Privacy Policy
Last updated: 2026-04-27
1. Introduction
This Privacy Policy explains how Clubtrack, Inc. ("Clubtrack", "we", "our", "us") collects, uses, stores, discloses and protects personal data in connection with the Clubtrack platform, website and services (together, the "Services").
Because Clubtrack operates in two very different roles depending on who you are, this policy is structured in two clearly separated parts:
Part A — When Clubtrack is the Controller. Applies to visitors of our website, prospects, administrators and authorised users of the Clubtrack platform, billing contacts, recipients of our commercial communications, and anyone interacting with Clubtrack directly.
Part B — When Clubtrack is the Processor. Applies to end-user data (fans, members, ticket buyers, customers) that our customers — typically sports clubs, federations and organisations — upload to or generate through the Services. In this context the customer is the Controller and this data is governed by our Data Processing Addendum.
If you are an end user of a sports club and want to exercise rights over your data, please contact the club directly as they are the Controller of your data. Clubtrack will assist them in responding to your request.
2. Data controller identification
Company name: Clubtrack, Inc.
Registration: Delaware, United States
Registered address: 131 Continental Dr, Suite 305, Newark, Delaware 19713, United States
Contact: hello@clubtrack.io
Privacy contact: support@clubtrack.io
Data Protection Officer: support@clubtrack.io
EU contact: javi@clubtrack.io
EU data subjects may contact us in any official language of the European Union at javi@clubtrack.io or support@clubtrack.io.
Part A — Clubtrack as Data Controller
A.1 Personal data we collect
A.1.1 Account and administrator data
When an organisation registers for the Services or adds users to its account, we collect:
First and last name
Email address
Username
Role within the organisation
Password (stored only as a salted hash; we never store plaintext passwords)
Profile picture (optional)
Preferred language and timezone
Organisation name and billing details
A.1.2 Billing data
For paid plans, we collect company name, VAT/tax ID, billing address, and billing contact. Card details are never collected or stored by Clubtrack; they are processed directly by Stripe, Inc. on its own systems. Stripe acts as an independent PCI-DSS-compliant payment processor for financial data and is a joint/independent controller for that specific purpose.
A.1.3 Communications and support data
If you contact us by email, through our support channels, or via our demo booking form, we collect your name, email, the content of your message, and any information you choose to share.
A.1.4 Website usage data (PostHog)
When you visit clubtrack.io or app.clubtrack.io we may collect technical data such as IP address, browser type and version, operating system, referring URL, pages visited, actions taken, and approximate geographic location (country/city).
We use PostHog (EU region) for product analytics and session recording, and only after you have given consent. Until you accept the Analytics category in our consent banner, the PostHog client is opted out by default: autocapture and session recording are not loaded, your IP address is not sent to PostHog (ip: false), and the Global Privacy Control (GPC) signal is honoured (analytics stays off and the banner is not shown). Once consent is granted, PostHog runs in EU-only data residency mode (https://eu.i.posthog.com) and session recording, where enabled, runs with mask_all_inputs: true so the contents of input fields are masked in your browser before anything is sent. If you withdraw consent, the PostHog identity is reset and any related cookies and localStorage entries are cleared from your device. Full details are set out in our Cookie Policy.
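The consent gate described above, shown as an added illustration (this is not Clubtrack's own code). The analytics client is injected so the logic runs offline; its method names (init, opt_in_capturing, opt_out_capturing, startSessionRecording, reset) follow posthog-js, but the configuration keys, the placeholder project key and the "ph_" cookie and localStorage prefix are assumptions made for the example.

```javascript
// Added example, not Clubtrack's code: consent-gated analytics loader.
// GPC on  -> analytics never initialised, no banner.
// GPC off -> client initialised opted-out; consent opts in and starts masked
//            recording; withdrawal opts out, resets identity, clears storage.
const POSTHOG_EU_HOST = 'https://eu.i.posthog.com';

// Configuration for the "not yet consented" state (keys assumed for illustration).
function defaultConfig() {
  return {
    api_host: POSTHOG_EU_HOST,           // EU-only data residency
    opt_out_capturing_by_default: true,  // nothing captured until consent
    autocapture: false,
    capture_pageview: false,
    disable_session_recording: true,
    ip: false,                           // client IP is not forwarded
    session_recording: { maskAllInputs: true }, // inputs masked at the source
  };
}

function createAnalyticsGate({ client, navigator, storage, cookieJar }) {
  const gpc = navigator && navigator.globalPrivacyControl === true;
  const state = { initialised: false, consented: false, bannerShown: false };

  function bootstrap() {
    // A GPC signal is treated as a standing opt-out: no client, no banner.
    if (gpc) return { ...state };
    client.init('phc_placeholder_key', defaultConfig()); // key is a placeholder
    state.initialised = true;
    state.bannerShown = true;
    return { ...state };
  }

  function grantConsent(categories) {
    if (gpc || !state.initialised || !categories.includes('analytics')) return { ...state };
    client.opt_in_capturing();
    client.startSessionRecording(); // masked by session_recording config above
    state.consented = true;
    return { ...state };
  }

  function withdrawConsent() {
    if (state.initialised) { client.opt_out_capturing(); client.reset(); }
    // Remove client-side artefacts; "ph_" prefix is an assumption.
    for (const n of Object.keys(cookieJar)) if (n.startsWith('ph_')) delete cookieJar[n];
    for (const k of Object.keys(storage)) if (k.startsWith('ph_')) delete storage[k];
    state.consented = false;
    return { ...state };
  }

  return { bootstrap, grantConsent, withdrawConsent, getState: () => ({ ...state }) };
}

// Fake client that only records calls, so the gate can be exercised without a browser.
function fakeClient() {
  const calls = [];
  return {
    calls,
    init: (key, cfg) => calls.push(['init', cfg]),
    opt_in_capturing: () => calls.push(['opt_in']),
    opt_out_capturing: () => calls.push(['opt_out']),
    startSessionRecording: () => calls.push(['record']),
    reset: () => calls.push(['reset']),
  };
}

// Walk one visitor through bootstrap, consent and withdrawal (constructed data).
function demo(gpcEnabled) {
  const client = fakeClient();
  const cookieJar = { ph_phc_placeholder_key_posthog: 'distinct-id', session: 'keep' };
  const storage = { ph_opt_in_out: '1', theme: 'dark' };
  const gate = createAnalyticsGate({
    client, navigator: { globalPrivacyControl: gpcEnabled }, storage, cookieJar,
  });
  gate.bootstrap();
  gate.grantConsent(['analytics']);
  const afterConsent = client.calls.map(c => c[0]);
  gate.withdrawConsent();
  return { afterConsent, calls: client.calls.map(c => c[0]), cookieJar, storage, state: gate.getState() };
}
```

The order of operations is the point: the client is constructed already opted out, consent is the only path that turns capture and recording on, and withdrawal both tells the client to stop and removes the identifiers it left on the device.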
A.1.5 Marketing data
If you sign up to our newsletter, download a whitepaper, or request a demo, we collect your name, email, company and role, together with a record of your consent (date, IP, method).
A.2 Purposes and legal bases
Purpose: Creating and managing your Clubtrack account — Data used: Account data — Legal basis (GDPR): Art. 6(1)(b) — Contract performance — Retention: Duration of account + 6 years (Spanish Commercial Code, art. 30)
Purpose: Providing and maintaining the Services to you — Data used: Account + usage data — Legal basis (GDPR): Art. 6(1)(b) — Contract — Retention: Duration of account + 30 days
Purpose: Processing payments and invoicing — Data used: Billing data — Legal basis (GDPR): Art. 6(1)(b) — Contract; Art. 6(1)(c) — Legal obligation (tax) — Retention: 6 years (mercantile) / 4 years (tax, Spanish LGT)
Purpose: Customer support and answering enquiries — Data used: Contact + communication data — Legal basis (GDPR): Art. 6(1)(b) — Contract; Art. 6(1)(f) — Legitimate interest — Retention: 3 years from last interaction
Purpose: Product analytics and UX improvement (PostHog) — Data used: Usage data — Legal basis (GDPR): Art. 6(1)(a) — Consent — Retention: 12 months
Purpose: Security, fraud prevention, abuse detection — Data used: Access logs, IP — Legal basis (GDPR): Art. 6(1)(f) — Legitimate interest — Retention: 12 months
Purpose: Accountability and traceability of administrative actions (authentication events including failed logins; account creation and deletion; Authorised User creation and deletion; create / update / delete operations on fan and account resources; acceptance of legal documents; subscription lifecycle events sourced from Stripe webhooks (start, renewal, cancellation), recorded on a best-effort basis; privileged access; configuration changes; role assignments; sub-processor changes; data subject rights operations) — Data used: Administrative audit log entries (actor, action, timestamp, target resource) — Legal basis (GDPR): Art. 6(1)(c) — Legal obligation (GDPR Art. 5(2) accountability); Art. 6(1)(f) — Legitimate interest (security, legal defence) — Retention: 24 months maximum, after which entries are irreversibly anonymised by an automated retention process that runs daily — actor identifier, IP address, user-agent, request identifier and metadata are stripped while tenant, action, resource type, resource identifier and timestamp are preserved for accountability (see DPA Annex II §9 and §15)
Purpose: Proof of acceptance of Clubtrack's legal documents at account registration, paid subscription and each subscription renewal or plan change — Data used: Acceptance log entries (actor, tenant, event, timestamp, IP, user-agent, request identifier, plus the name, version date and SHA-256 hash of each legal document in force at that moment: Terms, Privacy Policy, DPA, DPA Annex II, DPA Annex III, Subprocessors list and Cookie Policy) — Legal basis (GDPR): Art. 6(1)(b) — Contract performance; Art. 6(1)(c) — Legal obligation (GDPR Art. 5(2) and Art. 7(1) demonstrability of consent where applicable); Art. 6(1)(f) — Legitimate interest (legal defence and evidence of contract formation) — Retention: 6 years from the acceptance event, in line with the contract-related limitation period also applied to account and billing data above (Spanish Commercial Code, art. 30); after that window, entries are irreversibly anonymised daily by an automated retention process that strips actor identifier, IP, user-agent, request identifier and metadata while preserving tenant, event type, document hashes, document version dates and timestamp. The canonical archive of prior document versions is preserved in Clubtrack's source control history so that the text accepted at any given moment can be reconstructed from the recorded hash (see DPA Annex II §15)
Purpose: Direct marketing to existing customers (similar services) — Data used: Email, name, interaction history — Legal basis (GDPR): Art. 6(1)(f) — Legitimate interest (soft opt-in) with easy opt-out — Retention: Until opt-out + 1 year (proof)
Purpose: Direct marketing to prospects — Data used: Contact data — Legal basis (GDPR): Art. 6(1)(a) — Consent — Retention: Until consent is withdrawn + 1 year (proof)
Purpose: Sending service notifications and security alerts — Data used: Account data — Legal basis (GDPR): Art. 6(1)(b) — Contract — Retention: Duration of account
Purpose: Complying with legal obligations (AML, tax, court orders) — Data used: All relevant data — Legal basis (GDPR): Art. 6(1)(c) — Legal obligation — Retention: Per applicable law (up to 10 years, Spanish AML Law 10/2010)
Purpose: Defending legal claims — Data used: All relevant data — Legal basis (GDPR): Art. 6(1)(f) — Legitimate interest — Retention: Statute of limitations
Purpose: Dormancy management of inactive non-subscribed accounts (no Authorised-User logins + no authenticated API activity) — Data used: Account data, authentication and activity logs — Legal basis (GDPR): Art. 6(1)(f) — Legitimate interest (data minimisation, GDPR art. 5(1)(c) and (e)) — Retention: 24 months from last activity, with 90/30/7-day notice cycle enforced daily by an automated retention process; on day 0 the account is closed and Personal Data is deleted per DPA §3 within a further 30 days. Any qualifying activity during the notice cycle resets the counter. Paid-plan accounts in good standing are exempt (cross-reference Terms §10.5)
A.2.1 Legitimate interest assessments (LIA)
Where we rely on legitimate interest, we have performed a balancing test between our interest and the rights and freedoms of the data subject. A summary of each LIA is available on request to support@clubtrack.io. You have the right to object to any processing based on legitimate interest at any time (see A.5).
A.3 Automated decision-making and profiling
Clubtrack, when acting as Controller, does not make decisions about you based solely on automated processing that produce legal effects or similarly significantly affect you. We may perform limited profiling for service improvement (e.g. which features you use most) based on legitimate interest; this does not meet the Article 22 GDPR threshold.
Note that in our role as Processor (Part B), we enable our customers to perform profiling on their end users through features such as Fan Score. That profiling is governed by Part B and the DPA, and customers are responsible for compliance.
For specific information about the AI-powered features that may interact with End Users (the optional AI Assistant) and Clubtrack's posture under Regulation (EU) 2024/1689 (the AI Act), see B.9 below.
A.4 Recipients and international transfers
We share personal data with the categories of recipients listed in our Subprocessor List.
A.4.1 International transfers
As a Delaware-incorporated company, some processing takes place in or is accessible from the United States. We host the Clubtrack platform and customer data exclusively in AWS EU regions (Ireland and Frankfurt). However, certain subprocessors (e.g. Stripe, OpenAI) may involve transfers outside the European Economic Area.
For every transfer outside the EEA we rely on the following safeguards, in this order of preference:
Adequacy decision of the European Commission (e.g. EU-US Data Privacy Framework for certified US recipients).
Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914, together with a documented Transfer Impact Assessment (TIA) and supplementary measures (encryption in transit and at rest, access controls, resistance to government access requests).
UK International Data Transfer Addendum for UK-originated data.
Swiss addendum under FADP for Swiss-originated data.
A copy of the SCCs or TIA summary is available on request.
A.5 Your rights
Under the GDPR and applicable data protection laws you have the following rights:
Right of access (Art. 15) — obtain a copy of the personal data we hold about you.
Right to rectification (Art. 16) — correct inaccurate or incomplete data.
Right to erasure / right to be forgotten (Art. 17).
Right to restriction of processing (Art. 18).
Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
Right to object (Art. 21) — in particular to direct marketing and to processing based on legitimate interest.
Right not to be subject to automated decisions (Art. 22) — does not apply to Clubtrack as Controller (see A.3).
Right to withdraw consent at any time, without affecting the lawfulness of prior processing.
Right to lodge a complaint with your national supervisory authority. In Spain, this is the Agencia Española de Protección de Datos (aepd.es). You can also contact any other EU supervisory authority of your habitual residence, place of work, or place of the alleged infringement.
A.5.1 How to exercise your rights
Send your request to support@clubtrack.io or through the self-service controls in your account. Authorised Users of a Customer can additionally retrieve the record of administrative actions performed under their own account (login and logout events, including failed authentication attempts, and create / update / delete operations they have performed) through the in-app audit log view, which supports the right of access under Art. 15. We will respond within one (1) month of receiving your request, extendable by two additional months for complex requests (we will notify you of any extension). Exercising your rights is free of charge, except for manifestly unfounded or excessive requests, where we may charge a reasonable fee or refuse the request.
We may need to verify your identity before acting on your request. We will not ask for more information than necessary for verification.
A.5.2 Authorised User DSAR channel (Clubtrack as Controller)
Right of access (Art. 15 GDPR) and right to data portability (Art. 20 GDPR). Authorised Users can self-serve part of these rights through the in-app endpoints GET /accounts/me/audit-log (administrative actions performed under your own account) and GET /accounts/me/acceptance-log (proof of acceptance of legal documents). For the remainder of the data Clubtrack holds about you as Authorised User (profile, role, Customer membership, billing administrator status if any), please email support@clubtrack.io with the subject line "DSAR". Clubtrack will respond within one (1) month of receiving the request, extendable by two additional months for complex requests (you will be notified of any extension).
Right of rectification (Art. 16 GDPR). Rectification of Authorised User profile data is currently handled via support@clubtrack.io within one (1) month of receipt, until the in-app self-service surface is generally available.
A.6 Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, centralised secret management, network isolation, monitoring and alerting, regular backups, and vulnerability management. Further detail is available in Annex II of our DPA.
A.7 Retention
Retention periods are specified in the table in A.2. After the applicable period, personal data is deleted or irreversibly anonymised within 30 days, and backups containing Personal Data are deleted within 30 additional days in accordance with Clubtrack's backup retention policy. Certain data may be retained longer where required by law (e.g. tax records, AML, court orders).
For Customers on the self-hosted warehouse modality described in Terms §4.2(b), the 30-day deletion window and the 30-day backup-expiry window above apply only to data stored in Clubtrack-managed systems. On account closure or dormancy-driven closure, Clubtrack revokes its access to the self-hosted warehouse immediately and processes no further data against it; warehouse data on Customer infrastructure is not deleted by Clubtrack and remains under the Customer's exclusive control. Clubtrack does not create, hold or manage backups of self-hosted warehouses, and the 30-day backup-expiry window above does not apply to them — backup, restore, encryption-at-rest of backups and retention of those backups are the Customer's sole responsibility.
A.8 Minors
The Services are intended for business customers and their authorised users (adults). We do not knowingly collect personal data from individuals under the age of 16 (or under the applicable national age of digital consent, e.g. 14 in Spain under Art. 7 LOPDGDD) through our direct interactions. If you believe we have collected data from a minor, please contact support@clubtrack.io and we will delete it.
Data of minors collected through customer platforms (Part B) is the responsibility of the customer/Controller.
A.9 California Privacy Notice (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
Right to know the categories and specific pieces of personal information we have collected.
Right to delete personal information, subject to exceptions.
Right to correct inaccurate personal information.
Right to opt-out of sale and sharing of personal information. Clubtrack does not sell personal information and does not share it for cross-context behavioural advertising.
Right to limit the use of sensitive personal information.
Right to non-discrimination for exercising your rights.
We honour the Global Privacy Control (GPC) signal. To exercise your California rights, email support@clubtrack.io. You may designate an authorised agent to act on your behalf.
Categories of personal information collected in the last 12 months (as defined in Cal. Civ. Code §1798.140): Identifiers; Customer records; Commercial information; Internet activity; Geolocation (approximate). Not collected: biometric, genetic, precise geolocation, protected class characteristics.
A.10 Changes to this Privacy Policy
Clubtrack may update this Privacy Policy at any time. The version in force is the one published at https://www.clubtrack.io/privacy. Material changes will be notified to Authorised Users solely by email; no other notice channel (in-app banner, postal mail, advance window) is provided. Notification is contemporaneous with the change taking effect, or as soon as practicable after it goes live.
Authorised Users who do not accept the new conditions must reject them by cancelling the paid subscription and closing the account through the self-service controls described in Terms §10.1 and §10.3, which terminates the contract and stops further processing.
Any other behaviour constitutes acceptance of the new conditions. In particular, the absence of a response, continued use of the Services after the change takes effect, and the automatic renewal of the subscription cycle each operate as an unequivocal acceptance of the updated document.
The "Last updated" date at the top indicates when the policy was last revised.
A.11 Contact
Privacy matters: support@clubtrack.io
Data Protection Officer: support@clubtrack.io
EU Representative: javi@clubtrack.io
Postal address: Clubtrack, Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, USA
Part B — Clubtrack as Data Processor
When Clubtrack provides the Services to a sports club, federation or other organisation (the "Customer"), the Customer determines the purposes and means of the processing of end-user personal data (fans, members, ticket buyers, customers — the "End Users"). In this context, the Customer is the Controller and Clubtrack is the Processor.
B.1 What this means for End Users
If you are a fan, member or customer of a sports organisation that uses Clubtrack:
The sports organisation is the Controller of your data and is primarily responsible for how your data is used.
Clubtrack processes your data only on the documented instructions of that organisation and for the purposes described in the DPA.
To exercise your rights (access, rectification, erasure, portability, objection), contact the sports organisation directly. Clubtrack will assist the organisation in responding to your request.
If you cannot reach the organisation or believe your request has not been handled properly, you may also contact support@clubtrack.io and we will forward your request and assist as a Processor.
B.2 Categories of End User data we process on behalf of Customers
Depending on which integrations the Customer activates, we may process:
Identification data: first and last name, email, phone, date of birth, gender, age, postal address, ZIP code, city, country.
Membership data: membership ID, type, entry date, expiration date, status.
Transactional data: ticket purchases (event, session, price, stadium, status), shop orders (items, quantities, amounts, shipping), subscription history.
Engagement data: opens and clicks on communications, attendance, and derived metrics.
Profiling outputs: Fan Score (data-completeness score) and RFM segment (Champion / Loyal / At Risk / Dormant / Prospect).
Consent flags: privacy policy acceptance, marketing consent, third-party sharing consent (as synced from source systems such as Shopify).
Source system identifiers: Shopify Customer ID, ticketing system IDs, membership platform IDs.
We do not systematically process special categories of data under Article 9 GDPR. The Customer is responsible for ensuring it does not upload such data without a valid Article 9 legal basis.
B.3 Purposes (as instructed by the Customer)
The Customer typically instructs us to process End User data for:
Data integration, unification and deduplication across source systems.
Fan analytics and insights.
Segmentation and audience management.
Profiling: Fan Score and RFM segmentation (see B.4).
Campaign activation via Mautic (self-hosted email marketing) and other channels.
Performance tracking and reporting.
B.4 Profiling, Fan Score and segmentation
The Services include two features that qualify as profiling under Article 4(4) GDPR:
Fan Score. A deterministic data-quality score (0–100) assigned to each End User based on which profile fields are populated and which marketing consents the End User has granted. It does not use transactional or behavioural data and does not predict future behaviour. Its primary purpose is to signal record completeness and consent coverage. Clubtrack does not use the Fan Score to gate access, set pricing, target advertising, trigger marketing actions, or otherwise drive automated decisions about the End User. It is a record-quality indicator surfaced to the Customer's Authorised Users; any downstream use by the Customer is governed by the Article 22 GDPR paragraph below in this §B.4 and remains the Customer's responsibility.
RFM segmentation. A backward-looking tier assignment (Champion, Loyal, At Risk, Dormant, Prospect) derived from the End User's transaction recency, frequency and total value. It is descriptive, not predictive, and is not by itself used to take automated decisions.
Neither feature produces legal or similarly significant effects on the End User within the meaning of Article 22 GDPR. Customers remain responsible for ensuring that any downstream use of these features (e.g. dynamic pricing, promotion gating) complies with Articles 13(2)(f) and 22 GDPR, and for informing End Users accordingly. Clubtrack provides a DPIA template on request.
Fan Score and RFM segmentation are deterministic, rule-based features. They are computed from existing event counts and recency / frequency / monetary aggregates of the End User's recorded interactions, and do not rely on machine-learning inference, generative models or large language models. They are therefore not "AI systems" within the meaning of Article 3(1) of Regulation (EU) 2024/1689 (the AI Act). The AI features described in B.9 are separate from Fan Score and RFM, and the two should not be confused.
B.4.1 Consent flag mirroring and demonstrability
Clubtrack mirrors End-User consent flags as they exist in the Customer's source systems (Shopify, Mailchimp, ticketing platforms, internal CRMs, etc.). Clubtrack does not act as the consent collection point for End Users. The proof-of-consent record (timestamp, method, evidence under Article 7(1) GDPR) is maintained by the Customer in the originating source system. Where you wish to withdraw a consent or correct a consent flag, please contact the Customer that holds your relationship; the change is then reflected in Clubtrack on the next ingestion cycle. See DPA Clause 4.13 for the corresponding Processor / Controller allocation.
B.5 International transfers in Processor role
End User personal data is hosted in AWS EU regions (Ireland / Frankfurt) exclusively. Onward transfers to subprocessors in third countries are limited to those listed in our Subprocessor List, and are always covered by appropriate safeguards as described in A.4.1.
B.6 End User rights
As Processor, Clubtrack will assist the Customer in responding to End User requests within the timeframes required by law. Rights listed in A.5 apply equally in this context; they must generally be exercised through the Customer.
Customer-facing tools to exercise End-User rights. When Clubtrack acts as Processor, the Controller (the Customer) is the entity responsible for responding to End-User Article 12–22 GDPR requests. Clubtrack provides Controller-facing self-service tools for the two most operationally significant rights: (i) per-table CSV export of End-User data from the Clubtrack dashboard (Fan Sources, Memberships, Engagements, Shop Orders, Shop Order Items, Tickets, and the unified Fans view) for the right of access (Art. 15) and the right to data portability (Art. 20); and (ii) per-row Delete in the same tables for the right to erasure (Art. 17). Deletions of resources originating from third-party connectors are recorded in a connector deny-list keyed by tenant, connector identifier, resource identifier and resource type, so that the deleted resource is not re-imported on the next connector synchronisation. Where the deleted resource is a FanSource, the unified Fan is automatically recomputed and, if no source remains, removed.
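An added illustration of the erasure mechanics described in the paragraph above: a per-tenant deny-list keyed by tenant, connector, resource type and resource identifier that stops an erased FanSource from being re-imported by the next synchronisation, and recomputation of the unified Fan when one of its sources is removed. This is not Clubtrack's code; the connector names, row shapes and the "first non-empty value wins" merge rule are constructed for the example.

```javascript
// Added example, not Clubtrack's code. Store layout, connector names and the
// merge rule are illustrative assumptions.
function denyKey(tenant, connector, resourceType, resourceId) {
  return `${tenant}|${connector}|${resourceType}|${resourceId}`;
}

function createTenantStore(tenant) {
  const fanSources = new Map(); // id -> { id, connector, externalId, fanId, email, name }
  const fans = new Map();       // fanId -> unified record
  const denyList = new Set();   // tombstones for erased connector resources

  // Rebuild the unified Fan from its remaining sources; drop it when none remain.
  function recomputeFan(fanId) {
    const sources = [...fanSources.values()].filter(s => s.fanId === fanId);
    if (sources.length === 0) { fans.delete(fanId); return null; }
    const merged = { id: fanId, sourceCount: sources.length };
    for (const field of ['email', 'name']) {
      const hit = sources.find(s => s[field]);       // first non-empty value wins (assumed rule)
      merged[field] = hit ? hit[field] : null;
    }
    fans.set(fanId, merged);
    return merged;
  }

  // Connector synchronisation: rows matching a tombstone are skipped, not re-created.
  function upsertFromConnector(connector, rows) {
    let imported = 0;
    for (const row of rows) {
      if (denyList.has(denyKey(tenant, connector, 'FanSource', row.externalId))) continue;
      const id = `${connector}:${row.externalId}`;
      fanSources.set(id, { id, connector, ...row });
      recomputeFan(row.fanId);
      imported++;
    }
    return imported;
  }

  // Right-to-erasure path: delete the row, record the tombstone, recompute the Fan.
  function eraseFanSource(id) {
    const src = fanSources.get(id);
    if (!src) return false;
    denyList.add(denyKey(tenant, src.connector, 'FanSource', src.externalId));
    fanSources.delete(id);
    recomputeFan(src.fanId);
    return true;
  }

  return { upsertFromConnector, eraseFanSource, fans, fanSources, denyList };
}

// Constructed walk-through: two sources for one fan, erase one, attempt re-import, erase the other.
function demo() {
  const store = createTenantStore('club-a');
  const shopifyRows = [{ externalId: 'c-1', fanId: 'fan-1', email: 'ana@example.com', name: 'Ana' }];
  const ticketRows = [{ externalId: 't-9', fanId: 'fan-1', email: '', name: 'Ana P.' }];
  store.upsertFromConnector('shopify', shopifyRows);
  store.upsertFromConnector('ticketing', ticketRows);
  const before = { ...store.fans.get('fan-1') };
  store.eraseFanSource('shopify:c-1');
  const afterErase = { ...store.fans.get('fan-1') };
  const reimported = store.upsertFromConnector('shopify', shopifyRows); // must be 0
  store.eraseFanSource('ticketing:t-9');
  return { before, afterErase, reimported, fanGone: !store.fans.has('fan-1'), denyCount: store.denyList.size };
}
```

Note that the tombstone is scoped to the tenant and connector, so the same external identifier in another tenant or another connector is unaffected, and that the deny-list itself holds only identifiers, not the erased personal data.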
DPIA records covering the Processor's processing activities are maintained internally and are available to Customers on written request to support@clubtrack.io, subject to confidentiality undertakings.
B.7 Retention (Processor role)
End User data is retained as instructed by the Customer. Upon termination of the contract between the Customer and Clubtrack:
Clubtrack will delete or return all End User data within 30 days, unless longer retention is required by law.
A machine-readable export may be requested by the Customer prior to deletion.
Anonymised audit logs may be retained for fraud prevention and legal defence (legitimate interest).
For Customers on the self-hosted warehouse modality described in Terms §4.2(b), Clubtrack's processor obligations regarding End User data held on the self-hosted warehouse end on termination through immediate revocation of Clubtrack's access to that warehouse — not through deletion. The active database connection is closed, the encrypted warehouse credentials held on the tenant configuration are zeroed out, and Clubtrack performs no further read or write against the self-hosted warehouse. The data on the self-hosted warehouse remains on the Customer's infrastructure under the Customer's exclusive control, and the Customer is solely responsible for any subsequent retention, deletion, backup, restore and encryption obligations regarding that storage. Backend-side rows held in Clubtrack's own database (account, configuration, administrative audit log, messaging) continue to follow the 30-day deletion window above.
B.8 Subprocessor changes
Clubtrack will notify Customers at least 30 days in advance of any material change to its subprocessors, with a right to object as set out in the DPA. End Users can consult the current list at any time at clubtrack.io/subprocessors.
B.9 AI features and the EU AI Act
This section describes the AI-powered features included in the Services and Clubtrack's compliance posture under Regulation (EU) 2024/1689 of 13 June 2024 laying down harmonised rules on artificial intelligence (the "AI Act"). It complements A.3 (Automated decision-making) and B.4 (Profiling, Fan Score and segmentation), and aligns with the LLM sub-processor entries in our Subprocessor List.
B.9.1 AI features included in the Services
The Services include an optional AI Assistant (also referred to in the product as "Chat"), available to Authorised Users from the Customer's dashboard. The AI Assistant is a conversational interface that:
Answers questions about how to use Clubtrack and explains platform features by retrieving Clubtrack's own documentation.
Returns analytics and reporting information about the Customer's own data (for example, fan summaries, top products, segment metrics) by calling internal Clubtrack tools that query the Customer's tenant.
Can, on the Authorised User's explicit confirmation, create or delete operational resources within the Customer's tenant (specifically: fan segments, marketing segments and marketing communications). Confirmation is required in the user interface before any such action is executed.
The AI Assistant does not generate marketing content (email body copy, creatives or campaign content), does not send messages to End Users, does not interact directly with End Users, does not perform credit, eligibility or pricing decisions, and does not use End User personal data to take any decision producing legal or similarly significant effects within the meaning of Article 22 GDPR. Its outputs are advisory and are presented to the Authorised User for review.
Use of the AI Assistant is optional: the feature is part of the standard Services, but the Authorised User must explicitly open and prompt the AI Assistant to invoke it. If the AI Assistant is not used, no Personal Data is sent to the LLM sub-processors listed in B.9.2.
B.9.2 AI systems and providers used
The AI Assistant relies on third-party large language model ("LLM") providers acting as sub-processors. The list of authorised LLM sub-processors, kept aligned with our Subprocessor List, is:
OpenAI Ireland Limited (with OpenAI, L.L.C. for US operations) — currently the only LLM sub-processor used by the AI Assistant.
Any future LLM sub-processor will be added to this section and to the Subprocessor List before being engaged for production traffic, with prior notice to Customers in accordance with the DPA.
For each provider, Clubtrack uses API endpoints in zero-retention or no-training mode where available: prompts and responses are not used to train the provider's models, and provider-side retention is limited (for example, OpenAI's API retains request data for at most 30 days for abuse monitoring by default and offers a zero data retention option). The applicable provider terms are reflected in the corresponding entries of the Subprocessor List.
Only the data the Authorised User chooses to include in a prompt — together with limited tool-response data retrieved from the Customer's tenant on the Authorised User's instruction — is sent to the LLM provider. End User Personal Data is never sent in bulk to the LLM provider.
B.9.3 AI Act risk classification
Clubtrack has assessed the AI Assistant against the AI Act's risk categories:
Prohibited practices (Article 5). The AI Assistant performs none of the practices prohibited under Article 5: in particular, no social scoring, no emotion recognition in the workplace or in education, no biometric categorisation of natural persons to deduce race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation, no untargeted scraping of facial images, and no exploitation of vulnerabilities.
High-risk systems (Annex III). The AI Assistant is not a high-risk AI system within the meaning of Article 6 and Annex III. It is not used for biometric identification or categorisation, critical infrastructure, education or vocational training, employment or worker management, access to essential private or public services and benefits (including credit scoring or essential services eligibility), law enforcement, migration, asylum and border control, or administration of justice and democratic processes. It is a customer data platform assistant for sports clubs, used by Authorised Users of the Customer to query analytics and trigger internal operational actions on their own tenant.
Limited-risk systems (Article 50). The AI Assistant does qualify as an AI system intended to interact directly with natural persons in the sense of Article 50(1) of the AI Act, and is therefore subject to the corresponding transparency obligations described in B.9.4.
Minimal-risk systems. No further AI features below the limited-risk threshold are deployed in the Services at this time.
Clubtrack will reassess this classification whenever a new AI feature is introduced or a deployed feature is materially extended, and will update this section accordingly.
B.9.4 Transparency obligations under Article 50
In compliance with Article 50 of the AI Act:
Disclosure of AI interaction (Article 50(1)). The AI Assistant is identified as such in the user interface (it is labelled "AI Assistant" in the navigation, panel header, opening tooltip and accessibility labels), and the system prompt instructs the model to identify itself as the "Clubtrack AI Assistant" when asked. Authorised Users are therefore informed in a clear and distinguishable manner that they are interacting with an AI system.
Marking of AI-generated content (Article 50(2)). The AI Assistant produces conversational text and, where relevant, on-screen charts. This text is generated by an LLM and is rendered exclusively inside the AI Assistant interface, which is itself labelled as such, so its AI origin is unambiguous to the Authorised User. The AI Assistant does not generate or publish synthetic audio, video, image or deep-fake content. Where Clubtrack adds in the future any AI-generated content that would be released or disseminated outside the AI Assistant interface, Clubtrack will implement appropriate machine-readable marking in line with Article 50(2) and the technical standards adopted under it.
No emotion recognition or biometric categorisation (Article 50(3)). The AI Assistant does not perform emotion recognition and does not carry out biometric categorisation of natural persons. The transparency obligations of Article 50(3) are therefore not triggered, but Clubtrack states this expressly to remove any doubt.
Disclosure of AI-generated text on matters of public interest (Article 50(4)). The AI Assistant is not used to generate or publish text on matters of public interest. Clubtrack therefore does not rely on the journalistic, artistic or human-review exemptions of Article 50(4).
B.9.5 Human oversight
Human oversight of the AI Assistant is structurally embedded in the product:
The AI Assistant is invoked only on the explicit request of an Authorised User of the Customer; it does not run autonomously in the background.
Any action that creates or deletes a resource (fan segment, marketing segment, marketing communication) requires explicit confirmation by the Authorised User in the user interface before it is executed. The AI Assistant cannot bypass this confirmation step.
AI Assistant outputs are advisory and are reviewed by the Authorised User before being acted upon. They do not by themselves trigger any decision producing legal or similarly significant effects on an End User.
Authorised Users can stop, retry or close any AI Assistant interaction at any time, and Customers can manage internal access to the AI Assistant through their role and permission configuration.
B.9.6 Relationship with Fan Score and RFM segmentation
For the avoidance of doubt, Fan Score and RFM segmentation are deterministic, rule-based features as described in B.4. They are not AI systems within the meaning of Article 3(1) of the AI Act and are not subject to the obligations described in this B.9. The risk classification in B.9.3 applies exclusively to the AI Assistant and to any future LLM-powered feature that Clubtrack may add and document in this section.
B.9.7 Where to find more information
Authorised Users and End Users can find further information by combining this section with:
A.3 for Clubtrack's position on automated decision-making affecting Authorised Users acting as data subjects.
B.4 for the description of Fan Score and RFM segmentation as profiling under Article 4(4) GDPR.
B.5 for the international transfers framework that applies, in particular, to LLM sub-processors located in or accessible from the United States.
The Subprocessor List for the up-to-date list of LLM sub-processors and their declared transfer mechanisms.
The Data Processing Addendum for the contractual framework governing AI-related processing on behalf of Customers.