CoDi Tennis · Australian Privacy Act 1988
Privacy Policy
Last updated: 30 May 2026
We take privacy seriously — especially because the platform handles information about children. This policy explains what we collect, why, how we keep it safe, and your rights to access, correct, or delete it.
coaching.direct (operating as CoDi Tennis) is owned and operated by PRYM HK Tiles Pty Ltd (ABN 66 674 590 839), a company registered in Australia. PRYM HK Tiles Pty Ltd is the data controller for personal information collected through coaching.direct. References to “we”, “us”, or “our” in this policy mean PRYM HK Tiles Pty Ltd.
- What we collect: your name, email, phone, payment method (via Stripe — we never see card numbers), and your kid’s name, age, coaching progress, and (only with your consent) practice videos.
- Why we collect it: to run bookings, send reminders, pay coaches, and let coaches track your kid’s progress. That’s it. No selling, no third-party advertising.
- Where it lives: our database is in Sydney. We share data with a small number of clearly-named vendors (Stripe for payments, Resend for email, Supabase for the database). The full list lives at /legal/subprocessors.
- Your rights: see what we have, fix it, or delete your account anytime from /profile. Email privacy@coaching.direct if you want a machine-readable export or have a question.
- If something goes wrong: we follow Australia’s Notifiable Data Breach scheme — if there’s a leak that could realistically hurt you, we tell you and the regulator within 30 days.
The detailed version below explains each of these in legal terms. The summary above is the spirit; the full text is what we legally commit to.
1. Who we are
CoDi Tennis ("CoDi Tennis", "we", "us", "our") operates a tennis coaching platform at coaching.direct/tennis. We connect parents and independent coaches, manage bookings, process payments on behalf of coaches, and keep a record of each child’s coaching journey.
For Australian privacy law purposes, CoDi Tennis is the "APP entity" responsible for the personal information collected through the platform.
2. What we collect
From parents and players
- Account info: name, email, password (hashed — we never store the plaintext)
- Each child’s details: first name, age, current tennis level, optional preferences
- Bookings: which coach, which sessions, whether the child attended
- Payment details: card details are sent directly to Stripe — CoDi Tennis never sees or stores raw card numbers. We retain only the last 4 digits + card brand for receipts and a Stripe PaymentIntent ID for reconciliation.
- Phone number: optional at signup, required when you make your first coaching booking. Stored in international E.164 format. Used so your coach can contact you about booking-related matters (cancellations, weather, running late). Visibility:
  - You — always (it’s your number).
  - Coaches — only while you have a confirmed booking with that coach, AND for up to 12 months after the most recent session with them. This window covers the natural rebooking cycle (term-to-term + seasonal coaching patterns) while ensuring coaches lose access automatically when the working relationship ends — per Australian Privacy Principle 11.2.
  - CoDi Tennis admins — always, for support and trust-and-safety.
  - Other parents and unassociated coaches — never.

  CoDi Tennis itself retains your phone number for the standard 7-year tax-record retention window (Privacy Act §11) attached to your payment records. The 12-month coach-visibility window is a separate, tighter rule that applies to individual coaches as third-party data handlers.
- Coach feedback you receive: drill check-offs, session notes, parent-friendly summaries, your replies and reactions to those notes
- Browser data: timezone (so we show times in your local clock), session cookies for sign-in, and basic analytics (browser type, error reports) used to keep the platform reliable
- Sign-in history: each successful sign-in writes a row recording the time, the IP address, and the user-agent (browser + OS). You can review the last 20 sign-ins of your own account from /profile. We keep these rows to help you spot unauthorised access and to investigate suspicious activity if reported.
- Passkey (WebAuthn) credentials: when you set up Face ID / Touch ID / Windows Hello sign-in, we store the public key + a credential ID associated with your account. The private key never leaves your device. You can remove passkeys at any time from /profile.
From coaches
- Account info: name, email, password (hashed)
- Working with Children Check (WWCC) number, state, and expiry
- Coaching certification number, level, and expiry
- Optional Australian Business Number (ABN) and GST registration status
- Region and timezone (drives session-time display and per-region school-holiday calendar)
- Stripe Connect account ID — created when you onboard for payouts. Stripe holds your bank-account and identity-verification data; we only see the connected-account ID and the high-level state of your Stripe onboarding.
