Privacy Policy

Effective Date: March 19, 2026 | Last Updated: March 19, 2026

1. Overview

RosterCleared, LLC ("RosterCleared," "we," "us," or "our") operates the RosterCleared platform at rostercleared.com (the "Platform"), a software-as-a-service application that automates athletic eligibility tracking and physical form validation for high school athletic departments.

This Privacy Policy explains how we collect, use, disclose, and protect information when schools, school personnel, students, and parents ("you" or "Users") use our Platform. It applies to all users of the Platform, including Athletic Directors ("ADs"), athletic trainers, coaches, students, and parents or legal guardians.

By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you are a school administrator entering into a service agreement with RosterCleared on behalf of your institution, you represent that you have the authority to bind the institution to these terms.

IMPORTANT: Schools should consult their own legal counsel before relying on this policy.

2. Definitions

"School" — The educational institution that maintains an active account on the Platform. The School is the data controller for all student education records processed through the Platform.

"School Personnel" — Athletic Directors, athletic trainers, coaches, and other school staff authorized by the School to access the Platform.

"Student Data" — Any information directly related to an identifiable student that is maintained by or on behalf of a School, including but not limited to athlete records, physical form documents, and eligibility status.

"Physical Form" or "PPE Form" — A Pre-Participation Physical Evaluation form submitted to the Platform for AI-assisted validation.

"Validation Metadata" — Structured data outputs generated by our AI validation pipeline, including form completeness assessments, practitioner credential verification results, and medical flag labels. Validation Metadata does not include raw medical narratives or full-text transcriptions of physical forms.

"Medical Flag" — A categorical label (e.g., "asthma," "prior concussion," "cardiac concern") extracted by the AI pipeline to alert School Personnel to conditions that may require follow-up. Medical Flags are labels only — they do not contain clinical notes, treatment details, or diagnostic narratives.

"Tenant" — A School's isolated data environment within the Platform, enforced by row-level security policies at the database level.

3. Data Controller and Processor Roles

Schools as Data Controllers. Under FERPA and applicable state privacy laws, the School is the data controller for all Student Data processed through the Platform. Schools determine the purposes and means of processing Student Data and are responsible for obtaining any necessary consents, providing required notices to parents and eligible students, and ensuring their use of the Platform complies with applicable law.

RosterCleared as Data Processor (School Official). RosterCleared operates as a "school official" with a "legitimate educational interest" under FERPA (34 CFR § 99.31(a)(1)). We process Student Data solely on behalf of and under the direction of the School, for the purposes specified in our service agreement. We do not use Student Data for any purpose other than providing the Platform services to the School.

Processor Obligations. As a data processor, RosterCleared:

  • Processes Student Data only as instructed by the School and as necessary to perform Platform services
  • Does not use or disclose Student Data for any commercial purpose unrelated to the Platform services, including advertising, marketing to students, or building user profiles for non-educational purposes
  • Does not sell Student Data to any third party
  • Maintains appropriate technical and organizational security measures
  • Returns or deletes Student Data upon termination of the service agreement, subject to the data retention terms in Section 10
  • Provides the School with access to audit RosterCleared's compliance with this policy upon reasonable request

4. Information We Collect

We collect information in the following categories:

4.1 Account Information

When School Personnel register for the Platform, we collect: email address, full name, role designation (e.g., Athletic Director, Coach, Athletic Trainer), and the School with which they are affiliated.

4.2 Athlete Records

School Personnel enter athlete information into the Platform, including: first name, last name, grade level, sport enrollment, and eligibility status. This information is classified as Student Data under FERPA.

4.3 Physical Form Documents

Authorized School Personnel or, where the School permits, students and parents, upload Pre-Participation Physical Evaluation (PPE) forms in PDF or image format. These documents may contain protected health information including the student's name, date of birth, medical history responses, physician examination findings, and practitioner credentials.

4.4 Validation Metadata

Our AI validation pipeline generates structured metadata from submitted physical forms, including:

  • Completeness assessment (whether all required fields are filled)
  • Practitioner credential verification results (name, license presence, signature detection)
  • Medical flag labels (categorical labels only — see definition above)
  • Overall eligibility determination (Cleared, Flagged, Pending, Rejected)

We do not store raw medical text, clinical narratives, or full-text transcriptions of physical forms in our database. Only structured flag labels and validation results are persisted.

4.5 Usage and Technical Data

We automatically collect standard technical data when you use the Platform, including: IP address, browser type, device information, pages visited, and timestamps. This data is used solely for security monitoring and Platform performance.

4.6 Information We Do NOT Collect

We do not collect Social Security numbers, financial information, biometric data, or geolocation data. We do not use cookies for advertising or cross-site tracking.

