Vertical Player

Privacy Policy

Last updated: 17 May 2026

We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles. This policy explains exactly what data we collect, why, and how you can control it.

Introduction

Social Mums Club Group Pty Ltd (trading as Inverted AI Studio) ABN 96 678 349 310 ("Vertical", "we", "us", "our") is committed to protecting the privacy of all individuals who use the Vertical Player platform. This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information.

By creating an Account or using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and use of your personal information as described here. If you do not agree, you must not use the Service.

1. Information We Collect

1.1 Information You Provide Directly

Account Registration:

  • Full name
  • Email address
  • Password (stored in hashed form — we never store your plaintext password)

Player Profile and Onboarding:

  • Display name (optional)
  • Bio or personal description (optional)
  • Avatar or profile photo URL (optional)
  • The athlete identity you claim (player name, jersey number, position)
  • Team affiliation and league
  • Physical details associated with your claimed profile (height, position)

AI Assistant Interactions:

  • Chat messages and queries you submit to the AI assistant
  • Context of your conversations (game recaps, development plans, etc.)

Notification Preferences:

  • Push notification subscription details (endpoint URL, public key, auth token — technical identifiers linked to your Account)
  • Your notification on/off preferences

1.2 Information Collected Automatically

Session and Authentication Data:

  • Session tokens (JWTs) stored as secure, HttpOnly cookies — essential for the Service to function
  • Login timestamps and authentication events

Usage and Interaction Data:

  • Pages and features accessed
  • Games, statistics, and AI insights viewed
  • AI insights pinned or saved
  • Timestamps of interactions

Technical and Device Information:

  • IP address (via hosting provider server logs)
  • Browser type and version
  • Operating system and device type
  • Referral source and time zone

1.3 Information from Third Parties

We receive Sports Data (player statistics, game results, play-by-play events, shot data, injury status, player photos) from our third-party data provider. This data is associated with your Account when you claim a player profile.

1.4 What We Do NOT Collect

  • Payment card numbers or banking information (no payment system is currently active)
  • Government identification numbers (driver's licence, passport, TFN)
  • Biometric data (fingerprints, facial recognition)
  • Precise GPS or location data
  • Social media profile data (no social login available)
  • Contacts from your address book or phone

2. How We Use Your Information

2.1 Providing and Operating the Service

  • Creating and managing your Account and authenticating your sessions
  • Linking your Account to your Claimed Player Profile and displaying relevant Sports Data
  • Operating the AI assistant and generating personalised AI Content
  • Storing and displaying your AI chat history for contextual continuity
  • Sending push notifications you have opted into
  • Maintaining platform performance and security

2.2 Personalisation

  • Tailoring AI Content based on your player profile, performance data, and chat history
  • Displaying your personal statistics and game history
  • Remembering your preferences and settings

2.3 Service Improvement

  • Analysing usage patterns to identify bugs and areas for improvement
  • Training and improving AI models and insight generation (where legally permitted and, where feasible, anonymised)
  • Developing new features and functionality

2.4 Communications

  • Sending essential transactional communications (account confirmation, password resets, security alerts) — these cannot be opted out of while you hold an Account
  • Sending service announcements, including updates to our Terms or Privacy Policy
  • Responding to support requests

2.5 Legal and Safety

  • Complying with applicable laws and legal obligations
  • Responding to lawful requests from regulators or law enforcement
  • Enforcing our Terms and protecting our rights and others' rights
  • Detecting and preventing fraud and security incidents

4. AI Features and Your Data

4.1 How the AI Assistant Uses Your Data

When you interact with the AI assistant, your chat messages are transmitted to Anthropic, PBC, which operates the Claude large language model powering our AI Features. The AI may use your player statistics, recent game data, and prior messages in your session for context. AI-generated responses are stored in our database linked to your Account.

