Privacy Notice
Effective Date: April 27, 2026
Operator: The Ready Collective, Inc., a Delaware corporation with principal offices in San Diego, California
Platform: Ready First (R1), available through the R1 mobile application
A note before you start reading
This Privacy Notice is long because it has to be. R1 is used by children, so we are subject to children’s privacy laws in every country where we operate. Each of those laws requires us to tell you specific things, in specific language. We have organized this document so that you can read only the parts that apply to you and your child.
If you read nothing else, read these four things:
- We do not sell your child’s data. Ever. Anywhere.
- We do not show your child advertising.
- We do not use your child’s individual data to train artificial intelligence models.
- You are in control. You can review, correct, delete, or take your child’s data with you at any time.
The rest of this document explains what data we collect, why, who sees it, how long we keep it, how we protect it, and the rights you have under the law of every jurisdiction where we operate.
Table of Contents
- Who this notice covers
- The information we collect
- How we use that information
- Who sees it, and who does not
- Sensitive personal information — the menstrual cycle observation flag
- Research participation and the National Youth Readiness Study
- How we protect your child’s data
- How long we keep data — the R1 retention schedule
- Your rights and how to exercise them
- R1 Constitutional Guardrails
- International transfers of personal data
- Children’s privacy — federal requirements (United States)
- Jurisdiction-specific addenda
- Operators on the platform — parents, coaches, teachers, and schools
- Third-party integrations
- How we tell you when this notice changes
1. Who this notice covers
This notice covers every person whose personal data is processed by The Ready Collective, Inc. through the R1 platform. That includes:
- Athletes ages 6 to 17. R1 is designed for youth athletes in this age range. The protections in this notice apply equally to every age within that range, with additional protections for athletes under 13 as required by law.
- Parents and legal guardians who register an athlete account, provide consent, and operate the parent-facing features of R1.
- Coaches, teachers, and school administrators who receive readiness data with the parent’s authorization.
- National Governing Body administrators who access aggregated, de-identified population insights.
- Visitors to www.youthreadyfirst.com who provide contact information, sign up for updates, or contact us through our contact page.
If you are a parent or legal guardian registering on behalf of a child, you confirm that you have the legal authority to do so. We rely on that confirmation, and we verify it through the verifiable parental consent mechanism described in Section 12.
2. The information we collect
We collect only the information we need to operate R1, deliver the readiness signal to your child, and meet our legal obligations. We do not collect biometric data. We do not collect government-issued identifiers, except temporarily and for the specific purpose of verifying that a person providing parental consent is the parent or legal guardian, in which case the identifier is checked and then deleted as described in Section 12.
2.1 Account and registration information
Provided by the parent or guardian at registration:
- The athlete’s first name and last initial (full last name is optional)
- The athlete’s date of birth
- The athlete’s gender (optional; required only if you elect Toggle 2 in the consent flow)
- The athlete’s sport, club, or team affiliation
- The parent or guardian’s full name, email address, and a method of contact
- The parent or guardian’s relationship to the athlete
If the athlete is enrolled through a National Governing Body or club partner, we may receive registration information directly from that partner under a written data processing agreement that limits the partner’s use of the information.
2.2 Daily check-in data
The athlete answers short yes-or-no behavioral questions each day, organized into three domains:
- Mind — confidence, focus, mood, and engagement
- Body — movement, soreness, fatigue, and load tolerance
- Energy — sleep, fueling, hydration, and recovery
We record the answers, the date, and the time of completion.
2.3 Habit completion data
When an athlete or parent marks a habit complete (such as drinking water, sleeping eight hours, or completing a warm-up), we record the habit, the date, and the time.
2.4 Parent-reported injury data
When a parent reports an injury, we record the type of injury, the date reported, the affected body region, and any notes the parent enters. We do not collect medical diagnoses or clinical records. R1 is not a medical tool and does not provide medical advice.
2.5 Engagement data
We record which screens the user opens, how long they spend on each, which features they use, and how often they return. We use this to operate the platform, understand whether features are useful, and detect bugs.
2.6 Technical data
We collect device type, operating system version, application version, language and region setting, IP address, anonymized device identifiers, and standard application logs. We use this to keep the platform running, detect security incidents, and meet our security obligations.
2.7 The readiness signal
R1 combines the data above into a daily readiness signal — Rebuilding, Rising, or Ready — across the Mind, Body, and Energy domains, and into a single Meta-State. The readiness signal is a derived output, not a separate data input. It is shown to the athlete, the parent, and any operator the parent has authorized.
2.8 Verifiable parental consent records
To comply with the federal Children’s Online Privacy Protection Act and equivalent laws in other jurisdictions, we collect and retain a record of the parent’s verifiable consent, the time of consent, the choices made, and the version of this notice in effect at the time. The verification method is described in Section 12.