- Notes and drill check-offs you record about students assigned to you
- Public profile fields you choose to publish (added May 2026): if you turn on your public coach profile (/coach/share), there are two tiers of visibility. Preview tier — visible to anyone with your profile link or QR code, including anonymous visitors: your name, suburb, state, speciality, photo, and WWCC-verified badge. Full tier — only visible to signed-in CoDi users: your public bio, overall rating + review count, and (only if you tick the per-channel opt-ins) your phone number for calls, SMS, and your WhatsApp number. The email relay form on your profile (“Send a message”) also only appears for signed-in users. You can unpublish at any time and the link stops resolving immediately.
- Profile-view audit log: every time a signed-in user views your profile, we record the viewer’s account id, a one-way-hashed user-agent + IP, and the timestamp in our internal audit table. The viewer’s name and email are not shown to you. We retain this log so we can investigate abuse if a coach reports suspicious viewing patterns, and so we have a defensible record of who accessed coach contact details under Australian Privacy Principle 11.2.
- Parent messages sent to you via your public profile: when a signed-in parent uses the “Send a message” form on your public profile, we store the sender’s account id, the email address they typed (which may differ from their account email if they want replies elsewhere), optional name + phone, and the message body. We email the message to you, with replies going directly to the sender’s chosen email address. The audit row lets us rate-limit (3/hour per sender per coach) and block abusive senders. We do not share the sender’s details with anyone outside CoDi Tennis beyond delivering the message.
3. Why we collect it
- To provide the booking, payment, and progress-tracking features
- To connect parents with verified coaches
- To send transactional notifications (booking confirmations, reminders, refund updates)
- To keep the platform safe (fraud detection, abuse prevention, audit logs of admin actions)
- To meet our legal obligations (tax reporting, child-safety compliance)
We do not use your information to sell to third parties, run targeted advertising, or train AI models on private data.
4. Children’s information
Most students on the platform are under 18 — many under 13. The parent account holder is the controller of their child’s information. Older students (typically 14+) can have their own login if a parent explicitly enables it; until that point, only the parent can view, edit, or download their child’s data.
Coaches see information about students assigned to them only — no cross-coach visibility into other coaches’ students. Admins (CoDi Tennis staff) can read all student data for support and trust-and-safety reasons, but actions are logged.
5. Who we share it with
See /legal/subprocessors for the canonical, dated list of every third-party processor we share data with — including role, data categories, hosting location, and the contractual safeguard in force. Summary below.
- Stripe — payment processing. Stripe is the merchant of record for payment-card data; CoDi Tennis acts as agent. Stripe’s privacy policy: stripe.com/au/privacy
- Resend — transactional email delivery. Email subjects and bodies pass through Resend so reminders and confirmations land in your inbox. Resend’s privacy policy: resend.com/legal/privacy-policy
- Supabase — our database and authentication provider. All data is hosted in their AU/AP region. Supabase’s privacy policy: supabase.com/privacy
- Vercel — application hosting + content delivery. Vercel’s privacy policy: vercel.com/legal/privacy-policy
- Google Analytics 4 (added May 2026) — anonymised pageview + conversion events. We send `page_view`, `sign_up`, `first_booking`, and `drill_pack_purchase` events. IP addresses are anonymised at the network layer (Google’s `anonymize_ip=true` flag) so we receive city-level location but never the full IP. No kid names, no email addresses, no admin pages, and no `/junior/progress` or `/junior/pathway` data is tracked. Used solely to understand which marketing channels are working. Google’s privacy policy: policies.google.com/privacy
- Sentry (added April 2026) — error monitoring. When the app errors, a stack trace + browser environment + the page URL goes to Sentry so we can fix the bug. Sensitive form values are scrubbed; email addresses are masked; no kid PII is sent. Sentry’s privacy policy: sentry.io/privacy/
- Australian regulators, when legally required — ATO for tax reporting; child-safety authorities if there’s a serious incident.
6. Where we store your data
Database records are hosted in Supabase’s Sydney region. Application servers run on Vercel’s edge network with the primary deployment region also in Sydney. Some service providers (Stripe, Resend) may transit data through other regions to deliver their services.
7. How long we keep it
- Active account data: kept while you have an active account.
- Inactive accounts: held indefinitely unless you request deletion via /profile — we don’t currently auto-anonymise inactive accounts. Automated anonymisation after a defined dormancy window is on our roadmap; until it ships, please use the in-app Delete account action if you no longer want your account retained.
- Payment records: retained for 7 years to meet Australian tax/BAS retention obligations. Personal identifiers (name, email) are stripped at the time of account deletion; the financial row itself stays for tax-audit purposes.
- Audit logs: retained while the account they relate to remains active. Auto-pruning of historic audit logs is on our roadmap; today, an admin would manually purge if required.
- Backups: rolling 30-day point-in-time recovery via Supabase. Older snapshots are deleted on schedule.
