Privacy Policy

This Privacy Policy explains how Summit Sports Consulting LLC (“Summit,” “we,” “us”) collects, uses, and shares personal information when you use our platform at summitrecruit.app(the “Service”).

Summit is a college recruiting platform for student-athletes. We help athletes research college programs, build a player profile, contact coaches, and track their recruiting progress. This policy describes the data behind those features in plain language.

Questions? Email recruit@summitsportsconsulting.com or write to us at the address in Section 16.

1. Who we are

Summit Sports Consulting LLC is a Montana-organized limited liability company. We are the “data controller” under applicable US privacy laws — meaning we determine why and how your personal information is processed.

Mailing address:
1001 S. Main St. STE 600, Kalispell, MT 59901, USA

2. Information we collect

From you, directly

• Account details:name, email, password (stored as a bcrypt hash — we never see the plaintext), date of birth, and (if you're under 18) a parent or guardian's email
• Athletic profile: sport, position(s), height, weight, dominant foot, club affiliation, club coach contact info, experience, accolades, highlight reel URLs, profile photo
• Academic profile: graduation year, GPA, grading scale, test scores, intended majors
• Location: city, state, country
• Recruiting workflow:the schools you're interested in, notes you write, communication logs, tasks, campus visit records, scholarship offer details (tuition, athletic aid, academic merit, etc.), showcase events

From Google OAuth (if you sign in with Google or connect Gmail)

• Email address, name, and profile picture from your Google account
• A Gmail refresh token, encrypted at rest with AES-256-GCM, that allows us to send emails on your behalf via the Gmail API

Summit's use of information received from Google APIs adheres to Google's API Services User Data Policy, including the Limited Use requirements.

From Stripe (if you subscribe to Pro)

• A Stripe customer ID and subscription ID, the renewal date, subscription status, and confirmation that a payment was processed
• We never see your full payment card number. Stripe handles all card data directly under PCI-DSS.

Automatically as you use the Service

• IP address, browser type, device type, and operating system
• Pages you visit and actions you take within the app
• Account activity: which schools you add to your list, emails you send, tasks you complete, profile updates

From email tracking

When you send an email to a coach through Summit, we embed an invisible tracking pixel in the message. When the recipient opens the email, we record the open time, the recipient's IP address, and their user agent. This data is shown to you (the sender) in your dashboard. See Section 11 for more on this disclosure.

About coaches in our directory

We maintain a directory of names, titles, email addresses, and phone numbers for college soccer coaches. This information is compiled from publicly available athletic department websites. Coaches did not actively opt in to inclusion. See Section 12 for how coaches can request removal.

3. How we use information

• To deliver and operate the Service (account access, search, profile management, email sending)
• To enforce plan limits (Free vs. Pro) and process subscription billing
• To send transactional email (account verification, parental consent, password reset)
• To detect, prevent, and respond to abuse, fraud, or security incidents
• To respond to support inquiries and legal requests
• To improve the Service through aggregated analytics
• To comply with legal obligations

We do not sell personal information. We do not use your data to train third-party AI models. We do not show you third-party advertising.

4. How we share information

We share data with a small set of named third-party processors that help us operate Summit. Each processes data on our behalf under a contractual obligation to protect it.

• Stripe — payment processing. Receives your name, email, and subscription state. Stripe acts as an independent data controller for billing and tax purposes. Stripe Privacy Policy
• Google (Gmail API) — used to send emails on your behalf when you connect your Gmail account.
• Supabase — our database is hosted by Supabase in Oregon, US. All your stored data lives there. Supabase Privacy
• Vercel — hosts the website itself. Receives request logs (URLs, IPs, user agents) for ~30 days for operational purposes. Vercel Privacy
• Resend — sends our system emails (verification, parental consent, support replies). Receives the recipient address and message content. Resend Privacy
• OpenStreetMap, unpkg.com — when you view the interactive map, your browser fetches map tiles and icons from these services. They see your IP address as part of normal HTTP requests.
• Cloudflare — DNS, registrar, and (in the future) web acceleration. Sees standard HTTP request metadata.

We may also disclose information when required by law, in response to valid legal process, to protect the rights and safety of Summit and its users, or in connection with a corporate transaction (merger, acquisition, or asset sale) where the acquirer agrees to honor this policy.

5. Data retention

• Active accounts: We retain your data for as long as your account is active.
• Soft-deleted accounts: When you delete your account, we mark it inactive and retain data for a 30-day grace period to allow recovery, then hard-delete.
• Email tracking events: Stored indefinitely so you can see historical open analytics.
• Coach directory: Retained until a removal request is fulfilled (see Section 12).
• Payment records: Stripe retains payment records per their own retention schedule, typically 7 years for tax purposes.

