SPORTSID, INC. PRIVACY POLICY

SportsID, Inc. ("SportsID," "Company," "we," "us," or "our") provides this Privacy Policy ("Policy") to explain how we collect, use, disclose, retain, and protect personal information when you access or use our websites, mobile applications, software platforms, application programming interfaces (APIs), and all related products and services (collectively, the "Services"). SportsID operates a comprehensive sports technology ecosystem serving youth athletes, coaches, teams, leagues, tournaments, and sports organizations across the United States.

This Policy applies to all users of the Services, including athletes, parents and legal guardians, coaches, team administrators, tournament organizers, league officials, and any other individuals who interact with the Services. We encourage you to read this Policy carefully and contact us at legal@sportsid.io with any questions.

This Policy is incorporated into and made part of the SportsID Terms of Use. By accessing or using the Services, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with this Policy, you must discontinue use of the Services immediately.

2.1 Services Covered

This Policy applies to personal information collected through:

• SportsID websites, web applications, and mobile applications
• CampID (camp registration and management)
• TournamentID (tournament organization and management)
• TeamID (team registration, roster management, and communications)
• CoachID (coach verification, certification tracking, and profiles)
• All other current and future SportsID platform modules
• Athletic performance tracking and analytics tools
• Sports verification and identity management services
• Registration and event management systems
• Customer support and help desk interactions
• Marketing and promotional communications
• API integrations and third-party platform connections

2.2 Exclusions

This Policy does not apply to:

• Information collected by third-party websites, applications, or services linked from or integrated with our Services (governed by their own privacy policies)
• Employment-related information about SportsID employees and job applicants (governed by a separate Employee Privacy Notice)
• Information we process solely as a service provider or processor on behalf of our business customers, where those customers act as the controller of such information
• Deidentified, aggregated, or anonymized information that cannot reasonably be used to identify any individual

We collect personal information through several channels: directly from you, automatically through your use of the Services, and from third-party sources.

3.1 Information You Provide Directly

Account and Profile Information

• Full legal name, display name, username, and password
• Email address, phone number, and mailing address
• Date of birth and age verification information
• Profile photographs and biographical information
• Emergency contact details
• Parent or legal guardian contact information (for minor users)

Sports and Athletic Information

• Sport(s) played, positions, and skill levels
• Team affiliations, club memberships, and league registrations
• Athletic achievements, statistics, and performance records
• Coaching certifications, qualifications, and background check results
• Medical clearances, physical examination records, and health information relevant to sports participation
• Training schedules, workout data, and practice attendance
• Recruiting profiles and academic eligibility information

Verification and Identity Information

• Government-issued identification documents (driver's license, passport, state ID)
• Birth certificates or age verification documents
• Academic transcripts and school enrollment records
• Citizenship and residency documentation
• Background check information and SafeSport certification status
• Proof of insurance or medical clearance documentation

Payment and Transaction Information

• Credit and debit card numbers, expiration dates, and security codes
• Bank account information for direct payments or refunds
• Billing name, address, and contact information
• Purchase history, transaction records, and subscription details
• Scholarship and financial aid application information

User Communications and Content

• Messages, comments, and communications sent through the Services
• Customer support inquiries, feedback, and complaint records
• Survey responses and user-generated content
• Audio or video recordings from virtual meetings or support calls (with notice and consent)
• Content uploaded to profiles, team pages, or shared forums

3.2 Information Collected Automatically

Device and Technical Information

• Internet Protocol (IP) address and device identifiers (IDFA, GAID, MAC address)
• Browser type, version, and language preferences
• Operating system, device model, and screen resolution
• App version, SDK identifiers, and software configuration
• Network connection type and internet service provider information

Usage and Activity Information

• Pages, screens, and features accessed within the Services
• Date and time stamps of access and interactions
• Click patterns, navigation paths, scroll depth, and session duration
• Search queries entered within the Services
• Referring URLs and exit pages
• Error logs and crash reports

Location Information

• Precise geolocation data (GPS coordinates) when you grant permission through your device settings
• Approximate location derived from IP address
• Event venue and facility check-in data
• Time zone and regional settings

