SportsX — Cookie Policy

Version: 1.0 Effective Date: 2026-05-14 Last Updated: 2026-05-14 Jurisdiction: Province of Ontario, Canada (Phase 1) Operator: Next Play AI Inc. ("Next Play AI," "we," "us," "our") Privacy Officer: privacy@nextplayai.xyz

PLAIN-LANGUAGE SUMMARY — PLEASE READ

Phase 1 cookie posture: minimal. We use only the cookies that are strictly necessary to operate the SportsX service, plus a small set of functional cookies that remember your login session and language preference. We do not use marketing, advertising, or third-party tracking cookies in Phase 1. Specifically, we do not use Google Analytics, Meta Pixel, TikTok Pixel, HubSpot tracking, or Segment.

What you can do. You can block or delete cookies in your browser settings. Blocking strictly-necessary cookies will break login and security features. Blocking functional cookies will require you to log in more often.

If we add more cookies in a future Phase, we will update this Cookie Policy, display a cookie consent banner that asks for your consent, and we will not load non-strictly-necessary cookies until you consent.

Questions. Email our Privacy Officer at privacy@nextplayai.xyz.

SECTION 1 — WHAT THIS POLICY COVERS

This Cookie Policy describes how Next Play AI Inc. uses cookies, similar local-storage technologies, and tracking pixels (collectively, "Cookies") on:

our public website at https://www.sportsx.ai and any sub-domains;
the SportsX web application;
any mobile application we publish (where browser-equivalent local storage is used);
any account-creation, registration, and signing flow we operate.

This Cookie Policy is incorporated into, and should be read together with, our Privacy Policy (A2). Capitalized terms not defined here have the meanings given in our Privacy Policy.

This Cookie Policy does not cover:

websites operated by Clubs themselves (those are governed by the Club's own cookie policy);
third-party websites or services we link to.

SECTION 2 — WHAT COOKIES ARE

A "cookie" is a small text file that a website stores on your device (computer, tablet, phone) to remember information about you between page loads or visits. Similar technologies include local storage, session storage, and tracking pixels.

Cookies fall into broadly four categories:

Category	Purpose	Phase 1 use
Strictly-necessary	Cannot be disabled — required for the website / app to function (login, security, CSRF protection).	✅ Yes
Functional	Remember choices you make (language, login persistence) to give you a better experience.	✅ Limited use
Analytics	Help us understand how you use the service (e.g., page views, time on page) so we can improve it.	❌ Not used in Phase 1
Marketing / advertising	Build a profile of you for targeted advertising or measurement of advertising effectiveness.	❌ Not used in Phase 1

SECTION 3 — COOKIES WE USE IN PHASE 1

3.1 Strictly-necessary cookies

Cookie name (illustrative)	Purpose	Duration	First-party / third-party
`sx_session`	Authenticates your login session and prevents you from being logged out unexpectedly	Until you log out, or 24 hours of inactivity	First-party
`sx_csrf`	Prevents cross-site request forgery attacks (CSRF) on form submissions and state-changing actions	Session only (cleared when you close the tab / browser)	First-party
`cf_*` (Cloudflare)	Edge security, bot protection, DDoS mitigation	Up to 30 days	Third-party (Cloudflare) — service provider only, not used for marketing

3.2 Functional cookies

Cookie name (illustrative)	Purpose	Duration	First-party / third-party
`sx_lang`	Remembers your language preference (English / French in a future Phase)	12 months	First-party
`sx_remember_me`	Optional — keeps you logged in across browser sessions when you tick "Remember me" at login	30 days	First-party
`sx_consent_v`	Records the version of this Cookie Policy you have seen, so we can show you a notice if it changes materially	12 months	First-party

Note on cookie names: the exact cookie names listed above are illustrative. Implementation may vary; the table above is updated whenever the implementation changes.