2.9 Special-category and sensitive personal information
The only category of special-category or sensitive personal information R1 collects is the optional menstrual cycle observation flag, described in detail in Section 5. The flag is collected only when the parent has explicitly elected Toggle 2 in the consent flow, and only when the athlete chooses to mark it on a given day.
2.10 Information we do not collect
R1 does not collect:
- Biometric data, including facial recognition, voice prints, fingerprints, retinal scans, or DNA
- Precise geolocation
- Government-issued identifiers, except temporarily for parental verification as described in Section 12
- Financial account information beyond what is needed to process subscription payments
- Health records, medical diagnoses, or clinical assessment data
- Images, videos, or audio recordings of athletes, except as voluntarily uploaded by an athlete or parent for a specific platform feature with a separate prompt and consent
- Information from data brokers or third-party advertising networks
3. How we use that information
We use the information described in Section 2 only for the purposes listed below. Each purpose is tied to a lawful basis under the laws that apply to you, summarized in the jurisdiction-specific addenda in Section 13.
| Purpose | Description | Categories of data used |
|---|---|---|
| Operate the platform | Authenticate users, deliver the daily check-in, calculate the readiness signal, deliver personalized programming | Account information, daily check-in data, habit data, injury data, engagement data, technical data |
| Show data to the parent and authorized operators | Provide parents, and any coach, teacher, or school the parent has authorized, with role-appropriate views of the athlete’s readiness | Account information, readiness signal, role permissions set by the parent |
| Improve the platform | Identify bugs, improve features, refine the readiness model | Engagement data, technical data, aggregated and de-identified check-in data |
| Generate population-level insights for sport governing bodies | Provide National Governing Bodies with aggregated, de-identified information about youth athlete readiness at the population level | Aggregated and de-identified check-in, habit, and engagement data only — never individual data |
| Conduct IRB-approved research, where the parent has elected Toggle 1 | Use de-identified data in studies under the oversight of an independent Institutional Review Board led by Dr. Alexandra Abbott, MD | De-identified check-in, habit, injury, engagement, and readiness signal data |
| Communicate with parents | Account notifications, security alerts, consent records, response to parent rights requests, occasional product updates | Parent contact information |
| Protect the platform and our users | Detect fraud, prevent abuse, respond to security incidents | Technical data, account information |
| Comply with the law | Respond to lawful requests, retain consent records, meet retention requirements | All categories as required |
We do not use any data category for any purpose other than those listed above. If we ever propose to add a new purpose, we will obtain a fresh consent for that purpose and we will not apply it retroactively to data collected before the new consent.
4. Who sees it, and who does not
4.1 Who we share data with
We share data only in the limited circumstances below. We do not sell data. We do not share data for advertising or marketing.
| Recipient category | What they see | Legal basis | Examples |
|---|---|---|---|
| The parent or guardian | All data about their own child | Parental authority; operator role | Always |
| Operators authorized by the parent | Role-appropriate views as configured by the parent | Parental authorization; legitimate interest in service delivery | Coaches, teachers, school administrators |
| National Governing Bodies and clubs | Aggregated, de-identified population data only — never individual data | Contractual; legitimate interest | USA Water Polo, US Soccer, AYSO, AAU partnerships |
| Service providers under written data processing agreements | Only the data needed to perform their service; cannot use it for any other purpose | Processor relationship under GDPR Art. 28, equivalent regimes elsewhere | Cloud hosting (AWS), authentication (Google), application performance monitoring, customer support tooling |
| IRB-approved research collaborators | De-identified data only, under written data use agreements, only when Toggle 1 has been elected | Explicit consent (Toggle 1); GDPR Art. 9(2)(j) scientific research basis | Academic partners on the National Youth Readiness Study |
| Law enforcement and regulators | Only what is required by valid legal process or to protect a child from harm | Legal obligation | Subpoena, court order, child-safety report |
4.2 Service provider list
A current, named list of our service providers — including the data each receives, the country where it is processed, and the data processing agreement governing the relationship — is published at www.youthreadyfirst.com/subprocessors. We will provide the list directly on request.
4.3 Who we do not share data with
We do not share individual data with:
- Advertisers, advertising networks, or advertising technology vendors
- Data brokers
- Insurance companies
- Marketing companies
- Social media platforms
- Artificial intelligence companies for the purpose of training or fine-tuning their models on your child’s data
- Any party not listed in Section 4.1
If we ever propose to add a new category of recipient, we will provide notice and seek fresh consent before doing so.
4.4 Separate verifiable parental consent for any third-party disclosure
Federal law (the COPPA Rule as amended in 2025) requires that if R1 ever discloses children’s personal information to a third party for purposes other than the operation of the platform, we obtain a separate verifiable parental consent for that disclosure. R1 is designed not to require such disclosures. If our practices ever change, we will obtain that separate consent before any such disclosure.