Fitness and Performance Data

• Athletic performance metrics (speed, agility, strength measurements)
• Training session data from connected wearable devices or sensors
• Heart rate, respiration rate, and other biometric measurements from connected devices
• Sleep patterns, recovery data, and readiness scores (when provided or synced from third-party devices)
• Game and competition statistics

3.3 Information from Third-Party Sources

• Sports governing bodies and athletic associations (eligibility, certification, and sanctions data)
• Background check service providers and SafeSport registry data
• Schools, academic institutions, and clearinghouse organizations
• Social media platforms and publicly available sources (when you link accounts or provide consent)
• Payment processors and financial institutions (transaction verification)
• Identity verification and fraud prevention service providers
• Sports analytics and data aggregation partners
• Wearable device manufacturers and connected fitness platforms (with your authorization)

Certain categories of personal information receive heightened protection under applicable law. We process the following categories of sensitive personal information only as permitted by law and with appropriate safeguards.

4.1 Biometric Information

"Biometric information" means data generated by automated measurements of an individual's biological characteristics, including fingerprints, voiceprints, iris or retina scans, facial geometry scans, and any other unique biological patterns or identifiers used to identify a specific individual.

SportsID collects and processes biometric information in the following contexts:

• Facial recognition or facial geometry analysis for identity verification of coaches, officials, or other credentialed personnel
• Fingerprint or palm scan data for secure facility access at SportsID-managed events (where applicable)
• Voiceprint data for voice-authenticated customer support interactions
• Athletic biometric data from wearable sensors (heart rate variability, gait analysis, movement patterns) collected through connected devices with user authorization

Biometric Data Protections

In compliance with the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code Ch. 503), the Washington Biometric Identifier law (RCW 19.375), and all other applicable biometric data laws, SportsID adheres to the following:

• Written Notice and Consent. Before collecting biometric information, we provide written notice specifying the purpose and duration of collection, storage, and use. We obtain your informed, written consent (or, for minors, the written consent of a parent or legal guardian) before collecting, capturing, or otherwise obtaining biometric information.
• Purpose Limitation. We collect biometric information only for the specific purposes disclosed to you at the time of collection. We do not sell, lease, trade, or otherwise profit from biometric information.
• Retention and Destruction Schedule. We retain biometric information only until the earlier of: (a) the initial purpose for collection has been satisfied, or (b) three (3) years from the date of the individual's last interaction with the Services. Upon expiration of this retention period, we permanently destroy all biometric information using industry-standard methods within thirty (30) days.
• Security Standards. We protect biometric information using encryption at rest and in transit, access controls, and security measures that meet or exceed the standards used to protect other confidential and sensitive information.
• No Sale or Disclosure. We do not sell, lease, or trade biometric information. We do not disclose biometric information to third parties except: (i) with written consent, (ii) as required by law, regulation, or legal process, or (iii) to service providers bound by contractual obligations at least as restrictive as those described in this Policy.

4.2 Neural Data

"Neural data" means information that is generated by the measurement of the activity of an individual's central or peripheral nervous system, and that is not inferred from nonneunal information. This includes, where applicable, electroencephalography (EEG) data, functional near-infrared spectroscopy (fNIRS) readings, electromyography (EMG) data, and similar neurological measurements collected through neurotechnology devices.

In compliance with the California Consumer Privacy Act (as amended to include neural data protections, Cal. Civ. Code Section 1798.140(ae)), the Colorado Privacy Act (as amended, C.R.S. Section 6-1-1303(24)), and Connecticut's expanded sensitive data definitions effective July 1, 2026 (Conn. Gen. Stat. Section 42-515(27)), SportsID treats neural data as sensitive personal information subject to the following protections:

• We do not collect neural data without your prior, express, opt-in consent.
• We limit collection and processing of neural data to the specific purposes disclosed and consented to at the time of collection.
• We do not sell neural data under any circumstances.
• We do not use neural data for profiling, targeted advertising, or automated decision-making without separate, informed consent and the opportunity to opt out.
• We apply the highest level of technical and organizational security measures to neural data, including encryption, access controls, and compartmentalized storage.
• We permanently destroy neural data when it is no longer necessary for the purpose for which it was collected, or upon your request, subject to applicable legal retention requirements.

