1. Introduction
HenZoe LLC ("HenZoe," "we," "us," or "our") operates the HenZoe youth sports and activity club management platform, including our website at henzoe.com, our web application, and our mobile applications for iOS and Android (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, store, and protect personal information when you use the Service.
We are committed to protecting the privacy of all Users, with particular attention to the personal information of children. We comply with the Children's Online Privacy Protection Act ("COPPA"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable data protection laws.
By creating an account or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree to this Privacy Policy, please do not use the Service.
2. Information We Collect
2.1. Account Information (All Users)
When you create a HenZoe account, we collect:
| Information | Required | Purpose |
|---|---|---|
| First and last name | Yes | Account identification and display |
| Email address | Yes | Authentication, communications, and account recovery |
| Password | Yes | Authentication (stored as a cryptographic hash — we never store or have access to plaintext passwords) |
| Phone number | No | Optional contact information |
| Date of birth | No | Optional profile information |
| Mailing address | No | Optional contact information (may include GPS coordinates if provided via map selection) |
| Profile photo | No | Visual identification within the platform |
2.2. Information About Children (Students/Players)
Parents, Guardians, and authorized Club staff may provide the following information about youth players:
| Information | Required | Purpose |
|---|---|---|
| First and last name | Yes | Identification in rosters, attendance, and assessments |
| Date of birth | Yes | Age-appropriate program placement and eligibility |
| Gender | Yes | Program organization and roster management |
| Profile photo | No | Visual identification by coaches and staff |
| Medical notes (e.g., allergies, asthma, injuries) | No | Safety during Club activities |
| Emergency contact (name, phone, relationship) | Yes | Contact in case of emergency during Club activities |
| Skill level and assessments | No | Assigned by coaches for development tracking |
| Achievements and awards | No | Recognizing accomplishments and milestones |
| Attendance records | No | Tracking participation in classes and sessions |
Important: All information about children is entered by parents, guardians, or authorized Club staff. Children do not create accounts, log in, or directly input information into the platform.
2.3. Communication Data
| Information | Source | Purpose |
|---|---|---|
| Chat messages | Users (in class channels and direct messages) | Facilitating communication between Club members |
| File attachments | Users (images, documents, up to 25 MB) | Sharing media within conversations |
| Announcements | Coaches and Admins | Club-wide and class-level communications |
2.4. Club and Program Data
- Class schedules, locations, and session details
- Enrollment records and class rosters
- Event details and RSVP responses
- Tryout registrations (child name, date of birth, gender, experience level)
- Volunteer duty sign-ups and assignments
- Membership plan selections (type, duration, price)
2.5. Payment Information
We store payment records including amount, date, status, and payment method label for record-keeping. HenZoe does not directly process, transmit, or store credit card numbers, bank account details, or other payment instrument data. Payment processing is managed by each Club through its own payment provider.
2.6. Automatically Collected Information
| Information | Purpose | Retention |
|---|---|---|
| Audit logs (user ID, action performed, timestamp, IP address, browser user agent) | Security monitoring, incident investigation, and regulatory compliance | 2 years |
| API request metrics (request path, response status, duration) | Service performance monitoring and reliability | Anonymized; no personal data retained |
2.6a. Website Visitors and Signup / Contact Forms
Separately from the in-product Service, when you visit our marketing website (henzoe.com) or submit a form there — such as the Club signup form or a contact / sales inquiry — we collect the information you choose to provide so we can respond to you and, where applicable, begin setting up your Club account:
| Information | Source | Purpose |
|---|---|---|
| Club name and chosen Club URL | You (signup form) | Creating and provisioning your Club account |
| Your name and email address | You (signup or contact form) | Sending your account setup invitation and responding to your inquiry |
| Country and selected plan / billing cycle | You (signup form) | Configuring your account and applicable pricing |
| Subject and message you submit | You (contact form) | Understanding and responding to your inquiry |
| Hashed source IP address of a signup request | Automatically | Abuse prevention and rate limiting (we store a one-way hash, not the raw IP) |
We use this information only to respond to you, evaluate and set up your account, and send directly related communications. The lawful bases are your consent and taking pre-contractual steps at your request. We retain unconverted signup or contact submissions only as long as needed to respond and for reasonable abuse-prevention and record-keeping; once a Club account is created, the information is governed by Section 8 (Data Retention). Our marketing website uses only strictly necessary cookies and no third-party analytics or advertising trackers, consistent with Sections 9.1–9.2.