5. Sensitive personal information — the menstrual cycle observation flag
What it is
The menstrual cycle observation flag is a single optional yes-or-no daily marker that allows a female athlete to indicate that she is on her period on a given day. It is enabled only when the parent has explicitly elected Toggle 2 in the consent flow.
Why it exists
Sleep, hunger, recovery, and energy can vary across the menstrual cycle. The flag allows R1 to compare the athlete’s existing Energy domain data on flagged days versus other days, so the athlete can see her own patterns. The clinical lead on this feature is Dr. Alexandra Abbott, MD, board-certified pediatric orthopedic physician.
What it is not
- It is not a medical tool. R1 does not diagnose, predict, or treat any condition.
- It is not cycle tracking. We do not store cycle length. We do not predict ovulation, fertility, pregnancy, or any other physiological event.
- It is not shared with anyone other than the athlete and the parent. It is not visible to coaches, teachers, schools, or National Governing Bodies.
- It is not used in research without separate explicit consent under Toggle 1.
Legal classification
The menstrual cycle observation flag is information about health, and it is treated as one of the most sensitive categories of personal data under every privacy regime where R1 operates:
- United States: Sensitive personal information under the California Consumer Privacy Act and similar state laws; subject to heightened protections for minors under the Children’s Online Privacy Protection Act amended Rule.
- European Economic Area: Special-category data under GDPR Article 9. We process it only on the basis of the parent’s explicit consent under Article 9(2)(a), and where the athlete is over the age of digital consent in their member state, with the athlete’s own explicit consent.
- United Kingdom: Special-category data under the UK GDPR and Data Protection Act 2018, processed under Schedule 1, Part 1, Condition 1 (explicit consent).
- Brazil: Sensitive personal data under the LGPD Article 5(II), processed under Article 11(I)(a) (explicit specific consent).
- Canada (Quebec): Sensitive information under Law 25, processed only with specific, express, free, and informed consent.
- Australia: Sensitive information under the Privacy Act 1988, processed only with consent.
- New Zealand: Sensitive information under the Privacy Act 2020, processed under Information Privacy Principle 1 with consent.
- India: Sensitive personal data under the Digital Personal Data Protection Act 2023, processed with verifiable consent.
- Japan, South Korea, Singapore: Special-care-required, sensitive, or equivalent classifications under each regime; processed with explicit consent.
Withdrawal
You can withdraw Toggle 2 consent at any time from the parent settings menu. On withdrawal:
- The flag is disabled within 60 seconds.
- All historical flag data is deleted within 30 days.
- A confirmation email is sent to the parent’s verified email address.
- Withdrawal does not affect any other data or any other consent.
6. Research participation and the National Youth Readiness Study
What the study is
The Ready Collective is conducting a two-year prospective cohort longitudinal study targeting approximately 100,000 youth athletes ages 6 to 17. The study examines whether sustained patterns of low or unstable readiness across Mind, Body, and Energy predict youth sport dropout at 12 and 24 months. The first national data set to test this question does not yet exist; the study creates it.
IRB oversight
The study is overseen by an independent Institutional Review Board led by Dr. Alexandra Abbott, MD, a board-certified pediatric orthopedic physician. The IRB is independent and is not affiliated with any single institution for purposes of IRB oversight. The IRB’s role is to protect the rights and welfare of the children in the study.
How research participation works
Research participation is governed by Toggle 1 in the consent flow. It is off by default. The parent can elect or decline it without affecting platform access. The athlete is asked separately, in age-appropriate language, whether they agree to be in research; the athlete’s dissent overrides parental election where the athlete has the capacity to assent.
What data is used in research
Only de-identified data is used. The athlete’s name, contact information, and other direct identifiers are removed before data is used in any research analysis. Where Toggle 2 has also been elected, the menstrual flag is included in research only with separate explicit consent recorded at the time the parent elected Toggle 1.
Lawful basis for research processing
| Jurisdiction | Lawful basis |
|---|---|
| United States | Parent’s verifiable consent under COPPA; child’s assent under the Common Rule (45 CFR 46 Subpart D) |
| European Economic Area | Explicit consent under GDPR Article 6(1)(a) and, for special-category data, Article 9(2)(a). Article 9(2)(j) and Article 89 safeguards apply where the data is processed for scientific research. Article 89 safeguards include pseudonymization, access controls, and purpose limitation. |
| United Kingdom | Same as EEA, under UK GDPR and DPA 2018 |
| Brazil | Specific consent for research purposes under LGPD Article 7(IV) and Article 11(II)(c) |
| Canada and Quebec | Express consent under PIPEDA and Law 25; ethics review consistent with the Tri-Council Policy Statement |
| Australia | Consent under Australian Privacy Principle 6, and consistent with the National Statement on Ethical Conduct in Human Research |
| Other jurisdictions | Explicit consent and the ethics-review safeguards of the local regime |
Withdrawal from research
You can withdraw Toggle 1 consent at any time. Withdrawal removes the athlete from any future research. Data already analyzed in completed studies cannot be retrieved (this is a research integrity requirement under every regime listed above), but no further use of the athlete’s data in new research will occur after withdrawal.