4.3 Other Sensitive Personal Information

We treat the following as sensitive personal information, subject to enhanced protections including opt-in consent requirements where applicable under state law:

• Racial or ethnic origin
• Religious or philosophical beliefs
• Citizenship or immigration status
• Genetic data
• Health information (physical or mental health conditions, diagnoses, treatments)
• Sexual orientation or gender identity
• Precise geolocation data (within a radius of 1,750 feet or less)
• Social Security number, driver's license number, state identification card number, or passport number
• Financial account information (account numbers, access codes, or credentials)
• Contents of mail, email, and text messages (where we are not the intended recipient)
• Personal information of known children under the age of 16

SportsID uses artificial intelligence ("AI") and machine learning ("ML") technologies in connection with certain features of the Services. This section describes how we use AI/ML, the data involved, and your rights regarding automated processing.

5.1 AI/ML Applications

We use AI/ML technologies for the following purposes:

• Athletic Performance Analytics. Analyzing training data, game statistics, and biometric measurements to generate performance insights, trend analysis, and recommendations for athletes and coaches.
• Identity Verification. Using automated identity verification tools, including facial recognition technology, to confirm the identity of coaches, officials, and event personnel.
• Fraud Detection and Platform Integrity. Detecting fraudulent registrations, suspicious payment activity, and unauthorized access attempts through pattern recognition and anomaly detection.
• Content Moderation. Automated review of user-generated content for compliance with community guidelines and identification of harmful or prohibited content.
• Personalization and Recommendations. Generating personalized content recommendations, event suggestions, and training program recommendations based on user profiles and activity.
• Customer Support Automation. Using AI-powered chatbots and virtual assistants to provide initial customer support responses and route complex inquiries to human agents.
• Safety and Safeguarding. Analyzing communications and behavioral patterns to identify potential safeguarding concerns involving minor athletes.

5.2 Training Data Practices

When SportsID uses personal information to train, develop, or improve AI/ML models, we adhere to the following principles:

• Purpose Limitation. We train AI/ML models only for the purposes disclosed in this Policy.
• Data Minimization. We use the minimum amount of personal information necessary to achieve the training objective. Where possible, we use deidentified, aggregated, or synthetic data.
• No Third-Party Model Training. We do not provide your personal information to third parties for the purpose of training their AI/ML models without your express consent.
• Opt-Out Right. You have the right to opt out of having your personal information used for AI/ML model training, except where such use is strictly necessary for fraud prevention, security, or legal compliance. To exercise this right, contact legal@sportsid.io.
• Sensitive Data Restrictions. We do not use biometric information, neural data, health information, or children's personal information for AI/ML model training without express, opt-in consent.

5.3 Automated Decision-Making and Profiling

"Automated decision-making" means a decision made by technology without meaningful human involvement that produces a legal or similarly significant effect on you. "Profiling" means any form of automated processing used to evaluate, analyze, or predict aspects of your behavior, preferences, economic situation, health, personal preferences, interests, reliability, location, or movements.

In compliance with the California Consumer Privacy Act regulations on automated decision-making technology (effective January 1, 2026), the Colorado AI Act (effective February 1, 2026), the Minnesota Consumer Data Privacy Act profiling provisions, and the Connecticut expanded opt-out rights effective July 1, 2026, SportsID provides the following protections:

• Right to Notice. We provide clear notice when automated decision-making technology or profiling is used in connection with decisions that produce legal or similarly significant effects on you.
• Right to Opt Out. You have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. This includes profiling used for eligibility determinations, recruiting evaluations, or scholarship assessments.
• Right to Access. You have the right to access information about the logic involved in automated decision-making, the categories of personal information used, and the output or result of such processing.
• Right to Contest. You have the right to contest adverse decisions made through automated processing and to request human review of such decisions.
• Right to Correction and Reevaluation. You have the right to correct inaccurate personal data used in profiling and to request reevaluation of the decision based on corrected data.

