Privacy Policy — Morphos Sports Analytics Portal
Last updated: May 26, 2026
Morphos Sports Analytics (“we,” “us,” or “our”) respects privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard personal information in connection with the Morphos Sports Analytics Portal website, any mobile applications we may make available from time to time, and related authenticated services that link through them (collectively, the “Service”).
Canadian privacy law is contextual. Depending on facts, PIPEDA and/or provincial private-sector laws may apply. We follow accountability principles: we designate practical responsibility for addressing this Policy and privacy requests (see below). Québec’s Law 25 and other provincial statutes may impose additional duties. Federal artificial-intelligence and data rules are evolving; we will update this Policy when we determine revisions are warranted as requirements applicable to us take shape—without treating draft or prospective statutes as fixed compliance outcomes before they bind us.
This Policy complements these frameworks and identifies practical practices for our Service today.
Where we provide the Service across Canada, disclosures are written to be broadly applicable unless a section calls out Québec or another province expressly.
Our Terms of Service describe the rules for using the Service. If you disagree with this Policy, do not use the Service.
Controller / accountability
Personal information handled through the Service is controlled by Morphos Sports Analytics, with principal address at Kitchener, Ontario, Canada.
Privacy accountability / inquiries: privacy@morphosanalytics.com (incoming messages about this Policy and privacy requests may be addressed to this contact).
We designate responsible internal roles for addressing privacy inquiries and escalating incidents; operational titles may evolve but the privacy contact routes requests.
Personal information we collect
We collect categories of information proportionate to providing the Service. Not every field applies to every user.
A. Account and authentication
- Identifiers & credentials: name (if supplied), email address, hashed password if applicable, role (e.g. athlete, guardian, agent, coach, staff), timestamps, referrals or invite metadata.
- Single sign‑on: if you authenticate with Google, we may receive identifiers (e.g. subject ID), email verification status, profile photo URL, consistent with OAuth consent prompts.
- Session security: pseudonymous identifiers in encrypted session tokens; IP address, user agent, and approximate country from platform headers (e.g. network edge or proxy) for security, abuse prevention, and audit.
B. Athlete and performance-related profile data
Subject to product configuration, we may process:
- Identity & demographics: first and last name, date of birth, sport, position, jersey number, graduation year, hometown, biography, body measurement fields if offered, and similar profile attributes.
- Biometric and movement-related signals: We may process body measurements, performance metrics, and video-derived movement, pose, skating or gait-related, or similar analytics. Depending on regulator guidance and context, some of this data may be treated as highly sensitive. If we introduce processing that constitutes biometric information or biometric templates used to identify or verify a natural person (distinct from ordinary game or performance analytics), we will deploy specific, explicit consent flows and update this Policy before that processing takes effect, including where Law 25 or other law requires it.
- Profile visibility / sharing choices: Subject to in-product controls (for example public, team-only, scout-visible, invite-only, or similarly labeled settings), you choose who may see profile fields, statistics, highlights, or linked media. When you enable visibility beyond your immediate team or organization, you direct us to make that information available to the categories of viewers the product implements (for example scouts, programs, recruiters, or the general public). You are responsible for who you expose through those settings; we do not guarantee how third-party recipients will reuse what they view.
- Relationships: roster, team, guardian–athlete, agent–athlete associations, invitations, organizational affiliations as mirrored in the Service.
C. Payments (agents/coaches tiers)
Stripe processes payment card and billing particulars. We do not store full card numbers on our Portal application servers; Stripe provides tokenized workflows. We may retain billing customer IDs, subscription status metadata, invoicing artefacts, tax flags, and Stripe event references reconciled for accounting and support.
D. Communications
- Operational email (team invites, resets, confirmations) sent through our transactional email infrastructure as configured for the Service.
- Support tickets or inbound messages you voluntarily send with their contents.
- Launch interest sign-ups: If you submit your email on our public marketing site to be notified when the Morphos Athlete Portal launches, we collect your email address, any role or preference you optionally select on the form, and proof of express consent (including timestamp) through Brevo, our email service provider. We use this information to send launch-related email (typically a one-time announcement when the portal goes live). We do not add you to ongoing marketing lists beyond that scope unless you separately opt in. You may unsubscribe using the link in those emails.
