Join

Privacy Policy

Future of Sports Labs Inc.

Last Updated: March 16, 2026

Global Scope

This Privacy Policy applies worldwide to all users of the FSP platform (“FSP” or the “Platform”), which is provided and controlled by Future of Sports Labs Inc., a Delaware corporation (“Future of Sports Labs,” “we,” “us,” or “our”). This Policy explains how we collect, use, share, and otherwise process the personal information of users and other individuals. We are committed to meeting or exceeding privacy requirements in every jurisdiction where we operate, including the Americas, Europe, Asia-Pacific, the Middle East, and Africa. We monitor evolving privacy laws globally and update our practices accordingly. If you do not agree with this Policy, you should not use the Platform.

1. Information We Collect

We collect information in the following categories:

1.1 Athletic Performance and Biometric Data

Before collecting any biometric data, We obtain your separate, written informed consent as required by applicable law, including the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), the Washington My Health MY Data Act, and equivalent state or national laws. We maintain a publicly available written policy governing its retention and destruction schedule for biometric data, accessible at privacy.futureofsports.io/biometric-policy.

We collect the following categories of biometric data and biometric identifiers, limited to those necessary for the purposes described in this Policy:

  • Skeletal movement data
  • Body positioning and posture analysis
  • Gait and movement patterns
  • Joint angles and biomechanical measurements
  • Speed, velocity, and acceleration metrics
  • Reaction times
  • Facial geometry (solely for identity verification and anti-spoofing)

We do not collect biometric data beyond these enumerated categories without providing updated notice and obtaining fresh consent. FSP’s Edge AI analyzes this data in real time to verify skills and score performances. We will not sell, lease, trade, or profit from your biometric data except as expressly disclosed and consented to in accordance with applicable law.

1.2 Account Information

When you create an account, We collect your name, email address, date of birth, login credentials, and any additional profile preferences you configure or requested by FSP.

1.3 Competition and Performance Data

We collect your scores, rankings, challenge attempts, skill progression data, and, where you participate, celebrity challenge performance data plus any arena majors and any finals where you have qualified.

1.4 Device and Technical Information

We automatically collect your IP address, device type, browser fingerprints, behavioral and interaction data, and usage information. This information is used to operate, maintain, and improve the Platform.

1.5 Location Data

Where you enable location features, We collect GPS data for outdoor activities and arena positioning for indoor facilities. You control when location sharing is active through your device and account settings.

1.6 Payment Information

Transactions for competition fees, prize payouts and arena creator payouts, and subscriptions are processed by our licensed payment partners (including Stripe and Affirm). FSP receives only transaction confirmation data and anonymized transaction identifiers. Payment card data is handled in accordance with PCI DSS standards.

1.7 Connected Device Data

Where you choose to connect fitness wearables, smartwatches, or sports equipment, We collect data from those devices in accordance with the permissions you grant.

1.8 Programmatic Advertising and Telemetry Data

During verified sessions, our supply-side platform may transmit real-time telemetry data to third-party demand-side platforms (DSPs) and advertising exchanges via programmatic bid requests (including but not limited to OpenRTB protocols), for the purpose of serving contextual augmented reality advertisements. This telemetry may include your current physical activity type, movement velocity, calorie expenditure, fatigue index, skeletal fidelity score, and AR placement coordinates.

We will obtain your separate, freely given, opt-in consent before transmitting any biometric telemetry data (including skeletal fidelity scores and fatigue index) to DSPs or advertising exchanges. This consent is separate from your general platform consent, is not a condition of using the Platform, and may be withdrawn at any time through your Privacy Dashboard without loss of core platform access. Non-biometric session context (such as sport type and approximate activity level) may be used for contextual ad targeting without separate consent. You may opt out of all programmatic advertising data sharing at any time through your Privacy Settings.

1.9 Commerce and Attribution Data

When you use our commerce features, we collect:

  • Receipt images and OCR-extracted data (date, item, and vendor) from receipt scans
  • 3D object and logo recognition data from AR gear authentication scans
  • GPS and QR code data from Arena Geo-Scan check-ins
  • Purchase and click data from in-app affiliate commerce links

This data is used for commerce attribution, brand partner CPA verification, and SP minting, and may be shared with brand partners, advertisers, and other third parties for lawful commercial purposes.

In connection with the Golden Ticket Sweepstakes, We also offer an Alternative Method of Entry (AMOE) by physical mail. Where you submit a 3x5 index card as an AMOE entry, We collect only your name and return mailing address as printed on the card, solely to: (a) record your sweepstakes entry; (b) verify eligibility; and (c) contact you if you are selected as a winner. AMOE mail-in data is retained for 12 months from the close of the relevant sweepstakes season and then securely destroyed. It is not used for marketing, profiling, or any commercial purpose other than sweepstakes administration, and is not shared with third parties except as required to administer prizes or comply with applicable sweepstakes laws, including New York General Business Law §369-e and Florida Statutes §849.094.

1.10 Captain Program and Referral Network Data

Where you participate in the Captain Program or referral system, We collect and processes your referral chain data (up to three levels), Network Contribution Score (NCS) calculations, downstream participant activity and session data attributed to your referral network, tier placement and promotion/relegation history, and monthly payout records. This data is used for fraud detection, NCS recalculation, clawback or slashing actions, and other lawful commercial purposes.