5.4 AI Transparency

In compliance with the California AI Transparency Act (effective January 1, 2026) and applicable state disclosure requirements, SportsID:

• Clearly labels AI-generated content within the Services.
• Discloses when you are interacting with an AI system (such as a chatbot) rather than a human.
• Provides a high-level summary of training data categories upon request.
• Maintains records of AI system impact assessments for high-risk applications.

5.5 Data Protection Impact Assessments for AI

SportsID conducts Data Protection Impact Assessments (DPIAs) before deploying AI/ML systems that:

• Process sensitive personal information, biometric information, or neural data
• Make or substantially contribute to decisions producing legal or similarly significant effects on individuals
• Involve the profiling of minor athletes
• Use personal information for new purposes not disclosed at the time of collection
• Present a heightened risk of harm to consumers, including financial, reputational, or physical harm

These assessments evaluate the necessity and proportionality of processing, the risks to individuals, and the measures implemented to mitigate identified risks. Assessment records are maintained in accordance with applicable law and are available for review by state regulators upon lawful request.

We use personal information for the following purposes:

6.1 Service Delivery and Operations

• Creating, maintaining, and managing user accounts and profiles
• Processing registrations for camps, tournaments, teams, leagues, and other events
• Facilitating communications between athletes, coaches, teams, and event organizers
• Processing payments, refunds, and financial transactions
• Verifying identities, ages, eligibility, and credentials
• Generating athletic performance analytics and training insights
• Managing team rosters, schedules, and organizational data

6.2 Safety, Security, and Legal Compliance

• Conducting background checks on coaches, officials, and other personnel with access to minors
• Detecting and preventing fraud, unauthorized access, and other illegal activities
• Enforcing our Terms of Use, community guidelines, and acceptable use policies
• Complying with legal obligations, including child protection laws, tax regulations, and sports governance requirements
• Responding to lawful requests from law enforcement, regulators, and judicial authorities
• Protecting the safety and welfare of minor athletes, including safeguarding assessments

6.3 Communication and Support

• Sending transactional communications (registration confirmations, payment receipts, account alerts)
• Providing customer support and responding to inquiries
• Sending administrative notices about changes to the Services or this Policy
• Sending marketing and promotional communications (with consent or as permitted by law)

6.4 Improvement and Development

• Analyzing usage patterns to improve the Services, features, and user experience
• Conducting internal research and analytics
• Testing new features, tools, and platform capabilities
• Training and improving AI/ML models as described in Section 5

6.5 Personalization

• Customizing content, recommendations, and user experience based on your profile, preferences, and activity
• Delivering relevant event suggestions and training resources

We share personal information with third parties only as described in this Policy and as permitted or required by applicable law.

7.1 Service Providers and Processors

We engage service providers who process personal information on our behalf to perform functions including: cloud hosting and data storage, payment processing and fraud detection, identity verification and background checks, email delivery and communication platforms, analytics and performance monitoring, customer support tools, and AI/ML model hosting. All service providers are bound by data processing agreements that restrict their use of personal information to the purposes specified by SportsID and require them to implement appropriate security measures.

7.2 Sports Organizations and Partners

With your consent or as necessary to provide the Services, we share information with:

• Teams, leagues, and tournament organizers (roster information, registration data, eligibility status)
• Sports governing bodies and sanctioning organizations (eligibility verification, compliance reporting)
• Schools and academic institutions (academic eligibility, recruiting profile data, with appropriate consent)
• Coaching and officiating certification bodies (credential verification)
• Event venues and facility operators (registration lists, credential data for event access)

7.3 Legal and Regulatory Disclosures

We disclose personal information when required or permitted by law, including:

• In response to lawful requests by public authorities, including law enforcement, regulatory agencies, or judicial authorities
• To comply with legal obligations, such as mandatory reporting requirements for suspected child abuse
• To protect the rights, property, or safety of SportsID, our users, or the public
• In connection with legal proceedings, arbitration, mediation, or dispute resolution
• To enforce our Terms of Use and other agreements

7.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or similar corporate transaction, personal information may be transferred to the acquiring or successor entity. We will provide notice and, where required by law, obtain consent before such transfer occurs.