E. Videos and linked media metadata
Where you connect integrations (e.g. YouTube channel linkage) or submit links/IDs:
- Channel identifiers, OAuth tokens (secured at rest pursuant to operational standards), playlists or upload metadata, thumbnails, titles, processing status/error strings, ingestion queue entries, linkage to athlete profiles as logically required by your configuration.
Underlying video playback may occur on provider infrastructure—see Service providers (subprocessors).
Cloud-based video and AI processing. Ingesting, analyzing, transcoding, or enriching video may involve subprocessors that supply compute, storage, or machine-learning inference (for example environments on Microsoft Azure or comparable cloud AI services). Depending on architecture, frames, embeddings, audio segments, or derived features may be processed in memory, held in short-lived or transient storage, or retained under our agreements with the vendor—not exhaustive. A subprocessor is not necessarily free to use your footage for its own purposes: use is constrained by contract and documented as assisting the Service and the purposes in this Policy and our Terms of Service. See the subprocessors table for illustrations.
F. Diagnostics, troubleshooting, aggregate analytics
Technical logs capturing IP, UA, timestamps, coarse geo country, latency, correlation IDs (not exhaustive) for debugging, uptime, anomaly detection and security. Where feasible we reduce identifiability in historical logs.
Aggregate or de‑identified statistics may be generated for roadmap or reliability planning and may contribute to model improvement as described below.
De-identified information. Where we apply technical and organizational measures such that information no longer constitutes personal information under applicable law in a given context—for example through robust de-identification, aggregation, or anonymization assessed in light of re-identification risk—we may retain and use that information without a fixed deletion deadline for research and development, model training, benchmarking, product quality, security, and operational analytics, consistent with our Terms of Service. This does not reduce our duties toward information that still identifies an individual.
Metrics and statistics shown in the Service are guides only and must be confirmed through appropriate physical or in‑person assessments by qualified professionals; they are not a substitute for professional evaluation.
G. Organizational / admin tooling
Privileged staff or organizational administrators viewing directory or audit artefacts may see additional operational records (audit trails, quotas, ingestion states). Availability depends on deployment mode and contractual packages.
Purposes — why we process
We collect and use personal information to:
- Deliver, configure, personalize, authenticate, operate, upgrade, optimize, analyze reliability of, secure, and troubleshoot the Service;
- Bill, collect taxes where applicable (through Stripe calculations), reconcile entitlements and quotas (where enabled);
- Communicate about accounts, outages, breaches, transactional notices and substantive policy revisions—not marketing unless separately consented;
- Enforce Terms, mitigate fraud/abuse/enumeration/resale, cooperate with lawful requests;
- Meet legal/regulatory bookkeeping, subpoena/compelled disclosure, lawful investigation support;
- Perform internal business analytics that do not materially re‑identify individuals without additional safeguards where required;
- Plan or conclude corporate transactions with appropriate confidentiality / continuity safeguards;
- Build, train, evaluate, and improve machine learning and computer vision capabilities using de-identified, aggregated, or anonymized data that does not reasonably identify natural persons, consistent with our Terms of Service and Model improvement and Derived Data below.
Canadian law acknowledges meaningful consent (express or reasonable implied in context depending on sensitivity, medium, regulator guidance, and statutes). Sensitive attributes (for example combining exact date of birth with movement or biometric‑like analytics, if the product introduces such capabilities) merit clearer opt‑in disclosures—we will revise this Policy accordingly if features change.
Where express consent banners are shown in-product for integrations (OAuth or channel linking), we align collection to disclosed scopes presented at linkage time.
Model improvement and Derived Data
Our Terms of Service distinguish User Content (materials you submit or link) from Derived Data (analytics, model outputs, highlights, and similar artifacts generated by the Service). Morphos retains ownership of Derived Data subject to the limited license described in the Terms.