2.7. AI Assistant (Zoe) Inputs
When you use the Service's AI assistant features (collectively, "Zoe"), the following information is processed in order to generate responses for you:
| Information | Source | Purpose |
|---|---|---|
| Your prompts and conversation history with Zoe | You | Generating responses to your requests |
| Account-visible context (schedules, rosters, messages, payments, student profiles, attendance, and other data your account is already authorized to see) | Existing Service data | Providing accurate, personalized responses scoped to what you can already access |
| Action confirmations (when you approve, modify, or decline a proposed action) | You | Executing or skipping the proposed action |
Zoe processing is performed using a combination of HenZoe's own systems and one or more underlying large language model ("LLM") providers acting as our sub-processors under contractual confidentiality and data protection terms. Zoe inputs are not used by HenZoe or by our LLM sub-processors to train general-purpose AI models. Zoe only proposes actions and seeks your explicit confirmation before executing any action that affects data; it does not act autonomously on your behalf without that confirmation. Zoe-generated output is AI-generated and may contain errors; please see Section 4.4 of our Terms of Service for important limitations on AI features.
2.7a. AI Moderation of Outbound Email
When a Coach, Club Admin, or the Zoe assistant composes an outbound email through the Service (see Section 4.3a of our Terms of Service), the message is automatically reviewed by an AI-based content moderation system before it is sent, to detect spam, advertising, and other content prohibited by our Terms.
| Information | Source | Purpose |
|---|---|---|
| Email subject and body text (for every outbound email, not only blocked ones) | The Coach, Admin, or Zoe composing the message | Automated screening for prohibited content before sending |
| Recipient context (that the recipient is a member of the sending Club) | Existing Service data | Confirming the email is sent only to Club members |
Outbound email content is processed for moderation by DeepSeek, an LLM provider acting as our sub-processor under contractual confidentiality and data protection terms, and is transmitted by Amazon Simple Email Service (SES), our email-delivery sub-processor (see Section 5.3). Email content processed for moderation is not used by HenZoe or by our sub-processors to train general-purpose AI models. We maintain an audit log of outbound email (sender, recipient count, subject, the moderation decision and reason, and timestamps) for security, abuse-prevention, and compliance purposes; this log is retained as described in Section 8.
2.8. Information We Do NOT Collect
We want to be clear about data we do not collect:
- No advertising cookies or behavioral tracking — We do not use cookies for advertising, retargeting, or cross-site tracking
- No third-party analytics — We do not use Google Analytics, Facebook Pixel, or similar third-party analytics services
- No device fingerprinting — We do not collect device fingerprints or use tracking pixels
- No biometric data — We do not collect fingerprints, facial recognition data, voiceprints, or other biometric identifiers
- No government-issued identifiers — We do not collect Social Security numbers, driver's license numbers, passport numbers, or similar government-issued identification
- No geolocation tracking — We do not passively track your device location (address data is only stored if voluntarily provided)
2.9. Mobile App Permissions
When you use our mobile applications for iOS and Android, certain features rely on permissions you grant through your device's operating system. We request a permission only when you use the related feature, and you can review or revoke any permission at any time in your device settings.
| Device permission | When we request it | Purpose |
|---|---|---|
| Camera | When you take a photo for a profile or to attach to a message | Capturing the image you choose to upload |
| Photo Library | When you choose an existing photo for a profile or message attachment | Selecting the image you choose to upload |
| Calendar | When you add a Club event or session to your device calendar | Writing the event you choose to your device calendar |
| Push Notifications | When you opt in to notifications | Delivering Club announcements, messages, and reminders to your device |
We do not access these device features in the background, and declining a permission does not prevent you from using the rest of the Service. Consistent with Section 2.8, we do not collect your device's precise location.