7. How we protect your child’s data
Information security program
The Ready Collective maintains a written information security program, with a designated security coordinator who reports directly to the Chief Executive Officer. The program includes:
- Encryption of data in transit (TLS 1.3 or equivalent) and at rest (AES-256 or equivalent)
- Role-based access control with least-privilege defaults
- Multi-factor authentication for all employee and contractor access to systems handling children’s data
- Annual third-party security risk assessments
- Vendor security review before onboarding any service provider that handles children’s data, and annual re-assessment
- Continuous logging and monitoring of access to children’s data
- Documented incident response procedures, including breach notification
The program is reviewed annually and updated as the regulatory and threat landscape changes.
Breach notification
If we determine that a security incident has compromised personal information, we will notify affected parents and the relevant regulators within the timeframes required by the law of each jurisdiction. For most U.S. states, this is without unreasonable delay. For the European Economic Area, this is within 72 hours of becoming aware. For Brazil, within a reasonable timeframe under LGPD Article 48. For India, within 72 hours under DPDP. The notice will describe what happened, what data was affected, what we are doing about it, and what you can do to protect yourself.
Limits of security
No system is perfectly secure. We cannot guarantee that a determined attacker will never compromise our defenses. We can guarantee that we will operate a program at or above the standard of care for organizations handling children’s data, that we will maintain insurance appropriate to the risk, and that we will tell you promptly if something goes wrong.
8. How long we keep data — the R1 retention schedule
The COPPA Rule as amended in 2025 (16 CFR § 312.10) requires us to publish a specific retention schedule for each category of personal information we collect from children. Equivalent obligations apply under GDPR Article 5(1)(e), the UK Children’s Code Standard 8, and other regimes. The schedule below is that disclosure.
| Category | Retention period | Trigger for deletion |
|---|---|---|
| Account and registration information | Active account + 90 days | Account closure, parent deletion request, or 24 months of inactivity, whichever comes first |
| Daily check-in data, habit data, injury data | Active account + 12 months | Account closure or parent deletion request |
| Engagement and technical data | 18 months | Rolling deletion |
| Readiness signal | Active account + 12 months | Account closure or parent deletion request |
| Menstrual flag data (Toggle 2) | While Toggle 2 is active; deleted within 30 days of Toggle 2 withdrawal or account closure | Toggle 2 withdrawal, account closure, or parent deletion request |
| Verifiable parental consent records | Account lifetime + 7 years | Statute of limitations period for COPPA enforcement |
| De-identified data used in IRB-approved research | Per the IRB-approved protocol; typically the lifetime of the study + 10 years for replication purposes | Per protocol |
| Aggregate and de-identified data for population insights | Indefinite (no longer constitutes personal data once de-identified to the standard described in Section 4) | Not applicable |
| Security logs | 12 months | Rolling deletion |
| Records required by law (tax, regulatory, litigation hold) | As required by the applicable law | Expiry of the legal obligation |
When the retention period expires, we delete the data or de-identify it to a standard that prevents re-identification. De-identified data is not personal data under the regimes that apply to R1 and is retained as described in the table.
A parent can request deletion at any time, and we will honor the request within the timeframes in Section 9, subject only to the legal-obligation rows in the table.
9. Your rights and how to exercise them
You have rights over your child’s personal information. The specific rights depend on where you and your child live. The table below summarizes the rights we honor for every user, regardless of location, plus the additional rights granted by specific regimes.
| Right | What it means | Available to |
|---|---|---|
| Access | Get a copy of the personal information we hold about your child | Every user |
| Correct | Fix information that is inaccurate or incomplete | Every user |
| Delete | Delete the personal information we hold about your child, subject only to legal retention obligations | Every user |
| Portability | Receive your child’s data in a structured, commonly used, machine-readable format | Every user |
| Restrict processing | Pause certain types of processing | EEA, UK, Brazil, India |
| Object to processing | Object to processing based on legitimate interests | EEA, UK, Brazil |
| Withdraw consent | Withdraw any consent you have given | Every user |
| Opt out of sale | We do not sell data, but the right is preserved | California, Colorado, Connecticut, and other state-law jurisdictions |
| Opt out of targeted advertising | We do not advertise, but the right is preserved | All US state-law jurisdictions that grant it |
| Opt out of profiling | We do not engage in solely automated decision-making with legal or similarly significant effects | EEA, UK, California, Colorado |
| Non-discrimination | We will not retaliate against you for exercising any right | Every user |
| Lodge a complaint with a regulator | Contact the data protection authority where you live | Every user with a regulator in their jurisdiction |
How to exercise a right
There are three ways:
- In-app: Open the parent settings menu, choose “Privacy & Data,” and select the right you want to exercise. This is the fastest method.