7.5 With Your Consent

We share personal information with third parties when you provide express consent or direct us to do so, such as when you choose to share your athletic profile with college recruiters or connect your account with a third-party application.

7.6 No Sale of Personal Information

SportsID does not sell personal information for monetary or other valuable consideration as defined under the California Consumer Privacy Act (CCPA), the Colorado Privacy Act, the Connecticut Data Privacy Act, or any other applicable state privacy law. SportsID does not share personal information for cross-context behavioral advertising unless you have opted in to such sharing.

8.1 Cookies and Similar Technologies

We use cookies, pixels, web beacons, local storage, and similar technologies to operate the Services, remember your preferences, analyze usage, and improve your experience. The categories of cookies we use include:

• Strictly Necessary Cookies. Required for core functionality, including authentication, security, and session management. These cannot be disabled.
• Functional Cookies. Enable personalization features, such as language preferences and display settings.
• Analytics Cookies. Help us understand how users interact with the Services, which pages are visited most, and how users navigate the platform.
• Advertising Cookies. Used by advertising partners to deliver relevant advertisements and measure ad performance. We deploy these only with your consent.

8.2 Your Cookie Choices

You can manage your cookie preferences through our cookie consent banner displayed upon first visit, your browser settings, and mobile device settings. We honor Global Privacy Control (GPC) signals and other universal opt-out mechanisms as required by applicable state law. When we detect a GPC signal, we treat it as a valid opt-out of the sale or sharing of personal information and of targeted advertising.

8.3 Do Not Track Signals

We respond to "Do Not Track" browser signals and Global Privacy Control signals as required by applicable law. When we receive such a signal, we disable non-essential tracking technologies and do not share personal information for targeted advertising purposes.

SportsID serves youth athletes and recognizes the importance of protecting the privacy of minors. We comply with the Children's Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA) where applicable, and all state laws providing enhanced protections for children's personal information.

9.1 Children Under 13

• We obtain verifiable parental consent before collecting personal information from children under the age of 13, as required by COPPA.
• We collect only the minimum personal information necessary for the child to participate in sports activities and use the Services.
• We do not condition participation on the disclosure of more personal information than is reasonably necessary.
• Parents and legal guardians have the right to review their child's personal information, request correction or deletion, and withdraw consent for further collection at any time.

9.2 Minors Ages 13 to 17

• Minor accounts are created with privacy-by-default settings, limiting the visibility of profile information and restricting contact from unknown users.
• We do not sell or share the personal information of known minors for targeted advertising.
• We do not engage in profiling of minors that produces legal or similarly significant effects without parental or guardian consent and an assessment of potential harms.
• We prohibit targeted advertising directed to users we know to be under the age of 18, in compliance with the Maryland Online Data Privacy Act, Colorado Privacy Act amendments, Connecticut Data Privacy Act amendments, and other applicable state laws.
• We conduct Data Protection Impact Assessments for any processing activity that presents a heightened risk of harm to minors.

9.3 Parental Rights and Controls

Parents and legal guardians of minor users have the following rights:

• Access to all personal information collected about their child
• Correction of inaccurate information
• Deletion of their child's personal information and account
• Withdrawal of consent for collection and use of their child's information
• Control over communication preferences and notification settings
• Review and approval of any sharing of their child's information with third parties

To exercise these rights, contact legal@sportsid.io or use the parental controls available within your account settings.

9.4 Age Verification

We use age verification processes to apply appropriate privacy protections based on the user's age. These processes include self-reported date of birth, parental confirmation for accounts identifying the user as under 18, and additional verification steps as required by applicable law.

Depending on your state of residence, you have certain rights regarding your personal information. SportsID honors the following rights for all users, regardless of location, to the extent required by applicable law.

