Privacy Policy
Effective Date: April 7, 2026 | Last Updated: April 7, 2026
1. Introduction
CutoffIQ LLC ("CutoffIQ," "we," "us," or "our") operates the CutoffIQ platform (the "Service"), a progressive baseball education platform accessible at cutoffiq.com and related subdomains. This Privacy Policy describes how we collect, use, disclose, retain, and protect information about users of the Service, including athletes aged 4–22, coaches, and parents or legal guardians ("you" or "Users").
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must discontinue use of the Service immediately.
2. Definitions
- "Child" or "Minor" means any individual under the age of 13, as defined by the Children's Online Privacy Protection Act (COPPA).
- "Personal Information" means any information that identifies, relates to, describes, or is reasonably capable of being associated with a particular individual.
- "Parent" means a parent or legal guardian of a Child.
- "Processing" means any operation performed on Personal Information, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, dissemination, restriction, erasure, or destruction.
3. Information We Collect
3.1 Information You Provide Directly
| Data Category | Specific Data Elements | Purpose |
|---|---|---|
| Account Information | Full name, email address, password (hashed) | Account creation, authentication, communication |
| Profile Information | Birth year, grade level, playing position, handedness (left/right/switch) | Age-appropriate content delivery, personalized lesson progression |
| User Role | Player, Coach, or Parent designation | Role-based access control, feature gating |
| Team Information (Coaches) | Team name, player roster associations | Team management, progress monitoring |
3.2 Information Collected Automatically
| Data Category | Specific Data Elements | Purpose |
|---|---|---|
| Performance Data | Quiz answers, scenario responses, drill completions, scores, time-on-task, accuracy rates, attempt history | IQ score calculation, progress tracking, adaptive content delivery |
| Progress Data | Level progression, lesson completion status, badges earned, streak data, milestone achievements | Gamification, progress reporting to coaches and parents |
| Session Data | Session tokens (JWT), login timestamps, session duration | Authentication, security, session management |
| Device & Browser Data | IP address, browser type, operating system, device type, screen resolution | Service optimization, security monitoring, debugging |
3.3 Information from Third Parties
If you authenticate using Google OAuth, we receive your name, email address, and profile picture URL from Google. We do not receive or store your Google password. Google's privacy policy governs their handling of your data: https://policies.google.com/privacy.
4. Children's Privacy (COPPA Compliance)
CutoffIQ is designed for athletes as young as age 4. We take the privacy of children seriously and comply fully with the Children's Online Privacy Protection Act (COPPA) and its implementing regulations (16 CFR Part 312).
4.1 Parental Consent Requirement
We do not knowingly collect Personal Information from children under 13 without obtaining verifiable parental consent. Before a Child can create an account or use the Service:
- A Parent must create a parent account and provide consent for their Child's participation.
- We use a consent mechanism compliant with FTC guidelines, which may include email-plus verification, signed consent forms, or other FTC-approved methods.
- We will not condition a Child's participation on providing more information than is reasonably necessary for the activity.
4.2 Parental Rights Under COPPA
Parents of children under 13 have the right to:
- Review their Child's Personal Information collected by us;
- Request deletion of their Child's Personal Information;
- Refuse further collection or use of their Child's Personal Information;
- Revoke previously granted consent at any time.
To exercise any of these rights, contact us at [email protected] with the subject line "COPPA Parental Request." We will verify your identity as the Child's Parent before processing any request.
4.3 Data Minimization for Children
For users identified as under 13, we limit data collection to what is strictly necessary for the educational features of the Service. We do not:
- Display children's profiles publicly;
- Enable direct messaging or social features for children;
- Share children's Personal Information with third parties for marketing purposes;
- Use children's data for behavioral advertising.
5. Legal Bases for Processing (GDPR)
For Users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process Personal Information under the following legal bases:
| Legal Basis | Processing Activities |
|---|---|
| Contract Performance (Art. 6(1)(b)) | Account creation, lesson delivery, progress tracking, IQ score computation |
| Legitimate Interests (Art. 6(1)(f)) | Service improvement, security monitoring, fraud prevention, analytics |
| Consent (Art. 6(1)(a)) | Marketing communications (if implemented), cookie consent for non-essential cookies, COPPA parental consent for children |
| Legal Obligation (Art. 6(1)(c)) | Compliance with applicable laws, responding to lawful requests |
6. How We Use Your Information
We use collected information for the following purposes:
- Service Delivery: Providing age-appropriate baseball education content, computing IQ scores, tracking level progression, and awarding badges.
- Authentication & Security: Verifying identity, maintaining secure sessions, preventing unauthorized access, and detecting fraudulent activity.
- Personalization: Tailoring lesson content to the user's competitive level, position, and performance history.
- Progress Reporting: Enabling coaches to view team member progress and enabling parents to monitor their child's achievements.
- AI Content Generation: Using aggregated and anonymized performance data to improve AI-generated lesson content. Individual responses are not shared with AI systems in identifiable form.
- Service Improvement: Analyzing usage patterns, identifying bugs, improving content quality, and optimizing user experience.
- Communication: Sending transactional emails (password resets, account notifications) and, with consent, promotional communications.
- Legal Compliance: Meeting regulatory obligations, responding to legal process, and enforcing our Terms of Service.
