SportsX — Privacy Policy
Version: 1.1
Effective Date: 2026-05-14
Last Updated: 2026-05-14
Jurisdiction: Province of Ontario, Canada (Phase 1)
Operator: Next Play AI Inc. ("Next Play AI," "we," "us," "our")
Privacy Officer: privacy@nextplayai.xyz
PLAIN-LANGUAGE SUMMARY — PLEASE READ
What this policy covers. It explains how Next Play AI collects, uses, shares, stores, and protects your personal information when you visit our website, create an account, use the SportsX service, or sign documents through our service.
Three relationships. Your relationship with us depends on the role you are in:
- Club operator, administrator, or staff member — we are directly responsible for your personal information.
- Member, parent, or guardian using the service through a Club's invitation — the Club is the organization responsible for your information held in connection with that Club's programs; we process it on the Club's behalf.
- Member or parent / guardian holding a SportsX Member Account — we are directly responsible for the information you provide to your Member Account (your contact details, household and child profiles, summaries of documents you have signed, summaries of your participation and payments, and your consent preferences). This information is held under separate Member Account Terms and stays with us if any Club stops using the service.
Where your data is stored. Primarily in Canada (Amazon Web Services, Montréal). Some processing occurs in the United States (AI inference, error monitoring, edge security). The full list is in Section 7.
Your rights under PIPEDA and PHIPA. You have the right to know what personal information we have, ask us to correct it, withdraw consent, request deletion, and complain to a regulator. See Section 11.
Children. If you are under 18, a parent or guardian must consent before any personal information is submitted. See Section 13.
Health information. If you have a concussion history, allergy, or medical condition recorded through our service, that information is treated as Personal Health Information under Ontario's PHIPA. See Section 14.
Questions. Email our Privacy Officer at privacy@nextplayai.xyz.
Complaints. You can complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, for health-information matters, the Information and Privacy Commissioner of Ontario (ipc.on.ca).
SECTION 1 — WHO WE ARE
Next Play AI Inc. is a Canadian corporation headquartered in Oakville, Ontario, Canada. We operate the SportsX software-as-a-service platform (the "Service"), which is used by Ontario youth sports clubs to manage member registration, intake of consents and signed documents, scheduling, attendance, payments, and communications.
This Privacy Policy applies to:
- our public website at https://www.sportsx.ai and any sub-domains;
- the SportsX web application;
- any mobile application we publish;
- any account-creation, registration, and signing flow we operate;
- any communication you send us by email, contact form, or phone.
This Privacy Policy does not apply to:
- websites or services operated by Clubs themselves (those are governed by the Club's own privacy policy);
- third-party websites or services we link to;
- any data you provide directly to a Club outside our Service.
SECTION 2 — THREE ROLES, THREE LEVELS OF RESPONSIBILITY
Under Canadian privacy law, an organization that decides why and how personal information is collected is the "controller" (PIPEDA) or "health information custodian" (PHIPA, where personal health information is involved). An organization that handles personal information on behalf of another organization is a "processor" (PIPEDA) or "agent" (PHIPA).
Our role depends on which of three relationships you are in. Many Members will be in two of these relationships at once — one with their Club (because they participate in Club programs) and one directly with us (because they hold a SportsX Member Account). The two relationships are separate and complementary.
2.1 You are a Club Operator, Administrator, or Authorized User
If you operate a Club, administer a Club account, or are a staff member with login credentials ("Authorized User"), we are the controller of the personal information you provide to us directly to create and manage your relationship with us. This includes your contact information, billing information, account credentials, and the records of how you use the Service.
In this role, we make the decisions about how your personal information is used, and we have direct accountability to you under PIPEDA.
2.2 You are a Member, Parent, or Guardian — data collected through a Club
If you are an athlete, learner, parent, or guardian using the Service because a Club invited you to ("Member"), and you are providing information to the Club through the Service (for example, completing the Club's intake forms, signing the Club's PDSA / Liability Waiver / Parental Indemnity / Rowan's Law documents, providing health information for safe sport participation), the Club is the controller of that information, and we are the processor acting on the Club's behalf. The Club decides what information it collects, what it uses it for, and how long it keeps it. We process the information only on the Club's instructions and as described in our Data Processing Addendum with the Club.
