European Users: If you are located in the EEA, UK, or Switzerland, please also read our EU Privacy Policy Addendum, which supplements these terms and takes precedence where there is a conflict.
1. Introduction
Welcome to SpiralXO. We respect your privacy and are committed to protecting the personal information you share with us.
This Privacy Policy explains:
- What information we collect
- How we use that information
- How we protect it
- Your rights and choices
By using SpiralXO, you acknowledge this Privacy Policy. Where we rely on consent for specific processing activities (such as optional cookies where required by law), you may withdraw consent at any time.
SpiralXO is operated by FieldIQ Holdings LLC, a Wyoming limited liability company. If you have questions about this Privacy Policy, contact us at privacy@spiralxo.com.
Definitions
Throughout this document, the following terms have specific meanings:
“Organization” refers to the entity (such as a high school, football program, club, or other sports organization) that purchases and controls access to SpiralXO. Organizations are our customers and are responsible for managing user accounts, setting permissions, and ensuring compliance with applicable laws.
“User” refers to any individual who accesses or uses SpiralXO, including coaches, staff members, players, and administrators. Users access the platform through accounts created or authorized by an Organization.
“Minor” refers to any individual under the age of 18, regardless of location. Additional parental consent requirements may apply in certain jurisdictions for users under the age of 16 or 18, as specified by applicable state or regional laws.
“Availability Status” refers to the feature within SpiralXO that allows Organizations to track whether a player is available for practices, games, or other team activities. Availability Status is intended solely for scheduling and planning purposes and must indicate only general availability (such as “Available,” “Unavailable,” or “Limited”). It must not include medical diagnoses, health conditions, treatment details, or other protected health information.
2. Who We Serve
SpiralXO provides software to football organizations (such as high schools, programs, and clubs) to help them manage teams, planning, and coordination.
Important distinctions:
- Our customers are organizations, not individual users
- Organizations control access and determine who can use the platform
- All users must be 13 years of age or older
- We do not knowingly collect information from children under 13
Organizations are responsible for verifying user eligibility, including age requirements, before granting access to the platform.
3. Information We Collect
A. Organization & Account Information
When an organization creates an account, we collect:
- Organization name
- Organization email address
- Account credentials (encrypted and securely stored)
- Administrative contact information
- Billing information (if applicable)
B. Coach & Staff Information
When coaches or staff members are added to the platform, we collect:
- Name
- Email address
- Login credentials (encrypted and securely stored)
- Team and role assignments
- Platform activity data
C. Player Information (Ages 13+)
When players join the platform, we collect:
- Name
- Email address
- Login credentials (encrypted and securely stored)
- Team affiliation
- Role or position (if applicable)
- Platform usage data (time spent, features accessed, content viewed)
Player Availability Status: Organizations may enter player availability status (such as “Available,” “Unavailable,” or “Limited”) for scheduling and participation purposes only. Availability status should not include medical details. We do not collect diagnoses, treatment details, medical records, or health notes.
- SpiralXO is not a HIPAA-covered entity and does not provide medical services.
- Organizations must not upload Protected Health Information (PHI), clinical medical records, detailed diagnoses, treatment notes, or medical documentation into the platform.
- Availability status should not include specific medical conditions or health details (e.g., diagnoses, protocols, or treatment plans).
- We do not request, require, or process medical records or health data.
- If SpiralXO determines that prohibited health or medical information has been uploaded, we reserve the right to remove such data, restrict features, suspend accounts, or require corrective action.
D. Guardian/Parent Contact Information (Optional)
Organizations or users may optionally provide:
- Guardian name
- Guardian email address
- Guardian phone number
This information is:
- Entirely optional
- Used only for account-related or team coordination purposes
- Not used for marketing
E. Football Program Data
Organizations upload and manage their own content, including:
- Playbooks and practice plans
- Strategy materials
- Depth charts and personnel groupings
- Team schedules
- Internal communications
Your organization retains full ownership of this content.
F. Usage & Technical Data
We automatically collect certain information when you use SpiralXO:
- Login timestamps and session duration
- Features accessed and interaction patterns
- Time spent on different areas of the platform
- Device information (type, operating system, browser)
- IP address and general location data
- Error logs and diagnostic information
This data helps us:
- Operate and maintain the platform
- Monitor performance and security
- Improve functionality
- Troubleshoot technical issues
4. How We Use Your Information
We use the information we collect to:
Provide and Operate the Service
- Create and manage organization and user accounts
- Enable team coordination and planning features
- Facilitate communication within organizations
- Process and display football program content
- Provide customer support
Security and Platform Integrity
- Verify user identity and prevent unauthorized access
- Detect and prevent fraud or misuse
- Monitor for security threats
- Enforce our Terms of Service
Improve SpiralXO
- Analyze usage patterns and trends
- Develop new features and functionality
- Fix bugs and optimize performance
- Conduct research using aggregated, anonymized data
Legal and Compliance
- Comply with applicable laws and regulations
- Respond to legal requests and prevent harm
- Protect our rights and property
- Enforce our agreements
Communications
- Send account-related notifications
- Provide customer support responses
- Send important updates about the platform or our Terms
We do not use your information for:
- Marketing or advertising to players
- Selling personal data to third parties
- Purposes unrelated to operating the platform
5. How We Share Your Information
We do not sell your personal information. We share information only in the following limited circumstances:
Within Your Organization
Information is shared with other authorized users in your organization according to the access controls and permissions your organization sets.