- Email: Write to privacy@readycollective.org. Include the athlete’s first name, the parent’s email of record, and a description of the right you want to exercise.
Verification
To protect against unauthorized requests, we verify that the requester is the parent of record before we act on any request that involves personal information. Verification typically uses the email address of record plus a confirmation step. For deletion requests on accounts where Toggle 2 was elected, we apply additional verification because of the sensitivity of the data.
Response time
We respond to most requests within 30 days. For complex requests, we may extend the response time by an additional 60 days and we will tell you within the first 30 days that we are doing so. For requests under GDPR Article 12, we respond within one month with a possible two-month extension. For requests under India’s DPDP Act, we respond within the timeframe set by the Data Protection Board.
If we deny a request
If we cannot honor a request — for example, because we are required to retain consent records for a statutory period — we will tell you why and we will tell you how to appeal the decision. You may also lodge a complaint with the data protection authority in your jurisdiction.
10. R1 Constitutional Guardrails
These commitments are built into R1. They are not toggles. They are not changeable. They apply to every child on the platform.
We will never compare your child to other children. R1 measures your child against their own patterns. There are no leaderboards. No rankings. No “your child is below average” alerts. Comparison is a tool of elite sport. It is not a tool for child development.
We will never penalize your child for missed days. A child who skips R1 for a day, a week, or a month comes back to the same R1 they left. No streaks lost, no badges revoked, no guilt language. R1 is designed to support consistency, not to punish absence.
We will never sell your child’s data. Not to advertisers. Not to data brokers. Not to insurance companies. Not to anyone. R1 is funded by subscriptions and philanthropy.
We will never use your child’s individual data to train artificial intelligence models for any purpose other than improving R1 itself, and we will never share your child’s data with third-party AI providers for training.
We will default to the most protective settings. If we have to choose between convenience and your child’s privacy, we choose privacy. If a feature requires a tradeoff, we ask you. We do not decide for you.
These guardrails are part of our binding contractual commitment to every parent who uses R1. They are repeated in our Terms of Service. A change to any of them requires fresh consent from every existing user.
11. International transfers of personal data
Where personal data is transferred from one country to another for processing, we apply the legal mechanism required by the country of origin.
| Origin | Mechanism |
|---|---|
| European Economic Area | Standard Contractual Clauses (2021/914 and any successor); supplementary measures where required by Schrems II analysis |
| United Kingdom | UK International Data Transfer Agreement, or the EU SCCs with the UK Addendum |
| Brazil | International transfer mechanism under LGPD Articles 33–36, including standard contractual clauses approved by ANPD |
| Switzerland | Swiss Federal Data Protection and Information Commissioner SCCs |
| Canada | Comparable level of protection assessed under PIPEDA Principle 4.1.3 |
| Quebec | Privacy Impact Assessment under Law 25 Section 17 |
Transfer impact assessments are conducted before any new transfer route is opened and are reviewed annually.
12. Children’s privacy — federal requirements (United States)
R1 is directed in part to children under 13 and is treated as a service subject to the Children’s Online Privacy Protection Act (COPPA) and the FTC’s amended COPPA Rule (16 CFR Part 312, including the 2025 amendments effective April 22, 2026).
Verifiable parental consent
We obtain verifiable parental consent before collecting personal information from a child under 13. The verification methods we use, in order of preference:
- Payment-card transaction. For paid-tier signups, the parent’s completion of a payment transaction at registration constitutes a verifiable consent method approved by the Federal Trade Commission under 16 CFR § 312.5(b)(2).
- Government-issued ID verification. For free-tier signups, including the 100,000 Founding Scholars in the National Youth Readiness Study, we use a vetted third-party verification service. The parent submits a government-issued ID; the service confirms the document and the parent’s identity; the document is deleted from the verification service within minutes of confirmation. The Ready Collective receives only a verification token, not a copy of the document.
- Email-plus. For low-risk re-consent flows where no new disclosure to a third party is implicated, we use an email confirmation method that requires the parent to take an additional step beyond clicking a link.
Parent rights under COPPA
Parents may, at any time:
- Review the personal information we have collected from their child
- Refuse to permit further collection or use of the child’s information
- Direct us to delete the child’s personal information
To exercise these rights, follow the procedures in Section 9.
Direct notice
This Privacy Notice serves as the direct notice to parents required by 16 CFR § 312.4(c). At each consent event, the parent receives a timestamped email containing a copy of this Notice as it exists at that time, the choices the parent made, and instructions for changing those choices.
Mixed-audience analysis
R1 is directed primarily to children, including children under 13. We do not rely on the mixed-audience exemption under 16 CFR § 312.2 to defer parental consent.
Personal information categories under the amended Rule
The amended Rule’s expanded definition of “personal information” includes biometric identifiers and government-issued identifiers. As stated in Section 2, R1 does not collect biometric data, and government-issued identifiers are collected only temporarily for parental verification under Section 12, are not retained by The Ready Collective, and are deleted by the verification service within minutes of confirmation.