In this role:
- The Club's privacy policy governs how your personal information is used by the Club.
- You should direct privacy requests (access, correction, deletion, withdrawal of consent) to the Club in the first instance.
- If you direct a request to us instead, we will inform the Club and (with the Club's involvement) will help facilitate it. See Section 11.
For personal health information specifically (allergies, medical conditions, concussion history, emergency-contact medical authorizations), the Club is the health information custodian under PHIPA, and we are the Club's agent under PHIPA section 17.
2.3 You are a Member or Parent / Guardian holding a SportsX Member Account
If you create a SportsX Member Account (a platform-layer account directly with Next Play AI, governed by separate Member Account Terms), we are the controller of the information you provide to your Member Account. This information ("Member Account Data") is held by us independently of any Club, and includes:
- your identification and contact information (name, date of birth, email, phone, postal address);
- your household structure and profiles you create for any minor children for whom you have legal authority;
- summaries of documents you have signed through the Service in connection with any Club (the document title, version, date signed, Club it was signed for, and validity status — but not the document body text, which is held by the Club as compliance archive);
- summaries of your sports participation through any Club (Club name, sport category, program duration — but not the detailed attendance records or coach evaluations, which are Club-controlled);
- summaries of your payments processed through the Service (amount, date, transaction ID, program — but not detailed financial reconciliation, which is Club-controlled);
- your consent preferences (marketing, photo / video, AI-training opt-in if applicable).
In this role:
- We are directly responsible for Member Account Data under PIPEDA.
- You can access, correct, export, or delete your Member Account Data through the Account Privacy Console at any time.
- Your Member Account is independent of any Club's relationship with us. If a Club terminates its agreement with us, your Member Account continues unaffected, and your Member Account Data continues to be held by us.
- Personal Health Information is NOT held in the Member Account layer — it remains with your Club as Health Information Custodian under PHIPA. To exercise PHIPA rights, contact your Club.
Member Account Data is governed by the SportsX Member Account Terms (E1). For a copy, contact us at contact@nextplayai.xyz; it is also provided to you at Member Account creation.
2.4 You are a Website Visitor
If you visit our public website without creating an account (for example, to read marketing material), we are the controller of any limited information collected (such as cookies, IP address, and any contact form you submit). See Section 12 for cookies.
2.5 Why three roles, not one
The three-role framework reflects how SportsX is built. The Club uses our software to run its programs (Section 2.1, 2.2). You use our software, through the Club, to participate in those programs (Section 2.2). And you also use our software, directly, to maintain a portable sports-life record that travels with you across Clubs (Section 2.3). Each role has its own privacy framework and its own responsibilities.