Where we process personal information contained in User Content, telemetry, or operational logs, we may create de-identified, aggregated, or anonymized datasets—using technical and organizational measures appropriate to the sensitivity and context—to develop and improve our models and analytics. Re-identifying individuals for secondary marketing is not the purpose of this activity; when we use de-identified or aggregate forms for research and improvement, we aim to reduce identifiability in line with this Policy, our Terms, and applicable law. Guardian-managed accounts remain subject to the children section below.
Information that does not qualify as personal information in a given context is generally outside the scope of access‑ and correction‑style requests that apply to identified individuals, subject to regulator guidance if circumstances suggest residual identifiability.
Legal authority (Canadian — high level overview)
Rather than cloning GDPR “bases,” we characterize practice under Canadian norms:
| Context | Typical authority | Notes |
|---|---|---|
| Core Service delivery & security | Reasonable contractual necessity + safeguarding implied consent cues at login / registration | Sensitive expansions merit explicit consent overlays. |
| Transactional notices | Fulfillment necessity / implied consent frameworks | Operational; not discretionary marketing lists. |
| Marketing / testimonials / research | Separate express opt‑in | Launch waitlist: one-time launch notification email when you opt in on our marketing site (see Communications above). Other marketing uses require separate consent. |
| Legal compliance / lawful requests | Legal obligation | Documented escalation path. |
Organizations under Alberta or BC private-sector acts, or Québec’s Law 25, may need disclosures or schedules tailored to their facts—we welcome questions at privacy@morphosanalytics.com.
Children and guardian-managed accounts
Users under 18 must register only through and under the ongoing management of a parent or guardian using appropriate account roles/workflows. Guardians authorize collection, uses, and disclosures described herein, including performance-related metrics and imagery or likeness appearing in video or profile media linked to the minor’s account, where those features are used.
We do not knowingly market to children inappropriately. If you believe a minor’s account was created outside these rules, contact privacy@morphosanalytics.com and we will investigate and may take remedial action.
Cookies and similar technologies
We use strictly necessary session cookies (e.g. authenticating your browser to the Service via NextAuth / Auth.js patterns) and security / anti‑abuse cookies or headers as applicable. We do not deploy third‑party advertising pixels or retargeting networks as of the Last updated date; we will revise this Policy if that changes.
You can control browser cookie settings; disabling essential cookies may block login.
When we disclose personal information
We disclose information:
- To service providers / processors who assist under written or standard contractual controls (see table below);
- Within your organization or team where sharing is inherent to role-based access (e.g. coach viewing roster stats);
- Pursuant to your visibility or sharing settings, including public, scout-visible, share-link, or comparable in-product choices that expand who may view profile data, video, or analytics—you instruct those disclosures to the extent the product reflects your selections;
- For legal reasons (subpoena, court order, regulator demand, national security request where compelled, child safety exigencies—subject to validation steps);
- Corporate transactions (merger, financing, asset sale) with continuity assurances;
- With your direction or explicit consent (e.g. linking an external channel or affirmatively inviting a third party to view content).
We do not sell personal information for cash consideration or list brokerage as described here. Some U.S. state laws characterize certain disclosures as “sales”; we do not treat our processing under this Policy as a sale under those laws as we interpret them today. U.S. residents may contact privacy@morphosanalytics.com about state‑specific privacy rights.
Service providers (subprocessors) — illustrative
Actual vendors may evolve. Maintain an internal registry and publish diff notices for material changes where required.
| Provider (category) | Role | Typical data elements | Typically processed in |
|---|---|---|---|
| Google (OAuth / YouTube APIs) | Authentication & media integration | Account IDs, tokens, channel metadata | Canada (including data residency and processing locations per our configuration and Google’s applicable terms) |
| Stripe | Payments & billing compliance | Billing contact, tokens, invoices | Regions per Stripe’s data processing terms and your account settings |
| Microsoft Azure (Canada) | Cloud hosting, CDN, observability, database persistence | Logs, IPs, payloads selectively in logs; operational databases | Canada |
| Brevo | Transactional email; launch waitlist collection and launch announcements | Email addresses, consent records, optional role selection on signup forms | Regions per Brevo’s data processing terms |
| Cloud AI / ML inference (e.g. vision or speech features) | Feature extraction, model inference, batch analytics | Frames, clips, embeddings, labels, confidence scores, job metadata | Regions per vendor terms and our deployment configuration (may include Canada and/or other regions) |
We primarily retain persistent application and primary database workloads in Canada as configured today (Canada above). Some subprocessors—including Stripe, Google, and specialized AI inference providers—may route or store subsets of data outside Canada. By using the Service, you acknowledge cross-border processing may occur where we rely on those vendors, and that foreign laws may apply to their processing as described in their documentation, alongside contractual safeguards we implement where required.