13. Jurisdiction-specific addenda
13.1 California
For California residents, the following additional disclosures apply under the California Consumer Privacy Act (CCPA) as amended by the CPRA, the California Age-Appropriate Design Code Act (Cal. Civ. Code § 1798.99.28–40, partially in effect since the Ninth Circuit mandate of April 3, 2026), and the California Digital Age Assurance Act (effective January 1, 2027).
Categories of personal information collected — see Section 2. Categories under the CCPA: identifiers, commercial information, internet or other electronic network activity information, geolocation (general only), audio-visual information (only as separately consented), professional information (parent only), inferences (the readiness signal), and sensitive personal information (the menstrual flag, where Toggle 2 has been elected).
Sources — directly from the parent and child user, and where applicable, from the National Governing Body or club partner that registered the athlete.
Business purposes — see Section 3.
Sale or sharing — we do not sell or share personal information.
Sensitive personal information — the menstrual flag, where elected. We do not use sensitive personal information for purposes other than those listed in Section 3, and we honor a request to limit the use of sensitive personal information.
Age-Appropriate Design Code compliance — R1 is operated as a service likely to be accessed by children under 18. We apply the highest privacy default settings to all minor accounts, conduct age estimation through the parent’s verified consent and the athlete’s date of birth (subject to the additional safeguards of the Digital Age Assurance Act when it takes effect on January 1, 2027), provide age-appropriate notices throughout the platform, display a clear and persistent monitoring indicator to a minor whenever an authorized operator (parent, coach, teacher, or school) is reviewing their data, and provide privacy-rights tools accessible to the parent in the parent settings menu and to the athlete (where age-appropriate) in the athlete settings menu.
Global Privacy Control — we honor the Global Privacy Control signal as an opt-out request under the CCPA.
Consumer rights — California residents may exercise the rights listed in Section 9 and the additional CCPA rights to know, delete, correct, opt out of sale or sharing (we do not sell or share), opt out of certain uses of sensitive personal information, and limit the use of sensitive personal information.
Authorized agent — California residents may designate an authorized agent to exercise rights on their behalf. The agent must provide written authorization and proof of identity.
13.2 New York
For New York residents, additional protections apply under the New York Child Data Protection Act (N.Y. Gen. Bus. Law Art. 32-A) and the SAFE for Kids Act.
R1 obtains informed consent from a parent or guardian for any user under 18 before processing personal data, regardless of whether the data would also be subject to COPPA. R1 does not present an addictive feed to minor users and does not send notifications to minors during overnight hours, consistent with the SAFE for Kids Act and the New York Attorney General’s proposed implementing rules.
13.3 Other US states
The following states grant additional rights to residents through state privacy laws or age-appropriate design codes. We honor the rights granted by each, as summarized below. The full list of applicable rights is in Section 9.
- Maryland: Maryland Age-Appropriate Design Code (Md. Code Ann., Com. Law § 14-4601 et seq.). Default privacy settings, no profiling of minors except for service delivery, no precise geolocation collection. No data protection impact assessment publication is required because the relevant provision is currently subject to litigation, but we maintain a DPIA internally and provide it to the Maryland Attorney General on request.
- Connecticut: Connecticut Data Privacy Act minor amendments (SB 3). Heightened consent for minors aged 13 to 16 for targeted advertising, sale, and certain profiling. We do none of these.
- Colorado: Colorado Privacy Act § 6-1-1308.5. Minor consent and design obligations applied as described above.
- Texas: Texas SCOPE Act (Tex. Bus. & Com. Code Ch. 509) and Texas App Store Accountability Act (SB 2420). Verifiable parental consent obtained via Section 12 methods.
- Utah: Utah Social Media Regulation Act and App Store Accountability Act. R1 does not function as a regulated social media platform under the Utah definitions.
- Florida: HB 3 account restrictions for minors. R1 does not permit users under 14 to hold an account without parental consent and does not permit users 14 or 15 to hold an account without parental consent, consistent with HB 3 (subject to the outcome of pending litigation).
- Illinois: Biometric Information Privacy Act (740 ILCS 14). R1 does not collect biometric identifiers as defined by BIPA.
- Nebraska: Age-Appropriate Online Design Code (May 30, 2025).
- Vermont: Age-Appropriate Design Code Act (effective January 1, 2027).
- South Carolina: Age-Appropriate Design Code (HB 3431, effective February 5, 2026). The annual third-party audit required by SC AADC is conducted by [auditor name to be inserted at the time of operation in South Carolina] and the public report is posted at the South Carolina Attorney General’s website on or before July 1 of each year following operation.
- Louisiana: Act 481 (effective July 1, 2026).
- Alabama: App Store Accountability Act (HB 161, February 17, 2026).