SECTION 3 — WHAT THIS POLICY COVERS — A QUICK MAP
| Section | Topic |
|---|---|
| 4 | Personal information we collect |
| 5 | How we use it |
| 6 | Legal basis under PIPEDA Schedule 1 |
| 7 | Sharing — Service Providers and Subprocessors |
| 8 | Cross-border processing |
| 9 | Retention |
| 10 | Security |
| 11 | Your rights |
| 12 | Cookies |
| 13 | Children and minors |
| 14 | Personal Health Information (PHIPA) |
| 15 | Updates |
| 16 | Contact |
| 17 | Complaints |
| 18 | Definitions |
SECTION 4 — PERSONAL INFORMATION WE COLLECT
4.1 When you visit our public website
- Technical metadata: IP address, device type, browser, operating system, referring URL, pages visited, time on page
- Cookies (see Section 12)
- Contact form information if you submit it (name, email, message)
4.2 When you create or use an Authorized User account (Club operator / administrator / staff)
- Identity: name, role at the Club, date of birth (if required for screening)
- Contact: email, phone, work address
- Account credentials: hashed password, multi-factor-authentication token
- Billing: payment-method tokens (we do not store full card numbers — those are tokenized through Stripe), billing history, invoices
- Audit-trail metadata: IP, timestamp, device fingerprint, document version hashes for any document you sign in your role
4.3 When you are a Member (athlete / learner / parent / guardian) — collected on behalf of the Club
- Identity: full legal name, preferred name, date of birth
- Contact: email, phone, postal address
- Family relationship (for minor Members): parent or guardian name, relationship, contact, confirmation of legal authority to consent
- Personal Health Information (where the Club's program design records it): allergies, medical conditions material to participation, current medications, concussion history, removal-from-sport / return-to-sport notations, emergency contact, emergency medical-treatment authorization
- Program participation: enrolment, level, schedule, attendance, coach assignment, performance / progress notes, certifications, make-up class history
- Financial: Stripe-tokenized payment-method, billing history, refund records
- Documents and consents: signed PDSA / Course Contract, Liability Waiver, Parental Indemnity Agreement, Rowan's Law Code of Conduct, Rowan's Law Cognitive Resources Acknowledgment, PIPEDA Standalone Consent, Electronic Signature Consent, photo / video / case-study consent
- Communications: transactional email and SMS, in-product chat (where the Club enables it), customer-support tickets
- Audit-trail metadata: IP address, timestamp (UTC), device fingerprint, scroll-to-bottom completion timestamp (where the document type requires "reasonable steps" under the Occupiers' Liability Act), document version hash (SHA-256), email / SMS delivery confirmation IDs, signing method
- Photo and video: profile photographs, program / event photos and videos (where consent is captured separately), case-study photos and videos (subject to separate consent under any agreement between the Club and Next Play AI)
4.4 What we deliberately do not collect
We do not collect, and the Club is contractually prohibited from uploading, the following sensitive identifiers:
- Social Insurance Number
- Full credit-card or bank-account number outside the tokenized Stripe / payment-processor flow
- Driver's license, passport, or other government-issued identification number
- Biometric data (fingerprint, facial geometry, voice print)
- Sexual orientation, religion, ethnic origin, political opinion, or trade-union membership
If you discover that any of the above has been uploaded to the Service, please email privacy@nextplayai.xyz immediately.
SECTION 5 — HOW WE USE YOUR PERSONAL INFORMATION
We use personal information for the following purposes, depending on your relationship with us:
5.1 To provide the Service
- Create and authenticate accounts
- Process registrations, intake forms, and signed documents
- Schedule programs, manage attendance, generate rosters
- Route payments through Stripe Connect
- Send transactional and operational communications (account verification, security alerts, document-delivery confirmations, scheduling reminders, payment receipts)
- Provide customer support
5.2 To meet legal and regulatory requirements
- Generate audit trails for electronically signed documents under the Electronic Commerce Act, 2000 (Ontario)
- Retain signed documents and financial records for the periods required by Ontario law (see Section 9)
- Cooperate with valid legal process (lawful court orders, subpoenas, regulator requests, law-enforcement requests with proper legal basis)
- Operate our anti-fraud, anti-abuse, and account-security functions
5.3 To improve and protect the Service
- Detect and respond to security incidents
- Diagnose application errors (with limited content captured by Sentry — see Section 7)
- Compile aggregated, irreversibly anonymized analytics on Service usage (no individual is identifiable; this is not personal information)
5.4 For our own communications (Authorized Users only — not Members)
- Onboarding emails about your Club account
- Product updates and new-feature announcements
- Legal-update notices (changes in Ontario consumer or sports law)
- Marketing emails (only with your express, separately captured opt-in consent under Canada's Anti-Spam Legislation; you can withdraw consent at any time)
5.5 What we do not do
- We do not sell personal information to anyone, ever.
- We do not use personal information for advertising targeting.
- We do not use personal information you upload as a Club to train any general-purpose machine-learning model without the Club's prior written consent.
- We do not use Member personal information for any purpose beyond the Club's instructions and as described in our Data Processing Addendum with the Club.