3.3 Cookies set by Subprocessors performing service functions

Some Subprocessors enumerated in our Privacy Policy Section 7.2 and Data Processing Addendum (Schedule 2) set cookies in the course of performing their service function:

Subprocessor	Cookie role	Purpose
Cloudflare	`cf_*` cookies	Edge security and DDoS mitigation (strictly-necessary for service availability)
Stripe	`__stripe_*` cookies (loaded on payment pages only)	Fraud prevention during checkout (strictly-necessary for payment security)

These cookies are loaded for service-functional reasons (security and fraud prevention). They are not used for marketing, behavioural advertising, or cross-site tracking.

SECTION 4 — COOKIES AND TECHNOLOGIES WE EXPLICITLY DO NOT USE IN PHASE 1

To be clear about what is not present, the following cookies and tracking technologies are not used in Phase 1:

Technology	Used in Phase 1?
Google Analytics 4 (`_ga`, `_gid`, `_gat`)	❌ Not used
Meta (Facebook) Pixel (`_fbp`, `fr`)	❌ Not used
TikTok Pixel (`_ttp`, `_tt_*`)	❌ Not used
LinkedIn Insight Tag (`li_*`)	❌ Not used
Twitter / X Universal Tag	❌ Not used
HubSpot tracking (`__hstc`, `__hssrc`, `hubspotutk`)	❌ Not used
Segment.io tracking (`ajs_*`)	❌ Not used
Hotjar / FullStory / Mouseflow session-replay	❌ Not used
Google Tag Manager	❌ Not used
Cross-site tracking pixels of any kind	❌ Not used
Browser fingerprinting beyond what is necessary for security	❌ Not used

If, in a future Phase, we choose to introduce any of the technologies listed above, we will:

Update this Cookie Policy with the specific cookie name, purpose, duration, and Subprocessor;
Display a cookie consent banner at your next visit that asks for your consent in a form that complies with PIPEDA, the Office of the Privacy Commissioner of Canada Guidance on Online Consent, and the Information and Privacy Commissioner of Ontario guidance on cookie use;
Default to "off" — non-strictly-necessary cookies will not load until you consent;
Allow easy withdrawal of consent at any time through a "Cookie Settings" link in the website footer.

SECTION 5 — DO NOT TRACK AND GLOBAL PRIVACY CONTROL

Some browsers transmit a "Do Not Track" (DNT) signal, and some browsers and extensions support the "Global Privacy Control" (GPC) signal.

In Phase 1, our deliberately minimal cookie posture means the practical effect of DNT or GPC on your experience is limited — we do not run analytics or marketing tracking that DNT / GPC would normally suppress.

If we introduce analytics or marketing cookies in a future Phase, we will honour DNT and GPC signals as instructions to default the relevant categories to "off" without requiring you to interact with the cookie banner.

SECTION 6 — HOW TO MANAGE COOKIES

You can control cookies through your browser settings.

6.1 Browser controls

Chrome: Settings → Privacy and Security → Cookies and other site data
Firefox: Settings → Privacy & Security → Cookies and Site Data
Safari: Preferences → Privacy → Cookies and website data
Edge: Settings → Cookies and site permissions → Cookies and site data
Mobile browsers: check the equivalent Privacy / Security section in your browser's settings

6.2 Effect of blocking cookies

If you block…	Effect
Strictly-necessary cookies	The service will not work — login and signing will fail
Functional cookies	The service will work, but you will need to log in more often and re-set your language preference each time
Cookies entirely	Same as blocking strictly-necessary — service will not work

6.3 Mobile / app local storage

Where the SportsX mobile application uses browser-equivalent local storage (e.g., for session persistence), you can clear it through the operating system's app-management settings (for example, on iOS: Settings → SportsX → "Clear data"; on Android: Settings → Apps → SportsX → Storage → Clear storage).

