Privacy Policy
Including Children's Privacy Notice (COPPA Compliance)
1. Introduction
Gabriel Rao, d/b/a iWrestle ("we," "us," or "our") operates iWrestle, a wrestling video analysis platform available at iwrestle.app and through mobile applications (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect personal information from all users, with specific provisions for children under 13 years of age as required by the Children's Online Privacy Protection Act ("COPPA"), as amended effective June 23, 2025.
iWrestle is designed for wrestlers ages 10–20. Because we knowingly collect personal information from children under 13, we comply fully with COPPA and its 2025 amendments, with full compliance by April 22, 2026.
2. Information We Collect
2.1 Information You Provide
When you create an account, upload videos, or use our Service, we collect:
- Account information: email address, password (hashed and salted, never stored in plain text), first name, and last name.
- Wrestler profile information: display name, competition level (youth, high school, college, open), weight class, and wrestling style preference (folkstyle, freestyle, or Greco-Roman).
- Wrestling videos: match footage you upload for analysis. Videos are processed by our analysis service and stored on secure third-party infrastructure (Mux for video hosting, Supabase for metadata).
- Payment information: if you purchase a subscription or analysis pack, payment is processed by Stripe. We do not store your credit card number, expiration date, or CVV on our servers.
- User-generated content: posts, reactions, and other content you create on the social feed.
2.2 Information Collected Automatically
When you use the Service, we automatically collect:
- Device fingerprint: a non-reversible hash used to identify your device for security purposes (fraud prevention, rate limiting). This is not a tracking cookie and cannot be used to identify you personally.
- Usage data: pages visited, features used, time spent on the Service, and interactions with analyses. This is collected via Sentry for error and performance monitoring.
- Error and crash data: technical information about errors you encounter, collected via Sentry to improve the Service.
We do NOT collect: precise geolocation, biometric identifiers, social media handles, school names or addresses, browsing history outside the Service, or any information for behavioral advertising or profiling.
2.3 Information from Third-Party Services
We use the following third-party services that may process your data:
- Google Gemini (analysis): your uploaded wrestling video is sent to Google's Gemini API for analysis. Google's use of this data is governed by their API Terms of Service and Privacy Policy.
- Mux (video hosting): videos are stored and streamed via Mux's infrastructure.
- Supabase (authentication and database): your account data and analysis results are stored in Supabase's cloud infrastructure.
- Stripe (payments): payment processing is handled entirely by Stripe. We receive only a confirmation of payment status, not your card details.
- Sentry (error monitoring): anonymous error and performance data is sent to Sentry to help us fix bugs and improve reliability.
3. Children's Privacy — COPPA Compliance
This section applies specifically to users under 13 years of age. iWrestle is designed for wrestlers ages 10–20, and we knowingly collect personal information from children under 13. We comply with COPPA (15 U.S.C. §§ 6501–6506) and the FTC's COPPA Rule (16 CFR Part 312), including all amendments effective June 23, 2025.
3.1 Verifiable Parental Consent
Before collecting any personal information from a child under 13, we require verifiable parental consent through one or more of the following FTC-approved methods:
- Credit or debit card verification: a small charge (refunded) to a parent's payment method to verify the parent's identity.
- Signed consent form: a consent form signed by the parent and returned via email or mail.
- Text Plus method: a text message to the parent's mobile number coupled with a confirmatory follow-up message, as permitted under the 2025 COPPA amendments.
The parent or legal guardian must complete the consent process before the child can use the Service. We retain records of parental consent for as long as the child's account is active.
3.2 Information We Collect from Children Under 13
We collect only the minimum personal information necessary to provide the Service:
- First name and last initial: used for display within the app. A child's full last name is never displayed publicly.
- Email address of the parent or guardian: used for account management and required COPPA notifications. We do not collect the child's email address.
- Age and weight class: used to provide age-appropriate analysis and accurate competition context.
- Competition level and wrestling style: used to tailor the analysis feedback.
- Wrestling videos: uploaded by the child (or parent) for analysis. Videos are stored securely and are not publicly accessible unless the child (with parental permission) chooses to share a specific analysis.
3.3 Information We Do NOT Collect from Children Under 13
We never collect the following from children:
- School name or address.
- Precise geolocation.
- Social media accounts or handles.
- Biometric identifiers (facial recognition, fingerprints, voiceprints).
- Any information for advertising, behavioral profiling, or sale to third parties.
3.4 How We Use Children's Information
Children's personal information is used solely to:
- Provide the Service: analyze uploaded wrestling videos and deliver technique feedback.
- Maintain the account: authenticate the child and link their analyses to their profile.
- Improve the Service: aggregate, de-identified usage data may be used to improve our analysis accuracy.