5.6 Note on cross-role processing
Where information you have provided appears in more than one role (for example, your name appears in your Member Account under Section 2.3 and is also collected by your Club in connection with your enrolment under Section 2.2), each instance is processed under the framework applicable to that role and is held by the corresponding party as controller / processor. The two instances are not automatically merged or cross-referenced for any purpose other than the minimum technical operation of the Service necessary to serve your participation in the Club's programs.
SECTION 6 — LEGAL BASIS UNDER PIPEDA SCHEDULE 1
Canadian privacy law is built around ten principles in Schedule 1 of the Personal Information Protection and Electronic Documents Act:
| Principle | How we apply it |
|---|---|
| 1 — Accountability | We have a designated Privacy Officer (privacy@nextplayai.xyz) and have implemented the policies, procedures, and security measures described in this Privacy Policy and our Data Processing Addendum. |
| 2 — Identifying Purposes | The purposes for which we collect personal information are described in Section 5 and, for Member information, in the Club's PIPEDA Standalone Consent. |
| 3 — Consent | Knowledge and consent are obtained before collection. For Members, the Club obtains consent through its PIPEDA Standalone Consent and any sport-specific waiver / parental indemnity. For Authorized Users, consent is obtained at account creation. |
| 4 — Limiting Collection | Collection is limited to what is necessary for the stated purposes (see Section 4.4). |
| 5 — Limiting Use, Disclosure, Retention | Use is limited to the stated purposes; disclosure is limited to the categories in Section 7; retention follows Section 9. |
| 6 — Accuracy | Personal information is kept reasonably accurate, complete, and current. You can correct your information using your account or by contacting us. |
| 7 — Safeguards | Technical and organizational security measures are described in our Data Processing Addendum, Schedule 4. Summary in Section 10. |
| 8 — Openness | This Privacy Policy and our Subprocessor list (Section 7) are made publicly available. |
| 9 — Individual Access | Access and correction rights are described in Section 11. PIPEDA generally requires response within 30 days. |
| 10 — Challenging Compliance | You may complain to our Privacy Officer (Section 16) and, if not satisfied, to the OPC or IPC (Section 17). |
SECTION 7 — SHARING — SERVICE PROVIDERS AND SUBPROCESSORS
We share personal information only as described in this section.
7.1 With your Club (if you are a Member)
If you are a Member, your personal information is collected on behalf of, and shared with, the Club that invited you. The Club's privacy policy governs what the Club does with it.
7.2 With our Service Providers (Subprocessors)
We engage the following Service Providers ("Subprocessors") to operate the Service. Each is bound by a written agreement that imposes data-protection obligations no less protective than those required by PIPEDA and PHIPA.
| # | Subprocessor | Role | Country of processing |
|---|---|---|---|
| 1 | Amazon Web Services Canada, Inc. | Cloud hosting (compute, storage, database, backup) | Canada (Montréal primary, Calgary secondary backup) |
| 2 | Anthropic, PBC | Large-language-model inference for AI-assisted document generation and AI Agent workflows | United States |
| 3 | Stripe Payments Canada, Ltd. | Payment processing | Canada (with parent infrastructure in the United States) |
| 4 | Twilio SendGrid, Inc. | Transactional email delivery | United States |
| 5 | Twilio, Inc. | SMS delivery | United States |
| 6 | Cloudflare, Inc. | Content-delivery network, security at the network edge | Global edge nodes |
| 7 | Sentry, Inc. (Functional Software, Inc.) | Application error monitoring | United States |
Phase 1 specifically does not use general-purpose marketing or analytics services such as Google Analytics 4, Meta Pixel, TikTok Pixel, HubSpot, or Segment for Member-facing analytics. We will update this list before adding any new Subprocessor and notify Clubs in accordance with our Data Processing Addendum.
7.3 With professional advisors
We may share personal information with our legal, accounting, audit, insurance, and IT-security advisors when reasonably necessary for them to provide their services. They are bound by professional confidentiality obligations.
7.4 With regulators or law enforcement
We may disclose personal information when required to do so by valid legal process (court order, subpoena, regulator request, law-enforcement request with proper legal basis) or to protect the safety of any person. Where legally permitted, we will notify the affected individual.