Service Providers
We work with trusted third-party service providers who help us operate SpiralXO, such as:
- Cloud hosting and data storage providers
- Payment processors (if applicable)
- Analytics and monitoring services
- Customer support tools
These providers:
- Access information only as needed to perform their functions
- Are contractually obligated to protect your data
- Cannot use your information for their own purposes
Legal Obligations
We may disclose information when required by law or in response to:
- Valid legal process (subpoenas, court orders, warrants)
- Governmental or regulatory requests
- Emergency situations involving safety or security
- Protection of our rights, property, or users
Business Transfers
If SpiralXO is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you and provide choices before your information is transferred or becomes subject to a different privacy policy.
With Your Consent
We may share information for other purposes with your explicit consent.
6. Support Access and Account Impersonation
Customer Support and Troubleshooting
To provide effective customer support, troubleshoot technical issues, and resolve platform problems, our support team may need to access user accounts using administrative privileges. This practice is commonly known as “support impersonation” or “login-as-user.”
When Support Impersonation Occurs
We may use support impersonation to:
- Diagnose and resolve technical issues that cannot be addressed remotely
- Investigate reported bugs or platform errors
- Verify reported problems in real time
- Assist with account recovery or configuration issues
- Provide hands-on customer support when necessary
Support impersonation is used only:
- When necessary to resolve a support request or technical issue
- With appropriate authorization from organization administrators (when feasible)
- By authorized support staff who have undergone security and privacy training
- In accordance with our internal security policies and access controls
Logging and Accountability
We maintain detailed logs of all support impersonation activities, including:
- The support staff member who accessed the account
- The date and time of access
- The duration of the session
- The reason for access
These logs are:
- Retained for security, compliance, and audit purposes
- Reviewed regularly to ensure proper use
- Protected with the same security measures as other sensitive data
Your Rights
You may request a record of support impersonation events related to your account by contacting us at privacy@spiralxo.com. Organization administrators can also review access logs through their administrative dashboard (where available).
By using SpiralXO, organizations authorize support impersonation as described above for legitimate support and security purposes.
We are committed to using support impersonation responsibly and only when necessary to serve you better.
7. Data Retention
We retain your information for as long as necessary to:
- Provide the service to your organization
- Comply with legal obligations
- Resolve disputes and enforce our agreements
When your organization terminates its account:
- Active user access is immediately disabled
- We retain data for up to 90 days to allow for account recovery, renewal, or data export (“Grace Period”)
- After this period, we delete or anonymize personal information
- Some information may be retained longer for legal, security, or legitimate business purposes
- Certain sensitive data related to minors (such as player availability logs) may be deleted earlier, typically within thirty (30) days, to reduce privacy risk
- Aggregated, anonymized data may be retained indefinitely
After the Grace Period:
- Personal information is deleted or anonymized
- Aggregated, anonymized data may be retained indefinitely
- Security, audit, and access logs may be retained beyond the Grace Period as required for compliance, security, or legal purposes
You can request deletion of specific data at any time by contacting us at privacy@spiralxo.com.
8. Data Security
We implement reasonable technical and organizational security measures to protect your information, including:
- Industry-standard encryption for data in transit and at rest
- Secure password hashing (we never store plain-text passwords)
- Access controls and authentication mechanisms
- Regular security monitoring and audits
- Employee training on data protection
- Detailed logging of administrative access and support impersonation activities
However, no system is completely secure. While we work hard to protect your information, we cannot guarantee absolute security against all threats. You also play a role by:
- Using strong, unique passwords
- Keeping login credentials confidential
- Reporting suspicious activity immediately
9. Your Rights and Choices
Depending on your location, you may have certain rights regarding your personal information:
Access and Portability
You can request a copy of the personal information we hold about you.
Correction
You can update or correct inaccurate information through your account settings or by contacting us.
Deletion
You can request deletion of your personal information, subject to legal and operational requirements.
Restriction
You can request that we limit how we use your information in certain circumstances.
Objection
You can object to certain processing of your information.
Withdrawal of Consent
Where we rely on consent, you can withdraw it at any time.
To exercise these rights, contact us at privacy@spiralxo.com.
Organization Controls
Remember that your organization controls access to SpiralXO. Organization administrators can:
- Manage user accounts and permissions
- Update organization information
- Export or delete data
- Terminate the organizational account
10. Children’s Privacy
SpiralXO is designed for users 13 years of age and older. We do not knowingly collect personal information from children under 13.
Age Verification Responsibility
Organizations are responsible for verifying that all users meet minimum age requirements before adding them to the platform. SpiralXO relies on organizations to confirm eligibility during user onboarding.
We may require organizations to confirm age compliance as part of account setup or renewal.
If we discover that we have collected information from a child under 13:
- We will delete that information as quickly as possible
- We will notify the relevant organization
- We may suspend or terminate the account
If you believe a child under 13 has created an account, please contact us immediately at privacy@spiralxo.com.