We do NOT use children's personal information for targeted advertising, behavioral profiling, or any purpose beyond providing and improving the core Service.
3.5 Disclosure of Children's Information
We do not sell, rent, or trade children's personal information. We disclose children's information only to the following third-party service providers, solely for the purpose of operating the Service:
- Google (Gemini API): receives the uploaded video for analysis.
- Mux: receives video files for hosting and streaming.
- Supabase: stores account data and analysis results.
- Sentry: receives anonymous error data.
Each of these providers is contractually prohibited from using children's personal information for any purpose other than providing their service to us. Under the 2025 COPPA amendments, we obtain separate verifiable parental consent before disclosing children's personal information to any third party for purposes that are not integral to the Service.
3.6 Parental Rights
Parents and legal guardians have the right to:
- Review: request a review of all personal information collected from their child.
- Delete: request deletion of their child's personal information and account at any time.
- Revoke consent: withdraw consent and terminate their child's account.
- Refuse further collection: direct us to stop collecting personal information from their child.
- Receive notification: receive notification of any material changes to our data practices.
To exercise any of these rights, contact us at privacy@iwrestle.app. We will process requests within 10 business days.
3.7 Data Retention for Children's Information
In compliance with the 2025 COPPA amendments, we maintain a written data retention policy for children's information:
- Account information: retained for the duration of the active account, plus 30 days after account deletion for recovery purposes, then permanently deleted.
- Wrestling videos: retained for 12 months from upload date, then automatically deleted. Users may delete videos at any time.
- Analysis results: retained for the duration of the active account, deleted within 30 days of account termination.
- Error and usage logs: retained for 90 days, then automatically purged.
4. How We Use Information (All Users)
We use collected information to:
- Provide and operate the Service: process video uploads, deliver analysis, maintain user accounts, and enable social features.
- Process payments: manage subscriptions and analysis credit purchases via Stripe.
- Improve the Service: fix bugs, improve analysis accuracy, and enhance features based on aggregate usage patterns.
- Communicate with you: send account-related emails (password resets, payment confirmations, analysis completion notifications). We do not send marketing emails without opt-in consent.
- Protect the Service: detect and prevent fraud, abuse, and unauthorized access through device fingerprinting and rate limiting.
We do NOT use personal information for targeted advertising. We do NOT sell, rent, or trade personal information to third parties. We do NOT build behavioral profiles for marketing purposes.
5. Information Security
We implement and maintain a written information security program appropriate to the sensitivity of the data we collect. Our security measures include:
- Encryption: all data is encrypted in transit (TLS 1.2+) and at rest.
- Authentication: passwords are hashed using bcrypt with a minimum of 10 rounds. JWT tokens are used for session management.
- Access controls: production systems use role-based access controls. Database access is restricted to authenticated API routes with Row Level Security (RLS) enforced at the database level.
- Rate limiting: API endpoints are rate-limited to prevent abuse.
- Error monitoring: Sentry tracks application errors in real time, enabling rapid response to security incidents.
- Secure video processing: uploaded videos are stored on Mux's infrastructure, which is SOC 2 compliant.
- Environment isolation: production environment variables are managed securely and validated at runtime. No secrets are exposed in client-side code.
We review and update our security program at least annually.
6. Data Retention
We retain personal information only as long as reasonably necessary:
- Account data: retained while your account is active, plus 30 days after deletion for recovery.
- Videos: retained for 12 months from upload, then deleted. You may delete videos at any time.
- Analysis results: retained while your account is active, deleted within 30 days of account closure.
- Payment records: Stripe retains payment records per their data retention policy and applicable legal requirements. We retain only transaction confirmations.
- Error logs: retained for 90 days.
- Device fingerprints: retained for 24 hours for rate-limiting purposes, then discarded.
7. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: request a copy of the personal information we hold about you.
- Correction: request correction of inaccurate personal information.
- Deletion: request deletion of your personal information and account.
- Portability: request your data in a portable format.
- Opt-out: opt out of non-essential data collection.
To exercise any of these rights, contact us at privacy@iwrestle.app. We will respond within 30 days (10 business days for COPPA-related requests concerning children under 13).
8. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party service you interact with.
9. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated Policy on the Service and, for children's accounts, by sending notice to the parent's email address on file. Continued use of the Service after changes constitutes acceptance of the updated Policy. We will obtain new verifiable parental consent for any material changes to how we collect, use, or disclose children's information.
10. Contact Us
If you have questions about this Privacy Policy, your personal information, or our COPPA compliance, contact us at:
Gabriel Rao, d/b/a iWrestle
Email: privacy@iwrestle.app
Website: iwrestle.app
If you believe we have collected personal information from a child under 13 without proper parental consent, please contact us immediately and we will take steps to delete the information.