Your students’ data is their data. Period.
We built Stroke Gained with the same security standards we would expect for our own swing footage and coaching data. Every layer of the platform is designed so that your information stays private, encrypted, and under your control.
How We Protect Your Data
Security is not an afterthought at Stroke Gained. These protections are built into the foundation of the platform, from database queries to video storage to session management.
Row Level Security
Every database table uses Supabase RLS policies. Coaches see only their own students. Students see only their own data plus feedback from their assigned coach. There is no way to query another user's records, even at the API level.
Secure Authentication
Supabase Auth with PKCE flow provides industry-standard session management. Passwords are never stored in plain text. Sessions expire automatically, and refresh tokens are rotated on every use, which limits how long a stolen token remains usable.
Signed URLs for Video Storage
Swing videos and media files are stored in private buckets. Every access URL is time-limited and signed with a unique token. There are no permanent public links to your swing footage. Once the URL expires, it cannot be reused.
No Data Selling, Ever
Your swing data, round history, and personal information are never sold, shared with advertisers, or used for AI model training outside of your own analysis. Your data exists to help you improve your golf game, full stop.
Scoped Access Controls
Access is role-based and scoped to the minimum necessary. Students see their own data plus their coach's feedback. Coaches see their student roster and submitted videos. Admins see aggregate analytics but not individual swing footage.
Encrypted at Rest and in Transit
All data is encrypted at rest using AES-256 on Supabase infrastructure hosted on AWS. All data in transit uses TLS 1.2 or higher. HTTPS is enforced on every endpoint with no exceptions.
What Data We Collect and Why
We only collect data that directly serves your golf improvement experience. Here is exactly what we store, and the specific reason for each category.
Account Information
What: Email address, display name, authentication credentials
Why: To create and manage your account, send transactional emails, and enable coach-student connections.
Swing Videos
What: Video files you upload for analysis
Why: To run AI swing analysis using TPI, TrackMan, and HackMotion reference data. Videos are stored in private buckets and are only accessible to you and your connected coach.
Round Data
What: Shot locations, scores, GPS coordinates during play
Why: To calculate strokes gained metrics, identify patterns in your game, and generate practice recommendations.
Device Information
What: Device model, OS version, app version
Why: To diagnose bugs, optimize performance for your device, and ensure compatibility with Apple Watch and Android features.
Usage Analytics
What: Feature usage patterns, session duration, navigation flow
Why: To understand which features are most valuable and where the experience can be improved. This data is aggregated and anonymized.
How Swing Videos Are Stored and Processed
When you upload a swing video for AI analysis, the file is transferred over HTTPS to a private storage bucket on Supabase (backed by AWS S3). The video is encrypted at rest and is never accessible via a public URL. When you or your coach need to view the video, a time-limited signed URL is generated that expires after a short window.
During analysis, the video is processed by our AI pipeline, which references biomechanics data from TPI, TrackMan, and HackMotion research. The AI extracts pose estimation data and kinematic measurements from the video frames. This analysis data is stored alongside the video in your account. The original video file is never modified.
Your swing videos are never used to train AI models, shared with third parties, or made accessible to other users. If you delete a video from your account, the file and all associated analysis data are permanently removed from our storage within 30 days.
Third-Party Services We Use
We are transparent about every external service that handles your data. Each one is selected for its security posture and compliance certifications.
Supabase
Purpose: Database, authentication, and file storage
Security: SOC 2 Type II compliant, hosted on AWS with AES-256 encryption, GDPR-ready infrastructure.
Vercel
Purpose: Web application hosting and edge delivery
Security: SOC 2 Type II compliant, automatic HTTPS, DDoS protection, isolated serverless functions.
Expo / React Native
Purpose: Mobile application framework
Security: Open-source framework with regular security audits. No data is stored on Expo servers in production.
Resend
Purpose: Transactional email delivery
Security: SOC 2 Type II compliant, TLS encryption for all email transmission, no email content retention.
Account Deletion Policy
You can request full account deletion at any time by emailing bank@strokegained.com with the subject line “Delete My Account.” We will confirm your identity and process the deletion within 7 business days.
When your account is deleted, we permanently remove your profile information, swing videos, round data, practice history, and any coach-student connections. Aggregated, anonymized analytics data (such as feature usage counts) may be retained since it cannot be tied back to you.
If you are connected to a coach, your coach will be notified that the connection has ended, but they will not receive any of your data.
Questions about security or privacy?
We are happy to walk you through our infrastructure, policies, and data handling in detail. If you are a coach evaluating the platform for your students, we can provide additional documentation on request. Reach out anytime.