7.5 In a corporate transaction
If we are involved in a merger, acquisition, financing, corporate reorganization, or sale of all or substantially all assets, personal information may be transferred to the successor entity, subject to that entity assuming this Privacy Policy and providing notice. Any such transfer will comply with PIPEDA.
7.6 With your express consent
For any disclosure not described above, we will ask for your express consent.
SECTION 8 — CROSS-BORDER PROCESSING
8.1 Where your information is processed
Our primary hosting is in Canada (Amazon Web Services Canada, Montréal region). The primary database storing personal information is in Canada.
Some of our Subprocessors process limited categories of personal information outside Canada, primarily in the United States:
- Anthropic processes prompts and Template inputs (which may contain personal information) in the US
- Sentry stores error logs (which may incidentally include personal information) in the US
- Cloudflare processes technical metadata (IP, headers) at edge nodes globally
- Stripe processes payment data primarily in Canada with parent infrastructure in the US
8.2 Comparable level of protection
Each cross-border Subprocessor is bound by a written agreement that imposes data-protection obligations no less protective than those required by PIPEDA. We rely on contractual protections (rather than government-to-government transfer mechanisms, since Canadian law does not impose them in the way GDPR does).
8.3 Foreign-government access risk
Personal information processed outside Canada may be subject to lawful access requests by foreign government authorities. We cannot prevent such access where required by foreign law. The Office of the Privacy Commissioner of Canada has issued guidance acknowledging that cross-border transfers are permitted where comparable protection is in place; we believe our practices meet that standard.
8.4 Your right to know
This Privacy Policy is the public disclosure of our cross-border processing under PIPEDA Schedule 1 Principle 8 (Openness).
8.5 Member Account Data cross-border processing
Member Account Data held under Section 2.3 is processed by Authorized Subprocessors substantially identical to the list applicable to Club-controlled processing, with the exception that Anthropic, PBC and Stripe Payments Canada, Ltd. — which process data on the Club's behalf for AI workflows and payment processing — do not process Member Account Data. The Member Account Data Subprocessor list is maintained in Section 7 of the Member Account Terms (E1).
SECTION 9 — RETENTION
We retain personal information only as long as necessary for the purposes for which it was collected, and as required by Ontario law.
9.1 During your active use of the Service
Active records are retained for the duration of your account or program participation.
9.2 After your account or program participation ends
| Category | Retention period |
|---|---|
| Account login records, technical metadata | 30 days (export window) + 60 days (deletion buffer) |
| Signed PDSA / Course Contract | Not less than 7 years from the date of the most recent program participation (CRA + general statute of frauds) |
| Signed Liability Waiver, Parental Indemnity, Rowan's Law documents, PIPEDA Consent, Electronic Signature Consent | Not less than 7 years from the date of the most recent program participation |
| Records involving minors | Until the minor reaches the age of majority (18) plus the limitation period applicable to a tort claim under the Limitations Act, 2002 (typically 2 years for adult tort claims, but the clock for a minor's claim does not start running until majority — meaning effective retention can extend significantly beyond age 20) |
| Personal Health Information (PHIPA-covered) | Per PHIPA, the Limitations Act, 2002, and any retention schedule the Club has adopted as health information custodian; minimum 10 years per PHIPA professional-misconduct context where applicable |
| Financial records | Minimum 7 years per the Income Tax Act and CRA guidance |
| Encrypted backup media | Standard backup-rotation cycle (typically 30–90 days); after which backup data is overwritten in the ordinary course |
| Anonymized aggregate data | Indefinitely (no longer personal information) |
9.3 Member Account Data retention
Information held under Section 2.3 is retained for as long as your Member Account remains active. We do not apply a fixed retention schedule to Member Account Data; you control its retention through your Member Account. If your Account is inactive for 36 consecutive months, we will send a dormancy notice and may close the Account thereafter. On Account closure, Member Account Data is deleted from production systems within 30 days, with backups overwritten in the ordinary course within a further 30 days, and a limited audit ledger entry is retained for 7 years for compliance and fraud-prevention purposes (no Member Account Data content is retained beyond closure). See Member Account Terms (E1) Article 5.