4.2 Anthropic's Data Handling

Anthropic processes your messages solely to generate AI responses. Anthropic's API usage policy states that Anthropic does not train its models on data submitted through the API. Anthropic's Privacy Policy and Terms of Service apply to their handling of that data.

4.3 No Automated Decision-Making with Legal Effect

The AI Features do not make automated decisions that have legal or similarly significant effects on you. All AI Content is informational and requires your own independent judgment before acting.

4.4 AI Data Retention

AI chat messages and AI Content are retained until you delete them (where available), request Account deletion, or we delete them per our retention schedules.

5. Disclosure of Your Information

We do not sell, rent, or trade your personal information to third parties for their marketing or commercial purposes.

5.1 Service Providers

We share personal information with trusted third-party service providers contractually bound to process data only on our instructions and implement appropriate security measures:

Provider | Purpose | Location
Supabase Inc. | Database hosting, authentication | USA
Anthropic, PBC | AI language model (Claude) | USA
Vercel Inc. | Web hosting, content delivery | USA
Atrium Sports (data provider) | Sports statistics and game data | TBC
Push notification services | Delivering push notifications | Per browser provider

5.2 Legal and Regulatory Disclosure

We may disclose your information where required by law, court order, or regulatory direction; to enforce our Terms; or to protect the rights, property, or safety of us, our users, or others. Where permitted, we will notify you before disclosure.

5.3 Business Transfers

In a merger, acquisition, or asset sale, your information may be transferred to the acquiring entity. We will notify you before your information becomes subject to a materially different privacy policy.

5.4 Aggregated and De-Identified Data

We may share aggregated, anonymised data (which cannot reasonably identify you) for research, analytics, or business development.

6. International Data Transfers

Our infrastructure routes data through the United States. We take the following steps to protect your information during international transfers:

  • Data processing agreements, including contractual safeguards, with all service providers
  • Preference for providers participating in recognised data protection frameworks
  • Minimum necessary data transfer principle

For EU/UK users, international transfers are conducted in compliance with GDPR Chapter V using Standard Contractual Clauses where required.

7. Data Security

We implement appropriate technical and organisational security measures:

Technical measures include:

  • HTTPS with TLS encryption for all data in transit
  • HTTP Strict Transport Security (HSTS) headers
  • Industry-standard JWT tokens in secure, HttpOnly cookies
  • Passwords hashed with cryptographic algorithms — plaintext passwords are never stored
  • Row-level security (RLS) at the database level — each user can only access their own data
  • Server-side API keys never exposed to the browser
  • AI-generated content sanitised with DOMPurify to prevent XSS
  • Security headers: X-Frame-Options, X-Content-Type-Options, X-XSS-Protection
  • VAPID key-based push notification encryption

Despite these measures, no security system is impenetrable. In the event of a data breach likely to cause serious harm, we will notify affected users and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme.

8. Data Retention

Data Type | Retention Period
Account data (name, email, password hash) | Duration of Account + up to 30 days after deletion
Player profile data | Duration of Account
AI chat messages | Until deleted by you or Account closure
AI-generated insights | Until deleted by you or Account closure
Push notification subscription | Until consent withdrawn or Account deleted
Server access logs (Vercel) | ~30 days (per Vercel policy)
Supabase authentication logs | 30–90 days (per Supabase policy)
Legal/compliance records | Up to 7 years or as required by law

When you delete your Account, we take reasonable steps to delete or de-identify your information within 30 days, except where retention is required by law, for legal claims, or pending back-up overwrite (typically within 90 days).

9. Your Privacy Rights

9.1 Rights Under Australian Privacy Law

Right to Access: Request access to the personal information we hold about you. We will respond within 30 days and may charge a reasonable fee for access.

Right to Correction: Request correction of inaccurate, out-of-date, or incomplete personal information.

Right to Complain: Lodge a complaint with us, and if unsatisfied, escalate to the OAIC at www.oaic.gov.au.

