Privacy Policy

Last updated: February 2026

1. What We Collect

Drilo collects the following categories of information:

Account Information: Email address, password (stored as a cryptographic hash, never in plain text), team name, and the invite code used to create your account.

Coaching Data: Practice plans, drill selections, observations, reflections, drill feedback and outcomes, practice runner activity, and personal drills you create.

Player Information: First names, age group, and any observations or development notes you record about your players. See Section 5 (Youth Athlete Data) for details.

Usage Data: Pages visited, features used, and basic interaction patterns within Drilo. This data is used only for product improvement.

Technical Data: IP address, browser type, and device information collected through standard server logs.

What this means:

We collect what we need to make Drilo work: your account info, the coaching data you create, basic info about your players that you enter, and standard technical data that every website collects.

2. Why We Collect It

  • Account information is used for authentication and account management
  • Coaching data powers Drilo's core features: practice composition, coaching memory, reflection, pattern detection, and drill scoring
  • Player information enables practice planning context, attendance tracking, and development observations
  • Usage data helps us understand how Drilo is used and where to improve it
  • Technical data supports security monitoring and basic troubleshooting

We do not use your data for advertising. We do not sell your data to third parties.

What this means:

Everything we collect serves the product. No ads, no data selling. Your coaching data makes Drilo's memory and planning features work. Usage data helps us improve.

3. Where Your Data Lives

Your data is stored in the United States:

  • Primary database: SQLite database hosted on Render (San Francisco, CA)
  • Backups: Encrypted and stored on Cloudflare R2 via Litestream continuous replication
  • No other locations: Your data is not transferred to or stored in any other countries or services
What this means:

Your data is stored in the US — on our main server and in encrypted backups. That's it. Nowhere else.

4. Who Can See Your Data

  • You: You can see all your own coaching data, observations, and player information
  • Other coaches: Cannot see your data. Each coach's data is completely isolated
  • Drilo administrator (Alex): Can access data for support, debugging, and service maintenance
  • Third parties: We do not share individual data with any third parties
  • Aggregated data: In the future, anonymized and aggregated usage patterns (never individual data) may be used to improve product features such as drill scoring. No individual coach's data would be identifiable in aggregated patterns
What this means:

Your data is private to you. Other coaches can't see it. Alex (the creator) can access it for support. We never share your individual data with anyone else.

5. Youth Athlete Data

Drilo stores limited information about youth athletes entered by coaches. This section explains what we store, why, and how it is protected.

What we store: Player first names only (no last names, contact information, addresses, photos, or other identifying information). Age group designation (e.g., "9-10U"). Practice observations and development notes written by the coach. Drill participation records from practice sessions.

How it is entered: All player information is entered exclusively by the coach. Players — who are minors — never create accounts, log in, interact with, or access Drilo directly. Drilo does not collect any information directly from children.

Why we store it: Player information enables core coaching features: knowing who attended practice, recording development observations over time, and tracking which drills players have participated in.

Who can see it: Only the coach who entered the information. Player data is never shared with other coaches, parents, leagues, or third parties. Player data is never included in any aggregated or anonymized analysis. The Drilo administrator can access it for support purposes only.

Your responsibility: As a coach, you are responsible for managing your relationship with players' parents and guardians regarding the information you record in Drilo. We encourage you to inform parents that you use a digital tool to track practice observations and player development.

Deletion: When you delete your account, all player data associated with your account is permanently deleted. You may also delete individual player records at any time through Drilo.

What this means:

You enter your players' first names and age group so Drilo can help you plan practices and track observations. Players never use the app themselves. Only you can see your players' information — we never share it with anyone. When you delete your account, all player data goes with it. As the coach, it's good practice to let parents know you use a tool to help organize practices.

6. Data Retention and Deletion

  • Active accounts: Your data is retained for as long as your account is active
  • Account deletion: Upon account deletion, all data (including player information, observations, practices, and personal drills) is permanently deleted within 30 days
  • Backups: Backup copies containing deleted data are purged on the next Litestream backup cycle following deletion
  • Data export: You may export all your data in JSON format before deleting your account
What this means:

Your data stays as long as you use Drilo. Delete your account and it's all gone within 30 days — including backups. You can export everything first.

7. Your Rights

You have the right to:

  • Access all data Drilo stores about you and your team
  • Export your data in JSON format at any time
  • Delete your account and all associated data
  • Correct any information by editing it within Drilo
  • Ask questions by contacting Alex directly at [email protected]
What this means:

You can see, export, correct, or delete your data anytime. If you have questions, reach out directly.

8. Security

Drilo implements the following security measures to protect your data:

  • Passwords are cryptographically hashed (never stored in plain text)
  • All connections use HTTPS encryption
  • Cross-Site Request Forgery (CSRF) protection on all forms
  • Rate limiting on authentication endpoints to prevent brute force attacks
  • Security headers including Content Security Policy, X-Frame-Options, and Strict Transport Security
  • Authentication required for all data access
  • Container security hardening in production

No system is perfectly secure. If you discover a security concern, please contact Alex immediately.

What this means:

We take security seriously — your password is encrypted, all connections are secure, and we have protections against common web attacks. No system is perfect, but we do our best.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes — particularly changes affecting how we collect, use, or share your data — we will notify you through Drilo and request your acceptance before you can continue using the service.

What this means:

If we change how we handle your data, we'll tell you and ask you to agree before continuing.

Terms of Service | Privacy Policy