3. Lawful Basis for Processing
We process personal information based on the following lawful bases:
| Lawful Basis | Applicable Processing Activities |
|---|---|
| Consent | Account creation, parental consent for children's data (COPPA), acceptance of Terms of Service |
| Performance of contract | Providing the Service as described in our Terms of Service |
| Legitimate interest | Security monitoring, fraud prevention, service improvement, and maintaining audit trails |
| Legal obligation | Compliance with COPPA, CCPA/CPRA, tax and accounting requirements, and responding to lawful government requests |
4. How We Use Your Information
We use personal information for the following purposes:
| Purpose | Data Used |
|---|---|
| Providing and operating the Service | Account information, student data, enrollment, scheduling |
| Enabling in-app communication | Chat messages, announcements, notifications |
| Tracking player development | Skill assessments, achievements, attendance |
| Sending invitations and notifications | Email address |
| Ensuring player safety | Medical notes, emergency contacts (shared with coaches) |
| Maintaining platform security | Audit logs, IP addresses, login records |
| Processing memberships | Payment records, plan selections |
| Improving service quality | Anonymized, aggregated usage metrics |
We do NOT use your information to:
- Serve advertisements of any kind
- Build marketing or behavioral profiles
- Sell, rent, lease, or trade personal data to third parties
- Make automated decisions that produce legal or similarly significant effects without human review and confirmation (the AI assistant features described in Section 2.7 propose actions for your review and require your explicit confirmation before executing any action that affects data)
- Train general-purpose AI models on your data or your child's data
- Engage in cross-site tracking or retargeting
5. How We Share Your Information
5.1. Within Your Club
Your information is accessible to authorized members of your Club based on their role:
| Role | Accessible Information |
|---|---|
| Coaches (assigned to your child's class) | Student names, DOB, gender, medical notes, emergency contacts, skill assessments, attendance, parent contact details |
| Club Admins | All user and student information within their organization |
| Other Parents (in the same class) | Your name and profile photo in class channels and chat. They cannot see your email, phone, address, or your child's medical information |
| Co-Parents (if invited by you) | Student profile data based on permissions you grant (profile, enrollment, RSVPs, and/or chat) |
5.2. Between Clubs (Tenant Isolation)
Your information is never shared between different Clubs. Each Club operates as a separate tenant with strict data isolation. No Club can access the data of any other Club.
5.3. With Service Providers (Sub-Processors)
We engage the following third-party service providers to operate the Service. These providers process data on our behalf pursuant to data processing agreements and are obligated to protect your information:
| Provider | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, computing, and storage | All data (encrypted at rest using AES-256 and in transit using TLS) |
| AWS Cognito | User authentication and identity management | Email, name, password hash |
| AWS Simple Email Service (SES) | Transactional and Club operational email delivery (including outbound email composed by Coaches and Admins) | Recipient email address, email subject and body content |
| DeepSeek | AI content moderation of outbound email composed by Coaches, Admins, and Zoe | Email subject and body text (when an outbound email is composed); not used for AI model training |
| AWS S3 / CloudFront | Delivery of application static assets and internal usage reporting | Application assets; no user-uploaded media |
| Cloudflare, Inc. | Storage and global delivery of user-uploaded media (chat attachments, profile and student photos, Club logos, achievement badges, and AI assistant uploads) via Cloudflare R2 storage and a media-delivery worker | Uploaded files and associated technical metadata |
| AWS AppSync | Real-time messaging (WebSocket) | Chat messages and channel data |
| Google OAuth | Optional third-party sign-in | Email and name (only when user elects Google sign-in) |
| Google Maps API | Location selection for class venues | Location coordinates and addresses |
| Large Language Model (LLM) provider(s) | Powering AI assistant features (Zoe) | Your prompts and the account-visible context required to generate a response (see Section 2.7); not used for AI model training |
5.4. Legal Requirements
We may disclose personal information if we reasonably believe that disclosure is necessary to:
- (a) Comply with applicable law, regulation, legal process, or governmental request;
- (b) Enforce our Terms of Service or other agreements;
- (c) Protect the rights, property, or safety of HenZoe, our Users, or the public; or
- (d) Detect, prevent, or address fraud, security, or technical issues.
Where permitted by law, we will make reasonable efforts to notify affected Users before disclosing their information in response to a legal request.
5.5. Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or other business transfer, personal information may be transferred as part of that transaction. We will notify affected Users prior to their information becoming subject to a different privacy policy and will provide the opportunity to opt out where required by law.
5.6. With Your Consent
We may share your information for purposes not described in this Privacy Policy only with your prior, explicit consent.
