Drive Hockey Analytics, Inc. Data and Privacy Policy

1. WHO WE ARE AND OUR ROLE

Drive Hockey Analytics, Inc. is the Data Controller for all personal information collected through our Services. This means we determine how and why your personal data is processed.

Service Partners: You may receive tracking services from authorized Drive resellers (Service Partners). Even when working with a Service Partner, your data protection relationship is directly with Drive, not the Service Partner.

2. WHAT INFORMATION WE COLLECT

We collect three distinct types of information:

A. Personal Information

Personal information that directly identifies you:

• Account Information: Name, email address, phone number, password
• Profile Information: Date of birth, team affiliation, jersey number
• Location Information: City, province/state, country, postal/ZIP code
• Payment Information: Processed by third-party payment processors (Stripe, PayPal); we do not store complete credit card numbers
• Organization Information: Company name (if applicable)

When it's required: Name and email are required to create an account. Other information is optional unless specifically indicated.

B. Sensor Data (Anonymous Technical Measurements)

Raw data collected from tracking sensors during games and practices:

• Movement measurements (speed, acceleration, position coordinates)
• Device identifiers and timestamps
• Rink location data (for calibration purposes)
• Event participation records

C. Performance Data (Processed Analytics)

Analytics and insights we generate from Sensor Data using our proprietary algorithms:

• Performance reports and visualizations
• Statistical analysis and trends over time
• Comparative benchmarks
• Insights and recommendations

How We Separate Personal Information from Performance Data

We use a token-based linking system:

During Tracking:

• Sensors collect movement data anonymously
• No personal information is embedded in sensor data

When You View Reports:

• Our system links sensor data to your account using secure tokens
• You see performance data displayed under "your" account
• We control who can see this connection

When You Delete Your Account:

• We delete your Personal Information
• We delete the link between your account and performance metrics
• The anonymized performance metrics remain but can no longer identify you

What This Means:

• Linked: Performance Data + Personal Information = Your personal data protected under GDPR
• Unlinked: Performance Data alone = Drive's proprietary technical data
• You have full rights over the linked version
• Drive can use the unlinked version for business purposes

D. Website Usage Data

Information automatically collected when you visit our website:

• Cookies and Tracking Technologies: See Section 9
• Usage Data: Pages visited, time spent, clicks, browser type, device type
• Analytics Data: Collected through Google Analytics, HubSpot Analytics, FullStory

3. HOW WE USE YOUR INFORMATION

We use your information for the following purposes:

Anonymized and Aggregated Data:

We use Performance Data in anonymized or aggregated form (where it cannot identify you) for:

• Product development and improvement
• Industry research and benchmarking (e.g., "average speed for 14-year-old players")
• Commercial purposes, including licensing to third parties
• Publishing statistics and insights

Example: We might say "players aged 13-15 average 18 mph top speed" but would never say "John Smith skated 18 mph on Tuesday" without consent.

4. HOW WE PROTECT YOUR INFORMATION

We implement industry-standard security measures:

Technical Safeguards:

• Encryption in transit: TLS 1.2 or higher
• Encryption at rest: AES-256
• Multi-factor authentication for administrative access
• Intrusion detection and prevention systems
• Regular security patching and updates
• Secure backup systems

Organizational Safeguards:

• Access controls (need-to-know basis only)
• Employee background checks and training
• Data protection policies and procedures
• Regular security audits
• Incident response plan

5. WHO WE SHARE YOUR INFORMATION WITH

A. Service Partners

If you receive tracking services from an authorized Drive reseller:

• They can see your name and team affiliation (to provide services)
• They can access Performance Data necessary to operate equipment
• They must keep your information confidential
• They cannot use your data for their own purposes
• They must refer data requests to Drive

B. Third-Party Service Providers

We share data with trusted service providers who help us operate:

All service providers are contractually required to protect your data and use it only for specified purposes.