13.4 European Economic Area
For users in the European Economic Area, the General Data Protection Regulation (Regulation (EU) 2016/679) applies. The Ready Collective is the controller for personal data processed through R1.
Lawful bases for processing
| Purpose | Article 6 basis | Article 9 basis (where applicable) |
|---|---|---|
| Operate the platform | Article 6(1)(b) — performance of a contract with the parent | Not applicable |
| Show data to parent and authorized operators | Article 6(1)(b); Article 6(1)(f) for operator views | Not applicable |
| Improve the platform | Article 6(1)(f) — legitimate interests, balanced against the interests of the minor; LIA available on request | Not applicable |
| NGB population insights | Article 6(1)(f) on aggregated, de-identified data | Not applicable |
| IRB-approved research (Toggle 1) | Article 6(1)(a) explicit consent; Article 9(2)(j) and Article 89 safeguards | Article 9(2)(a) explicit consent for any special-category data |
| Menstrual flag (Toggle 2) | Article 6(1)(a) explicit consent | Article 9(2)(a) explicit consent |
| Communicate with parents | Article 6(1)(b); Article 6(1)(c) for legal notifications | Not applicable |
| Protect the platform | Article 6(1)(f) | Not applicable |
| Comply with the law | Article 6(1)(c) | Article 9(2)(g) where applicable |
Age of digital consent — The age of digital consent in the parent’s member state determines whether the minor’s own consent is required in addition to the parent’s. We apply the strictest standard relevant to each user. For all member states, we obtain parental consent for users under 16; for users between the local age of digital consent and 18, we additionally obtain the minor’s own consent for any consent-based processing.
Data Protection Officer — The Ready Collective has appointed a Data Protection Officer. The DPO is reachable at dpo@readycollective.org.
EU Representative — Our EU Representative under GDPR Article 27 will be appointed before EEA users are accepted.
Right to lodge a complaint — You have the right to lodge a complaint with the supervisory authority in the EEA member state of your habitual residence, place of work, or place of the alleged infringement.
Automated decision-making — We do not engage in solely automated decision-making with legal or similarly significant effects on the data subject. The readiness signal is presented as information; it does not produce legal or significant effects on its own.
13.5 United Kingdom
For users in the United Kingdom, the UK GDPR and the Data Protection Act 2018 apply, and we operate consistently with the Information Commissioner’s Office Children’s Code (Age-Appropriate Design Code).
Children’s Code standards — we have assessed R1 against each of the 15 Children’s Code standards and apply each to the platform. A summary of the assessment is published at www.youthreadyfirst.com/uk-childrens-code and is provided directly on request.
UK Representative — our UK Representative under the UK GDPR will be appointed before UK users are accepted.
Right to lodge a complaint — you have the right to lodge a complaint with the Information Commissioner’s Office (www.ico.org.uk).
Online Safety Act 2023 — we operate consistent with the children’s safety duties under Part 3 of the Online Safety Act 2023. R1 is not a regulated user-to-user service or search service, but where children’s safety duties are relevant, we apply them.
13.6 Canada (federal) and Quebec
For Canadian residents outside Quebec, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies. For Quebec residents, Law 25 (An Act to modernize legislative provisions as regards the protection of personal information) applies in addition.
Privacy Officer — The Ready Collective has designated a Privacy Officer accountable for our personal information practices in Canada. The Privacy Officer is reachable at privacy@readycollective.org.
Quebec specific:
- Cross-border transfers from Quebec are subject to a Privacy Impact Assessment under Law 25 Section 17. Assessments are completed before any new transfer is opened.
- Consent for sensitive information is express and obtained separately from other consents, consistent with Law 25 Section 12.
- Quebec residents have the right to data portability and the right to refuse decisions based exclusively on automated processing.
13.7 Australia
For users in Australia, the Privacy Act 1988 (as amended in 2024 and 2025) and the Australian Privacy Principles apply. R1 is operated consistent with the Privacy Act and, when finalized, the Children’s Online Privacy Code being developed by the Office of the Australian Information Commissioner.
APP 1 transparency — this Privacy Notice serves as the open and transparent management of personal information statement required by APP 1.
APP 6 use and disclosure — we use and disclose personal information only for the primary purposes for which it was collected, or for related secondary purposes the user would reasonably expect.
Cross-border disclosures — transfers outside Australia are subject to APP 8. We take reasonable steps to ensure that overseas recipients comply with the APPs.
Right to lodge a complaint — you have the right to lodge a complaint with the Office of the Australian Information Commissioner (www.oaic.gov.au).
13.8 New Zealand
For users in New Zealand, the Privacy Act 2020 applies. The Information Privacy Principles (IPPs) govern our collection, use, and disclosure. You have the rights set out in IPP 6 (access) and IPP 7 (correction). You may lodge a complaint with the Privacy Commissioner (www.privacy.org.nz).
