PRIVACY POLICY

Privacy Policy

Last Updated: July 12, 2026

This Privacy Policy describes how SpotBasket ("we," "us," or "our") collects, uses, and protects your personal information when you use our website, applications, and services (collectively, the "Services"). We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other relevant privacy regulations.

By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy.

1. Information We Collect

1.1. Information You Provide

We collect information you directly provide when you:

  • Create an account: Name, email address, password, phone number, date of birth
  • Use our services: Training data, performance metrics, assessment results, preferences
  • Make purchases: Billing information, payment details (processed by Stripe/Paddle)
  • Contact us: Name, email, phone number, message content
  • Join academy programs: Student information, emergency contacts, medical information
  • Participate in surveys: Feedback, opinions, demographic information

1.2. Automatically Collected Information

When you use our Services, we automatically collect:

  • Device information: IP address, browser type, operating system, device identifiers
  • Usage data: Pages visited, features used, time spent, click patterns
  • Location data: General geographic location based on IP address (with your consent for precise location)
  • Cookies and tracking: See Section 7 for details

1.3. Information from Third Parties

We may receive information from:

  • Payment processors (Stripe, Paddle)
  • Social media platforms (if you connect your account)
  • Analytics providers (Google Analytics, Mixpanel)
  • Academy partners and coaches

2. How We Use Your Information

We use your personal information for the following purposes:

  • Service delivery: Provide, maintain, and improve our Services
  • Account management: Create and manage your account, authenticate users
  • Payment processing: Process transactions, billing, and refunds (where applicable)
  • Communication: Send updates, notifications, marketing materials (with your consent)
  • Personalization: Customize your experience, recommend content and programs
  • Analytics: Analyze usage patterns, improve our Services, conduct research
  • Safety and security: Detect fraud, prevent abuse, protect against security threats
  • Legal compliance: Comply with legal obligations, respond to legal requests
  • Customer support: Respond to inquiries, resolve issues, provide assistance

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your personal data based on:

  • Consent: You have given explicit consent for specific purposes (e.g., marketing communications, location tracking)
  • Contract performance: Processing is necessary to fulfill our contract with you (e.g., providing Services you purchased)
  • Legitimate interests: Processing is necessary for our legitimate business interests (e.g., improving Services, fraud prevention), provided your rights don't override these interests
  • Legal obligation: Processing is required to comply with applicable laws

4. How We Share Your Information

We may share your information with:

4.1. Service Providers

  • Payment processors: Stripe, Paddle (for secure payment processing)
  • Cloud hosting: AWS, Google Cloud (for data storage and computing)
  • Analytics: Google Analytics, Mixpanel (for usage analysis)
  • Email services: SendGrid, Mailchimp (for communications)
  • Customer support: Zendesk, Intercom (for support tickets)

4.2. Business Partners

We may share information with academy partners, coaches, and franchisees to deliver Services. They are required to protect your information and use it only for authorized purposes.

4.3. Legal Requirements

We may disclose information when required by law, to enforce our terms, protect our rights, or ensure safety of users and the public.

4.4. Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.

We do NOT sell your personal information to third parties for their marketing purposes.

5. International Data Transfers

Important: SpotBasket operates globally. Your personal information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have different data protection laws.

For EEA users, we ensure adequate protection through:

  • Standard Contractual Clauses approved by the European Commission
  • Data Processing Agreements with all service providers
  • Adequacy decisions where applicable

6. Data Retention

We retain your personal information for as long as necessary to:

  • Provide our Services to you
  • Comply with legal obligations (e.g., tax records, 7 years)
  • Resolve disputes and enforce agreements
  • Maintain business records

Typical retention periods:

  • Active account data: Duration of account plus 90 days
  • Inactive accounts: Deleted after 3 years of inactivity
  • Payment records: 7 years (legal requirement)
  • Marketing data: Until you unsubscribe
  • Analytics data: Up to 26 months

7. Cookies and Tracking Technologies

7.1. What Are Cookies

Cookies are small text files stored on your device. We use cookies and similar technologies (pixels, web beacons, local storage) to improve your experience and analyze usage.

7.2. Types of Cookies We Use

Essential Cookies

Required for basic functionality (login, security, navigation). Cannot be disabled.

Functional Cookies

Remember your preferences (language, region, settings). Enhance user experience.

Analytics Cookies

Help us understand how you use our Services (Google Analytics, Mixpanel). Data is aggregated and anonymous.

Marketing Cookies

Track your activity to show relevant ads. Used for retargeting and measuring campaign effectiveness.