6. Children's Privacy (COPPA Compliance)
HenZoe takes the privacy of children seriously. This section describes our practices regarding the personal information of children under 13, in compliance with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506, and the FTC's COPPA Rule, 16 C.F.R. Part 312.
6.1. Operator Information
HenZoe LLC is the operator of the Service for purposes of COPPA. Our contact information is:
HenZoe LLC Email: contact@henzoe.com Phone: (949) 810-6886 Address: 2108 N ST, STE N, Sacramento, CA 95816, United States
6.2. No Direct Collection from Children
HenZoe does not allow children to create accounts, log in, post messages, or directly provide personal information through the Service. All children's data is entered by:
- (a) A parent or legal guardian, OR
- (b) Authorized Club staff (Coaches or Admins) acting with parental knowledge and consent.
6.3. Parental Consent
Before a Parent adds a child (Student) to the platform, they must review and accept our Parental Consent Agreement, which describes the specific categories of information collected about the child, the purposes for which it is used, and who has access to it. Parents provide verifiable consent by checking a dedicated consent checkbox during account setup or student registration after reviewing the full consent disclosure.
6.4. Parental Rights Under COPPA
Parents and legal guardians have the right to:
- Review all personal information collected about their child by logging into the Parent portal
- Edit their child's profile, medical notes, and emergency contact information at any time
- Delete their child's profile and associated personal data by removing the Student from the platform or by contacting their Club Admin
- Revoke consent for further collection of their child's information by removing the Student from the platform or by contacting us
- Request a complete copy of their child's data by emailing contact@henzoe.com with the subject line "COPPA Data Request"
6.5. How Children's Data Is Used
Children's data is used exclusively to:
- Enable Club staff to manage Club programs, classes, and rosters
- Allow coaches to track attendance, skills, and player development
- Provide parents with visibility into their child's participation and progress
- Ensure child safety through accessible medical notes and emergency contact information
Children's data is never used for advertising, marketing, profiling, or any purpose unrelated to the Club's programs and activities.
6.6. Retention and Deletion of Children's Data
Children's data is retained only for as long as the Student profile is active. When a Student is removed from the platform, their profile and personally identifiable data are deleted. Anonymized attendance and assessment summaries may be retained by the Club for historical program records.
6.7. Filing a COPPA Complaint
If you believe we have collected personal information from a child in violation of COPPA, please contact us immediately at contact@henzoe.com. You may also file a complaint with the Federal Trade Commission at www.ftc.gov/complaint or by calling 1-877-FTC-HELP (1-877-382-4357).
7. Data Security
We implement comprehensive security measures to protect your information:
| Security Measure | Description |
|---|---|
| Encryption in transit | All data transmitted between your device and our servers is encrypted using TLS 1.2+ (HTTPS) |
| Encryption at rest | All data stored in our databases and file storage is encrypted using AES-256 encryption provided by AWS |
| Authentication | User accounts are secured through AWS Cognito with industry-standard password hashing (bcrypt/SRP). Multi-factor authentication is supported where enabled |
| Access control | Multi-tenant data isolation ensures each Club's data is completely separated at the database level. Role-based access controls restrict data visibility based on User roles |
| Audit logging | All significant actions are logged for security monitoring, incident investigation, and compliance |
| Invite-only access | Users can only join the platform through authorized invitations, preventing unauthorized account creation |
| Infrastructure security | Hosted on AWS with SOC 2 Type II, ISO 27001, and FedRAMP-certified infrastructure |
No method of electronic storage or transmission is 100% secure. While we implement commercially reasonable security measures, we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you in accordance with applicable law.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Active user accounts | Retained as long as the account remains active |
| Deleted user accounts | Personal data deleted upon account removal; anonymized records retained where required for Club operations |
| Student profiles | Retained as long as the profile is active; personal data deleted when profile is removed |
| Chat messages | Retained while account is active; soft-deleted messages retained temporarily for content moderation review |
| Audit logs | Retained for two (2) years for security and compliance purposes |
| Outbound email audit log (sender, recipient count, subject, moderation decision and reason, timestamps) | Retained for two (2) years for security, abuse-prevention, and compliance purposes |
| File uploads | Deleted when the associated message or profile is deleted |
| Invitation records | Expired invitations retained for ninety (90) days, then permanently deleted |
| Payment records | Retained in accordance with applicable tax, accounting, and legal requirements as determined by each Club |
9. Cookies and Tracking Technologies
9.1. Cookies We Use
HenZoe uses only strictly necessary cookies required for the Service to function. These include:
- Authentication tokens — To maintain your logged-in session
- Security tokens — To prevent cross-site request forgery (CSRF) and ensure secure requests
9.2. Cookies We Do NOT Use
We do not use:
- Advertising or marketing cookies
- Third-party analytics cookies
- Social media tracking cookies
- Cross-site tracking cookies
- Persistent behavioral tracking cookies
9.3. Do Not Track Signals
HenZoe does not track Users across third-party websites. Because we do not engage in cross-site tracking, our Service does not respond to "Do Not Track" browser signals, as there is no tracking to disable.