1.11 Sweepstakes and Prize Verification Data

Where you participate in Golden Ticket sweepstakes or win experience prizes, We collect identity verification data (via Plaid, Stripe Identity, or equivalent), government-issued ID, background check results (for in-person experiences), and contact and logistics information for prize fulfillment. This data is processed for KYC compliance, safety verification, and experience coordination, and is retained for seven years for legal and audit purposes.

1.12 Derived Data

We derive, compile, and create insights, analytics, benchmarks, statistical models, and derivative datasets from aggregated and anonymized user data (collectively, “Derived Data”). Derived Data must be genuinely anonymized such that no individual user can be identified or re-identified from it, whether alone or in combination with other reasonably available information. FSP owns the intellectual property rights in such anonymized Derived Data. We may use, share, license, or sell anonymized Derived Data for research, analytics, product development, commercial licensing, and other lawful purposes, consistent with the purposes for which the underlying personal data was collected and as required by applicable data protection law, including GDPR Article 5(1)(b) (purpose limitation). Where Derived Data is not fully anonymized, it remains personal data and is subject to all user rights and protections set out in this Policy. We will not use Derived Data to re-identify or attempt to re-identify any individual user.

2. How We Use Your Information

2.1 Platform Operations

We use your information to power real-time skill verification, analyze athletic performance, process biometric measurements, score competitions, and deliver personalized training insights through its Edge AI and to improve AI models.

2.2 Skill Verification and Analytics

Our AI analyses your biometrics, video, and performance metrics to verify skills by comparison against established athletic benchmarks. Results may vary based on lighting, camera positioning, equipment, sport type, and environmental factors; no specific accuracy rate is guaranteed. We generate personalized analytics, identifies areas for improvement, tracks your progress, and enables peer and benchmark comparisons.

We also create anonymized datasets and Derived Data from verification sessions to improve its AI systems and develop new performance assessment methods, consistent with the purposes described in this Policy.

2.3 Competitions and Challenges

We process your performance data, results, and rankings to operate tournaments, distribute rewards, maintain leaderboards, and ensure competitive integrity. Where you participate in celebrity challenges, FSP compares your performance against reference data provided by participating athletes.

2.4 Platform Improvement

We use anonymized and de-identified data to train and improve its AI models, enhance skill recognition, and develop new features. Usage data is also used to optimize the user experience, diagnose technical issues, and conduct product research.

2.5 Legal Compliance and Safety

We process data as necessary to comply with applicable law, including age verification, anti-money laundering requirements, tax obligations, and data protection mandates. We also use data to detect and prevent fraud, unauthorized activity, and security threats.

2.6 Communications

We use your contact information to provide customer support, deliver service notifications, and respond to inquiries. Where required by applicable law, We obtain your consent before sending marketing or promotional communications. You may manage your communication preferences through your account settings at any time.

2.7 Payment Processing

Our payment partners process transactions for competition fees, prize payouts, and subscriptions. Financial data is used solely for completing transactions, preventing fraud, satisfying legal obligations, and resolving disputes. Financial data is subject to enhanced security controls and shorter retention periods than other categories of data.

2.8 Legal Bases for Processing

We process your personal data on the following legal bases:

  • Consent — Where required by applicable law, We obtain your consent before processing sensitive data, including biometric data and biometric telemetry transmitted to advertising partners. You may manage and withdraw consent through your Privacy Dashboard at any time.
  • Contract Performance — Processing necessary to manage your account, operate competitions, and deliver the features and services you have signed up for.
  • Legitimate Interests — Platform security, fraud prevention, service improvement, and marketing to existing users, where such interests are not overridden by your privacy interests.
  • Legal Obligation — Processing required to comply with applicable law, including data retention mandates, regulatory reporting, and child protection requirements.
  • Commercial Data Activities — We process, shares, licenses, and otherwise exploits aggregated, de-identified, anonymized, pseudonymized, and Derived Data for commercial purposes based on legitimate interests and, where strictly required by applicable mandatory law, your consent. This includes sharing with data buyers, advertisers, researchers, and analytics companies for lawful commercial purposes.

3. AI and Automated Decision-Making

3.1 Overview

Our AI systems process athletic performance data, verify skills, analyze biometrics, and generate competition scores. Most AI processing occurs locally on your device or on edge servers, which minimizes data transmission and enhances privacy. AI decisions affect your skill verification results, competition rankings, performance scores, training recommendations, and eligibility for certain platform features.

3.2 Types of AI Processing

  • Skill Verification — We analyze video, sensor data, and biometric inputs to verify skills. Accuracy varies by sport and improves as the system processes additional data.
  • Performance Analytics — We generate personalized training insights and benchmark comparisons.
  • Competition Scoring — We automatically score competitions, ranks participants, and determines prize eligibility based on verified performance.
  • Content Moderation — We screen videos, images, and communications for policy violations.
  • Fraud Detection — We identify suspicious activity and unauthorized behavior to maintain competitive integrity.

3.3 Transparency

We are committed to transparency regarding its AI systems. Upon request, We will explain in plain language how its AI reached a specific decision affecting your skill verification, scores, or account. We publish general information about its AI systems and algorithms in its AI Transparency Center, which is updated quarterly. Where required by applicable law, including the EU AI Act, We provide additional documentation and impact assessments.

