Applies to: Users and organizations located in the European Economic Area (EEA), the United Kingdom, and Switzerland.
Relationship to Main Policy: This Addendum supplements SpiralXO's global Privacy Policy. Where this Addendum conflicts with the global Privacy Policy, the terms of this Addendum take precedence for EEA, UK, and Swiss users.
Operated by: FieldIQ Holdings LLC, a Wyoming limited liability company.
Contact: privacy@spiralxo.com | legal@spiralxo.com
1. Scope and Application
Who This Addendum Applies To
This EU Privacy Policy Addendum applies to any individual or organization that accesses or uses SpiralXO from within the European Economic Area, the United Kingdom, or Switzerland. It supplements and, where it conflicts, supersedes SpiralXO's global Privacy Policy for those users.
Important: SpiralXO's European operations are restricted exclusively to B2B customers — registered business entities, sports clubs, schools, and football programs — purchasing on behalf of adult users aged 18 or older. SpiralXO does not serve individual consumers or organizations whose users include individuals under 18 in the European market. By accessing SpiralXO as a European customer, your organization warrants that all platform users are 18 years of age or older.
EU Representative
FieldIQ Holdings LLC has designated its European management team as its EU Representative pursuant to Article 27 of the GDPR, on the basis of the management team's residence in Germany. The EU Representative can be contacted at legal@spiralxo.com with the subject line “GDPR — EU Representative Inquiry.”
The lead supervisory authority for SpiralXO's processing activities, based on our management team's location in Germany, is the Federal Commissioner for Data Protection and Freedom of Information (BfDI). See Section 9 for full contact details.
2. Legal Basis for Processing
How We Determine Our Legal Basis
Under Article 6 of the GDPR, SpiralXO identifies a specific legal basis for each category of personal data we process. We do not rely on a generic or catch-all basis. The four legal bases we rely on are:
- Contract Performance (Article 6(1)(b)): Processing is necessary to perform the contract between SpiralXO and your organization, or to take steps prior to entering into that contract.
- Legitimate Interests (Article 6(1)(f)): Processing is necessary for our legitimate business interests, where those interests are not overridden by your rights and freedoms. Where we rely on this basis, a Legitimate Interests Assessment (LIA) has been conducted.
- Legal Obligation (Article 6(1)(c)): Processing is necessary to comply with a legal obligation applicable to SpiralXO.
- Consent (Article 6(1)(a)): You have given clear, specific, and freely withdrawable consent. We rely on consent only where no other basis applies — primarily for non-essential cookies. Consent is not used as a fallback for processing activities properly covered by contract performance or legitimate interests.
Legal Basis by Processing Activity
| Data / Processing Activity | GDPR Legal Basis |
|---|---|
| Account and registration data (organization name, admin contact, login credentials) | Contract Performance — necessary to create and manage your SpiralXO account |
| Coach, staff, and player profile data (name, email, role, team assignment, position) | Contract Performance — necessary to provide platform access and team coordination features |
| Platform usage data (login timestamps, features accessed, session duration) | Legitimate Interests — to operate, maintain, and improve the platform; to monitor security and detect fraud |
| Device and technical data (IP address, browser type, operating system) | Legitimate Interests — to ensure platform security, diagnose technical issues, and maintain performance |
| Football program content (playbooks, practice plans, depth charts) | Contract Performance — necessary to provide the core service your organization has contracted for |
| Communication data (messages sent through platform channels) | Contract Performance — necessary to provide the communication features of the platform |
| Billing and payment data (processed via Stripe) | Contract Performance and Legal Obligation — necessary to fulfil the subscription and comply with financial record-keeping requirements |
| Analytics and product usage patterns (aggregated, anonymized) | Legitimate Interests — to understand platform usage and improve features |
| Non-essential cookies and tracking technologies | Consent — active prior consent is obtained before placing non-essential cookies. Consent may be withdrawn at any time. |
| Support access and administrative logs | Legitimate Interests and Legal Obligation — to resolve support issues and maintain required security audit records |
3. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights in respect of your personal data processed through SpiralXO.
Right of Access (Article 15)
You have the right to obtain confirmation of whether we process personal data about you, and to receive a copy of that data along with information about how it is processed, the legal basis, retention periods, and third parties with whom it is shared.
Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data we hold about you, or completion of incomplete data.
Right to Erasure (Article 17)
You have the right to request deletion of your personal data where: the data is no longer necessary for the purpose collected; you withdraw consent (where consent was the legal basis); you successfully object to processing; or the data has been unlawfully processed. This right is subject to legal and operational retention requirements described in Section 6.
Right to Restriction of Processing (Article 18)
You have the right to request that we restrict processing of your personal data in certain circumstances, such as while you contest the accuracy of the data or while we assess an objection you have raised.
Right to Data Portability (Article 20)
Where we process your personal data on the basis of contract performance or consent, and that processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (such as CSV or JSON), and to request that we transmit it to another controller where technically feasible. To request a data export, contact privacy@spiralxo.com with the subject line “Data Portability Request — [Your Organization Name].”
Right to Object (Article 21)
You have the right to object at any time to processing based on legitimate interests. Upon receipt of an objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.