C. With Your Consent

We will share your identified Performance Data (linked to your name) with third parties only when you explicitly consent. Examples:

• Scouts or recruiters you authorize
• Coaches or teams you grant access to
• Research studies you choose to participate in

D. Legal Requirements

We may disclose information when required by law:

• In response to valid legal process (subpoenas, court orders)
• To law enforcement or government agencies when legally required
• To protect our rights, property, or safety
• In connection with business transfers (mergers, acquisitions)

E. What We DO NOT Do

• We do NOT sell your Personal Information to third parties
• We do NOT share your identified Performance Data without your consent
• We do NOT allow Service Partners to use your data for marketing

6. INTERNATIONAL DATA TRANSFERS

Where Your Data is Stored:

• Primary servers: United States (AWS cloud hosting)
• May be accessed from: Canada (Drive's headquarters)

For European Economic Area (EEA) Users:

• We transfer your data to the United States and Canada
• We use Standard Contractual Clauses approved by the European Commission
• You have the same data protection rights regardless of where data is stored
• See our Data Processing Addendum for technical details

7. HOW LONG WE KEEP YOUR DATA

7.1 Our Approach to Data Retention

Drive provides long-term athletic development tracking. We retain your account and Performance Data to allow you to access your historical performance information over years or decades. Many athletes return after extended periods to review their development from youth hockey through adulthood.

Key Principle: We distinguish between inactive accounts (you haven't logged in but haven't deleted your account) and deleted accounts (you've explicitly requested removal).

7.2 Retention by Account Status

7.3 Inactive Accounts Explained

What is an Inactive Account?

Your account becomes "inactive" when you stop logging in but have not requested deletion. This is normal - life gets busy, you may take breaks from hockey, or stop playing for years.

Why We Keep Inactive Account Data:

Historical performance data is valuable. Common scenarios:

• Youth player returns as adult to see development from age 10-18
• Player takes 5 years off, returns to compare performance before/after break
• Parent wants to show their child's athletic progression over a decade
• Former player uses data for coaching or analysis years later

What Happens to Inactive Accounts:

Years 0-2 of inactivity:

• No change - data fully accessible when you log in
• All rights remain (access, correct, delete, download)

After 2+ Years of inactivity:

• Data may be moved to archived storage (secure but not immediately accessible)
• Accessing archived data may require additional service fees or upgraded service packages, as specified when you ordered your product or service
• We may send periodic email reminders (quarterly or less frequently, at our discretion) asking you to confirm you want to keep your account
• You can log in anytime to confirm retention or request deletion, subject to data availability

After 7+ Years of inactivity:

• Quarterly email reminders could be sent asking you to confirm account retention
• We reserve the right to delete your account, particularly if:
  • Reminder emails are undeliverable
  • You do not respond to reminder communications
  • Your account remains dormant despite outreach attempts
• We will make reasonable efforts to provide notice before deletion
• You can reactivate or delete at any time before final deletion, subject to data availability

7.4 Deleted Accounts

How to Delete Your Account:

You must explicitly request deletion through:

• Account settings → "Delete Account" button
• Email to [email protected] with subject "Delete My Account"

Simply not logging in does not delete your account.

Automatic Deletion:

We may automatically delete accounts that:

• Have been inactive for 7+ years, AND
• Have not responded to reminder communications, OR
• Have undeliverable email addresses preventing communication

We will make reasonable efforts to notify you before automatic deletion.

What Happens When You Delete (or We Delete):

Within 90 days:

• Personal Information (name, email, contact details) permanently deleted
• Link between your account and Performance Data permanently deleted
• Important: If you request deletion, you have 90 days to also request data portability. If you don't request portability within this window, your data will be deleted and cannot be recovered.

After 90 days:

• Personal Information: Fully deleted
• Link to Performance Data: Fully deleted
• Performance Data: Anonymized and retained as Drive's proprietary research data (can no longer identify you)

7.5 Specific Data Types

7.6 Why Indefinite Retention is Legal

Under GDPR Article 89 and privacy laws, we can retain data indefinitely when:

• It serves a legitimate purpose - Historical athletic tracking is our core service
• Users expect it - Athletes want long-term performance records
• It's clearly communicated - We tell you upfront in our Terms of Service
• You can delete anytime - Easy deletion through account settings
• We implement safeguards - Archived storage, access controls, periodic reviews
• We respect your rights - All GDPR rights apply to inactive accounts

This is similar to how:

• Medical providers retain health records for decades
• Educational institutions keep academic transcripts indefinitely
• Financial institutions maintain transaction history

Historical performance data has enduring value to athletes.

7.7 Your Control Over Retention

You always have control:

To keep your data indefinitely:

• Simply maintain your account (even if inactive)
• Respond to periodic reminder emails confirming retention
• Log in occasionally (even once every few years)
• Data accessibility and recovery from archived storage may depend on your service package level. Additional fees may apply for archived data access as specified in your product or service order.