7.3. Managing Cookies

You can control cookies through your browser settings or our cookie consent tool. Note that disabling cookies may limit functionality. To opt out of Google Analytics, visit: https://tools.google.com/dlpage/gaoptout

8. Your Privacy Rights

8.1. GDPR Rights (EEA Users)

If you're in the EEA, you have the right to:

  • Access: Request copies of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Limit how we process your data
  • Portability: Receive your data in a machine-readable format
  • Object: Object to processing based on legitimate interests
  • Withdraw consent: Withdraw consent at any time (doesn't affect prior processing)
  • Lodge a complaint: File a complaint with your local data protection authority

8.2. CCPA Rights (California Residents)

California residents have the right to:

  • Know: What personal information we collect, use, and share
  • Delete: Request deletion of your personal information
  • Opt-out: Opt out of sale of personal information (we don't sell your data)
  • Non-discrimination: Not be discriminated against for exercising your rights

8.3. All Users

Regardless of location, you can:

  • Update your account information
  • Unsubscribe from marketing emails
  • Disable cookies (except essential ones)
  • Close your account

9. How to Exercise Your Rights

To exercise any of your privacy rights, please contact us:

[email protected]

Please include:

  • Your full name and email address associated with your account
  • Description of your request (access, deletion, correction, etc.)
  • Proof of identity (to prevent unauthorized access)

We will respond to your request within 30 days (or as required by applicable law). For complex requests, we may extend this period by an additional 30 days with notification.

10. Data Security

We implement industry-standard security measures to protect your personal information:

  • Encryption: TLS/SSL encryption for data transmission, AES-256 for data at rest
  • Access controls: Role-based access, multi-factor authentication
  • Infrastructure security: Firewalls, intrusion detection, regular security audits
  • Secure payments: PCI DSS compliant payment processing
  • Employee training: Regular security awareness training
  • Incident response: Procedures for detecting and responding to breaches

While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

11. Children's Privacy

Our Services are not directed to children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children under these ages without parental consent. Academy programs for minors require parental consent and are handled in compliance with applicable laws including COPPA (Children's Online Privacy Protection Act).

If you believe we have collected information from a child without proper consent, please contact us immediately at [email protected]

12. Do Not Track Signals

Some browsers have a "Do Not Track" (DNT) feature. Currently, there is no industry standard for DNT signals, and we do not respond to DNT browser signals. However, you can control tracking through our cookie consent tool and browser settings.

13. Third-Party Links

Our Services may contain links to third-party websites or services. We are not responsible for their privacy practices. We encourage you to read the privacy policies of any third-party sites you visit.

14. Mobile Application (SpotBasket App)

This section describes practices specific to our mobile application (the "App"), available on the Apple App Store and Google Play. It supplements the sections above.

14.1. Anonymous Use and Accounts

You can use the core features of the App without creating an account. If you choose to register or link the App to a SpotBasket Network profile, we collect the account data described in Section 1 (such as your name and email). A locally-generated device identifier is used to store your progress on your device and, where you enable it, to sync that progress to our servers.

14.2. Camera, Video and Motion Data

Training features (including shot tracking and shot analysis) use your device camera and motion sensors to detect the ball, the rim and your movement. This visual analysis is performed on your device. Video you record is stored on your device and is not uploaded to our servers unless you explicitly save, share, or submit it (for example, for a skills evaluation). We do not use the camera for facial recognition or identity verification.

14.3. Performance and Fitness Data

To provide training feedback and statistics, the App processes performance data you generate — such as shots attempted and made, accuracy, technique metrics, streaks and activity history. This data is stored on your device and, if you have an account, may be synced so it is available across your devices.

14.4. Purchases and Subscriptions

In-app purchases (including virtual coins and premium "Pro" features) are processed by the Apple App Store or Google Play together with our payments partner (RevenueCat). We receive the purchase and entitlement information needed to unlock content and prevent fraud; we do not receive or store your full payment card details.

14.5. Push Notifications

With your permission, we send push notifications (for example, training reminders, challenges and account activity) using our notifications provider (OneSignal). You can turn notifications off at any time in your device settings.

14.6. Diagnostics and Analytics

We collect limited technical and usage data (such as app version, device model, crash logs and feature usage) to keep the App stable and to improve it. See Section 7 for more on analytics and tracking technologies.

14.7. Device Permissions

The App may request the following permissions, each of which you control in your device settings:

  • Camera — to record and analyze your training and shots
  • Motion & fitness — to measure movement during drills
  • Photos / media storage — to save or share your clips
  • Notifications — to send reminders and updates

14.8. Deleting Your App Data

You can remove locally-stored data by deleting the App, and you can request deletion of any account-linked data at any time — from within the App or via our data deletion page. See Sections 8–9 for your broader privacy rights and how to exercise them.

15. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

  • Posting the updated policy on this page
  • Updating the "Last Updated" date
  • Sending email notification (for significant changes)
  • Displaying a prominent notice on our website

Your continued use of our Services after changes indicates acceptance of the updated policy. We recommend reviewing this page periodically.

16. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

Privacy Team: [email protected]

General Inquiries: [email protected]

Data Protection Officer (EU): [email protected]

This Privacy Policy is effective as of December 14, 2025.

© 2026 SpotBasket. All rights reserved.

© 2026 SpotBasket. All rights reserved.