9.2 Additional Rights for EU/UK Users (GDPR)

Right to Erasure: Request deletion of your personal data where it is no longer necessary, you withdraw consent, or it has been unlawfully processed.

Right to Restriction: Request restricted processing in certain circumstances.

Right to Data Portability: Receive your personal data in a structured, machine-readable format where processing is based on consent or contract and carried out by automated means.

Right to Object: Object to processing based on legitimate interests, including profiling.

Right to Withdraw Consent: Withdraw consent at any time without affecting prior lawful processing.

Right Not to Be Subject to Automated Decisions: Not to be subject to decisions based solely on automated processing with legal or significant effects. We do not currently make such decisions.

9.3 How to Exercise Your Rights

Contact us at team@invertedai.studio. We may verify your identity before processing requests. Response times: 30 days (Australian law) or one calendar month (GDPR, extendable by two further months for complex requests). We will not discriminate against you for exercising your rights.

10. Cookies and Local Storage

10.1 Essential Cookies

We use only essential cookies required to operate the Service:

  • Supabase auth token — maintains your authenticated session. Cannot be disabled without preventing login.
  • Supabase refresh token — refreshes your session when it expires. Cannot be disabled without preventing login.

10.2 Service Worker Cache

Our Service registers a service worker for offline functionality. It caches static assets locally on your device only — no personal information is included and nothing is transmitted to us. You can clear it via your browser settings.

10.3 Push Notification Subscription

If you opt into push notifications, your browser stores a push subscription linked to your Account. You can withdraw at any time through Account settings or browser notification settings.

10.4 What We Do NOT Use

We do not use analytics cookies, advertising cookies, social media tracking pixels, or third-party retargeting. If we introduce such technologies in future, we will update this Policy and obtain your consent where required.

11. Children's Privacy

The Service is intended for users aged 13 and over. We do not knowingly collect personal information from children under 13. Users aged 13–17 may use the Service only with parental or guardian consent.

If you are a parent or guardian and believe your child has created an Account without your consent, please contact us immediately. We will promptly suspend the Account and delete associated data.

12. Updates to This Policy

We may update this Privacy Policy from time to time. For material changes, we will update the "Last Updated" date, notify you by email, and/or display a prominent in-app notice. For changes that affect how we use your information in unexpected ways, we may seek your re-consent.

Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

Summary of Key Points

Topic | Summary
What we collect | Name, email, player profile, AI chat history, performance stats, push notification tokens, server logs
Why we collect it | To run the app, personalise AI coaching, send notifications you opt into, and improve the service
Who we share with | Supabase (database), Anthropic (AI), Vercel (hosting) — we never sell your data
AI and your data | Chat messages go to Anthropic's Claude; Anthropic doesn't train on API data
Where it's stored | USA (Supabase, Anthropic, Vercel) with appropriate contractual safeguards
How long we keep it | While your account is active + up to 30 days after deletion
Your rights | Access, correct, delete, port, restrict — contact us to exercise any right
Cookies | Essential auth cookies only — no tracking or advertising cookies
Children | 13+ only; under-18s need parental consent
Contact | team@invertedai.studio

13. Contact — Privacy Enquiries

Social Mums Club Group Pty Ltd (trading as Inverted AI Studio)
Attn: Privacy Officer
Email: team@invertedai.studio
Address: 28 Chestnut Street, Wynnum, QLD 4178, Australia
ABN: 96 678 349 310

We aim to acknowledge enquiries within 5 business days and provide a substantive response within 30 days.

Escalation contacts:

  • Australian users: Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au · 1300 363 992
  • EU users: Your local Data Protection Authority — www.edpb.europa.eu
  • UK users: Information Commissioner's Office (ICO) — ico.org.uk · 0303 123 1113

Also see our Terms & Conditions. Prepared in accordance with the Privacy Act 1988 (Cth), Australian Privacy Principles, and with reference to EU/UK GDPR.