1. Introduction

SimpleTherapy, Inc. (“we,” “us,” or “our”) operates the ProPlayAI platforms and is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and share personal information when you use our video-based motion analysis services.

This Privacy Policy applies to the following services and brands operated by SimpleTherapy, Inc.:

• PerformAI – Human performance analytics
• SportsAI – Athletic movement analysis
• ProPlayAI – Sports performance and biomechanics (including PitchAI, HitAI and QBThrowAI)

Collectively, these are referred to as the “Services” in this Privacy Policy.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, password, organization name, job title, and contact details.
• Payment Information: Credit card details and billing address for subscription purchases. Payment processing is handled by PCI-compliant third parties.
• Video Content: Videos, images, and files you upload for movement analysis, ergonomic assessment, or sports performance evaluation.
• Subject Information: Information about individuals depicted in uploaded content, which may include name, role, team, or assessment context as provided by you.
• Communications: Messages, feedback, and support requests you send to us.

2.2 Information Collected Automatically

• Device Information: IP address, browser type, operating system, and device identifiers.
• Usage Data: Pages visited, features used, time spent, and navigation paths.
• Log Data: Server logs, error reports, and diagnostic information.

2.3 Information from Third Parties

We may receive information from enterprise customers who provide employee or participant data for assessments, single sign-on (SSO) providers, and business partners or resellers.

3. Video and Movement Data

Our Services analyze video recordings of human movement. We want to be transparent about how this data is handled.

3.1 What We Process

When you upload video content, our AI-powered 3D NeuroNet engine analyzes movement patterns to generate:

• 3D skeletal models and joint position data
• Biomechanical measurements (angles, velocity, range of motion)
• Risk scores and ergonomic assessments (REBA, NIOSH, RULA, etc.)
• Performance analytics and comparison reports
• Sports-specific metrics (pitch mechanics, throwing analysis, etc.)

3.2 Biometric Information

In some jurisdictions, movement analysis data derived from video may be classified as biometric information. Important clarifications:

• We do not use biometric data for identification purposes
• Our analysis focuses on movement patterns and biomechanics, not identifying individuals
• Video can be processed with face-blurring enabled to reduce identifiability
• We comply with applicable biometric privacy laws, including the Illinois Biometric Information Privacy Act (BIPA)

3.3 Consent for Video Subjects

If you upload videos depicting other individuals (employees, athletes, etc.), you are responsible for obtaining appropriate consent from those individuals or their legal guardians before uploading. By uploading such content, you represent that you have obtained all necessary consents and authorizations.

3.4 Minor Athletes (ProPlayAI)

For sports performance analysis involving athletes under 18, the uploading party (coach, trainer, or parent/guardian) must obtain verifiable parental or guardian consent before uploading video content. We do not knowingly collect personal information from children under 13 without parental consent.

4. How We Use Your Information

We use your information for the following purposes:

• Provide Services: Process videos, generate reports, and deliver movement analysis results.
• Account Management: Create and manage your account, process subscriptions, and handle billing.
• Customer Support: Respond to inquiries, troubleshoot issues, and provide technical assistance.
• Improve Services: Analyze usage patterns, develop new features, and enhance platform performance.
• Communications: Send transactional messages, product updates, and marketing communications (with consent where required).
• Security: Protect against fraud, abuse, and unauthorized access.

4.1 AI and Machine Learning

We may use anonymized or aggregated data that does not identify any individual to train and improve our AI and machine learning models. This enhances the accuracy of our motion analysis technology. We do not use identifiable personal information or identifiable video content to train AI models without explicit consent.

5. Legal Bases for Processing (EEA/UK)

If you are in the European Economic Area (EEA) or United Kingdom (UK), we process your data based on:

• Contract: Processing necessary to provide the Services you requested.
• Legitimate Interests: Improving our Services, fraud prevention, and direct marketing (where not overridden by your rights).
• Consent: Where you have given explicit consent, which you may withdraw at any time.
• Legal Obligation: Compliance with applicable laws.

6. How We Share Your Information

We may share your information with:

• Service Providers: Third-party vendors who help us operate our business (cloud hosting, payment processing, customer support, analytics). These providers are contractually obligated to protect your data. A list of subprocessors is available upon request.
• Enterprise Customers: If you use Services through your employer or organization, we may share data with them as necessary to provide the Services.
• Legal Requirements: When required by law, court order, or government request.
• Business Transfers: In connection with a merger, acquisition, or sale of assets.
• With Your Consent: For other purposes with your explicit permission.

We do not sell your personal information.

7. International Data Transfers

SimpleTherapy, Inc. is headquartered in the United States. Your information may be transferred to and processed in the United States or other countries where our service providers operate.

7.1 Data Privacy Framework Compliance

SimpleTherapy, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.