10. Your Privacy Rights
10.1. Rights Available to All Users
Regardless of your location, you may exercise the following rights with respect to your personal information:
| Right | Description |
|---|---|
| Access | Request a copy of the personal information we hold about you |
| Correction | Request correction of inaccurate or incomplete information |
| Deletion | Request deletion of your personal information, subject to legal retention requirements. You can delete your account directly in the app via the avatar menu (select Delete my account), or contact us at the address below |
| Portability | Request your personal data in a structured, commonly used, and machine-readable format |
| Withdraw consent | Withdraw your consent for data processing at any time (this does not affect the lawfulness of processing prior to withdrawal) |
To exercise any of these rights, contact us at contact@henzoe.com. We will respond to your request within thirty (30) days. We may request verification of your identity before processing your request.
10.2. California Residents (CCPA/CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
- Right to know — You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your information.
- Right to delete — You may request deletion of your personal information, subject to certain exceptions.
- Right to correct — You may request correction of inaccurate personal information.
- Right to opt out of sale/sharing — We do NOT sell or share (as defined under CCPA/CPRA) your personal information. No opt-out is necessary.
- Right to limit use of sensitive personal information — We use sensitive personal information only for the purposes disclosed in this Privacy Policy. No limitation request is necessary.
- Right to non-discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Categories of personal information we collect (as defined by the CCPA/CPRA): Identifiers, personal information under Cal. Civ. Code § 1798.80(e), characteristics of protected classifications (age, gender), internet or other electronic network activity (audit logs), and education information (skill assessments, attendance).
Authorized agents: You may designate an authorized agent to submit requests on your behalf. We may require the agent to provide proof of authorization and may also require you to directly verify your identity with us.
To submit a CCPA/CPRA request, email contact@henzoe.com with the subject line "CCPA Request" or call (949) 810-6886.
10.3. Virginia, Colorado, and Connecticut Residents
If you are a resident of Virginia (VCDPA), Colorado (CPA), or Connecticut (CTDPA), you have rights similar to those described in Section 10.1, including the right to access, correct, delete, and obtain a portable copy of your data. You also have the right to opt out of targeted advertising, the sale of personal data, and profiling — however, we do not engage in any of these activities.
To exercise your rights, contact us at contact@henzoe.com. If we deny your request, you have the right to appeal by contacting us at the same email address with the subject line "Privacy Rights Appeal."
11. International Data Transfers
HenZoe is hosted on Amazon Web Services infrastructure located in the United States. If you access the Service from outside the United States, your personal information will be transferred to and processed in the United States. By using the Service, you consent to this transfer and acknowledge that U.S. data protection laws may differ from the laws in your jurisdiction.
12. Third-Party Links
The Service may contain links to third-party websites or services (such as Google Maps). We are not responsible for the privacy practices, content, or security of any third-party website. We encourage you to review the privacy policies of any third-party sites you access through or in connection with the Service.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date and version number at the top of this document
- Notify Users through the Service with a prominent notice
- Require re-acceptance of the updated Privacy Policy for continued use of the Service
We encourage you to review this Privacy Policy periodically.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
HenZoe LLC Email: contact@henzoe.com Phone: (949) 810-6886 Address: 2108 N ST, STE N, Sacramento, CA 95816, United States
For COPPA-related inquiries or to exercise parental rights regarding your child's data, please email contact@henzoe.com with the subject line "COPPA Request."
For CCPA/CPRA requests, please email contact@henzoe.com with the subject line "CCPA Request" or call (949) 810-6886.
© 2026 HenZoe LLC. All rights reserved.