Swish — Privacy Notice
This Privacy Notice explains how Swish Basket Inc. (“Swish,” “we,” “us,” or “our”) collects, uses, shares, and protects information in connection with the Swish mobile application (the “App”), which operates with the Swish court camera (the “Camera”, and all together, the “Service”).
Because the Service relies on face recognition to attribute shots to the correct player, this notice contains detailed disclosures about biometric information. Please read Section 4 carefully.
1. Who we are and how to contact us
Controller: Swish Basket Inc. Contact us at [contact@swishbasket.ai]
2. Scope
This notice applies to end users who create a Swish account and use the App.
3. Information we collect
3.1 Information you provide
- Account information: email address, password (hashed), display name, date of birth (for age verification), and country.
- Profile information: optional profile photo, position, height, team, and skill level.
- Enrollment data: one or more face images captured during onboarding so the Service can generate a face template (see Section 4).
- Content you submit: drill configurations, custom zones, tournament setups, comments, feedback, and support messages.
- Payment information: if you purchase a subscription or hardware, payment card or wallet details are collected and processed by our payment processor (e.g., Apple App Store / Google Play / Stripe); we receive only transaction metadata.
3.2 Biometric information (special category of information)
- Face templates (mathematical vectors derived from your face images) used to recognize you during play.
- Raw enrollment images used solely to generate and, if necessary, regenerate the templates described above.
- See Section 4 for full disclosures, retention, and your rights regarding biometrics.
3.3 Camera captures and gameplay data
- Video frames captured by the Camera while a session is active.
- Audio is not recorded.
- Derived gameplay data: shot attempts, makes/misses, shot origin coordinates, zone classification, trajectory and arc metrics, entry angle, release timing, session duration, and session outcomes.
- Attribution data: which shot is associated with which enrolled player, based on face recognition and position correlation.
3.4 Device and technical data
- Device model, OS version, App version, language, time zone, mobile carrier (if applicable).
- Camera identifiers (serial number, firmware version, pairing tokens).
- IP address, connection type, and diagnostic logs.
- Crash reports and performance telemetry.
3.5 Location data
- Coarse location derived from IP address.
- Court location you register so the App can recognize a saved court and enable cross-court features.
3.6 Information from other users and sources
- If you are invited to a tournament, 1v1, or shared session, we may receive your identifier from the inviting user.
- If you link a third-party account (e.g., Apple ID, Google, social sign-in), we receive the basic profile information that service shares with us.
4. Biometric information — detailed disclosures
Face recognition is a core, non-optional feature of the Service for enrolled users. This section is intended to comply with Illinois BIPA, Texas CUBI, Washington RCW 19.375, GDPR Art. 9, UK GDPR Art. 9, and Israel’s Privacy Protection Law.
4.1 What we collect and how
When you enroll, the App captures one or more images of your face. A face template (an irreversible mathematical representation, not a stored image) is generated using on-device processing. The template is used to recognize you in future sessions.
4.2 Purposes
Face templates are used only to:
- Attribute shots to the correct player during sessions;
- Persist your identity across turns and between sessions;
- Enable multi-player disambiguation when several enrolled users are on the same court; and
- Allow rapid, frictionless player switching without manual input.
We do not use face templates for advertising, profiling, mood or emotion detection, demographic inference, surveillance, or law enforcement, and we do not sell them.
4.3 Consent
We collect, store, and use your biometric information only with your express, opt-in written consent, given during onboarding. You may withdraw consent at any time by deleting your enrollment in Settings → Profile → Delete Account, or by contacting us at [contact@swishbasket.ai]. Withdrawal does not affect the lawfulness of processing before withdrawal. Withdrawing consent will disable face-based attribution; you may still use manual attribution modes where available.
4.4 Storage and security
- Face templates are stored on our servers.
- Transmission is protected with TLS 1.2+.
- Access is restricted to engineering personnel who require it to operate the recognition system, under confidentiality obligations.
4.5 Retention
- Face templates and enrollment images: retained while your account is active and for no more than three (3) years after your last use of the Service, after which they are permanently deleted, consistent with the maximum permitted under BIPA.
- You may request earlier deletion at any time (see Section 12).
- Raw enrollment images, if retained at all, are deleted within 90 days after a stable template is generated, unless you opt to keep them to allow re-training.
4.6 Disclosure
We do not sell, lease, trade, or otherwise profit from biometric information. We share it only with sub-processors that help operate the recognition system (see Section 7), under written agreements that prohibit independent use.
5. How we use information
We use the categories in Section 3 to:
- Operate the Service — run sessions, attribute shots, keep score, synchronize devices in distributed play.
- Authenticate you and secure your account.
- Provide metrics and analytics to you (shot quality, entry angle, precision, historical performance).
- Support tournaments, friend play, and leaderboards you opt into.
- Improve accuracy of detection and recognition under indoor lighting and motion conditions. We do not use your face templates to train publicly available or general-purpose models. Any model improvement using enrollment data is conducted on aggregated, de-identified data, or on data from users who have specifically opted in.
- Communicate with you — transactional messages, safety notices, support, and, if you opt in, marketing.
- Prevent fraud, abuse, cheating, and misuse of the Camera.
- Comply with law, enforce our Terms of Service, and protect rights and safety.
6. Legal bases (EEA / UK users)