SimpleTherapy has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and its UK Extension. SimpleTherapy has also certified that it adheres to the Swiss-U.S. DPF Principles for the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.

To learn more about the Data Privacy Framework Program and to view our certification, please visit: https://www.dataprivacyframework.gov/

7.2 Standard Contractual Clauses

For transfers from the EEA, UK, or Switzerland to countries without an adequate level of data protection (where not covered by the Data Privacy Framework), we use Standard Contractual Clauses (SCCs) approved by the European Commission or UK Information Commissioner’s Office. Enterprise customers requiring data residency in specific regions should contact us to discuss available options.

8. Data Retention

We retain your information as follows:

Anonymized or aggregated data that cannot identify any individual may be retained indefinitely for research and analytics.

9. Your Privacy Rights

9.1 All Users

• Access: Request a copy of your personal data.
• Correction: Request correction of inaccurate data.
• Deletion: Request deletion of your data, subject to legal requirements.
• Opt-Out: Unsubscribe from marketing communications.
• Data Export: Request your data in a portable format (JSON).

9.2 EEA/UK Residents (GDPR)

Additional rights under GDPR:

• Right to restrict processing
• Right to object to processing based on legitimate interests
• Right to withdraw consent at any time
• Right to lodge a complaint with your supervisory authority

9.3 California Residents (CCPA/CPRA)

Additional rights under California law:

• Right to know what personal information we collect and how it is used
• Right to delete personal information
• Right to correct inaccurate information
• We do not sell personal information or share it for cross-context behavioral advertising
• Right to non-discrimination for exercising your rights

9.4 Australian Residents

If you are in Australia, you have rights under the Privacy Act 1988 to access and correct your personal information. You may also complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the Australian Privacy Principles.

9.5 How to Exercise Your Rights

Contact us at privacy@simpletherapy.com to exercise any of these rights. We will respond within the timeframes required by applicable law (generally 30-45 days). We may verify your identity before processing requests.

10. Cookies and Tracking

We use cookies and similar technologies:

• Essential: Required for login, security, and core functionality.
• Analytics: Help us understand how you use our Services.
• Functional: Remember your preferences.
• Marketing: Deliver relevant ads (with consent where required).

You can manage cookies through your browser settings. Disabling certain cookies may affect functionality.

11. Security

We implement appropriate technical and organizational measures to protect your information, including encryption in transit and at rest, access controls, and regular security assessments. Our parent company, SimpleTherapy, Inc., maintains SOC 2 Type II certification.

No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

12. Enterprise Customers

When providing Services to enterprise customers (employers, organizations, sports teams), we typically act as a data processor on behalf of the customer (data controller). The enterprise customer’s privacy policy governs their collection and use of your information.

Enterprise customers may request a Data Processing Agreement (DPA) with Standard Contractual Clauses. Contact legal@simpletherapy.com for DPA requests.

13. Third-Party Links

Our Services may link to third-party websites or services not operated by us. We are not responsible for their privacy practices. Review their privacy policies before providing personal information.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by posting the updated policy on our websites, updating the “Last Updated” date, and where required, providing additional notice. Your continued use of the Services after changes constitutes acceptance.

15. Contact Us

For questions about this Privacy Policy or to exercise your rights:
SimpleTherapy, Inc.
(Operating ProPlayAI)
Attn: Privacy Team
Email: privacy@simpletherapy.com
Websites: proplayai.com

Supervisory Authorities

You may lodge complaints with:

• UK: Information Commissioner’s Office (ico.org.uk)
• EU: Your local Data Protection Authority
• Australia: Office of the Australian Information Commissioner (oaic.gov.au)
• Canada: Office of the Privacy Commissioner (priv.gc.ca)

16. Data Privacy Framework Dispute Resolution

SimpleTherapy commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, its UK Extension, and the Swiss-U.S. DPF to the International Centre for Dispute Resolution/American Arbitration Association (ICDR/AAA), an alternative dispute resolution provider based in the United States.

If you do not receive timely acknowledgement of your DPF-related complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of the ICDR/AAA are provided at no cost to you.

16.1 Binding Arbitration

Under certain conditions, individuals may invoke binding arbitration as outlined in Annex I of the DPF Principles. To invoke arbitration, deliver notice to SimpleTherapy at privacy@simpletherapy.com and follow the procedures described in Annex I. For more information, visit the Data Privacy Framework website at https://www.dataprivacyframework.gov/.

17. Regulatory Oversight and Enforcement

17.1 FTC Enforcement

SimpleTherapy, Inc. is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

17.2 Lawful Requests and National Security

SimpleTherapy may disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

17.3 Liability for Onward Transfers

SimpleTherapy remains liable under the Data Privacy Framework for the processing of personal data transferred to third parties acting as agents on our behalf, unless we prove we are not responsible for the event giving rise to the damage.