Privacy Policy
Last updated July 10, 2026
LH Sport Performance (“LHSP,” “we,” “us”) provides a recruiting-outreach service that helps athletes and families run organized, professional college-coach outreach. This policy explains what data we collect, how we use it, and the choices you have. It applies to our website and application.
Data we collect
We collect only what we need to operate the recruiting-outreach service:
- Athlete and client information — name, contact details, graduation year, position, measurables, statistics, academic information, video/schedule links, and target-school preferences provided by the athlete, a parent or guardian, or a designated advisor.
- Coach-directory data — professional contact information for college coaching staff (name, role, school, work email) used to target outreach. This is business-directory information, not consumer data.
- Account and authentication data — the email address, hashed password, and role for accounts used to sign in and administer the service. Passwords are stored only as salted cryptographic hashes; we never store plaintext passwords.
- Google / Gmail account identity — when a user connects a Gmail account, we receive the connected account’s email address and basic profile identity, plus an OAuth token that authorizes sending email on that user’s behalf. See our Google Data Use page for details.
- Operational records — outreach plans, sending schedules, delivery status, and reply-tracking metadata generated as the service runs.
Google user data and Gmail
Connecting Gmail is optional and used solely to send authorized recruiting outreach from the connected account. Specifically:
- We request the
gmail.sendscope (plusopenidandemailto identify the account). We use Gmail access only to send messages the user has authorized. - We do not request or use permission to read the Gmail inbox, and we do not read, scan, index, or store the contents of the connected mailbox. The application does not have mailbox-reading access.
- The Gmail OAuth refresh token is encrypted at rest (AES-256-GCM) and is used only to obtain short-lived send authorization.
- We do not sell Google user data, and we do not use Google user data for advertising or to train advertising or unrelated machine-learning models.
Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
How we use data
- To build recruiting profiles and outreach plans for athletes.
- To match the right coaching-staff roles to an athlete's position and preferences.
- To prepare, review, schedule, and send authorized outreach through a connected email account.
- To track delivery and coach replies so follow-ups can be coordinated or stopped.
- To operate, secure, support, and improve the service.
We do not use athlete, client, or Google user data for advertising, and we do not sell personal data.
Service providers
We share data only with vendors that help us run the service, under their terms:
- Vercel — application hosting and content delivery.
- Supabase — managed PostgreSQL database storage.
- Google — Gmail API, used only to send user-authorized outreach from a connected account.
We may also disclose information if required by law or to protect the rights, safety, and security of our users and our service. We do not sell personal data to third parties.
Account security
- Passwords are stored only as salted cryptographic hashes.
- Session cookies are signed and transmitted over HTTPS.
- Gmail OAuth refresh tokens are encrypted at rest.
- Access to the administrative application is restricted to authorized accounts; the service is currently operated as an invitation-only private beta with no public registration.
Data retention
We retain information for as long as needed to provide the service and for legitimate business or legal purposes. When information is no longer needed, we delete or de-identify it. You may request deletion at any time (see below).
Disconnecting Gmail
You can disconnect a connected Gmail account at any time from within the application. Disconnecting revokes our stored authorization and prevents any future sending through that connection. You can also revoke access directly from your Google Account’s security settings under third-party access.
Data deletion requests
You may request deletion of your data, including any stored Gmail connection and encrypted token. See our Data Deletion page for how to make a request and what to expect.
Children and student data
Recruiting inherently involves student-athletes, some of whom may be minors. Where an athlete is a minor, information should be provided and outreach authorized by a parent, guardian, or designated advisor. Contact us if you believe data was provided without appropriate authorization and we will address it.
Changes to this policy
We may update this policy as the service evolves. Material changes will be reflected by the “last updated” date above.
Contact
Questions or requests: support@lhsportsperformance.com.