5. AI Processing and Automated Decision-Making

5.1 How AI Is Used

Physical forms submitted to the Platform are processed through a six-stage AI validation pipeline powered by the Anthropic Claude API. The stages are:

  1. Document Verification — The system confirms the uploaded document is a valid PPE form before further processing.
  2. Completeness Check — The AI reviews the form to verify that all required fields (student information, medical history, physician examination, signatures) are present and filled.
  3. Insurance Format Validation — The system verifies that insurance information matches expected formats.
  4. Practitioner Credential Verification & Physical Validity — The AI identifies the signing practitioner's name, checks for license number and signature presence, and verifies that the physical is within the applicable validity window.
  5. Medical Flag Extraction — The AI identifies medical conditions noted on the form and outputs categorical flag labels (e.g., "asthma," "prior concussion") for review by School Personnel.
  6. Status Determination — Based on the outputs of stages 1–5, the system assigns an overall eligibility status.

5.2 What the AI Does NOT Do

The AI does not make final eligibility decisions. All AI outputs are recommendations presented to authorized School Personnel, who retain full authority to override any automated determination. The AI does not diagnose medical conditions, recommend treatments, or make clinical judgments.

5.3 Human Oversight

Every AI-generated status can be manually overridden by authorized School Personnel through the Platform's override function. All overrides are audit-logged with the identity of the person who made the change, the timestamp, and the reason provided.

5.4 AI Data Handling

When a physical form is sent to the Anthropic Claude API for processing:

  • The form content is transmitted via encrypted API call (TLS 1.2+)
  • Anthropic does not use API inputs to train its models (per Anthropic's commercial API terms)
  • We do not retain the raw AI response containing full form text — only the structured validation outputs are stored in our database
  • Each pipeline stage logs its structured result to an audit trail

5.5 AI Limitations Disclosure

AI-assisted validation is a tool to support — not replace — professional judgment. The AI may produce errors, miss information, or misclassify conditions. Schools are responsible for ensuring that qualified personnel review flagged forms and make final eligibility determinations in accordance with their institutional policies and state athletic association requirements.

6. How We Use Information

We use the information we collect for the following purposes only:

  • Providing Platform services — validating physical forms, tracking eligibility status, managing rosters, and generating reports for authorized School Personnel
  • Maintaining audit trails — logging all form status changes, AI validation results, and manual overrides for accountability and compliance purposes
  • Providing technical support — responding to support requests from School Personnel
  • Improving the Platform — analyzing aggregated, de-identified usage patterns to improve Platform performance and reliability (never using identifiable Student Data)
  • Security and fraud prevention — monitoring for unauthorized access, security threats, and abuse

We do not:

  • Sell, rent, or lease Student Data or any personal information to third parties
  • Use Student Data for advertising, marketing, or behavioral profiling
  • Use Student Data to build profiles for non-educational commercial purposes
  • Share Student Data with third parties except as described in Section 7
  • Use Student Data for any purpose not authorized by the School

7. Third-Party Sub-Processors

We use the following third-party service providers (sub-processors) to operate the Platform. Each sub-processor processes data only as necessary to provide their specific service:

Supabase, Inc.

  • Purpose: Database hosting (PostgreSQL), user authentication, and file storage
  • Data processed: All Platform data, including Student Data, account information, and uploaded physical form documents
  • Location: United States
  • Security: Data encrypted at rest (AES-256) and in transit (TLS 1.2+); row-level security (RLS) policies enforce tenant isolation at the database level

Anthropic, PBC

  • Purpose: AI-powered form validation (Claude API)
  • Data processed: Physical form content transmitted for validation processing only
  • Location: United States
  • Security: Data transmitted via encrypted API calls; Anthropic does not use commercial API inputs to train its models; no persistent storage of form content by Anthropic beyond the API request lifecycle

Vercel, Inc.

  • Purpose: Application hosting and content delivery
  • Data processed: Technical/usage data (IP addresses, request logs); application code
  • Location: United States (edge network)
  • Security: TLS encryption; SOC 2 Type 2 certified

Resend, Inc.

  • Purpose: Transactional email delivery (e.g., magic link authentication, notifications)
  • Data processed: Email addresses of School Personnel
  • Location: United States

We do not share Student Data with any sub-processor for purposes beyond what is described above. We require all sub-processors to maintain appropriate security measures and to process data only as instructed.

We will update this section if we add or change sub-processors and will notify Schools of material changes.

8. FERPA Compliance

RosterCleared is designed to support School compliance with the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, and its implementing regulations at 34 CFR Part 99.