3.4 Your Rights Regarding AI Decisions

  • Human Review — You may request that a qualified human reviewer assess any AI decision that significantly affects you.
  • Appeals — You may challenge any skill verification result, score, or content moderation decision through FSP’s appeals portal within 24 hours of the decision. Appeals are reviewed by a human within 7 business days; complex cases are reviewed within 14 business days.
  • Explanation — You may request details about the data and logic that influenced a specific AI decision.
  • Correction — Where an AI decision was based on inaccurate data or a system error, We will correct the decision and update any affected results upon request.

3.5 AI Training

Where permitted by applicable law, We may use anonymized or pseudonymized performance data to train and improve its AI models. Where required by applicable law (including the GDPR), We will obtain your separate, freely given opt-in consent before using your personal data for AI training purposes. You may opt out of AI training use of your data at any time through your Privacy Dashboard, without loss of access to core platform features, though opting out may reduce the personalization of certain AI-powered features. Your participation in verified sessions is not conditioned on consent to AI training data use. Data already incorporated into trained models in a manner that cannot be separated will be subject to FSP’s standard anonymization and deletion processes to the extent technically feasible.

3.6 Fairness and Bias Mitigation

We regularly test our AI systems for bias with respect to race, gender, age, and disability. Independent auditors periodically review FSP’s AI for fairness and accuracy. We use diverse training data and monitors outcomes to promote equitable treatment across all users. Users who believe they have been subjected to unfair AI treatment may report their concern to FSP, which will investigate and respond within 30 days.

3.7 AI Updates

We will provide at least 30 days’ advance notice of material changes to its AI systems that affect scoring or decisions that significantly impact users. Notice will be provided through your preferred contact channels. Where material AI changes could affect historical results, We will offer options for retroactive review where technically feasible.

4. How We Share Your Information

4.1 Essential Service Providers

We share personal data with service providers that are necessary for platform operations, including cloud hosting providers (AWS, Microsoft Azure, Google Cloud Platform or any such platform), payment processors (Stripe, PayPal, Affirm), identity verification providers (such as Plaid, Stripe Identity), and customer support platforms (such as Zendesk, Intercom). These providers process data only as directed by FSP and are bound by Data Processing Agreements that include privacy safeguards, security requirements, and data subject rights obligations.

4.2 Sports Venues and Leagues

We partner with sports venues, leagues, and academies to provide competition and skill verification services. We may share your performance data with these partners as necessary for platform operations. Where required by applicable mandatory law, We will obtain your consent before sharing identifiable personal data with venue partners and will inform you of the recipients and purposes. You may manage your data sharing preferences for individual partners through your Privacy Dashboard, subject to applicable law. Opting out of certain sharing may limit your access to platform features.

4.3 Celebrity and Athlete Partners

Celebrity challenge participation may involve sharing your performance data with participating athletes for verification, leaderboard management, and promotional purposes. Where required by applicable mandatory law, We will obtain your consent before sharing identifiable performance data with celebrity partners. Participation in celebrity challenges is optional; opting out does not affect your access to standard competitions.

4.4 Research and Analytics Partners

We may share anonymized, de-identified, or Derived Data with research institutions, sports science organizations, and other third parties for research, analytics, product development, and commercial licensing purposes. Such data does not permit the identification of individual users. You may opt out of data sharing for these purposes to the extent required by applicable mandatory law, though doing so may affect certain platform features.

4.5 Marketing and Advertising Partners

Where strictly required by applicable mandatory law, We will obtain your explicit consent before sharing identifiable personal data with marketing partners for commercial purposes, including advertising, product development, and market research. We will inform you of the identity of such partners, the purposes of sharing, and the duration of their access. You may withdraw consent at any time through your Privacy Dashboard.

4.6 Programmatic Advertising Partners (DSPs)

During verified sessions, our supply-side platform may transmit real-time bid requests containing kinetic telemetry data to third-party DSPs and advertising exchanges for contextual AR advertising. We will obtain your separate, freely given, opt-in consent before transmitting biometric or sensitive telemetry data to DSPs. This consent applies globally. Non-biometric contextual data may be used for contextual targeting without separate consent. You may withdraw consent for biometric DSP telemetry sharing at any time through your Privacy Dashboard; withdrawal takes effect within 48 hours for future sessions. You may opt out of all programmatic advertising data sharing through Platform settings without loss of SP earning opportunities or core platform access.

4.7 Captain Program and Referral Network

Where you participate as a Captain, We process your referral chain data, NCS, downstream participant activity, tier placement, and payout records for tier calculations, fraud detection, and monthly payout processing. Where FSP determines that fraudulent activity has occurred within your referral network, the following process applies:

  • NCS Recalculation and Tier Demotion: We will notify you in writing at least 24 hours before any NCS recalculation and resulting tier demotion takes effect, except where immediate action is required to prevent ongoing fraud or financial harm, in which case notification will be provided simultaneously.
  • Fiat Clawbacks: We will provide at least 72 hours’ written notice before executing any fiat clawback, specifying the amount, basis, and supporting evidence. Clawback execution will be paused if you submit a dispute within that window.
  • Dispute Rights: You may dispute any NCS recalculation, tier demotion, or fiat clawback within 7 days of notification by submitting a written dispute to legal@futureofsports.io. A human reviewer will assess your dispute and provide a written determination within 14 business days.
  • Human Oversight: All fiat clawback decisions require human review and approval by a designated compliance officer before execution.