Right to Withdraw Consent (Article 7(3))
Where we process personal data on the basis of your consent (primarily non-essential cookies), you may withdraw consent at any time through our cookie preference centre without affecting the lawfulness of processing carried out before withdrawal.
Right Not to Be Subject to Automated Decision-Making (Article 22)
SpiralXO does not make decisions producing legal or similarly significant effects based solely on automated processing. Quiz tracking and usage analytics are informational tools for coaches and administrators only.
How to Exercise Your Rights
To exercise any of the above rights, contact us at privacy@spiralxo.com with the subject line “GDPR Rights Request — [Type of Request] — [Your Name / Organization].” We may ask you to verify your identity before processing your request. We will not charge a fee for reasonable requests.
Response Timelines
| Situation | Timeline |
|---|---|
| Standard response | Within 1 calendar month of receiving a valid request |
| Complex or high-volume requests | Up to 3 calendar months total, with written notice and explanation provided within the first month |
| Request deemed manifestly unfounded or excessive | We will notify you in writing with reasons. We may charge a reasonable fee or refuse to act. |
Right to Lodge a Complaint
If you believe SpiralXO has processed your personal data inconsistently with the GDPR, you have the right to lodge a complaint with the supervisory authority in your country of residence or the country where the alleged infringement occurred.
Based on our management team's location in Germany, our lead supervisory authority is:
The Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Graurheindorfer Straße 153, 53117 Bonn, Germany
Website: www.bfdi.bund.de
Email: poststelle@bfdi.bund.de
You may also contact the supervisory authority in your own EU member state. We encourage you to contact us at privacy@spiralxo.com before filing a complaint so we can attempt to resolve the matter directly.
4. Data Breach Notification
Our Internal Response Process
SpiralXO maintains an internal data breach response procedure. Upon becoming aware of a personal data breach, we will immediately contain and assess the breach; document its scope, cause, and the categories of data affected; assess the risk to affected individuals; and notify the relevant supervisory authority and affected users within the timeframes below.
Notification to the Supervisory Authority (Article 33 GDPR)
Where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, SpiralXO will notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. Where notification cannot be made within 72 hours, it will be accompanied by a reasoned explanation of the delay.
The notification will include, to the extent available: the nature of the breach and categories of data affected; the name and contact details of our data protection contact (privacy@spiralxo.com); the likely consequences of the breach; and the measures taken or proposed to address it.
Notification to Affected Individuals (Article 34 GDPR)
Where a breach is likely to result in a high risk to the rights and freedoms of natural persons, SpiralXO will notify affected individuals without undue delay via the email address associated with their account. The notification will describe in plain language: the nature of the breach; our data protection contact details; the likely consequences; the steps we have taken; and any recommended steps individuals should take to protect themselves.
Individual notification is not required where: (a) appropriate technical measures such as encryption render the data unintelligible; (b) subsequent measures ensure the high risk is no longer likely to materialise; or (c) direct notification would involve disproportionate effort, in which case a public communication will be used instead.
5. International Data Transfers
Overview
SpiralXO is operated by a US-based entity. All of SpiralXO's data servers and infrastructure are located in the United States, including our primary cloud hosting environment (Amazon Web Services, US regions). When personal data of EEA, UK, or Swiss users is transferred to and stored on these US-based servers, we ensure that appropriate safeguards are in place as required by Chapter V of the GDPR.
Transfer Mechanisms
- Standard Contractual Clauses (SCCs): We use the European Commission's 2021 Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for transfers to vendors and sub-processors in the United States and other countries without an adequacy decision. SCCs are incorporated into our Data Processing Agreements with each relevant vendor.
- EU–US Data Privacy Framework (DPF): Where our vendors are certified under the EU–US Data Privacy Framework administered by the US Department of Commerce, transfers to those vendors may also rely on the DPF adequacy decision. We verify vendor certification before relying on this mechanism.
Vendor and Sub-Processor List
The following vendors process EEA personal data on our behalf. All data is stored and processed on servers located in the United States unless otherwise indicated.
| Vendor | Purpose | Server Location | Transfer Mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and data hosting | United States (US regions) | EU–US DPF + 2021 SCCs via AWS DPA |
| Stripe, Inc. | Payment processing | United States | EU–US DPF + 2021 SCCs via Stripe DPA (stripe.com/legal/dpa) |
| Google Analytics (Google LLC) | Platform usage analytics | United States | Consent-based. 2021 SCCs via Google DPA. Non-essential; requires active user consent before activation. IP anonymisation enabled for all EEA users. |
| Calendly | Demo and meeting scheduling | United States | 2021 SCCs via Calendly DPA (calendly.com/dpa). Data limited to name and email of demo requestees. |
| PostHog Inc. | Product analytics and session recording. Consent-based; activated only with active EEA user consent. Sensitive input fields masked. | United States | 2021 SCCs via PostHog DPA (posthog.com/dpa). Note: PostHog includes session recording functionality. EEA users must give explicit consent before PostHog activates. Access to session recordings is restricted to the SpiralXO product team only. |
Transfer Impact Assessment
Where we rely on SCCs as a transfer mechanism for transfers to the United States, we have assessed the relevant US legal framework and have implemented supplementary measures including encryption of data in transit and at rest, access controls, and contractual limitations on processing beyond the agreed purpose.