| Purpose | Legal basis |
| --- | --- |
| Create and operate your account | Contract (GDPR Art. 6(1)(b)) |
| Process biometric data (face templates) | Explicit consent (Art. 9(2)(a)); Contract for core feature (Art. 6(1)(b)) |
| Improve accuracy and reliability | Legitimate interests (Art. 6(1)(f)) — operating a safe, accurate sports product; balanced against your privacy |
| Security and fraud prevention | Legitimate interests; Legal obligation |
| Marketing communications | Consent (withdrawable) |
| Compliance with legal requests | Legal obligation |

Where we rely on legitimate interests, you have the right to object; see Section 12.
7. How we share information
We share information only as described below.
- With other users: your display name, profile photo (if set), and gameplay stats are visible to users who share a session, tournament, or friend list with you. You control visibility in Settings.
- Operator of a session: where a session is hosted by a club, facility, coach, or tournament organizer, that operator can see session footage and results for that session. You will be informed of the operator before joining.
- Service providers (sub-processors): cloud hosting, recognition model providers, analytics, crash reporting, customer support tools, email delivery, and payment processing.
- Professional advisors: lawyers, auditors, and insurers under confidentiality obligations.
- Legal, safety, and compliance: to comply with law, valid legal process, or to protect rights, property, or safety.
- Business transfers: as part of a merger, acquisition, financing, or sale of assets, subject to continued protection.
We do not sell personal information and do not share personal information for cross-context behavioral advertising (as those terms are defined under CCPA/CPRA). We do not knowingly provide face templates to data brokers.
8. International data transfers
We are based in the United States. Your information may be processed in countries other than your own. Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on:
- European Commission adequacy decisions (e.g., Israel, UK); or
- Standard Contractual Clauses, with supplementary measures where required.
9. Retention
We retain personal data only as long as necessary for the purposes set out in this notice.

| Data | Retention |
| --- | --- |
| Account data | While your account is active; up to 30 days after deletion |
| Face templates and enrollment images | No more than 3 years after last use; sooner on request |
| Session video (raw) | 7–30 days by default, unless you save it |
| Derived gameplay stats | While your account is active, then anonymized |
| Support communications | 2 years |
| Security logs | 24 months |

10. Security
We use administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit and at rest, access controls, least-privilege principles, logging, vulnerability management, and employee training. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
In the event of a personal data breach affecting you, we will notify you and regulators as required by applicable law.
11. Children
Users under 13 must have verifiable parental or guardian consent to register, and a parent must co-sign the biometric consent. If you believe a child has provided data without appropriate consent, contact us at [contact@swishbasket.ai] and we will delete it.
12. Your rights
Subject to your location and applicable law, you may have the right to:
- Access a copy of your personal data;
- Correct inaccurate data;
- Delete your data (including your account and biometric data);
- Restrict or object to certain processing;
- Port your data to another controller;
- Withdraw consent (including biometric consent) at any time;
- Opt out of targeted advertising, sale, or sharing (we do not engage in these, but the right is preserved);
- Not be discriminated against for exercising your rights;
- Lodge a complaint with your local supervisory authority (e.g., your EU Data Protection Authority, the UK ICO, the California Privacy Protection Agency, or the Israeli Privacy Protection Authority).
To exercise rights, use the in-App controls or email [contact@swishbasket.ai]. We will verify your request and respond within the period required by law (typically 30–45 days).
Account deletion on iPhone: you can delete your account directly in the App at Settings → Profile → Delete Account. This deletes your account, biometric data, personal identifiers, and non-aggregated session data within 30 days, subject to lawful retention obligations.
13. Changes to this notice
We will post changes here and, for material changes, notify you in the App or by email before they take effect. Your continued use of the Service after the effective date constitutes acceptance, except where separate consent is required (e.g., material changes to biometric processing will require fresh opt-in).