8.1 School Official Exception

RosterCleared processes Student Data as a "school official" with a "legitimate educational interest" under FERPA § 99.31(a)(1). Our service agreement with each School establishes the conditions under which we access Student Data, consistent with the School's annual FERPA notification to parents.

8.2 FERPA Commitments

RosterCleared commits to the following:

  • We use Student Data solely for the purpose of providing the Platform services authorized by the School
  • We do not re-disclose Student Data to additional third parties except to the sub-processors identified in Section 7, and only as necessary to provide Platform services
  • We maintain direct control over Student Data and do not permit sub-processors to use Student Data for their own purposes
  • We comply with FERPA's data security requirements by implementing the technical and organizational measures described in Section 9
  • We support Schools in responding to parental or eligible student requests to inspect and review education records by providing data export functionality
  • We return or delete Student Data upon termination of the service agreement, consistent with Section 10

8.3 Parental and Eligible Student Rights

Parents of students under 18, and students who are 18 or older ("eligible students"), have the right under FERPA to:

  • Inspect and review their education records
  • Request correction of records they believe are inaccurate or misleading
  • Consent to disclosure of records (with exceptions)

Because the School is the data controller, these requests should be directed to the School. RosterCleared will cooperate with Schools in fulfilling such requests.

8.4 Directory Information

RosterCleared does not treat any Student Data as "directory information." All Student Data is treated as protected education records regardless of whether the School has designated certain categories as directory information.

9. Virginia-Specific Compliance

For Schools operating in Virginia, RosterCleared is designed to align with the following requirements:

9.1 Virginia Student Data Privacy Act

RosterCleared's practices align with the Virginia Student Data Privacy Act and related Virginia Department of Education guidance regarding the use of technology providers that process student education records.

9.2 VHSL Compliance Requirements

For member schools of the Virginia High School League (VHSL), RosterCleared supports compliance with VHSL eligibility requirements, including the requirement that all student-athletes submit a valid Pre-Participation Physical Evaluation (PPE) form prior to athletic participation. The Platform's validation pipeline is designed to verify the completeness and validity of PPE forms consistent with VHSL standards.

Note: RosterCleared does not make final eligibility determinations. The Athletic Director or designee retains sole authority over eligibility decisions in accordance with VHSL rules and regulations.

9.3 Other State Laws

As RosterCleared expands to serve schools in additional states, we will evaluate and address applicable state student data privacy laws, including but not limited to state-specific student data privacy acts, breach notification requirements, and athletic association regulations. Schools are encouraged to inform us of state-specific requirements applicable to their institution.

10. Data Storage and Security

10.1 Multi-Tenant Architecture

RosterCleared uses a multi-tenant architecture with strict data isolation between Schools. Each School's data is logically separated at the database level using row-level security (RLS) policies. These policies ensure that:

  • No School can access another School's data through the Platform
  • School Personnel can only access data for the School to which they are assigned
  • Coaches see only athletes enrolled in their assigned sport
  • Athletes and parents see only their own records

10.2 Encryption

  • Data at rest: All database records and stored files are encrypted using AES-256 encryption
  • Data in transit: All data transmitted between users, the Platform, and third-party services is encrypted using TLS 1.2 or higher
  • File storage: Uploaded physical form documents are stored in private, encrypted cloud storage with access restricted to authorized users within the uploading School's account

10.3 Access Controls

  • Role-based access control (RBAC) limits data access based on user role (AD, Coach, Trainer)
  • Authentication is handled via Supabase Auth with email-based magic link sign-in
  • API routes validate user identity and role on every request
  • Administrative access to production systems is limited to authorized RosterCleared personnel

10.4 Audit Logging

All significant actions on the Platform are logged, including:

  • Form uploads and status changes
  • AI validation pipeline results
  • Manual overrides of eligibility status (including who, when, and stated reason)
  • Account creation and role assignments

10.5 Incident Response

RosterCleared maintains an incident response process for suspected data breaches or unauthorized access. In the event of a security incident involving Student Data, we will:

  • Investigate the incident promptly
  • Notify affected Schools without unreasonable delay, and in no event later than required by applicable law (Virginia law requires notification without unreasonable delay)
  • Cooperate with Schools in their own notification obligations to parents and regulatory authorities
  • Document the incident and remediation steps taken

11. Data Retention and Deletion

11.1 Active Accounts

We retain Student Data for the duration of the School's active subscription and service agreement.