10.1 Access and Portability

You have the right to confirm whether we process your personal information and to access a copy of such information in a portable, machine-readable format. This includes the right to know the categories and specific pieces of personal information collected, the sources of collection, the purposes of processing, and the categories of third parties with whom information has been shared.

10.2 Correction

You have the right to request correction of inaccurate personal information we maintain about you.

10.3 Deletion

You have the right to request that we delete personal information we have collected from or about you, subject to exceptions permitted by law (such as information retained for legal compliance, fraud prevention, or exercising or defending legal claims).

10.4 Opt-Out Rights

You have the right to opt out of the following:

• Sale of personal information (we do not sell personal information, but you may exercise this right at any time)
• Sharing of personal information for cross-context behavioral advertising
• Targeted advertising based on personal information obtained from your activities across other websites or applications
• Profiling in furtherance of decisions that produce legal or similarly significant effects
• Use of personal information for AI/ML model training (as described in Section 5.2)
• Use of sensitive personal information for purposes beyond what is necessary to provide the Services

10.5 Right to Limit Use of Sensitive Personal Information

California residents have the right to limit the use and disclosure of sensitive personal information to purposes necessary to provide the Services, as specified under the CCPA/CPRA.

10.6 Right to Non-Discrimination and Non-Retaliation

We will not discriminate against you or retaliate in any manner for exercising any of your privacy rights. This means we will not deny you the Services, charge different prices, provide a different level of quality, or suggest that you will receive different treatment for exercising your rights.

10.7 Authorized Agents

You may designate an authorized agent to submit privacy rights requests on your behalf. The authorized agent must provide written authorization signed by you and, in some cases, we will require you to verify your identity directly before processing the request.

10.8 Right to Appeal

If we decline to take action on your privacy rights request, you have the right to appeal that decision. To file an appeal, contact legal@sportsid.io with the subject line "Privacy Rights Appeal." We will respond to your appeal within the timeframe required by applicable law (typically 45 to 60 days). If your appeal is denied, you have the right to contact your state attorney general's office or the applicable regulatory authority.

10.9 Exercising Your Rights

To submit a privacy rights request, contact us at:

• Email: legal@sportsid.io
• Phone: 1.404.900.6900
• Online: www.sportsid.io/privacy-request

We will verify your identity before processing any request. Verification may require you to provide information matching our records, confirm your email address, or provide government-issued identification. We respond to verified requests within 45 days (or as required by applicable law), with the possibility of a 45-day extension for complex or voluminous requests, with notice to you.

The following state-specific disclosures supplement the rights described in Section 10 and apply to residents of the identified states.

11.1 California (CCPA/CPRA)

The California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code Section 1798.100 et seq.), provides California residents with specific privacy rights.

Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA: identifiers, personal information under Cal. Civ. Code Section 1798.80(e), characteristics of protected classifications, commercial information, biometric information, internet or electronic network activity information, geolocation data, sensory data, professional or employment-related information, education information, inferences drawn from the above, and sensitive personal information (including government identifiers, financial account information, precise geolocation, racial or ethnic origin, biometric data for identification, health information, and neural data).

Business and Commercial Purposes

We use and disclose personal information for the business and commercial purposes described in Sections 6 and 7 of this Policy.

Sale and Sharing

SportsID does not sell personal information for monetary consideration. SportsID does not share personal information for cross-context behavioral advertising.

Retention

We retain each category of personal information for the periods described in Section 13 of this Policy.

11.2 Colorado

The Colorado Privacy Act (C.R.S. Section 6-1-1301 et seq.) provides Colorado residents with rights to access, correct, delete, and obtain portable copies of personal data, and to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.

11.3 Connecticut

The Connecticut Data Privacy Act (Conn. Gen. Stat. Section 42-515 et seq.) provides Connecticut residents with rights to access, correct, delete, and port personal data, and to opt out of targeted advertising, the sale of personal data, and profiling.

11.4 Virginia

The Virginia Consumer Data Protection Act (Va. Code Section 59.1-575 et seq.) provides Virginia residents with rights to access, correct, delete, and obtain portable copies of personal data, and to opt out of targeted advertising, the sale of personal data, and profiling.

