Skip to main content
Mettle Arena

COPPA Disclosure

Effective 2026-05-25

What COPPA is, and why this page exists

The U.S. Children’s Online Privacy Protection Act (COPPA) adds protections for kids under 13 who use online services. Swim clubs routinely include athletes under 13, so Mettle Arena implements COPPA-required protections by design.

This page is the formal disclosure required by COPPA. It also describes how parents grant, view, or revoke consent inside the product.

Who the “parent” is

For COPPA purposes, the parent is the legal parent or guardian who enrolls the athlete in the club. Mettle relies on the club’s existing relationship with the family to identify the correct parent for each athlete. We don’t collect parents directly off the open internet.

What we collect from athletes under 13

The same categories we collect from any athlete:

  • Name and age (provided by the club from its registration data).
  • Practice attendance.
  • Swim times (personal bests).
  • Meet entries.
  • Optionally and only with the athlete tapping through the prompt: daily check-in (energy, mood, freshness, sleep, soreness scales) and wearable health data when a wearable is connected.
  • Push notification subscription endpoint when the athlete opts in to notifications.

We do not collect:

  • Photos, videos, or any facial-recognition material.
  • Open-ended text fields the athlete can fill with personal info — coach communication is structured (broadcasts, reactions, structured journal prompts).
  • Location data beyond what’s in the IP address used for rate limiting.
  • Social-media identifiers, contacts, or anything outside Mettle.

How we get parental consent

Before an athlete under 13 can record personal performance data (best times, daily check-in, wearable readings), Mettle requires verifiable parental consent. The flow:

  1. The club imports the athlete’s roster entry. Mettle automatically flags the athlete as under 13 based on the age the club provided.
  2. The coach contacts the parent — directly or via an existing channel the club uses — to confirm consent.
  3. The coach records the parent’s consent inside Mettle. The record includes the consent date, the consent version that was agreed to, and an attestation by the coach that the parent confirmed.
  4. Mettle’s server-side gate (the “COPPA gate”) then allows the athlete to use the features that require consent. Without a valid consent record on file, those features are blocked with a clear “parent consent required” message.

The fail-closed posture is deliberate: if the system can’t verify consent — because the record is missing, the network is down, or anything else — the athlete is blocked rather than permitted. We’d rather fail safe than fail open.

How parents review or revoke consent

Any parent can contact their club’s head coach to review the consent record on file, change which features are enabled, or revoke consent entirely. The coach updates the record from inside Mettle; the change propagates to the COPPA gate within 30 seconds.

Revoking consent immediately blocks new data collection from the athlete and triggers deletion of the data within 30 days. We retain the consent record itself (showing date granted and date revoked) as part of the audit log.

Parents who can’t reach their coach can contact us directly at legal@mettlearena.com and we’ll route the request to the appropriate club administrator and verify it’s honored.

Who can see the athlete’s data

  • The athlete and the athlete’s coaches.
  • Parents/guardians linked to the athlete by the club, mediated by the athlete’s privacy preferences (daily check-in details are granular-share by default OFF, even from parents, so the athlete decides when to share what).
  • Mettle staff investigating a specific operational issue, with audit-log trail.

We do not sell or rent any data, and we never share data across clubs.

Third parties we share with

Mettle uses a small number of operational service providers to deliver the product. None of them receive identifying information about specific minors except as strictly necessary to deliver the requested service:

  • Google Firebase / Cloud Firestore — primary data storage. Hosted in the United States.
  • Vercel — application hosting. Also U.S.
  • Apple / Google / Mozilla push services — push notification delivery. They receive only the device’s push endpoint and the message payload (e.g. “Pat just hit a new PR”). They don’t receive birthdate or other identifying data.
  • Stripe — payment processing for the clubs. Stripe never receives athlete data; only club billing contacts.

Data retention

Performance and attendance data is retained for the lifetime of the club’s account plus 90 days after termination. Audit logs (including consent records) are retained for 24 months. When a parent revokes consent, the athlete’s associated data is deleted within 30 days; the consent record itself is retained as described above.

Contact for COPPA inquiries

For questions about this disclosure or to file a COPPA-specific request:

We aim to respond within 5 business days.