8. Your rights
Under Australian privacy law, you can:
- Access a copy of the personal information we hold about you (or your child)
- Correct any information that is wrong — many fields you can edit yourself in /profile; otherwise email us
- Delete your account and have your personal information removed (subject to retention obligations for tax records)
- Withdraw consent for marketing communications at any time via /profile notification preferences
- Make a complaint to us, and if not resolved, to the Office of the Australian Information Commissioner (OAIC)
To exercise any of these rights, email us at privacy@coaching.direct. We respond within 30 days.
9. How we keep it safe
- HTTPS everywhere — TLS 1.2+ via Let’s Encrypt
- Row-level security (RLS) policies in the database — your data is fenced from other users by default
- Passwords hashed with bcrypt; we cannot recover them, only reset them
- Two-factor authentication: mandatory for coaches and admins (TOTP via an authenticator app like Google Authenticator or 1Password). Parents can secure their account with a passkey (Face ID / Touch ID / Windows Hello) from the Profile page — passkeys are phishing-resistant and we recommend turning one on.
- Service-role keys (used by background jobs) are server-only and never sent to the browser
- Audit logs of admin actions for trust-and-safety review
- Regular dependency security updates
10. Cookies
We use session cookies to keep you signed in and a cookie to remember your last-activity timestamp (so we can sign you out automatically after inactivity, by role: 30 minutes for admins, 4 hours for coaches, 12 hours for parents/players). These windows are deliberately short for the roles that can see other people’s data; you can always sign back in.
We do not use third-party advertising cookies or cross-site tracking pixels.
11. Notifiable data breaches
Australia’s Notifiable Data Breaches (NDB) scheme — Part IIIC of the Privacy Act 1988 — requires us to notify both the Office of the Australian Information Commissioner (OAIC) and any affected individuals if we become aware of an eligible data breach (one likely to result in serious harm).
- Detection: Sentry error monitoring + Supabase audit logs + Stripe Radar fraud signals + manual incident reports to security@coaching.direct.
- Triage: any suspected breach is assessed within 72 hours by a CoDi admin to determine whether it meets the “serious harm” threshold under the Act.
- Notification: where the threshold is met, we notify the OAIC and affected individuals as soon as practicable, typically within 7 days of confirmation, via email to the affected account holder plus a public statement on this site where appropriate.
- Containment + remediation: every confirmed incident triggers a written post-mortem, root-cause fix, and where relevant a password-reset prompt for affected users.
- Report a suspected breach: security@coaching.direct. Security researchers should refer to our /.well-known/security.txt for the disclosure policy.
12. AI features (form analysis on video)
CoDi Tennis is building an AI-assisted form analysis feature: a coach uploads a short video of a student playing a stroke, the platform extracts body-pose data from the video frames, and an AI model returns technical feedback plus recommended drills from our catalogue. The feature is not yet live; this section pre-discloses the data flow so consent is informed before it launches.
- What is captured: a short video clip (typically under 30 seconds), the resulting pose-skeleton data points (joint angles, limb positions), and the AI’s text feedback + drill recommendations.
- Who can upload: only the coach assigned to the student. Parents will be asked to grant separate, explicit consent per child before any video of that child can be uploaded; consent is recorded on the child’s profile and can be revoked at any time.
- Where it is processed: pose extraction runs on-device in the coach’s browser using open-source pose models — raw video does not leave the device for pose extraction. Only the resulting pose-skeleton numbers + the stroke type are sent to our AI provider (Anthropic, the maker of Claude) for analysis. We do not send the video itself, the child’s name, or any other identifying information to the AI provider.
- Retention: video clips, when stored, are retained for 12 months for coach review and progress comparison, then deleted. Pose data + AI feedback attach to the student progress record and follow the standard §7 retention schedule. Parents can request earlier deletion at any time via privacy@coaching.direct.
- No model training: video, pose data, and AI outputs are never used to train AI models — neither ours nor any third party’s. Our contract with Anthropic disables training on submitted content.
- Biometric posture: pose data is geometric only (joint coordinates from video frames). It is not face recognition, fingerprinting, or any other identifying biometric template; we cannot identify a child from the pose data alone.
13. Changes to this policy
If we change this policy, we’ll update the "Last updated" date at the top and, for substantive changes, notify account holders via email at least 14 days before the change takes effect.
14. Contact us
Privacy questions, access/deletion requests, or complaints: privacy@coaching.direct
General support: support@coaching.direct
This policy is drafted to comply with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles. If anything is unclear, please contact us — we’ll explain or clarify.