11.5 Texas

The Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Chapter 541) provides Texas residents with rights to access, correct, delete, and port personal data, and to opt out of targeted advertising, the sale of personal data, and profiling. SportsID also complies with the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code Chapter 503) regarding all biometric data collected from Texas residents.

11.6 Oregon

The Oregon Consumer Privacy Act (ORS Section 646A.570 et seq.) provides Oregon residents with rights to access, correct, delete, and port personal data, and to opt out of targeted advertising, the sale of personal data, and profiling. Effective January 1, 2026, Oregon prohibits the sale of personal data when the controller has actual knowledge or willfully disregards that the consumer is under 16 years of age, and prohibits the sale of data that identifies past or present precise geolocation (within a radius of 1,750 feet) that is linked or linkable to a consumer.

11.7 Montana

The Montana Consumer Data Privacy Act (Mont. Code Ann. Section 30-14-2801 et seq.) provides Montana residents with rights to access, correct, delete, and port personal data, and to opt out of targeted advertising, the sale of personal data, and profiling. SportsID complies with Montana's 2025 amendments adding enhanced children's privacy provisions.

11.8 Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, and Maryland

Residents of these states have rights under their respective comprehensive privacy laws, which took effect between January 1, 2025 and October 1, 2025. These rights include, to the extent provided by each state's law: the right to access, correct, and delete personal data; the right to data portability; the right to opt out of targeted advertising, the sale of personal data, and profiling; and the right to appeal a denied privacy request.

The Maryland Online Data Privacy Act (effective October 1, 2025) requires data minimization as a default principle and prohibits the sale of sensitive data, including precise geolocation data. The Minnesota Consumer Data Privacy Act (effective July 31, 2025) grants consumers the right to question profiling decisions, review data used in profiling, correct inaccurate data for reevaluation, and obtain information about the categories of third-party data recipients.

11.9 Indiana, Kentucky, and Rhode Island

The Indiana Consumer Data Protection Act, the Kentucky Consumer Data Protection Act, and the Rhode Island Data Transparency and Privacy Protection Act all took effect on January 1, 2026. Residents of these states have rights to access, correct, delete, and obtain portable copies of personal data, and to opt out of targeted advertising, the sale of personal data, and profiling. Sensitive data (including health information, biometric identifiers, precise geolocation, and children's data) requires opt-in consent. SportsID conducts data protection impact assessments for high-risk processing activities as required by each law. Penalties for noncompliance are up to $7,500 per violation in Indiana and Kentucky and $10,000 per violation in Rhode Island. Rhode Island provides no cure period for violations.

11.10 Utah and Arkansas

The Utah Consumer Privacy Act and the Arkansas Social Media Safety Act (with comprehensive privacy provisions effective July 1, 2026) provide residents of those states with consumer privacy rights. SportsID will honor all applicable rights under these laws as they take effect.

11.11 Illinois

SportsID complies with the Illinois Biometric Information Privacy Act (740 ILCS 14/1 et seq.) with respect to all biometric identifiers and biometric information collected from Illinois residents. Our specific obligations and your rights regarding biometric data are described in Section 4.1 of this Policy.

11.12 European Economic Area, United Kingdom, and Switzerland (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) and/or the UK GDPR.

Legal Bases for Processing

We process personal data on the following legal bases: performance of a contract (to provide the Services you request), your consent (for marketing, sensitive data processing, and cookies), our legitimate interests (for platform security, analytics, and fraud prevention, balanced against your rights and freedoms), and compliance with legal obligations.

Additional GDPR Rights

In addition to the rights listed in Section 10, EEA, UK, and Swiss residents have the right to: restrict processing of personal data, object to processing based on legitimate interests, withdraw consent at any time, and lodge a complaint with a supervisory authority.

International Transfers

When we transfer personal data from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses approved by the European Commission (or the UK equivalent), the EU-U.S. Data Privacy Framework (where applicable), or other approved transfer mechanisms.

SportsID implements and maintains a comprehensive information security program designed to protect personal information against unauthorized access, disclosure, alteration, destruction, and misuse.