6. Your privacy rights

Depending on where you live, you may have the following rights. We honor these rights for all US users regardless of state:

• Right to know. What personal information we hold about you. Email recruit@summitsportsconsulting.com; we respond within 45 days.
• Right to delete.Use the “Delete account” feature in your settings, or email us. Some data may be retained where required by law (e.g. tax records).
• Right to correct. Edit your profile in the app, or email us for fields not editable directly.
• Right to opt out of “sale” or sharing. We do not sell or share personal information for cross-context behavioral advertising. There's nothing to opt out of.
• Right to non-discrimination.We won't penalize you for exercising any of these rights.

California residents have additional rights under the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), including the right to limit use of sensitive personal information. Virginia, Colorado, Connecticut, Utah, and other state laws grant substantially similar rights.

7. Security

We protect your data using industry-standard practices:

• HTTPS/TLS encryption for all data in transit
• Bcrypt password hashing (we never store plaintext passwords)
• AES-256-GCM encryption at rest for sensitive credentials (Gmail refresh tokens)
• Postgres database encryption at rest via Supabase
• Per-IP rate limiting on auth and mutation endpoints
• Strict Content Security Policy, frame-ancestors blocking, and other HTTP security headers
• Server-side validation of all user input via Zod schemas

No system is perfectly secure. If we discover a breach affecting your personal information, we will notify you and the appropriate authorities as required by law.

8. Children under 13

Summit is not directed at children under 13. Account creation requires a date of birth confirming the user is at least 13. We do not knowingly collect personal information from anyone under 13. If we learn that an under-13 user has provided personal information, we delete it and (where we can identify them) notify the parent/guardian.

9. Minors aged 13 to 17

Athletes aged 13–17 may use Summit only with verifiable parental or guardian consent. Our consent process:

• During signup, the minor provides a parent/guardian email address
• We send an email to that address with a description of Summit, what data we collect from minors, and a consent link
• The minor's account is restricted (cannot access the dashboard) until the parent/guardian clicks the consent link
• Consent links are valid for 7 days and can be re-sent on request
• Parents/guardians may revoke consent at any time by emailing us; we deactivate the account and delete the minor's data on request
• Parents/guardians have all the same access, correction, and deletion rights as the athlete with respect to their child's data

10. Email tracking disclosure

When you (the athlete) send an email to a coach through Summit, the message body contains an invisible 1×1-pixel image hosted on our server. When the recipient opens the email, their email client downloads that image, which causes our server to record the open time, the recipient's IP address, and their user agent.

This is the same mechanism used by mainstream business email tools (e.g. Mailchimp, HubSpot, Yesware) to provide “read receipt” functionality. We disclose it explicitly here because the recipients (coaches) do not separately consent to being tracked.

If you (as the sender) prefer not to use tracking, you can disable it per-email in a future update; or for now, send emails directly through Gmail outside of Summit.

11. Coach directory

Summit maintains a directory of college soccer coaches with names, titles, email addresses (where publicly listed), and phone numbers. This information is compiled from publicly available athletic department websites. We do not represent that the information is current or accurate.

Coaches who would like their information removed can email recruit@summitsportsconsulting.com or use the form at /coaches/remove. We respond and process removal requests within 14 days.

12. International users

Summit is operated from the United States and intended for users in the United States. We do not currently offer the Service to users in the European Union, the United Kingdom, or other regions with comprehensive data protection regulations. If you create an account from outside the US, your data is processed in the US under US law.

13. Cookies and similar technologies

We use a single session cookie set by our authentication system to keep you logged in. We do not use analytics cookies, advertising cookies, social media trackers, or third-party tracking pixels on Summit pages.

14. Third-party links

Summit may include links to third-party websites (e.g. college athletic department sites, social media). We are not responsible for the privacy practices of those sites. Read their privacy policies before sharing personal information with them.

15. Changes to this policy

We may update this Privacy Policy from time to time. For material changes— such as adding new third-party processors, expanding the categories of data we collect, or changing how we share information — we will notify you by email and via an in-app banner at least 30 days before the change takes effect, and may require you to re-accept the policy. For minor edits (clarifications, typo fixes), we will simply update the “Effective” date above.

Last reviewed by counsel: not yet (this policy reflects standard SaaS practices but has not been independently reviewed; users should treat as a good-faith disclosure rather than legal advice).

16. How to contact us

For questions, complaints, or to exercise your privacy rights, contact us at:

Summit Sports Consulting LLC
1001 S. Main St. STE 600, Kalispell, MT 59901, USA
Email: recruit@summitsportsconsulting.com

See also our Terms of Service.