7. AI-Generated Content Disclosure
CutoffIQ uses artificial intelligence (specifically, the Anthropic Claude API) to generate educational lesson content, quiz scenarios, and situational drills. Key points regarding AI-generated content:
- AI-generated content is reviewed for accuracy and age-appropriateness before publication.
- Your individual quiz responses, performance data, and Personal Information are not sent to third-party AI providers in identifiable form.
- Aggregated, anonymized performance trends may be used to inform content generation prompts.
- The AI content generation system operates independently from user-facing data systems.
8. How We Share Your Information
We do not sell your Personal Information. We share information only in the following limited circumstances:
8.1 Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Railway (railway.app) | Cloud hosting, database hosting (PostgreSQL) | All data stored in the Service database |
| Google (OAuth) | Authentication | Authentication tokens; Google provides us with name and email |
| Anthropic (Claude API) | AI content generation | Anonymized content prompts only; no Personal Information |
All service providers are contractually bound to protect your data and use it only for the purposes specified.
8.2 Coaches and Parents
If a Player is associated with a Team, their coach may view the Player's progress data (lesson completion, scores, level progression). Parents linked to a Player account may view their child's progress and achievement data.
8.3 Legal Requirements
We may disclose Personal Information if required to do so by law, regulation, legal process, or governmental request, or where disclosure is necessary to protect our rights, safety, or property, or the rights, safety, or property of others.
8.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or similar event, Personal Information may be transferred as part of the transaction. We will notify affected Users before their Personal Information becomes subject to a different privacy policy.
9. Data Retention
| Data Category | Retention Period | Justification |
|---|---|---|
| Account Information | Duration of account + 30 days after deletion request | Service delivery, fraud prevention |
| Performance & Progress Data | Duration of account + 90 days after deletion | IQ score integrity, historical records |
| Session Data | 30 days from session creation | Authentication, security monitoring |
| Server Logs | 90 days | Debugging, security incident investigation |
| Children's Data (under 13) | Deleted within 14 days of parental revocation of consent or account deletion | COPPA compliance |
| Backup Copies | Purged within 30 days of primary data deletion | Disaster recovery |
Upon expiration of the applicable retention period, data is permanently deleted or irreversibly anonymized.
10. Data Security
We implement industry-standard technical and organizational measures to protect your Personal Information, including:
- Passwords are hashed using bcrypt with appropriate cost factors;
- All data in transit is encrypted via TLS 1.2 or higher;
- Database connections use SSL encryption;
- Session tokens are signed JWTs with expiration enforcement;
- Role-based access controls limit data access to authorized personnel;
- OAuth tokens stored at rest are encrypted with AES-256;
- Regular security reviews and dependency audits are performed.
No method of electronic storage or transmission is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
11. Your Rights Under GDPR (EEA/UK/Swiss Residents)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and applicable local laws:
- Right of Access (Art. 15): Request a copy of the Personal Information we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate Personal Information.
- Right to Erasure (Art. 17): Request deletion of your Personal Information ("right to be forgotten").
- Right to Restrict Processing (Art. 18): Request limitation of processing of your Personal Information.
- Right to Data Portability (Art. 20): Receive your Personal Information in a structured, commonly used, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, withdraw at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: File a complaint with your local data protection supervisory authority.
To exercise any of these rights, email [email protected] with the subject line "GDPR Data Request." We will respond within 30 days.
11.1 International Data Transfers
CutoffIQ is based in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplementary measures where appropriate, and service provider agreements to ensure adequate protection for international data transfers.
12. Your Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of Personal Information we have collected, the categories of sources, business purposes for collection, and categories of third parties with whom we share data.
- Right to Delete: Request deletion of your Personal Information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate Personal Information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share (as defined by CCPA/CPRA) your Personal Information. Therefore, no opt-out mechanism is required.
- Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA rights.
- Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of sensitive Personal Information to purposes authorized by the CPRA.
To submit a verifiable consumer request, email [email protected] with the subject line "CCPA Request." We will verify your identity before processing and respond within 45 days.
12.1 Categories of Personal Information Collected (CCPA Disclosure)
| CCPA Category | Examples | Sold? |
|---|---|---|
| A. Identifiers | Name, email, IP address | No |
| B. Personal Info (Cal. Civ. Code 1798.80(e)) | Name, email | No |
| C. Protected Classifications | Age/birth year | No |
| D. Commercial Information | Not collected (no payments yet) | No |
| F. Internet/Network Activity | Session data, browser type, usage patterns | No |
| K. Inferences | IQ score, skill level, performance trends | No |
13. Do Not Track Signals
CutoffIQ does not currently respond to "Do Not Track" (DNT) browser signals, as there is no universally accepted standard for DNT compliance. We do not engage in cross-site tracking of our Users.
14. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access.
15. Changes to This Privacy Policy
We may update this Privacy Policy periodically. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page;
- Provide notice through the Service (e.g., a banner or in-app notification);
- For Children's accounts, notify the Parent via email and obtain renewed consent if required by COPPA.
Continued use of the Service after the effective date of a revised Privacy Policy constitutes acceptance of the updated terms.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:
CutoffIQ LLC
Email: [email protected]
Subject Line: "Privacy Inquiry"
We will acknowledge receipt within 3 business days and provide a substantive response within 30 days (or 45 days for CCPA requests with proper notice of extension).