To delete your data:

• Use account settings → "Delete Account"
• Email [email protected]
• Respond to any reminder email requesting deletion

To download your data first:

• Use account download feature before deletion
• Request data export via [email protected]
• See Section 8 for data portability rights

7.8 Inactive Account Reminders

We may send email reminders at our discretion:

• After 2+ years of inactivity: Periodic reminders (frequency varies)
• After 7+ years of inactivity: Reminders before potential deletion

Email goes to: The email address on your account (keep it current!)

If emails are undeliverable:

• We may be unable to notify you before account deletion
• Keep your email address current to ensure you receive important notices

Can't access that email anymore?

• Contact [email protected] from a new email
• We'll verify your identity and update your contact information

7.9 Special Retention Cases

Legal obligations:

Some data must be kept longer due to legal requirements:

• Financial records: 7 years (tax law)
• Records subject to litigation hold: Until legal matter resolved
• Regulatory investigations: Until investigation closed

Your rights still apply - you can access this data and we'll explain why it's retained.

Deceased users:

If we're notified of a user's death, we work with family/estate representatives to:

• Provide data access to authorized parties
• Honor any documented wishes about data retention/deletion
• Delete account if requested by estate

Contact [email protected] with subject "Deceased User Account"

8. YOUR PRIVACY RIGHTS

You have the following rights under GDPR and similar privacy laws:

Access Your Data

Request copies of your Personal Information and Performance Data.

Correct Your Data

Update inaccurate or incomplete information.

Delete Your Data

Request deletion of your Personal Information and the link to your Performance Data. (Anonymized Performance Data may be retained.)

Restrict Processing

Limit how we use your data in certain situations.

Data Portability

Receive your data in a common format to transfer to another service.

Object to Processing

Object to processing based on legitimate interests.

Withdraw Consent

Withdraw consent for marketing or other consent-based processing.

Lodge a Complaint

File a complaint with your data protection authority if you believe we violated your rights.

How to Exercise Rights:

• Email: [email protected]
• Account settings (for some rights)
• We will respond within 30 days (may extend to 60 days for complex requests)

Find Your Supervisory Authority (EEA):
https://edpb.europa.eu/about-edpb/board/members_en

9. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar technologies to:

• Keep you logged in
• Remember your preferences
• Analyze how you use our Services
• Provide targeted advertising

Types of Cookies We Use:

Your Cookie Choices:

• Most browsers allow you to block or delete cookies
• Some features may not work properly if you disable cookies
• For targeted advertising, you can opt out at: www.aboutads.info/choices

10. CHILDREN'S PRIVACY

Age Requirements:

• 18 or older: Can create account independently
• Under 18: Requires parent/guardian consent
• Under 16 (EEA): Requires parent/guardian consent per GDPR

Parental Rights:

Parents/guardians can:

• Access their child's data
• Correct their child's information
• Delete their child's account
• Contact [email protected] with concerns

We do not knowingly collect data from children without parental consent. If you believe we have collected data from a child without consent, contact us immediately.

11. DATA BREACH NOTIFICATION

If your data is compromised:

• We will notify you within 72 hours of discovering the breach
• Notification will include:
  • Nature of the breach
  • Types of data affected
  • Likely consequences
  • Steps we're taking to address it
  • Steps you should take to protect yourself
• We will also notify relevant data protection authorities as required by law

12. CHANGES TO THIS PRIVACY NOTICE

We may update this Privacy Notice from time to time. We will notify you of material changes by:

• Email to your registered address
• Notice in your account dashboard
• Posting the updated notice on our website with a new "Last Updated" date

Your continued use of the Services after changes take effect constitutes acceptance of the updated Privacy Notice.

13. THIRD-PARTY LINKS AND SERVICES

Our website may link to third-party websites or services. This Privacy Notice applies only to Drive Hockey. We are not responsible for the privacy practices of third parties. Please review their privacy policies before providing them with information.

14. YOUR CALIFORNIA PRIVACY RIGHTS

California "Shine the Light" Law:

California residents can request information about personal information disclosed to third parties for marketing purposes. Contact [email protected] to make such a request.

California Consumer Privacy Act (CCPA):

Many rights under CCPA are similar to GDPR rights described in Section 8.

15. CONTACT US

This Privacy Notice is written in plain language to help you understand your rights and our practices. For detailed legal and technical information, please review our Data Processing Addendum.