authentication and session management.
- Row-level security (RLS) policies enforce data isolation at the database layer.
- Role-based access controls and tenancy scoping across school, team, coach, and athlete access paths.
- Data encrypted in transit (TLS) and at rest (AES-256).
- Consent-gated access — coaching staff can only view athlete-generated data when the athlete has granted sharing consent.
- Operational logging supports reliability and auditability.
- Administrative write paths use controlled server-side service-role access.
Infrastructure
Subprocessors
All subprocessors are US-based. Institutional customers receive thirty (30) days' notice before any new subprocessor is added.
Full subprocessor list →

| Vendor | Purpose | Location |
|---|---|---|
| Supabase | Database, Authentication & File Storage | United States |
| Vercel | Hosting & Deployment | United States |
| Anthropic | AI-Powered Nutritional Estimation & Coaching Analytics | United States |
| OpenAI | AI-Powered Meal Plan Generation | United States |
| Stripe | Payment Processing | United States |
| PostHog | Product Analytics & Usage Monitoring | United States |
| Resend | Email Delivery | United States |
Compliance
Regulatory alignment
Designed to support privacy reviews under FERPA and state student data privacy laws when APEX is used by educational institutions under contract. For individual users, APEX complies with applicable consumer privacy laws including the CCPA.
- FERPA: Family Educational Rights and Privacy Act
- NY §2-d: New York Education Law §2-d
- SOPIPA: California Student Online Personal Information Protection Act
- MA: Massachusetts Student Data Privacy Regulations
- TX: Texas Student Privacy Protections (Education Code)
Planning Resources
Institutional guidance resources
Article-style resources to support athletics, sports medicine, IT, and compliance stakeholders as institutions define their own internal policies and implementation practices.
Responsible Use of Athlete Performance Data
Practical principles for transparency, governance, role-based access, and multidisciplinary oversight.
Data Categories Collected
Plain-language summary of data categories, operational purpose, and typical access context.
Sample Institutional Policy Template
Adaptable policy framework institutions can use for planning stakeholder roles and oversight boundaries.
Institutional FAQ
Quick answers for coaches, sports medicine, IT, and compliance reviewers evaluating platform use.
Privacy & Security Contact
Questions about privacy or security?
For individual users, institutional reviews, or IT and compliance teams.