Organizations are responsible for:
- Verifying that all users meet age requirements
- Obtaining required parental or guardian consents
- Ensuring compliance with applicable child protection laws
- Supervising and safeguarding minor users (ages 13-17)
11. Your Responsibilities
If You’re an Organization
You are responsible for:
- Ensuring you have lawful authority to collect and share user data with us
- Complying with applicable privacy and data protection laws (including FERPA, COPPA, GDPR, etc.)
- Informing your users about how their data will be used
- Obtaining necessary consents from users or their guardians
- Managing user access and permissions appropriately
If You’re a User
You are responsible for:
- Providing accurate information
- Keeping your login credentials secure
- Using the platform in accordance with our Terms of Service
- Respecting other users’ privacy
12. State and Regional Privacy Rights
California Residents (CCPA/CPRA)
SpiralXO acts as a Service Provider and does not sell or share personal information for cross-context behavioral advertising.
If you’re a California resident, you have specific rights under the California Consumer Privacy Act:
- Right to Know: What personal information we collect, use, and share
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: We do not sell personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise these rights, contact us at privacy@spiralxo.com.
European Economic Area, UK, and Switzerland (GDPR)
Data Processing Role: Where applicable, SpiralXO acts as a Data Processor on behalf of organizations, which act as Data Controllers.
If you’re in the EEA, UK, or Switzerland, you have rights under the General Data Protection Regulation, including:
- Access, correction, and deletion rights
- Right to restrict or object to processing
- Right to data portability
- Right to withdraw consent
- Right to lodge a complaint with your local supervisory authority
Legal Basis for Processing: We process your information based on:
- Contract performance: To provide the service you’ve requested
- Legitimate interests: To improve and secure our platform
- Legal obligations: To comply with applicable laws
- Consent: Where we’ve obtained your explicit consent
Other Regions
We comply with applicable privacy laws wherever we operate. If you have questions about your rights, contact us at privacy@spiralxo.com.
13. International Data Transfers
SpiralXO is based in the United States. If you access our platform from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
These countries may have different data protection laws than your country. When we transfer data internationally, we implement appropriate safeguards, such as:
- Standard contractual clauses
- Adequacy decisions by relevant authorities
- Other legally recognized transfer mechanisms
14. Cookies and Tracking Technologies
SpiralXO uses cookies and similar technologies to:
- Keep you logged in
- Remember your preferences
- Analyze platform usage
- Improve performance and security
Types of Technologies We Use
- Essential Cookies: Required for the platform to function (authentication, security)
- Analytics Cookies: Help us understand how users interact with SpiralXO
- Functional Cookies: Remember your settings and preferences
Your Choices
Most browsers allow you to control cookies through settings. However, disabling essential cookies may affect your ability to use SpiralXO.
15. Third-Party Links
SpiralXO may contain links to third-party websites or services. This Privacy Policy does not apply to those third parties. We encourage you to review their privacy policies before sharing information with them.
We are not responsible for the privacy practices or content of third-party sites.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- Changes in our practices
- Legal or regulatory requirements
- New features or functionality
When we make changes:
- We’ll post the updated Privacy Policy with a new “Last Updated” date
- For material changes, we’ll notify you via email or platform notice
- Your continued use of SpiralXO after changes take effect means you accept the updated Privacy Policy
We encourage you to review this Privacy Policy periodically.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices:
FieldIQ Holdings LLC
30 N. Gould St.
Sheridan, WY 82801
Email: privacy@spiralxo.com
18. Additional Information for Specific Contexts
FERPA Compliance (Educational Records)
For purposes of the Family Educational Rights and Privacy Act (FERPA), SpiralXO acts as a “school official” with legitimate educational interests when designated as such by an organization through a written agreement or Data Processing Addendum.
If your organization is subject to the Family Educational Rights and Privacy Act (FERPA), you are responsible for ensuring compliance. SpiralXO can function as a “school official” with legitimate educational interests when properly designated, but you remain responsible for:
- Maintaining appropriate agreements
- Ensuring proper use of educational records
- Protecting student privacy rights
For our part:
- We do not sell, rent, or use student data for marketing or advertising
- Upon contract termination, we will return or delete student data in accordance with our retention policy and any applicable Data Processing Addendum (DPA)
Data Processing Addendum (DPA)
School districts may request a DPA outlining data use limitations, security measures, and data return or deletion obligations.
Youth Sports Organizations
Organizations working with minors (ages 13-17) should:
- Have appropriate child safeguarding policies
- Obtain necessary parental consents
- Ensure proper supervision
- Comply with applicable youth protection laws
19. Data Flow Transparency
Data Segmentation & Access Controls
SpiralXO uses role-based access controls to ensure that:
- Organization data is logically separated from other organizations
- Users can access only the data permitted by their role
- Coaches, staff, and players see only team-relevant information
Data is processed solely to provide platform functionality and is not shared across organizations.
By using SpiralXO, you acknowledge that you have read and understood this Privacy Policy and agree to our collection, use, and sharing of your information as described.