Compliance isn't an afterthought. It's our architecture.
Every decision we make starts with one question: how does this protect the kids in your care? Five regulations. Built in from day one.
Every major regulation. Built in, not bolted on.
We don't treat compliance as a checkbox. These are architectural constraints.
COPPA
Under 13 · Children's Online Privacy Protection Act · United States
Children under 13 require verifiable parental consent before we collect any data. Guardian approval gates all account creation for this age group.
GDPR Art. 8
Under 16 · General Data Protection Regulation, Article 8 · EU / EEA
Children 13-15 in EU/EEA require parental consent. Our locale-aware consent flows adapt automatically based on the child's country of residence.
UK Children's Code
Under 18 · Age Appropriate Design Code · United Kingdom
Children under 18 receive age-appropriate design and maximum privacy by default. No dark patterns. Data minimization enforced throughout.
CCPA/CPRA
Under 16 · California Consumer Privacy Act / Privacy Rights Act · California, USA
Children under 16 must opt in to any data sale. We don't sell data — period. California residents have full DSAR rights.
KOSA
Under 17 · Kids Online Safety Act · United States
Duty of care for users under 17. No harmful content recommendations, no behavioral advertising for minors, transparent algorithms.
Guardian-routed messaging
Messages to your youngest players always go through a parent first. No exceptions.
- All messages blocked: Parents communicate on their behalf
- Guardian approval required: Direct messages need guardian review before delivery
- Guardian-visible: Messages visible in parent's feed
- Standard messaging: Direct messaging enabled
Age group is determined at registration and automatically enforced throughout the platform. Guardians can upgrade a child's age category with verification — never downgrade without admin approval.
Your data, protected at every tier
Not all data is equal. We encrypt and protect each type appropriately.
- Most Protected: Passwords, API keys, encryption keys
- Child PII: Child personal data, health info, guardian links
- Adult PII: Adult personal data, payment details, messages
- Club Data: Events, rosters, schedules
Accountability you can trust
Every action that touches personal data is logged. Immutably.
- Append-only audit logs with hash-chain integrity
- Every PII access and modification is logged
- DSAR deletion and portability workflows built in
- Safeguarding records retained until age 25+7
- Guardian consent changes are immutably recorded
- Auth events logged for every account
DSAR-ready by default
When a family requests their data or deletion under GDPR or CCPA, we have automated workflows for that. No manual scrambling. No compliance exposure.
See how ClubOS protects your community.
Every club on ClubOS gets the same compliance architecture. No upgrades required.