13.9 Brazil
For users in Brazil, the Lei Geral de Proteção de Dados (LGPD, Lei 13.709/2018) applies.
Legal bases — see the table in Section 13.4. The LGPD-equivalent bases (Article 7 for personal data; Article 11 for sensitive personal data) are applied as follows: contract performance for platform operation; legitimate interests for improvement and security (with the LIA available); explicit specific consent for the menstrual flag and for research participation; legal obligation for compliance.
Children and adolescents — under LGPD Article 14, processing of children’s and adolescents’ personal data must be in their best interest. Specific consent of at least one parent or legal guardian is obtained for processing children’s data. We do not condition the participation of the child in any activity on the provision of personal data beyond what is strictly necessary.
DPO (Encarregado) — our Brazil DPO is reachable at dpo-br@readycollective.org. The DPO’s role under LGPD Article 41 is to receive communications, accept complaints, and orient employees on personal data protection.
Right to lodge a complaint — you may lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).
13.10 India
For users in India, the Digital Personal Data Protection Act 2023 and the Draft Rules 2025 apply.
Verifiable parental consent — required for users under 18 under DPDP Section 9. We use the methods described in Section 12.
No tracking, no behavioral monitoring, no targeted advertising of children — DPDP Section 9(3) prohibits these. R1 does not engage in any of them.
Consent Manager — when the Indian Consent Manager regulatory framework is operational, parents in India will be able to manage R1 consents through any Data Protection Board-registered Consent Manager.
Data Protection Board — you may lodge a grievance with the Data Protection Board of India.
13.11 Singapore, Japan, South Korea
For users in these jurisdictions, the local equivalents apply: Singapore PDPA and the Advisory Guidelines on the PDPA for Children’s Personal Data; Japan APPI with consent for special-care-required personal information; South Korea PIPA and the Special Act on the Protection of Children and Youth Against Sexual Abuse to the extent relevant to platform conduct rules. The substantive protections of this Notice apply to all users in these jurisdictions, and rights may be exercised through the methods in Section 9.
14. Operators on the platform — parents, coaches, teachers, and schools
R1 is built around the recognition that operators — parents, coaches, teachers, and schools — see different parts of an athlete’s data based on the parent’s authorization. This section describes how operator access works.
Default: By default, only the parent and the athlete see the athlete’s data.
Authorization: The parent may authorize specific additional operators to see specific subsets of the data. For example:
- A coach may be authorized to see the athlete’s daily readiness signal but not the underlying check-in answers.
- A school may be authorized to see participation patterns but not domain-level scores.
- A teacher may be authorized to see only what the parent has explicitly enabled for that teacher.
Monitoring indicator: Whenever an operator is reviewing an athlete’s data, the athlete sees a clear and persistent monitoring indicator in the app. The indicator names the operator, the type of data being viewed, and the time of viewing. This implements the California Age-Appropriate Design Code Act monitoring-signal requirement (Cal. Civ. Code § 1798.99.31(a)(5)) and the analogous standard under the UK Children’s Code.
Sensitive data: The menstrual cycle observation flag is never visible to coaches, teachers, schools, or National Governing Bodies, regardless of the parent’s other authorizations.
Withdrawal: The parent may withdraw an operator’s access at any time from the parent settings menu. Withdrawal takes effect within 60 seconds.
15. Third-party integrations
R1 integrates with the following categories of third-party services. For each, we have a written data processing agreement that limits the third party’s use of any data we share to the specific purpose of providing the service.
| Category | Examples | Data shared |
|---|---|---|
| Cloud hosting | — | All platform data, encrypted at rest |
| Authentication | Google Auth | Email address and authentication tokens |
| AI movement assessment | Asensei | Only when an athlete uses the movement assessment feature; processed under a written DPA |
| Application performance monitoring | (vendor) | Technical logs, no personal data of children where avoidable |
| Customer support | (vendor) | Only the data needed to respond to a parent’s specific support request |
| NGB and club platform integrations | SportsEngine, TeamUnify, Sport:80, Sports Connect, PlayMetrics | Registration information only, in the direction the integration requires |
| Verifiable parental consent vendor | Yoti or equivalent | Government-issued ID at the verification step only; deleted immediately after verification |
| IRB-approved research collaborators | Specific institutions named in the IRB-approved protocol | De-identified data only, when Toggle 1 has been elected |
A current list of third-party processors is maintained at www.youthreadyfirst.com/subprocessors. We notify parents in advance of any addition of a new category of third-party processor.
16. How we tell you when this notice changes
We change this Notice when the law changes, when our practices change, or when we identify a way to make it clearer. When we change it:
- For changes that increase your rights or do not affect them materially: We update the Notice and the effective date.
- For changes that materially affect your rights or our practices: We give you at least 30 days’ advance notice by email and by in-app notification, and we describe the change in plain language. Where the change affects a consent you have given, we obtain a fresh consent before the change takes effect for you.