Security at PlayerFocus
Clubs trust us with information about children and families. We take that seriously, and we build the platform to match.
Authentication
PlayerFocus uses Supabase Auth for identity. Passwords are hashed with bcrypt — we never see or store plaintext passwords. Every authenticated request carries a short-lived JWT signed by Supabase, and sessions refresh automatically as long as the user stays active.
Coaches, parents, and directors are provisioned by their club’s director. There’s no public signup, so we don’t expose endpoints that unknown users can use to create accounts or probe the system.
Data isolation between clubs
Every row in our database is tagged with the academy it belongs to. Every query — reads, writes, updates, deletes — runs through Postgres Row-Level Security (RLS) policies that enforce that boundary at the database level, not just the application level.
In practice, a coach at Club A cannot see or modify data belonging to Club B, even if they guess URLs or craft custom API calls: the database itself refuses the query, so the isolation does not depend on application code getting every check right.
Encryption
Everything on playerfocus.ca is served over HTTPS with modern TLS. Data stored in Supabase is encrypted at rest using AES-256. Backups are encrypted with the same standard. Attached files (player photos, documents) live in Supabase Storage with signed-URL access that expires quickly.
Role-based access
Every account has a role: director, coach, or parent. Features and data visibility are enforced per role both in the UI and in the database:
- Directors see everything for their club.
- Coaches see only the teams and players they’re assigned to.
- Parents see only their own child’s reports and snapshots.
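One way to express the two guarantees described above (the per-academy boundary from the "Data isolation between clubs" section, and the per-role visibility from this list) as Postgres Row-Level Security policies. This is an added example, not PlayerFocus's own schema or policies; the table names, columns and the helper functions my_academy_id() and my_role() are assumptions, and auth.uid() is Supabase's built-in helper that returns the caller's user id from the request JWT.

```sql
-- Added example, not PlayerFocus's own schema or policies (names are assumptions).
-- Shows how Postgres RLS can enforce both the per-academy boundary and the
-- per-role visibility at the database level.

create table profiles (
  user_id    uuid primary key references auth.users (id),
  academy_id uuid not null,
  role       text not null check (role in ('director', 'coach', 'parent'))
);

create table coach_teams (
  coach_user_id uuid not null references auth.users (id),
  team_id       uuid not null,
  primary key (coach_user_id, team_id)
);

create table players (
  id             uuid primary key default gen_random_uuid(),
  academy_id     uuid not null,          -- every row is tagged with its academy
  team_id        uuid,
  parent_user_id uuid references auth.users (id),
  name           text not null
);

-- Helpers that read the caller's academy and role from their profile row.
-- security definer lets them run even when profiles itself is under RLS;
-- search_path is pinned so the lookup cannot be redirected to another schema.
create or replace function my_academy_id() returns uuid
language sql stable security definer set search_path = public as $$
  select academy_id from profiles where user_id = auth.uid()
$$;

create or replace function my_role() returns text
language sql stable security definer set search_path = public as $$
  select role from profiles where user_id = auth.uid()
$$;

alter table players enable row level security;
alter table players force row level security;   -- applies to the table owner too

-- Read policy: the academy check comes first; the role check narrows within it.
create policy players_select on players
  for select
  using (
    academy_id = my_academy_id()
    and (
         my_role() = 'director'
      or (my_role() = 'coach'
          and team_id in (select team_id from coach_teams
                          where coach_user_id = auth.uid()))
      or (my_role() = 'parent' and parent_user_id = auth.uid())
    )
  );

-- Write policies: "with check" rejects inserting a row into, or re-tagging a row to,
-- another academy, which is what stops a crafted API call from writing across clubs.
create policy players_insert on players
  for insert
  with check (academy_id = my_academy_id() and my_role() in ('director', 'coach'));

create policy players_update on players
  for update
  using (academy_id = my_academy_id() and my_role() in ('director', 'coach'))
  with check (academy_id = my_academy_id());

create policy players_delete on players
  for delete
  using (academy_id = my_academy_id() and my_role() = 'director');
```

Two properties of this layout are worth checking in any real deployment: a caller with no profiles row gets NULL from my_academy_id(), so every comparison is NULL and they see and change nothing (the policies fail closed); and because the policies are permissive and there is no policy for any other role, an operation with no matching policy is simply denied rather than allowed by default.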
Email delivery
Transactional emails (invites, password resets, weekly reports) are sent via Resend from a verified sender on our own domain. Recipients can see exactly where an email came from, and we monitor bounces and complaints to keep deliverability healthy.
Monitoring and incident response
We watch platform health in real time and investigate anomalies quickly. If we ever become aware of a security incident that affects your club’s data, we’ll notify your director within 72 hours of discovery with what we know, what we’re doing about it, and what — if anything — you need to do.
Responsible disclosure
If you’re a researcher and you think you’ve found a security issue, please tell us before telling anyone else. Write to security@playerfocus.ca with a clear reproduction path. We’ll acknowledge within two business days, and we’ll work with you in good faith on a fix.
No bug bounty program yet — but we thank researchers publicly (with permission) once fixes are deployed.
Questions
For any security-related question, reach us at security@playerfocus.ca.