9.4 Deletion on request
You can request deletion of your personal information using the rights described in Section 11, subject to the legal-retention requirements above. We will explain which items can be deleted and which must be retained, and we will delete items as soon as the legal-retention period ends.
SECTION 10 — SECURITY
We maintain technical and organizational security measures appropriate to the sensitivity of the personal information we hold. The full description is in our Data Processing Addendum, Schedule 4. Summary:
- Encryption: TLS 1.2+ in transit; AES-256 at rest for production database, object storage, and backups
- Access control: role-based access, multi-factor authentication for all our personnel, principle of least privilege, just-in-time access for production with audit logging
- Network and infrastructure: VPC isolation, web-application firewall, DDoS protection, intrusion-detection
- Application security: secure-development-lifecycle, code review, static security analysis, dependency vulnerability scanning, parameterized queries, rate limiting on sensitive endpoints
- Resilience: daily encrypted backups, point-in-time recovery, multi-AZ deployment within Canada, documented incident-response plan
- Audit logging: account creation, login, permission change, document signing (with scroll completion, IP, device, hash), data export, data deletion, payment events — retained at least 2 years
- Personnel: confidentiality agreements, privacy and security training annually, background checks for elevated production access (subject to provincial employment-screening law), 24-hour access revocation on departure
- Incident response: documented Security Incident response plan; 24-hour notification commitment to affected Clubs
- Compliance posture: Security controls are reviewed and enhanced on a continuous basis; formal third-party certification programmes will be considered as our market scope expands.
No security system is perfect. If we discover a security incident affecting your personal information, we will follow the breach-notification process described in our Data Processing Addendum (24-hour notification to the affected Club, and the Club is responsible for notifying you and the regulator as required by PIPEDA's Breach of Security Safeguards Regulations). For our own breach notifications (where we are the controller — for example, an Authorized User account compromise), we will notify you and the OPC as required by PIPEDA.
SECTION 11 — YOUR RIGHTS
11.1 Rights you have under PIPEDA
You have the right to:
- Know what personal information we hold about you, why, and to whom we have disclosed it;
- Access your personal information (PIPEDA section 8 — generally responded to within 30 days);
- Correct your personal information if it is inaccurate, incomplete, or out of date;
- Withdraw consent for any future processing (subject to legal or contractual restrictions, such as a signed contract that cannot be unilaterally rescinded);
- Request deletion of your personal information (subject to the legal-retention exceptions in Section 9.2);
- Lodge a complaint with our Privacy Officer or with the regulator (Section 17).
11.2 Rights you have under PHIPA (for Personal Health Information)
For Personal Health Information, you also have:
- Right of access under PHIPA section 53 (generally 30 days);
- Right of correction under PHIPA section 55;
- Right to know who has accessed your records under PHIPA section 12 (audit log).
11.3 How to exercise your rights
If you are a Member, your Club is the controller / health information custodian. Please direct requests to your Club in the first instance. You may also email us at privacy@nextplayai.xyz; we will inform the Club and help facilitate the request.
If you are an Authorized User, you may exercise your rights through your account settings, through our Account Privacy Console, or by emailing privacy@nextplayai.xyz.
Identity verification. Before responding to a request, we may need to verify your identity (for example, by confirming login from an authenticated session, by emailing a verification code to the address on file, or by other reasonable means). This is to protect your information from unauthorized access.
No charge. PIPEDA section 8 prohibits an unreasonable charge for access. We do not charge for routine access, correction, or withdrawal-of-consent requests. If a request is unusually complex or large, we may, after consultation with you, charge a reasonable cost-recovery fee.
Our response timelines. We aim to respond to access requests within 30 days of receipt. If we need more time, we will tell you why and when you can expect our response.
If we refuse a request. We will tell you in writing the reason for the refusal, the section of PIPEDA or PHIPA we rely on, and how to complain to the regulator.