4.8 Sweepstakes and Prize Fulfillment Partners

For Golden Ticket sweepstakes and experience prize fulfillment, We share identity verification data with KYC providers, background check services (for in-person experiences), and experience fulfillment partners (including celebrity teams, venue operators, and merchandise providers). This sharing is necessary for prize verification, safety compliance, and logistics coordination. Failure to complete identity verification or background checks where required may result in forfeiture of prizes.

4.9 Commerce and Attribution Partners

We share commerce attribution data — including receipt OCR data, AR gear authentication results, Arena Geo-Scan check-in data, and in-app purchase data — with brand partners, advertisers, and affiliate networks for CPA verification, attribution reporting, and SP minting purposes. We may share deterministic attribution logs linking verified physical sessions to retail purchases with brand partners for campaign reporting. Such logs may include session identifiers, timestamps, calorie data, and purchase details, but will not include your name or contact information unless you have separately consented.

4.10 Legal Disclosures

We may disclose personal data where required by law, court order, regulatory request, or legal process. We will notify you of such disclosures where legally permitted, will provide only the minimum data necessary, and will challenge requests that appear overbroad or unlawful.

4.11 International Data Transfers

We operate globally. Your personal data may be transferred to and processed in countries outside your country of residence, including the United States. We use legally approved safeguards for all international transfers, including adequacy decisions, Standard Contractual Clauses (SCCs), and other recognized transfer mechanisms. Where an adequacy decision is withdrawn, We will implement alternative protections within 30 days. We review all international transfer arrangements annually and updates them when privacy laws change.

4.12 Cookies and Tracking

We use the following categories of cookies and tracking technologies:

  • Essential Cookies — Required for platform functionality, including authentication, session management, and security. These cannot be disabled without disrupting core services.
  • Performance Cookies — Anonymous and aggregated data used to measure platform performance and improve AI systems.
  • Functional Cookies — Used to remember your preferences, language settings, and competition history.
  • Marketing Cookies — Used for targeted advertising and campaign measurement. Where required by applicable law, these require your consent.

You may update your cookie preferences at any time through your account settings or our cookie manager. Changes take effect within 48 hours. Non-essential third-party cookies require your consent where required by applicable law.

5. Your Privacy Rights

Depending on your location, you may have the following rights with respect to your personal data:

5.1 Right of Access

You may request confirmation of whether We process your personal data, and if so, a copy of that data together with information about the purposes of processing, the categories of data processed, recipients, retention periods, and the source of the data.

5.2 Right of Rectification

You may request correction of inaccurate or incomplete personal data through your account settings or by contacting FSP’s privacy team. We will respond within 30 days and notify relevant third parties of corrections where required by law.

5.3 Right of Erasure

You may request deletion of your personal data where we no longer require it for the purposes for which it was collected, where you have withdrawn consent, where the data was unlawfully processed, or where deletion is required by law. We may retain certain data for legal compliance, fraud prevention, or legitimate interests in accordance with applicable law. Competition data may be retained in anonymized form to preserve the integrity of historical leaderboards. Biometric data used for AI training will be deleted upon request unless it has already been anonymized in a manner that cannot be reversed.

5.4 Right to Data Portability

You may request a copy of the personal data you have provided to us in a structured, commonly used, machine-readable format, including your profile, performance metrics, competition history, and settings. Certain AI-generated insights may be subject to technical limitations on portability.

5.5 Right to Restrict Processing

You may request that we temporarily suspend processing of your personal data while accuracy disputes, legality challenges, or objection reviews are pending.

5.6 Right to Object

You may object to processing of your personal data based on our legitimate interests, for direct marketing purposes, or for profiling. We will cease such processing unless it can demonstrate compelling legitimate grounds that override your interests or the processing is required for the establishment, exercise, or defense of legal claims. You may also object to automated decisions that significantly affect you, including AI-based skill verification and competition scoring, and request human review of any such decision.

5.7 Right to Withdraw Consent

Where processing is based on your consent, you may withdraw that consent at any time through your account settings. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

5.8 Non-Discrimination

We will not discriminate against you for exercising your privacy rights to the extent required by applicable mandatory law. However, exercising certain opt-out rights may result in reduced platform functionality or loss of access to features that depend on the relevant processing activity. Exercising your data rights does not entitle you to a refund, except where required by applicable law.

5.9 How to Exercise Your Rights

You may exercise your privacy rights through your account dashboard, our privacy preference center, or by contacting the Data Protection Officer at legal@futureofsports.io. We will verify your identity before processing your request.

  • GDPR (EU/UK): We will respond within 30 days, extendable by a further 2 months for complex requests.
  • CCPA/CPRA (California): We will respond within 45 days, extendable by a further 45 days where reasonably necessary.
  • Other jurisdictions: We will respond within the timeframe required by applicable local law.

5.10 Compensation and Statutory Rights

We operate a data-driven business model in which the SP rewards, platform access, and competition infrastructure We provide constitute the consideration for your use of the Platform and FSP’s associated data processing activities described in this Policy. Nothing in this Policy limits any statutory right you have under applicable law, including:

  • Your right to compensation for damages caused by unlawful data processing under GDPR Article 82, CCPA Section 1798.150, LGPD Article 42, BIPA Section 20, or equivalent provisions in other jurisdictions;
  • Your right to bring complaints before data protection authorities; or
  • Any other right that cannot lawfully be waived or limited by contract.