Cross-border disclosures may be legally restricted or require safeguards (contracts, transfer risk assessments, and technical measures). Québec may impose heightened notice for transfers outside Québec; we document processor relationships and region choices in this Policy and our internal records.
Retention — how long we keep data
Retention is purpose-driven, not indefinite:
- Account & profile artifacts: lifecycle of active account plus a grace / legal hold buffer of 30 days after closure unless a longer period is required by law or needed to resolve disputes, abuse, or billing.
- Logs / security artefacts: typically retained up to 30 days in rotating windows (class and severity may justify limited extensions for security incidents or legal hold).
- Financial records tied to Stripe: we align operational copies with the above where practicable; statutory bookkeeping and tax retention may require longer periods as applicable law mandates.
Aggregated datasets may persist with identifiers removed sooner.
Technical backups may retain residual copies until rotation completes; operational deletion timelines above apply to primary systems.
Security
We maintain administrative, technical, and organizational measures appropriate to sensitivity: encryption in transit (TLS), password hashing, least-privilege credential patterns, segregation of privileged routes, intrusion monitoring hypotheses, patching cadence—not exhaustive and never a guarantee.
Report suspected vulnerabilities to security@morphosanalytics.com.
Your rights — access, correction, withdrawal, portability
Canadian individuals generally have expectations of access and correction fairness; Québec Law 25 provides additional rights in some cases (for example de-indexing and cessation of dissemination, subject to conditions). Automated decision-making is described below.
You may submit requests via privacy@morphosanalytics.com. We may verify identity (guardian attestations handled carefully). Responses occur within timelines reasonable under the circumstances and law (typically about 30 calendar days domestically when a request is not complex).
Deletion caveats: we may decline or postpone where retention is mandated (tax, subpoena preservation, unresolved chargebacks, unresolved abuse remediation). Pseudonymous residual fragments in archival backups may linger until overwritten under rotation.
Portability (machine readable exports) may be fulfilled where technically feasible; contact privacy@morphosanalytics.com to request an export.
International users (outside Canada) contacting us voluntarily may invoke parallel rights subject to overlaps.
Automated decision‑making & profiling
We do not use solely automated processing that produces legal or similarly significant effects about you under Québec tests as we apply them to the Service today. AI-assisted metrics in the product (for example speed, shot, or event summaries) are decision-support guides for human coaches, staff, or guardians—not a substitute for human judgment and not automatic recruitment, eligibility, or contracting decisions—see our Terms of Service. If we introduce features that cross into solely automated decisions with similar significance, we will update this Policy and any in-product disclosures before they take effect.
Complaints
You may contact our privacy contact first. You may also lodge a complaint with:
- Office of the Privacy Commissioner of Canada (OPC) — https://www.priv.gc.ca
- Provincial privacy authorities when applicable (e.g. Alberta OIPC, BC OIPC, Québec CAI).
We are not aware of an additional sector-specific privacy regulator (for example dedicated health or education bodies) that applies to the Service as of the Last updated date; contact privacy@morphosanalytics.com if your use case may fall under sector rules.
Changes to this Policy
We will update the “Last updated” date and may provide additional notice (email or in-product banner) for material changes—especially where fresh consent is legally required (for example introducing marketing tracking, materially broader disclosures, or new categories of sensitive or biometric processing).
Unless applicable law requires a different rule, continued use after notice constitutes acknowledgment of updates except where implied consent is not permitted—for example Québec may require clearer notice or consent for certain new purposes.
Contact
Morphos Sports Analytics — Privacy
Address: Kitchener, Ontario, Canada
Email: privacy@morphosanalytics.com
Security: security@morphosanalytics.com