11.4 How to exercise your rights — choosing the right path
Because of the three-role framework described in Section 2, the path for exercising your rights depends on which information you are asking about:
| Information type | Path | Why |
|---|---|---|
| Authorized User account data | Direct to Next Play AI | We are controller |
| Member data the Club holds (intake forms, signed compliance documents body text, attendance, PHI, coach notes) | Direct to the Club | Club is controller / custodian |
| Member Account Data (your profile, household, signing summaries, participation summaries, payment receipts, consent preferences) | Direct to Next Play AI | We are controller |
Where a request concerns information that exists at both layers (e.g., the validity of an annual Rowan's Law signing — full document held by the Club, summary held by us), you may direct your request to either or both organizations; we will coordinate in good faith.
SECTION 12 — COOKIES AND SIMILAR TECHNOLOGIES
Our Cookie Policy (A3) describes the cookies we use, why, and how to manage them. Phase 1 uses a deliberately minimal cookie set: strictly-necessary cookies (session, security, CSRF) and limited functional cookies (login persistence, language preference). Phase 1 does not use marketing or third-party advertising cookies (no Google Analytics 4, Meta Pixel, TikTok Pixel, HubSpot, or Segment).
If we add analytics or advertising cookies in a future Phase, we will update the Cookie Policy and obtain consent through a cookie banner that complies with PIPEDA, the IPC's guidance on cookie use, and any other applicable Ontario authority guidance.
SECTION 13 — CHILDREN AND MINORS
The Service is used by youth athletes and learners, including those under 18.
For any Member under 18, we require that a parent or guardian with legal authority to consent complete the registration, sign the PDSA / Course Contract, sign any Liability Waiver, sign the Parental Indemnity Agreement, sign the Rowan's Law Code of Conduct (where applicable for athletes 26 and under), sign the Rowan's Law Cognitive Resources Acknowledgment (where applicable), and sign the PIPEDA Standalone Consent.
Under PIPEDA, the OPC has indicated that children under 13 generally lack capacity to provide meaningful consent and that parental / guardian consent is required for any non-trivial use of their personal information. For children between 13 and 18, capacity is assessed based on the maturity of the child and the nature of the information. Out of caution, the Service requires parental / guardian consent for all Members under 18.
For Personal Health Information of a minor, PHIPA contains additional provisions (the "capable minor" doctrine — minors aged 12 to 15 may have capacity to consent in certain medical contexts, and minors aged 16 and over generally do). The Service treats parental / guardian consent as the default for all minors and supplements with the minor's own assent where appropriate.
Children's Member Accounts. A Member Account for a person under 18 is created by their Parent / Guardian under the Member Account Terms (E1). The Parent / Guardian represents that they have legal authority for the minor and manages the minor's profile until the minor reaches the age of majority, at which point control transitions to the minor. Personal Health Information of a minor is held by the Club, not in the minor's Member Account.
If you are a parent or guardian and believe a child's personal information has been collected without your consent, please email privacy@nextplayai.xyz and we will investigate and, if appropriate, delete the information.
SECTION 14 — PERSONAL HEALTH INFORMATION (PHIPA)
If your Club records, through the Service, allergies, medical conditions material to participation, current medications, concussion history, removal-from-sport / return-to-sport notations, emergency contact, or emergency medical-treatment authorization, that information is Personal Health Information within the meaning of section 4 of Ontario's Personal Health Information Protection Act, 2004 ("PHIPA").
Roles under PHIPA:
- The Club is the health information custodian (PHIPA section 3) and is directly responsible to you for the use, disclosure, and protection of your Personal Health Information.
- We are the Club's agent under PHIPA section 17 and process Personal Health Information only on the Club's instructions, in accordance with our Data Processing Addendum.
Your PHIPA rights:
- Access (section 53)
- Correction (section 55)
- Withdrawal of consent or imposition of conditions (section 19)
- Audit log of who has accessed your records (section 12)
To exercise PHIPA rights, please contact your Club's Privacy Contact Person in the first instance. You may also email privacy@nextplayai.xyz.