To the extent permitted by applicable law and consistent with the foregoing, you acknowledge that SP rewards and platform access represent the commercial consideration for FSP’s use of anonymized and aggregated Derived Data as described in this Policy, and you do not have a separate entitlement to additional monetary compensation for such uses beyond the SP and platform benefits provided. This paragraph does not apply to your biometric data, for which separate consent and applicable statutory rights govern.

5.11 Authorized Agents

Where permitted by applicable law, an authorized agent may submit privacy rights requests on your behalf. We will verify the agent’s authority and your identity before processing any such request.

6. Data Monetization Acknowledgment

You acknowledge and agree that: (a) We operate a data-driven business model in which anonymized and aggregated performance data, commerce attribution data, and Derived Data have commercial value; (b) where you have provided consent, We may license anonymized Skeletal Interaction Minutes (SIM) and other de-identified performance data to third-party AI companies, sports analytics firms, gaming studios, biomechanical research labs, and other data buyers; (c) where you have separately consented, FSP’s programmatic advertising systems may transmit kinetic telemetry during verified sessions to advertising exchanges and DSPs; (d) the SP rewards, platform access, and competition infrastructure provided by FSP constitute the commercial consideration for your use of the Platform and FSP’s associated data processing activities described in this Policy; and (e) nothing in this Policy limits any statutory right you have under applicable law, including rights to compensation for unlawful data processing under GDPR Article 82, CCPA Section 1798.150, BIPA Section 20, LGPD Article 42, or equivalent provisions in other jurisdictions.

7. Protection of Minors

7.1 Age Requirements and Parental Consent

The minimum age of digital consent varies by jurisdiction: 13 in the United States (COPPA), 16 in the European Union (GDPR), 18 in the United Kingdom (UK Children’s Code), and equivalent ages in other jurisdictions. Where a user is below the applicable age of digital consent, FSP requires verified parental or guardian consent before collecting any personal data. FSP verifies parental consent through credit card checks, digital signatures, video calls, or government ID confirmation.

7.2 Enhanced Protections for Minors

Accounts belonging to minors are subject to the following protections by default:

  • Highest privacy settings applied automatically
  • Collection limited to the minimum data necessary for platform access
  • No sale, licensing, or commercial sharing of identifiable personal data, except as required for platform operations or as permitted by applicable children’s privacy laws including COPPA and the GDPR
  • No transmission of biometric or performance telemetry to third-party DSPs or advertising exchanges via programmatic bid requests
  • Programmatic AR advertising during minor users’ sessions uses only contextual targeting based on sport type and session context — not biometric telemetry or behavioral profiling
  • Location sharing disabled
  • Third-party sharing restricted
  • Celebrity challenges blocked unless specifically authorized by a parent or guardian

Collection of biometric data from minors requires separate parental consent with clear, age-appropriate explanations of the data collected and the purposes of collection.

7.3 Parental and Guardian Controls

Parents and guardians may review, modify, or delete their child’s personal data at any time through FSP’s parental control dashboard or by contacting FSP directly. We provide real-time privacy dashboards for parents and guardians showing data collected, sharing arrangements, and platform usage. Parents and guardians may revoke consent or suspend their child’s account at any time; revoking certain consents may limit the child’s access to platform features. Account deletion requests will be completed within 30 days unless legal retention obligations apply.

7.4 Minors in Competitions

Minors may participate in age-appropriate competitions with parental consent and in accordance with the protections required by applicable law, including COPPA, the GDPR, and the UK Children’s Code. We apply additional bias testing and human oversight to AI decisions affecting minor users. Use of minor users’ data for AI training requires parental consent where mandated by applicable law and is subject to technical safeguards against individual identification.

7.5 Data Retention for Minors

Personal data relating to minor users is retained for a maximum of three years or until the user turns 18, whichever is shorter, unless legal obligations require longer retention. Parental consent records are retained for five years after the minor reaches the age of majority. Parents and guardians may request immediate deletion of all data associated with their child’s account; We will complete such deletion within 30 days unless legal retention obligations apply.

7.6 Applicable Law

We comply with COPPA in the United States, the GDPR in the European Union, the UK Children’s Code in the United Kingdom, the DPDP Act in India (requiring parental consent for users under 18), and equivalent children’s privacy laws in all other jurisdictions where We operate.

8. International Data Transfers

As a global platform, We may transfer your personal data to and process it in countries outside your country of residence, including the United States, for the purposes described in this Policy. We ensure that all international transfers are subject to legally approved safeguards, including adequacy decisions, Standard Contractual Clauses, and other recognized mechanisms. Biometric and sensitive data is subject to additional geographic restrictions based on applicable law.

All partners receiving EU or UK personal data have executed Standard Contractual Clauses with additional protections. Where an adequacy decision is withdrawn, We will implement alternative protections within 30 days. We review all international transfer arrangements annually and updates them as privacy laws evolve. We maintain records of all transfers for regulatory review upon request.

You may object to international transfers of your personal data, to the extent this does not prevent the provision of essential platform services. Where applicable law requires local data processing, We will honor such requirements, which may result in certain services being unavailable.

We maintain technical and organizational measures to protect against excessive government access to user data in all processing locations. Where legally permitted, We will notify you of government requests for your data. We challenge government requests that are overbroad or not supported by applicable law.