6. Data Retention
Retention Principles
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, in compliance with the storage limitation principle under Article 5(1)(e) of the GDPR.
Retention Schedule
| Data Category | Retention Period | Basis |
|---|---|---|
| Account and profile data | Duration of subscription + 90-day grace period, then deleted or anonymized | Contract Performance |
| Football program content (playbooks, plans, depth charts) | Duration of subscription + 90-day grace period, then deleted | Contract Performance |
| Communication data | Duration of subscription + 90-day grace period, then deleted | Contract Performance |
| Billing and payment records | 7 years from transaction date | Legal Obligation (tax and accounting law) |
| Platform usage and access logs | 12 months rolling, then anonymized | Legitimate Interests (security and performance) |
| Support impersonation and admin access logs | 3 years, then deleted | Legal Obligation / Legitimate Interests (security audit) |
| Cookie consent records | 3 years from date of consent | Legal Obligation (demonstrating lawfulness of consent) |
| Anonymized and aggregated analytics | Indefinite (no personal data retained) | Legitimate Interests (product improvement) |
Upon account termination, active user access is disabled immediately. A 90-day grace period is provided for account recovery or data export. After this period, personal data is deleted or irreversibly anonymized, subject to longer retention obligations set out above.
You may request early deletion of specific data at any time by contacting privacy@spiralxo.com. Requests are processed in accordance with Section 3 response timelines, subject to applicable legal retention obligations.
7. Cookies and Tracking Technologies
Our Approach to Cookie Consent
For users accessing SpiralXO from the EEA, UK, or Switzerland, we operate a consent-first cookie framework in compliance with the EU ePrivacy Directive and the GDPR:
- Essential cookies are placed automatically as they are strictly necessary for the platform to function.
- Non-essential cookies (analytics) are blocked by default and only activated after you provide active, informed consent through our cookie preference centre.
- Pre-ticked boxes and consent inferred from continued platform use are not used.
- You may withdraw or modify consent at any time through the cookie preference centre, accessible at the bottom of every platform page.
Cookie Categories
| Category | Provider | Retention | Consent Required |
|---|---|---|---|
| Essential | SpiralXO (first-party) | Session / up to 1 year | No — strictly necessary |
| Analytics | Google Analytics (Google LLC, US) | Up to 2 years | Yes — active prior consent required |
| Functional / Preferences | SpiralXO (first-party) | Up to 1 year | Yes — active prior consent required |
Google Analytics cookies are used to understand platform usage in aggregate. IP anonymisation is enabled for all EEA users. No cross-site tracking or advertising data is shared. Analytics cookies are only activated upon your explicit consent and all data is transferred to Google's US servers under 2021 SCCs (see Section 5).
8. Data Controller and Processor Roles
Role Clarification
| Party | Role |
|---|---|
| Your Organization (Customer) | Data Controller — you determine which users you invite, what content you upload, and how you use the platform. You are responsible for ensuring you have a lawful basis to share your users' personal data with SpiralXO. |
| SpiralXO / FieldIQ Holdings LLC (as your service provider) | Data Processor — we process personal data on your organization's behalf in accordance with your instructions and our Data Processing Agreement. We do not use your users' data for our own purposes beyond what is necessary to provide and improve the platform. |
| SpiralXO (for its own operational data) | Independent Data Controller — for data processed for our own purposes (security monitoring, fraud prevention, anonymized product analytics), SpiralXO acts as an independent Data Controller. |
Data Processing Agreement (Article 28 GDPR)
GDPR Article 28 requires the controller–processor relationship to be governed by a written Data Processing Agreement (DPA). SpiralXO's standard EU DPA covers: the subject matter, duration, nature, and purpose of processing; the types of personal data and categories of data subjects; SpiralXO's obligations as processor including security, sub-processor management, and assistance with data subject rights; sub-processor authorization and notification; and data return and deletion on termination.
European customers are required to execute a DPA with SpiralXO at or before subscription. To request our standard EU DPA, contact legal@spiralxo.com with the subject line “GDPR DPA Request — [Organization Name].”
9. Contact Us
Privacy Enquiries and Data Subject Requests
FieldIQ Holdings LLC — EU Privacy
Email: privacy@spiralxo.com
Please include “GDPR” and the nature of your enquiry in the subject line.
Legal and EU Representative Enquiries
Email: legal@spiralxo.com
Subject line: “GDPR — EU Representative Inquiry”
Lead Supervisory Authority
Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Graurheindorfer Straße 153, 53117 Bonn, Germany
Website: www.bfdi.bund.de
Email: poststelle@bfdi.bund.de
By using SpiralXO from within the EEA, UK, or Switzerland, you acknowledge that you have read and understood this EU Privacy Policy Addendum and agree to the processing of your personal data as described herein.
This Addendum was last updated January 26, 2026. FieldIQ Holdings LLC — 30 N. Gould St., Sheridan, WY 82801 — privacy@spiralxo.com