SECTION 15 — UPDATES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect changes in law, our Service, or our Subprocessor list.
- Material changes will be communicated by email (to Authorized Users) and by an in-product banner at next login. We will provide at least 30 days' notice for material adverse changes.
- Non-material changes (such as Subprocessor list updates that do not change the categories of personal information processed or the countries of processing) will be reflected by updating the "Last Updated" date at the top of this policy.
- The current version is always available at our public website at https://www.sportsx.ai/privacy.
Change Log
v1.0 → v1.1 (2026-05-03) — Three-Role Framework
Coordinated change with E1 (NEW), A1 v1.2, A4 v1.2, B6 v1.1.
- Plain-Language Summary — restructured "two relationships" into "three relationships."
- Section 2 — REWRITTEN. Replaces two-role framework with three-role framework adding §2.3 Member Account Data direct relationship.
- Section 5 — added cross-role processing note (§5.6).
- Section 8 — added Member Account Data cross-border processing disclosure (§8.5).
- Section 9 — added Member Account Data retention disclosure (§9.3).
- Section 11 — added dual-path rights-exercise table (§11.4).
- Section 13 — added Children's Member Accounts paragraph.
SECTION 16 — CONTACT
Privacy Officer
Next Play AI Inc.
Attention: Privacy Officer
2030 Bristol Cir, Unit 210, Oakville, ON, Canada, L6H 6P5
Email: privacy@nextplayai.xyz
Legal: legal@nextplayai.xyz
We aim to respond to privacy inquiries within five (5) business days of receipt.
SECTION 17 — COMPLAINTS
If you are not satisfied with our response to a privacy inquiry or request, you may complain to the regulator with appropriate jurisdiction.
17.1 Office of the Privacy Commissioner of Canada (OPC)
For complaints under PIPEDA:
Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, QC K1A 1H3
Toll-free: 1-800-282-1376
Website: priv.gc.ca
17.2 Information and Privacy Commissioner of Ontario (IPC)
For complaints under PHIPA (Personal Health Information):
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, ON M4W 1A8
Toll-free: 1-800-387-0073
Website: ipc.on.ca
You may also have remedies in the courts of Ontario; PIPEDA section 14 provides a right of application to the Federal Court following an OPC investigation in certain circumstances, and the Privacy Act and Ontario common-law privacy torts (such as intrusion upon seclusion, recognized in Jones v. Tsige, 2012 ONCA 32) may provide additional remedies.
SECTION 18 — DEFINITIONS
"Authorized User" means a person we authorize to access the Service through a Club's account, including the Club's operators, administrators, staff members, and front-desk personnel.
"Club" means a youth sports organization that has subscribed to the Service.
"Member" means an athlete, learner, parent, or guardian using the Service because a Club has invited them to.
"Member Account Data" means personal information held under Section 2.3 in connection with a SportsX Member Account, as further specified in the Member Account Terms (E1) and the Data Processing Addendum (A4) section 1.14.
"Personal Health Information" has the meaning given in section 4 of PHIPA.
"Personal Information" has the meaning given in PIPEDA (information about an identifiable individual).
"PHIPA" means the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sch. A.
"PIPEDA" means the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5.
"Service" means the SportsX software-as-a-service platform operated by Next Play AI Inc., including the public website, web application, mobile application (where published), and any related communications and signing flows.
"Service Providers" or "Subprocessors" has the meaning in Section 7.2.
ELECTRONIC ACKNOWLEDGMENT
By using the Service, by creating an account, or by signing any document through the Service, you acknowledge that you have read this Privacy Policy and understand how your personal information is collected, used, shared, stored, and protected. If you do not agree with this Privacy Policy, please do not use the Service.
Privacy Policy v1.1 — effective 2026-05-14. Phase 1 jurisdiction: Ontario only. The English text governs in all cases. French translation will be made available in a future Phase consistent with the AODA accessibility plan.
© 2026 Next Play AI Inc. · 2030 Bristol Cir, Unit 210, Oakville, ON, Canada, L6H 6P5 · privacy@nextplayai.xyz