9. Competitions and Challenges

9.1 Data Processing in Competitions

When you join a competition, your performance data will be collected, processed, and shared with other participants, judges, or third parties as necessary for platform operations. Where required by applicable mandatory law, We will obtain your consent for specific data processing activities related to competition participation. Competition-specific consent is separate from your general platform consent where required by law. Withdrawing competition consent may require you to withdraw from ongoing competitions where your data is required for scoring.

9.2 Data Collected During Competitions

During competitions, We collect detailed performance data, including biometric measurements, movement analysis, skill execution metrics, reaction times, and sport-specific data required for accurate scoring. FSP’s AI handles real-time scoring, skill verification, fraud detection, and rankings. You may request human review of any AI decision that affects your competition results. You may request deletion of your competition history, subject to FSP’s right to retain data for competition integrity, fraud prevention, and legal compliance.

9.3 Celebrity Challenges

Celebrity challenges involve sharing your performance data with participating athletes for verification, promotional, and leaderboard purposes. Where required by applicable mandatory law, We will obtain your consent for specific data sharing activities. Participation in celebrity challenges is optional; opting out does not affect your access to standard competitions. Celebrity athletes are bound by data processing agreements governing their use of participant data. We may share aggregated, de-identified, or Derived Data with celebrity partners for lawful purposes without restriction.

9.4 Competition Analytics and Sharing

We create anonymized analytics from competition data for platform improvement and research purposes. Individual users cannot be identified from such analytics. Sharing of individual performance data with venues, leagues, or sponsors may occur as part of platform operations or for lawful commercial purposes; where required by applicable mandatory law, We will obtain your consent and inform you of the recipients and purposes. You may exercise opt-out rights to the extent provided by applicable mandatory law through your Privacy Dashboard.

9.5 Competition Data Rights

Competition data is subject to our standard retention schedules unless you request deletion, request extended retention, or applicable law requires retention. You may access, obtain portable copies of, and correct all competition data associated with your account. Where deletion of your data would affect the accuracy of historical leaderboards, We will pseudonymize your data rather than delete it, to preserve competition records while protecting your privacy.

9.6 Fair Play and Non-Discrimination

We regularly audit our AI systems for bias related to race, gender, age, and disability. You may use FSP’s appeals process to request human review of any scoring, skill verification, or eligibility decision. We do not use competition data to profile or discriminate against users on the basis of protected characteristics.

10. Data Security

10.1 Technical Safeguards

We protect your personal data using industry-standard AES-256 encryption at rest and TLS 1.3 or higher in transit. Multi-factor authentication is required to access sensitive data. FSP’s Edge AI processes biometric data locally on your device where technically feasible, minimizing data transmission. Independent security firms conduct audits and penetration testing at least annually and following any material system update or incident.

10.2 Organizational Safeguards

Access to personal data is restricted to our personnel who require it for legitimate operational purposes, enforced through role-based access controls. All personnel with access to personal data receive privacy and security training upon joining FSP and annually thereafter. Third-party service providers must meet or exceed FSP’s security standards and are subject to regular audits and contractual breach notification requirements. FSP’s Data Protection Officer oversees security compliance across all regions.

10.3 Incident Response

We maintain documented incident response procedures with defined escalation paths and notification timelines that comply with all applicable legal requirements. Encrypted backups are stored in multiple locations and tested for restoration quarterly. Vendors are assessed for security compliance before engagement and may be terminated immediately for failure to meet required standards.

10.4 AI Security

AI training data is subject to privacy-preserving techniques including pseudonymization and differential privacy. FSP’s AI systems are protected against adversarial attacks and unauthorized access. Comprehensive audit trails and logging support FSP’s obligations to provide explanations of AI decisions.

10.5 Monitoring

We continuously monitor its systems for unusual access patterns and potential threats, with automated alerts and response protocols. Where required by applicable law, We will notify you of data security incidents within 72 hours of becoming aware of them. Security policies are reviewed regularly and critical patches are implemented immediately upon availability.

10.6 Certifications

We maintain ISO 27001, SOC 2 Type II, and other internationally recognized security certifications. Cross-border data transfers are subject to additional encryption and access controls. We conduct regular compliance assessments to verify adherence to GDPR, CCPA/CPRA, and other applicable privacy law requirements.

11. Data Retention

11.1 General Approach

We retain personal data only for as long as necessary to deliver its services, comply with applicable law, resolve disputes, enforce its agreements, and pursue legitimate commercial interests, including data monetization, commercial licensing, and exploitation of Derived Data. Retention periods vary by data category and applicable law. We review its retention schedules regularly.

11.2 SP Inactivity Flush

If your account records no verified physical session for a continuous period of 180 days, your SP (Skill Points) balance will be reset to zero in accordance with FSP’s Inactivity Flush policy. The Inactivity Flush does not automatically trigger deletion of your personal data; the SP flush clock and the account data retention clock operate independently. You may reactivate flushed SP by paying a $10 processing fee or completing 3 Truth Pass sessions within 24 hours. Reactivation does not affect the retention or deletion status of your personal data.