12.1 Technical Safeguards

• Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
• Multi-factor authentication (MFA) for administrative and privileged access
• Role-based access controls and least-privilege access principles
• Network segmentation, firewalls, and intrusion detection/prevention systems
• Continuous security monitoring and logging
• Regular vulnerability assessments and penetration testing
• Secure software development lifecycle (SSDLC) practices

12.2 Organizational Safeguards

• Annual privacy and security training for all employees and contractors
• Background checks for employees with access to personal information
• Written information security policies and procedures
• Due diligence and contractual security requirements for all third-party service providers
• Periodic internal and external security audits

12.3 Cybersecurity Audit Program

In compliance with the CCPA cybersecurity audit regulations (effective January 1, 2026), SportsID conducts annual cybersecurity audits that evaluate the effectiveness of our security program, identify vulnerabilities, and verify compliance with applicable requirements. Audit findings inform our ongoing security improvement efforts.

12.4 Data Breach Notification

In the event of a data breach involving personal information, SportsID will:

• Investigate and contain the incident promptly
• Notify affected individuals and applicable regulatory authorities within the timeframes required by law (typically 30 to 72 hours depending on jurisdiction)
• Provide clear information about the nature of the breach, the categories of information affected, and the measures taken in response
• Offer appropriate remediation, such as credit monitoring, where warranted
• Document the incident and implement corrective measures to prevent recurrence

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law.

13.1 Retention Periods

13.2 Inactive Accounts

Accounts that have been inactive for three (3) years may be anonymized or deleted after reasonable notice to the account holder. Essential records may be retained longer as required by legal, regulatory, or sports governance obligations.

13.3 Backup and Recovery

Backup copies containing personal information are securely deleted within ninety (90) days of the applicable retention period's expiration.

SportsID operates primarily in the United States. If you are located outside the United States, your personal information will be transferred to and processed in the United States, where our servers, business operations, and service providers are located.

When we transfer personal information from jurisdictions that require specific transfer safeguards (including the EEA, UK, and Switzerland), we rely on the following mechanisms:

• Standard Contractual Clauses (SCCs) approved by the European Commission, or the UK International Data Transfer Agreement/Addendum
• The EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Data Privacy Framework (where applicable and maintained)
• Binding Corporate Rules (where applicable for intra-group transfers)
• Your explicit consent, where no other mechanism is available and after being informed of the risks

The Services may contain links to third-party websites, applications, or services. We may also offer integrations with third-party platforms (such as social media accounts, wearable device platforms, or recruiting services). This Policy does not apply to the practices of third parties that we do not own or control. We encourage you to read the privacy policies of every third-party service you access through or connect to our platform. SportsID is not responsible for the privacy practices or content of third-party services.

SportsID is committed to making this Privacy Policy accessible to all individuals, including those with disabilities. If you have difficulty accessing this Policy or need it in an alternative format, contact legal@sportsid.io or call 1.404.900.6900 and we will provide reasonable accommodations.

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable laws and regulations. When we make material changes, we will:

• Post the updated Policy on our website with a revised effective date
• Send email notification to registered users at the email address associated with their account
• Provide prominent notice within the Services (such as an in-app banner or pop-up notification)
• Allow a reasonable period for review before changes take effect, except where immediate effectiveness is required by law

We encourage you to review this Policy periodically. Your continued use of the Services after the effective date of an updated Policy constitutes your acceptance of the changes.

If you have questions, concerns, or requests regarding this Privacy Policy or SportsID's privacy practices, please contact us:

For California residents: You may contact us at the above address and email for information about your CCPA/CPRA rights and our privacy practices. You may also contact the California Privacy Protection Agency at cppa.ca.gov.

For EEA/UK residents: Our EU/UK representative can be reached at legal@sportsid.io. You also have the right to lodge a complaint with your local supervisory authority.

This Privacy Policy is effective as of February 6, 2026, and applies to all users of SportsID's Services. By continuing to use our Services after this date, you acknowledge that you have read and understood this Policy.