SECTION 7 — INTERACTION WITH OUR PRIVACY POLICY

This Cookie Policy is part of our overall privacy framework. The metadata captured through cookies (such as IP address and session identifier) is treated as personal information in our Privacy Policy and is governed by the Privacy Policy's:

legal basis under PIPEDA Schedule 1 (Privacy Policy Section 6)
sharing with Service Providers (Privacy Policy Section 7)
cross-border processing disclosure (Privacy Policy Section 8)
retention periods (Privacy Policy Section 9)
security measures (Privacy Policy Section 10)
your rights (Privacy Policy Section 11)

For the avoidance of doubt: cookie data falls within the Privacy Policy's coverage.

SECTION 8 — COOKIES IN B2B MEMBER-FACING FLOWS

8.1 When you sign a document through the Service

When you sign a PDSA, Liability Waiver, Parental Indemnity, Rowan's Law Code of Conduct, Rowan's Law Cognitive Resources Acknowledgment, PIPEDA Standalone Consent, or Electronic Signature Consent through the Service, the strictly-necessary cookies described in Section 3.1 are loaded to operate the signing flow.

The audit-trail elements captured (IP address, timestamp, device fingerprint, document version hash, scroll-to-bottom completion) are described in detail in our Data Processing Addendum, Schedule 4, and in the Electronic Signature Consent (C1). These elements are necessary to give the signed document the reliability required by section 11(2) of the Ontario Electronic Commerce Act, 2000.

8.2 No cookies for analytics during the Member intake flow

To be explicit: when a Member or parent is in the registration / signing flow, no analytics or marketing cookies are loaded. Only strictly-necessary cookies and the audit-trail elements run. This is by design — the Member's signing experience must not be conditioned on analytics or behavioural tracking.

SECTION 9 — UPDATES

We may update this Cookie Policy from time to time to reflect changes in our cookie use, our Subprocessor list, or applicable law.

Material changes (such as introducing analytics or marketing cookies) will trigger:
- update to this policy and to the "Last Updated" date at the top
- email notice to Authorized Users
- cookie consent banner at next site visit
- in-product banner at next login
- at least 30 days' notice for material adverse changes
Non-material changes (such as renaming a cookie or adjusting cookie duration without changing what data is collected) will be reflected by updating the "Last Updated" date at the top.
The current version is always available at our public website at https://www.sportsx.ai/cookies.

If you would like to see prior versions of this Cookie Policy, contact us at privacy@nextplayai.xyz.

SECTION 10 — CONTACT

Privacy Officer
Next Play AI Inc.
Attention: Privacy Officer
2030 Bristol Cir, Unit 210, Oakville, ON, Canada, L6H 6P5
Email: privacy@nextplayai.xyz
Legal: legal@nextplayai.xyz

We aim to respond to cookie-related inquiries within five (5) business days of receipt.

SECTION 11 — COMPLAINTS

If you are not satisfied with our response to a cookie-related inquiry, you may complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca) under PIPEDA. Full contact details are in our Privacy Policy Section 17.

SECTION 12 — DEFINITIONS

"Cookie" has the meaning in Section 2.

"Service" means the SportsX software-as-a-service platform operated by Next Play AI Inc.

"Subprocessor" has the meaning in our Privacy Policy Section 7.2 and Data Processing Addendum.

"Strictly-necessary cookie" means a cookie without which the basic functionality of the Service would not work — for example, login authentication and CSRF protection.

"Functional cookie" means a cookie that remembers choices you have made (such as language preference) so that the Service is more convenient for you on subsequent visits.

"Analytics cookie" means a cookie that helps the operator of the Service understand how the Service is used, for the purpose of improving it.

"Marketing / advertising cookie" means a cookie that builds a profile of you for the purpose of targeting advertising or measuring the effectiveness of advertising.

ELECTRONIC ACKNOWLEDGMENT

By using the Service, you acknowledge that you have read this Cookie Policy and understand which cookies are loaded on your device and why. If you do not agree with this Cookie Policy, you can disable cookies in your browser, or you can choose not to use the Service.

Cookie Policy v1.0 — effective 2026-05-14. Phase 1 jurisdiction: Ontario only. The English text governs in all cases. French translation will be made available in a future Phase consistent with the AODA accessibility plan.