This Privacy Policy describes how SpotBasket ("we," "us," or "our") collects, uses, and protects your personal information when you use our website, applications, and services (collectively, the "Services"). We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other relevant privacy regulations.
By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy.
1. Information We Collect
1.1. Information You Provide
We collect information you directly provide when you:
- Create an account: Name, email address, password, phone number, date of birth
- Use our services: Training data, performance metrics, assessment results, preferences
- Make purchases: Billing information, payment details (processed by Stripe/Paddle)
- Contact us: Name, email, phone number, message content
- Join academy programs: Student information, emergency contacts, medical information
- Participate in surveys: Feedback, opinions, demographic information
1.2. Automatically Collected Information
When you use our Services, we automatically collect:
- Device information: IP address, browser type, operating system, device identifiers
- Usage data: Pages visited, features used, time spent, click patterns
- Location data: General geographic location based on IP address (with your consent for precise location)
- Cookies and tracking: See Section 7 for details
1.3. Information from Third Parties
We may receive information from:
- Payment processors (Stripe, Paddle)
- Social media platforms (if you connect your account)
- Analytics providers (Google Analytics, Mixpanel)
- Academy partners and coaches
2. How We Use Your Information
We use your personal information for the following purposes:
- Service delivery: Provide, maintain, and improve our Services
- Account management: Create and manage your account, authenticate users
- Payment processing: Process transactions, billing, and refunds (where applicable)
- Communication: Send updates, notifications, marketing materials (with your consent)
- Personalization: Customize your experience, recommend content and programs
- Analytics: Analyze usage patterns, improve our Services, conduct research
- Safety and security: Detect fraud, prevent abuse, protect against security threats
- Legal compliance: Comply with legal obligations, respond to legal requests
- Customer support: Respond to inquiries, resolve issues, provide assistance
3. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we process your personal data based on:
- Consent: You have given explicit consent for specific purposes (e.g., marketing communications, location tracking)
- Contract performance: Processing is necessary to fulfill our contract with you (e.g., providing Services you purchased)
- Legitimate interests: Processing is necessary for our legitimate business interests (e.g., improving Services, fraud prevention), provided your rights don't override these interests
- Legal obligation: Processing is required to comply with applicable laws
4. How We Share Your Information
We may share your information with:
4.1. Service Providers
- Payment processors: Stripe, Paddle (for secure payment processing)
- Cloud hosting: AWS, Google Cloud (for data storage and computing)
- Analytics: Google Analytics, Mixpanel (for usage analysis)
- Email services: SendGrid, Mailchimp (for communications)
- Customer support: Zendesk, Intercom (for support tickets)
4.2. Business Partners
We may share information with academy partners, coaches, and franchisees to deliver Services. They are required to protect your information and use it only for authorized purposes.
4.3. Legal Requirements
We may disclose information when required by law, to enforce our terms, protect our rights, or ensure safety of users and the public.
4.4. Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.
We do NOT sell your personal information to third parties for their marketing purposes.
5. International Data Transfers
Important: SpotBasket operates globally. Your personal information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have different data protection laws.
For EEA users, we ensure adequate protection through:
- Standard Contractual Clauses approved by the European Commission
- Data Processing Agreements with all service providers
- Adequacy decisions where applicable
6. Data Retention
We retain your personal information for as long as necessary to:
- Provide our Services to you
- Comply with legal obligations (e.g., tax records, 7 years)
- Resolve disputes and enforce agreements
- Maintain business records
Typical retention periods:
- Active account data: Duration of account plus 90 days
- Inactive accounts: Deleted after 3 years of inactivity
- Payment records: 7 years (legal requirement)
- Marketing data: Until you unsubscribe
- Analytics data: Up to 26 months
7. Cookies and Tracking Technologies
7.1. What Are Cookies
Cookies are small text files stored on your device. We use cookies and similar technologies (pixels, web beacons, local storage) to improve your experience and analyze usage.
7.2. Types of Cookies We Use
Essential Cookies
Required for basic functionality (login, security, navigation). Cannot be disabled.
Functional Cookies
Remember your preferences (language, region, settings). Enhance user experience.
Analytics Cookies
Help us understand how you use our Services (Google Analytics, Mixpanel). Data is aggregated and anonymous.
Marketing Cookies
Track your activity to show relevant ads. Used for retargeting and measuring campaign effectiveness.
7.3. Managing Cookies
You can control cookies through your browser settings or our cookie consent tool. Note that disabling cookies may limit functionality. To opt out of Google Analytics, visit: https://tools.google.com/dlpage/gaoptout
8. Your Privacy Rights
8.1. GDPR Rights (EEA Users)
If you're in the EEA, you have the right to:
- Access: Request copies of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restriction: Limit how we process your data
- Portability: Receive your data in a machine-readable format
- Object: Object to processing based on legitimate interests
- Withdraw consent: Withdraw consent at any time (doesn't affect prior processing)
- Lodge a complaint: File a complaint with your local data protection authority
8.2. CCPA Rights (California Residents)
California residents have the right to:
- Know: What personal information we collect, use, and share
- Delete: Request deletion of your personal information
- Opt-out: Opt out of sale of personal information (we don't sell your data)
- Non-discrimination: Not be discriminated against for exercising your rights
8.3. All Users
Regardless of location, you can:
- Update your account information
- Unsubscribe from marketing emails
- Disable cookies (except essential ones)
- Close your account
9. How to Exercise Your Rights
To exercise any of your privacy rights, please contact us:
[email protected]
Please include:
- Your full name and email address associated with your account
- Description of your request (access, deletion, correction, etc.)
- Proof of identity (to prevent unauthorized access)
We will respond to your request within 30 days (or as required by applicable law). For complex requests, we may extend this period by an additional 30 days with notification.
10. Data Security
We implement industry-standard security measures to protect your personal information:
- Encryption: TLS/SSL encryption for data transmission, AES-256 for data at rest
- Access controls: Role-based access, multi-factor authentication
- Infrastructure security: Firewalls, intrusion detection, regular security audits
- Secure payments: PCI DSS compliant payment processing
- Employee training: Regular security awareness training
- Incident response: Procedures for detecting and responding to breaches
While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
11. Children's Privacy
Our Services are not directed to children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children under these ages without parental consent. Academy programs for minors require parental consent and are handled in compliance with applicable laws including COPPA (Children's Online Privacy Protection Act).
If you believe we have collected information from a child without proper consent, please contact us immediately at [email protected]
12. Do Not Track Signals
Some browsers have a "Do Not Track" (DNT) feature. Currently, there is no industry standard for DNT signals, and we do not respond to DNT browser signals. However, you can control tracking through our cookie consent tool and browser settings.
13. Third-Party Links
Our Services may contain links to third-party websites or services. We are not responsible for their privacy practices. We encourage you to read the privacy policies of any third-party sites you visit.
14. Changes to This Privacy Policy
We may update this Privacy Policy periodically. We will notify you of material changes by:
- Posting the updated policy on this page
- Updating the "Last Updated" date
- Sending email notification (for significant changes)
- Displaying a prominent notice on our website
Your continued use of our Services after changes indicates acceptance of the updated policy. We recommend reviewing this page periodically.
This Privacy Policy is effective as of December 14, 2025.