11.2 Post-Termination

Upon termination or expiration of a School's service agreement:

  • The School may request a full export of its data in a machine-readable format within 30 days of termination
  • We will delete all Student Data associated with the School within 60 days of termination, unless a longer retention period is required by law or requested by the School in writing
  • Deletion includes athlete records, physical form documents, validation metadata, and audit logs
  • We will confirm deletion in writing to the School's designated contact

11.3 Individual Deletion Requests

Authorized School Personnel may request deletion of individual athlete records or physical form documents at any time by contacting phil@rostercleared.com. We will process such requests within 30 days.

11.4 Backup and Residual Data

Deleted data may persist in encrypted backups for up to 90 days before being permanently purged. During this period, backup data is not accessible through the Platform and is subject to the same security protections as active data.

11.5 De-Identified Data

We may retain aggregated, de-identified data that cannot reasonably be used to identify any individual student for purposes of Platform analytics and improvement. Such data is not considered Student Data or education records under FERPA.

12. Your Rights and How to Exercise Them

12.1 School Personnel

Authorized School Personnel may:

  • Access, export, and download all data associated with their institution through the Platform dashboard
  • Request correction of inaccurate account information
  • Request deletion of their personal account upon leaving their institution
  • Contact us at phil@rostercleared.com for assistance with any of the above

12.2 Parents and Eligible Students

As described in Section 8.3, parents and eligible students have rights under FERPA to inspect, review, and request correction of education records. Because the School is the data controller:

  • Requests to access or correct Student Data should be directed to the School
  • The School will coordinate with RosterCleared as needed to fulfill such requests
  • RosterCleared will respond to School-authorized requests within 30 days

12.3 California Residents

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA). However, Student Data processed by RosterCleared on behalf of Schools is exempt from the CCPA to the extent it is covered by FERPA. For questions about your rights, contact phil@rostercleared.com.

12.4 Virginia Residents

Virginia residents may have rights under the Virginia Consumer Data Protection Act (VCDPA). Student Data processed on behalf of Schools may be exempt to the extent covered by FERPA. For questions, contact phil@rostercleared.com.

13. Children's Privacy

RosterCleared is designed for use by Schools and School Personnel. The Platform processes Student Data on behalf of Schools in their capacity as educational institutions.

COPPA Considerations: To the extent the Children's Online Privacy Protection Act (COPPA) applies, RosterCleared relies on the School to provide consent for the collection of student information, consistent with the FTC's guidance permitting schools to consent on behalf of parents in the educational context. We do not collect personal information directly from children under 13 without the School's authorization.

We do not knowingly collect personal information from children outside the educational context. If we become aware that we have collected personal information from a child under 13 without appropriate school authorization, we will delete that information promptly.

14. Health Information Practices

14.1 Nature of Health Data Processed

Physical forms submitted to the Platform may contain health information, including medical history responses and physician examination findings. This information is processed solely for the purpose of athletic eligibility validation.

14.2 HIPAA Applicability

RosterCleared processes physical forms on behalf of Schools, not healthcare providers. In most cases, PPE forms submitted through the Platform are education records under FERPA, not protected health information (PHI) under HIPAA. However:

  • If a School also operates as a HIPAA-covered entity, we will enter into a Business Associate Agreement (BAA) upon request
  • We are pursuing BAA agreements with our sub-processors (Supabase, Anthropic) as part of our compliance roadmap

14.3 Health Data Minimization

We practice data minimization for health information:

  • Raw medical narratives, clinical notes, and full examination findings are NOT stored in our database
  • Only categorical medical flag labels are persisted (e.g., "asthma" — not "Patient reports moderate persistent asthma, currently managed with daily inhaler")
  • Physical form documents are stored in encrypted file storage accessible only to authorized School Personnel within the uploading School's account
  • AI processing extracts structured metadata only; raw form text is not retained after processing

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Material Changes: For material changes that affect how we handle Student Data, we will:

  • Notify all active School accounts via email at least 30 days before the changes take effect
  • Post the updated policy on the Platform with a revised "Last Updated" date
  • Where required by our service agreement or applicable law, obtain School consent before implementing material changes

Non-Material Changes: For minor changes (e.g., formatting, clarifications that do not alter meaning), we will update the policy and revise the "Last Updated" date without advance notice.

Schools that do not agree with material changes may terminate their service agreement in accordance with its terms.

16. Contact Information

For privacy-related questions, data access requests, or concerns about this policy:

Privacy Inquiries
Email: phil@rostercleared.com

General and Sales Inquiries
Email: sales@rostercleared.com

Mailing Address
RosterCleared, LLC
Attn: Privacy
Richmond, VA

Response Time: We will acknowledge privacy-related inquiries within 5 business days and provide a substantive response within 30 days.

To report a suspected data breach or security incident, contact phil@rostercleared.com with "URGENT: Security Incident" in the subject line.