11.3 Retention Schedule

  • Athletic performance and biometric data: 7 years maximum, or until account deletion, whichever occurs first
  • Skill verification video and images: 3 years from capture (subject to active disputes)
  • AI training datasets (pseudonymized): 5 years
  • Competition results and rankings: 5 years from competition end
  • Celebrity challenge data: 3 years from completion
  • Prize and reward records: 7 years (tax and audit requirements)
  • Account and profile data: active period plus 2 years after last activity
  • Financial transaction data: 7 years (financial regulations)
  • Customer support records: 3 years from last interaction
  • Precise location data: 1 year (or until anonymized for analytics)
  • Device identifiers: 2 years from last activity or account deletion
  • Venue check-in data: 18 months from visit
  • Minor user data: 3 years maximum, or until the user turns 18 plus 1 year, whichever is shorter
  • Parental consent records: 5 years after the minor reaches adulthood
  • Sweepstakes and prize verification data: 7 years (legal and audit requirements)
  • Self-exclusion data: duration of exclusion period plus 7 years (regulatory compliance)
  • AMOE mail-in data: 12 months from close of relevant sweepstakes season

11.4 Deletion Process

We automatically delete expired data on a monthly cycle, with quarterly deep reviews. Where your account becomes inactive, We will provide 30 days’ notice before initiating automatic deletion. Account deletion requests are completed within 30 days, with written confirmation provided upon completion. Selective deletion of specific data categories may be requested where technically and legally feasible.

We will not delete data subject to active legal holds, ongoing disputes, fraud prevention investigations, or safety investigations. Anonymized data that cannot be linked to any individual may be retained indefinitely for research, platform improvement, and lawful commercial purposes, including licensing and sale to third parties. Legal holds pause normal deletion schedules until resolved. We maintain deletion logs and audit trails and will provide written verification of deletion within 60 days of a deletion request.

12. Consent Management

Where our processing of your personal data is based on consent, we adhere to the following standards:

  • Consent requests are presented in clear, plain language without manipulative design patterns, pre-checked boxes, or confusing options.
  • Where consent is required, each processing activity requires your active opt-in. We do not assume consent from inaction or continued use of the Platform, except as permitted by applicable law.
  • Accepting and declining consent options receive equal visual prominence.
  • Separate consent is provided for: biometric data collection; biometric telemetry transmitted to DSPs; performance analytics; AI training use; marketing communications; and third-party data sharing, where required by applicable law.
  • Where you withdraw consent for a consent-based processing activity, We will cease that processing for future data. Withdrawal takes effect immediately in your Privacy Dashboard.
  • Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

Your Privacy Dashboard provides a single interface to view all active consents, their scope and duration, and the identity of any third parties with access to your data under each consent. You may download your consent history and export your preference settings at any time.

For users below the age of digital consent in their jurisdiction, parental consent is required and managed through FSP’s parental control dashboard, in accordance with COPPA, the GDPR, the UK Children’s Code, the DPDP Act, and equivalent applicable law. We maintain comprehensive consent records for regulatory review.

13. Jurisdiction-Specific Privacy Rights

13.1 European Union (GDPR)

We process the personal data of EU residents in accordance with the General Data Protection Regulation (GDPR). EU residents have the rights described in Section 5, including rights of access, rectification, erasure, restriction, portability, and objection. Biometric data requires explicit consent; this consent may be withdrawn at any time. We conduct Data Protection Impact Assessments for high-risk processing activities and maintains Records of Processing Activities as required. Cross-border transfers use adequacy decisions or Standard Contractual Clauses. EU residents may file complaints with their local data protection authority.

13.2 United Kingdom (UK GDPR)

UK residents receive equivalent protections under UK GDPR and the Data Protection Act 2018. International transfers use ICO-recognized mechanisms. Users under 13 require parental consent; users under 18 are subject to enhanced protections under the UK Children’s Code.

13.3 California (CCPA/CPRA)

California residents have the right to know, delete, correct, and limit the use of sensitive personal information, and to opt out of the sale or sharing of personal information, to the extent required by the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). As required by CCPA Section 1798.135, We provide a “Do Not Sell or Share My Personal Information” link on its website homepage and in its app settings. To exercise this right, visit: [INSERT URL: e.g., privacy.fsp.com/do-not-sell] or navigate to Account Settings > Privacy > Do Not Sell or Share. Opting out of the sale or sharing of personal information will not affect your access to core platform features or your ability to earn SP. Where FSP transmits kinetic telemetry to DSPs via OpenRTB for advertising purposes, such transmission constitutes “sharing” under the CCPA and is subject to this opt-out. We have assessed its status under California’s data broker registration requirements; [INSERT: confirm registration status before publication]. Biometric data is processed only for the stated purposes with your consent, which you may limit at any time.

13.4 Other US State Privacy Laws

We comply with applicable US state privacy laws, including the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Texas Data Privacy and Security Act (TDPSA), and equivalent laws in Oregon, Montana, Delaware, Iowa, New Hampshire, and other states with applicable privacy legislation. Residents of these states have rights to access, correct, delete, and obtain copies of their personal data, and to opt out of targeted advertising, sale of personal data, and profiling with significant legal effects, to the extent provided by applicable law.

13.5 Other Jurisdictions

We comply with applicable privacy laws in all jurisdictions where it operates, including: Japan (APPI); South Korea (PIPA); Singapore (PDPA); India (DPDP Act 2023); China (PIPL and Cybersecurity Law); South Africa (POPIA); UAE (DIFC/ADGM data protection regulations); New Zealand (Privacy Act 2020); Thailand (PDPA); Philippines (Data Privacy Act 2012); Malaysia (PDPA 2010); Hong Kong (PDPO); Taiwan (PDPA); Indonesia (UU PDP); Vietnam (Decree 13/2023/ND-CP); Argentina (PDPL); Mexico (LFPDPPP); Chile (Law 19,628); Colombia (Law 1581 of 2012); Saudi Arabia (PDPL); Israel (Privacy Protection Law); Qatar (Law No. 13 of 2016); Bahrain (Law No. 30 of 2018); Nigeria (NDPR and Data Protection Act 2023); Kenya (Data Protection Act 2019); Egypt (Law No. 151 of 2020); Switzerland (nFADP); Turkey (KVKK); Russia (Federal Law No. 152-FZ); Brazil (LGPD); Canada (PIPEDA); and Australia (Privacy Act 1988 and Australian Privacy Principles). Residents of these jurisdictions have the rights specified under applicable local law. Where multiple jurisdictions’ laws apply, We comply with the applicable requirements in each jurisdiction.

14. Third-Party Services and Integrations

We utilize third-party service providers across the following categories: (i) cloud infrastructure and data hosting (AWS, Microsoft Azure, Google Cloud Platform); (ii) payment processing (Stripe, PayPal, Apple Pay, Affirm); (iii) analytics and performance measurement (Google Analytics, Adobe Analytics); (iv) content delivery and media streaming (Cloudflare, AWS CloudFront); (v) customer support (Zendesk, Intercom); (vi) security and fraud prevention (device fingerprinting and identity verification providers); (vii) marketing and advertising platforms; and (viii) AI model training and machine learning services (Roboflow).

All third-party service providers are bound by Data Processing Agreements that include privacy safeguards, security requirements, data subject rights obligations, and breach notification requirements. Third-party processors are prohibited from using FSP user data for their own business purposes unless explicitly authorized by users or pursuant to separate commercial arrangements for anonymized, de-identified, or Derived Data. FSP periodically reviews third-party privacy practices but is not responsible for the data practices of third parties who receive data from FSP. We will notify users of material changes to third-party integrations through privacy policy updates and account notifications.

You may view active third-party integrations and understand data sharing purposes through your Privacy Dashboard. Where required by applicable law, you may withdraw consent for non-essential third-party processing through Platform settings, which may result in reduced platform functionality.

15. Updates to This Privacy Policy

We reserve the right to update this Privacy Policy at any time to reflect changes in our data processing practices, applicable law, regulatory requirements, or platform services. When FSP makes material changes to this Policy, it will provide at least 30 days’ advance notice through your registered email address, prominent in-app notifications, and website banners. Material changes include, without limitation: introduction of new data collection practices; changes to third-party data sharing; modifications to user rights or opt-out procedures; changes to data retention periods; and updates to the legal bases for processing.

For non-material changes such as clarifications or updates to contact information, We will update the “Last Updated” date at the top of this Policy and may provide notice through the Platform.

For changes that require explicit consent under applicable privacy law, including new purposes for processing sensitive personal data or biometric information, We will obtain your affirmative consent before implementing such changes. All Policy updates will include a clearly stated effective date. Updated policies will not apply retroactively to data collected under prior versions, unless required by law or with your explicit consent. We maintain an archive of prior Privacy Policy versions, accessible on its website for at least three years.

16. Contact Information and Data Protection Officer

For all privacy-related questions, concerns, requests, or regulatory inquiries, contact our Data Protection Officer (DPO):

Email: legal@futureofsports.io (attention: DPO)

Mail: FSP Data Protection Officer, Future of Sports Labs Inc, Princeton, New Jersey, USA

Our DPO operates independently and reports directly to our executive leadership to ensure impartial handling of privacy matters and regulatory compliance. We will acknowledge privacy inquiries within 72 hours and provide substantive responses within the timeframes required by applicable law.

17. Dispute Resolution and Complaints

17.1 Internal Complaint Process

Users may submit privacy-related complaints to our DPO at legal@futureofsports.io, through the in-app privacy complaint form, or by written correspondence. We will acknowledge receipt within 72 hours and provide a substantive response within 30 days, or within the shorter period required by applicable law. Complex complaints requiring third-party coordination may take up to 60 days; We will provide status updates every 14 days.

17.2 Escalation

Where a user is unsatisfied with our initial response, the user may request escalation to our Privacy Review Board within 30 days of receiving the initial response. The Privacy Review Board will provide a final determination within 45 days of the escalation request. Users retain the right to pursue external remedies at any time, regardless of the status of internal proceedings.

17.3 Regulatory Authorities

  • European Union and EEA: Users may file complaints with their local data protection authority or the lead supervisory authority (edpb.europa.eu).
  • United Kingdom: Information Commissioner’s Office (ico.org.uk or 0303 123 1113).
  • California: California Privacy Protection Agency (privacy.ca.gov).
  • Brazil: Autoridade Nacional de Proteção de Dados (gov.br/anpd).
  • Other jurisdictions: Contact our global privacy team at legal@futureofsports.io for referral to the applicable regulatory authority.

17.4 Alternative Dispute Resolution

Privacy-related disputes are also subject to the governing law, binding arbitration, and class action waiver provisions in our Terms of Service, where applicable. We participate in binding arbitration for privacy disputes where required by law or where mutually agreed, subject to applicable consumer protection requirements. Nothing in this Policy limits users’ rights to pursue legal remedies in courts of competent jurisdiction under applicable privacy and consumer protection law.