SidelineWorks

Privacy Policy

Last updated: May 17, 2026

Our Commitment. SidelineWorks is built for schools, by people who understand that student-athlete health information is among the most sensitive data an institution manages. We treat it that way.

1. What Data We Collect

SidelineWorks collects only the data necessary to support athletic training documentation and return-to-play decisions:

  • Student-athlete information: name, grade, sport, team membership, and school affiliation.
  • Injury and treatment records: injury type, body part, evaluation notes, treatment plans, rehabilitation milestones, and return-to-play clearance status.
  • User account information: name, email address, role (athletic trainer, coach, administrator, or parent/guardian), and school affiliation.
  • Usage metadata: page views, feature interactions, and timestamps — never tied to individual student health records for analytics.
  • Device and connectivity info: session tokens, sync queue metadata for offline entry support.

2. How We Use Data

  • Clinical documentation. Enable athletic trainers to document evaluations, track recovery, and manage return-to-play protocols.
  • Communication. Notify coaches, parents, and administrators of status changes within the care team — not via third-party platforms.
  • Dashboard analytics. Aggregated, de-identified statistics for school administration (e.g., "12 active cases this week"). No individual health data is shared in aggregate views.
  • Service improvement. Usage patterns help us improve UI/UX — always reviewed in aggregate, never at the individual record level.

3. HIPAA Awareness

Under development. SidelineWorks is designed with HIPAA compliance as an architectural goal. A formal Business Associate Agreement (BAA) process is in active development.

SidelineWorks is a school-based athletic training documentation platform. Schools using SidelineWorks should evaluate whether the service constitutes a Business Associate under HIPAA. We provide:

  • All data encrypted in transit (TLS 1.3 minimum).
  • Access controls — role-based permissions (AT, coach, parent, admin).
  • Authentication via school-managed credentials (SSO available; see section 8).
  • Logical separation of school data (tenant isolation at the school ID level).
  • On-path to support BAAs for covered entities.

Note: Most scholastic athletic training departments are not covered entities under HIPAA. SidelineWorks's design is still privacy-first: your data is your data.

4. FERPA Considerations

Student health records maintained by a school may be "education records" under FERPA. SidelineWorks is a school-directed service — the school maintains control over all records stored in the system. Data is stored within the school's tenant and is not shared, sold, or transmitted to third parties for non-essential purposes.

Parents and eligible students have the right to inspect and review education records under FERPA. Contact your school's SidelineWorks administrator to exercise this right.

5. Data Storage & Security

  • Encryption at rest. Database-level encryption on all stored records.
  • Encryption in transit. All API and web traffic via TLS 1.3. HTTP Strict Transport Security enforced at the edge.
  • Authentication. Bearer token with JWT for API access. Production deployments support SSO (SAML/OIDC) for school-managed identity.
  • Access logging. All access to student health records is logged with user ID, timestamp, and action type.
  • Data isolation. Each school's data is scoped by school_id. Role-based access (AT, coach, parent, admin) enforces least privilege.
  • Backups. Encrypted daily backups with point-in-time recovery capability.

6. Data Retention

SidelineWorks retains student-athlete records for the duration of the school's subscription plus a reasonable wind-down period. Schools may request data deletion at any time. De-identified archival records may be retained for product improvement after explicit school authorization.

7. Data Sharing

SidelineWorks does not sell student data. Data is shared only:

  • Within the care team as configured by the school (ATs, coaches, parents, administrators).
  • With infrastructure providers (hosting, database, CDN) under data processing agreements.
  • When required by law or valid legal process (with prompt notice to the school when permitted).

8. Authentication & Identity

Production deployments support Single Sign-On (SSO) via SAML 2.0 or OpenID Connect, allowing schools to use their existing identity provider (Google Workspace, Microsoft Entra ID, Clever, ClassLink, or custom SAML/OIDC). This ensures that offboarding a user from the school's directory automatically revokes SidelineWorks access.

9. Offline Data & Sync

SidelineWorks supports offline entry with local storage (service worker + IndexedDB sync queue). Entries made offline are stored locally on the device and synced when connectivity returns. Offline data is encrypted in local storage and never persists beyond the sync window.

10. Parent & Guardian Access

Parent/guardian accounts provide visibility into their student-athlete's status, treatment plan, and timeline. Parent accounts are scoped to their linked children only and cannot view other students' records. Parent accounts require verification through the school's registration process.

11. Changes to This Policy

Schools will be notified of material changes to this Privacy Policy via email at least 30 days before changes take effect. Continued use of SidelineWorks after changes indicates acceptance. Minor clarifications and corrections may be made without prior notice.

12. Contact

For privacy-related inquiries, data access requests, or to initiate a BAA discussion: