Privacy Policy
Operator: Saga Group LLC ("Saga Group," "we," "us," or "our")
Service: BALL 101 mobile application ("BALL 101," "Service," "App")
Effective Date: June 1, 2026
Last Updated: June 1, 2026
1. About This Policy and Who We Are
Saga Group LLC, a Texas limited liability company with a business address at P.O. Box [TBD-update before launch], [City], TX [ZIP], operates BALL 101, a mobile application that teaches situational baseball intelligence to children ages 5 to 12 through animated scenarios played under a parent or legal guardian's account.
This Privacy Policy explains what personal information we collect, how we use and share it, how we protect it, and the rights and choices available to parents, guardians, and users. It is part of, and incorporated into, our Terms of Service.
Children's Privacy Notice — Read First. BALL 101 is directed to children under 13. Before any child uses BALL 101, a parent or legal guardian must create an account, review our COPPA Direct Notice to Parents, and provide verifiable parental consent ("VPC") under the Children's Online Privacy Protection Act ("COPPA"). The COPPA-specific summary appears in Section 12 (Children Under 13 — COPPA Notice) of this Policy. The full COPPA Direct Notice is available at https://ball-101.com/coppa-notice and is presented to parents in-app prior to consent.
If you do not agree with this Privacy Policy, do not download, create an account, or use BALL 101.
2. Scope
This Policy applies to personal information collected through:
- The BALL 101 mobile application on iOS and Android;
- The website at ball-101.com and any subdomains;
- Email, SMS, and other electronic communications between you and Saga Group LLC in connection with BALL 101;
- Customer support channels (e.g., support@saga.group).
This Policy does not apply to third-party websites, services, or applications, even where linked from BALL 101.
3. Summary Table — What We Collect, Why, and How Long We Keep It
The following table is a plain-language summary. Sections 4 through 8 contain the full details.
| Category | Examples | Purpose | Source | Retention |
|---|---|---|---|---|
| Parent Identifiers | Full name, email address, mobile phone number (stored as a salted hash), encrypted password | Account creation, authentication, VPC, billing, support | Provided by parent during registration | Active life of account + 30 days after deletion request |
| Parent Verification Records | UTC timestamp of consent, hashed mobile phone number, IP address, user-agent string, Twilio Message SID for confirmatory SMS | FTC COPPA audit trail (required) | Generated during VPC flow | Until 30 days after account deletion, then anonymized; consent log retained for 7 years for COPPA recordkeeping |
| Subscription Records | Apple App Store subscriber ID, Google Play subscriber ID, RevenueCat customer ID, subscription tier, start/end dates | Manage subscription, prevent fraud, customer support | Apple, Google, RevenueCat | Active subscription + 7 years after termination (tax recordkeeping) |
| Child Profile Data | First name or nickname (no last name), age band (5–6, 7–8, or 9–12), optional preferred fielding positions, parent-selected avatar cosmetic | Provide age-appropriate gameplay; display profile in parent dashboard | Provided by parent | Active life of account + 30 days after deletion request |
| Child Gameplay Data | Scenarios attempted, answers selected, time to answer, stars earned, session timestamps | Personalize content difficulty, show progress to parent | Generated during child play | Active life of account + 30 days after deletion request |
| Technical Data | Device type, operating system version, app version, crash reports (scrubbed of PII), IP address | Stability, security, fraud prevention | Automatically from device | 90 days for raw logs; aggregated metrics retained indefinitely with no individual identifiers |
| Communications | Emails to support@saga.group or privacy@saga.group; in-app messages | Respond to requests, document parental rights requests | Provided by parent | 3 years from last communication, then deleted |
We do not collect from children: last names, dates of birth, photographs, audio recordings, video recordings, biometric identifiers, government-issued identifiers, precise geolocation, contacts, social media handles, school names, or addresses.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not serve third-party advertising in BALL 101. We do not use children's personal information for targeted advertising.
4. Information We Collect From Parents
4.1 Information You Provide
When a parent or legal guardian creates a BALL 101 account, we collect:
- Full legal name of the parent or guardian;
- Email address of the parent or guardian, which we verify by sending a verification link;
- Mobile phone number of the parent or guardian, which is validated as a real mobile (not VoIP) number through Twilio's Lookup API. We store the phone number in two forms: (a) a salted cryptographic hash used for fast lookup and rate-limit matching, and (b) an encrypted-at-rest copy (AES-256, provider-managed key) used solely to match incoming STOP-reply webhooks and to send the FTC-required confirmatory SMS. The plaintext phone number is not displayed in the app after verification and is not used for any marketing communications;
- Password, stored as a one-way bcrypt hash (cost factor 12) — never as plaintext;
- Express affirmative consent to this Privacy Policy, our Terms of Service, and our COPPA Direct Notice (each requires an unchecked checkbox the parent must affirmatively check);
- Verifiable Parental Consent via the FTC-approved Text-Plus method (see Section 6).
4.2 Subscription and Payment Information
If a parent purchases a subscription, the purchase is processed by Apple App Store or Google Play. Saga Group LLC does not receive, see, or store payment card numbers, expiration dates, CVCs, billing addresses, or other financial account information. We receive only:
- A subscriber identifier from Apple or Google;
- The subscription product purchased (monthly, three-month, or annual);
- Subscription start date, renewal status, and end date;
- Receipt validation tokens (held by RevenueCat on our behalf to confirm purchase legitimacy).
For information about how Apple processes purchases, see Apple's Privacy Policy at https://www.apple.com/legal/privacy/. For Google, see https://policies.google.com/privacy.
4.3 Customer Support Communications
When you contact us at support@saga.group, privacy@saga.group, or legal@saga.group, we receive the contents of your communication, your email address, and any attachments. We use this information solely to respond to your request and to document parental rights requests as required by COPPA.
5. Information We Collect About Children
We collect personal information from or about a child only after the child's parent or legal guardian has (a) reviewed our COPPA Direct Notice and (b) provided verifiable parental consent under COPPA.
After consent is granted, the parent creates one or more child profiles. The parent enters the child's information directly — children do not enter their own information into BALL 101. For each child profile, we collect:
- First name or nickname only (the parent is instructed to use a first name or chosen nickname; we do not request, prompt for, or store last names);
- Age band (either "5–6," "7–8," or "9–12") used only to filter gameplay difficulty; we do not collect or store exact date of birth;
- Optional preferred fielding positions (e.g., "shortstop," "catcher");
- Parent-selected avatar chosen from a pre-built library of cosmetic illustrations; the avatar is not a likeness of the child.
While the child plays, we collect:
- Gameplay events: which scenarios were attempted, which answer options were selected, whether the answer was correct, how many stars were earned, how long the child took to respond;
- Session timestamps: when sessions began and ended, total session length;
- Device and app technical data (see Section 7) — when associated with a child profile, this data is treated as child personal information.
We do not collect from children:
- Last names, full names, or any names other than the parent-supplied nickname;
- Date of birth, exact age, or birth year;
- Photographs, videos, or audio recordings;
- Biometric identifiers including faceprints, voiceprints, fingerprints, gait data, or any data used for automated recognition of an individual;
- Government-issued identifiers (Social Security number, passport number, etc.);
- Precise geolocation, GPS coordinates, or street address;
- Phone numbers, email addresses, or any other contact information of the child;
- Contact lists, address book, social media handles, or contacts;
- School name, team name, or league affiliation;
- Persistent identifiers used for cross-context behavioral advertising.
5.1 What "Personal Information" Means Under COPPA
Effective June 23, 2025, the FTC's amended COPPA Rule expanded the definition of "personal information." Saga Group LLC's data minimization practices intentionally exclude the categories added in the 2025 amendments. We do not collect from any child:
- biometric identifiers (including faceprints, voiceprints, gait data, retina/iris patterns, fingerprints);
- government-issued identifiers (SSN, passport, birth certificate, state ID);
- audio or video recordings;
- precise geolocation.
If we ever change this practice, we will update this Policy, present a new COPPA Direct Notice to parents, and obtain renewed verifiable parental consent before collecting any newly added category of child personal information.
6. How We Obtain Verifiable Parental Consent (VPC)
Saga Group LLC uses the FTC-approved Text-Plus method of verifiable parental consent. The flow is as follows:
- The parent creates a parent account using their own name, email address, and password and acknowledges this Privacy Policy and the COPPA Direct Notice via affirmative checkbox.
- The parent enters their own mobile phone number. We validate it as a real mobile number (not VoIP, not landline) using the Twilio Lookup API.
- We send a 6-digit, single-use, time-limited one-time passcode ("OTP") to the parent's mobile number via SMS.
- The parent enters the OTP in-app. We verify the OTP and record consent.
- We then send a mandatory confirmatory SMS to the parent's mobile number, confirming that consent was granted and explaining that the parent may reply STOP at any time to revoke consent and immediately invalidate the child's session.
- We log the following audit record: UTC timestamp of consent, hashed phone number, IP address, user-agent, and the Twilio Message SID of the confirmatory SMS.
Only after this entire sequence completes successfully is the parent's phone_vpc_status marked "confirmed" and only then may the parent create a child profile.
If the parent later replies STOP to any Saga Group LLC SMS, we immediately mark consent as revoked, invalidate any active child session under that parent account, and stop processing child personal information except as needed for the parental rights described in Section 9.
7. Information Collected Automatically
When you use BALL 101, we automatically collect limited technical information necessary to operate the Service:
- Device information: device model, operating system and version, app version, screen size, locale, and time zone;
- Network information: IP address (used for security and abuse detection, then truncated for analytics);
- App diagnostics: crash reports, error logs, and performance metrics, processed with personal information scrubbing rules to remove names, email addresses, and other identifiers;
- Session information: app open events, screen views (excluding any free-text content), and feature usage events.
We do not use:
- Apple's IDFA (Identifier for Advertisers);
- Google's Advertising ID;
- Any third-party advertising SDK;
- Any cross-context behavioral tracking technology.
We do not use cookies in the mobile app. If we use cookies on the ball-101.com marketing website, they are limited to strictly necessary cookies for site operation; we will update this Policy if that changes.
8. How We Use Personal Information
We use personal information only for the purposes listed below. Each purpose corresponds to a defined business need:
| Purpose | Personal Information Used | Legal Basis (where applicable) |
|---|---|---|
| Create and authenticate the parent account | Parent name, email, hashed phone, password hash | Performance of contract; consent |
| Obtain and document Verifiable Parental Consent | Phone (hashed), IP, user-agent, consent timestamp, Twilio Message SID | Legal obligation (COPPA), consent |
| Create and manage child profiles | Child nickname, age band, positions, avatar | Performance of contract following VPC |
| Personalize age-appropriate gameplay | Age band, gameplay events, scenario attempts | Performance of contract following VPC |
| Display child progress in the parent dashboard | Gameplay events, child profile data | Performance of contract following VPC |
| Process subscriptions | Apple/Google subscriber ID, subscription tier and dates | Performance of contract |
| Respond to support requests and parental rights requests | Email, communication contents | Legal obligation (COPPA), legitimate interest |
| Detect and prevent fraud, abuse, and security incidents | Device info, IP, technical logs | Legitimate interest |
| Comply with legal obligations, respond to lawful requests | All categories as relevant | Legal obligation |
| Improve the Service (only with aggregated, de-identified data) | Aggregated gameplay metrics with no individual identifiers | Legitimate interest |
We do not use personal information to:
- Send or display third-party advertising;
- Engage in cross-context behavioral advertising;
- Conduct targeted advertising of any kind to children;
- Build user profiles for sale or disclosure to data brokers;
- Train third-party machine learning models on personal information.
8.1 Push Notifications (Parent Devices Only)
Where you have granted operating-system permission, we may send push notifications to your parent device (not to a child's session or device) for the following purposes only:
- Account security notices (e.g., new login alert, password reset confirmation);
- Subscription notices (e.g., free trial ending, payment failure);
- Material updates to this Privacy Policy or the Terms of Service;
- Optional engagement reminders (which you may disable in-app at any time).
Push notifications are routed through Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM) via Expo's push relay. We do not send push notifications to children, and we do not use push tokens or notification engagement data for advertising or any purpose beyond delivering the notice.
You may disable push notifications at any time in your device's operating-system settings or by toggling notification preferences in BALL 101's Settings.
9. Parental Rights and How to Exercise Them
A parent or legal guardian of a child who uses BALL 101 has the following rights under COPPA. These rights apply regardless of the parent's state of residence.
9.1 Right to Review
A parent may request to review the personal information we have collected about their child. We will provide the information after reasonably verifying that the requestor is the child's parent or legal guardian. We may verify by, for example, confirming control of the parent account email address and re-sending an SMS confirmation to the registered phone number.
9.2 Right to Refuse Further Collection or Use
A parent may direct us to stop collecting further personal information from their child, or to stop using personal information already collected. We will honor the request promptly and, if necessary to give effect to the request, may close the child's profile.
9.3 Right to Delete
A parent may request that we delete their child's personal information. Upon receipt and verification of a deletion request, we will:
- Immediately soft-delete the child profile and prevent further data collection (no later than 24 hours from verified receipt);
- Within 30 days, hard-delete the child's personal information from our production database via our automated COPPA cleanup job;
- Within 90 days, ensure deletion from our routine backups through the normal backup rotation cycle. Backups are encrypted and access-restricted during the rotation window. We do not restore deleted personal information from backup except to comply with law.
Some records are retained after deletion as required by law: (a) the parent's VPC consent audit log (retained 7 years for COPPA recordkeeping), (b) financial transaction records (retained 7 years for tax recordkeeping), and (c) any records subject to an active legal hold. These retained records do not include the child's gameplay data or profile.
9.4 How to Exercise Rights
A parent may exercise rights by any of the following methods:
- In-App: open Settings → Privacy & Data → Request Account Deletion or Request Data Review;
- Email: write to privacy@saga.group with subject line "Parental Rights Request";
- Mail: send a written request to Saga Group LLC, Privacy Officer, P.O. Box [TBD-update before launch], [City], TX [ZIP].
We will respond to all parental rights requests within 30 days of verified receipt. There is no charge for exercising parental rights.
9.5 Verification
To protect against fraudulent requests, we verify the requestor's identity before honoring a parental rights request. Verification methods may include: confirming control of the registered parent email address, sending a confirmation code to the registered parent phone number, or confirming details that match the account.
10. Information Sharing and Disclosure
We share personal information only as described below.
10.1 Service Providers (Processors / Sub-Processors)
We share personal information with the following service providers, each of whom processes personal information solely on our behalf, under written agreements requiring them to maintain the confidentiality, security, and integrity of the information, and prohibiting any use of the information other than to provide services to Saga Group LLC. We perform reasonable due diligence on each provider and obtain written assurances of their data protection practices.
| Service Provider | Service Provided | Categories of Data Processed | Location |
|---|---|---|---|
| Supabase, Inc. | Database hosting, authentication infrastructure | All categories of parent and child data | United States |
| Twilio Inc. | SMS verification of parent mobile number for VPC | Parent phone number (transient), Message SID, send status | United States |
| RevenueCat, Inc. | Subscription management and receipt validation | Apple/Google subscriber identifiers, subscription status | United States |
| Apple Inc. | iOS app distribution, in-app purchases, App Store payment processing | Apple ID-related identifiers, purchase records (Apple-side) | United States |
| Google LLC | Android app distribution, in-app purchases, Google Play Billing | Google account identifiers, purchase records (Google-side) | United States |
| Replit, Inc. | Application hosting and compute infrastructure | All categories of parent and child data (in transit / at rest in database) | United States |
| Functional Software, Inc. d/b/a Sentry | Crash and error reporting (with PII scrubbing) | Device info, anonymized crash diagnostics | United States |
| Expo | Mobile app build, over-the-air updates, push notifications (parent-only) | Device push tokens (parent device), app version data | United States |
We do not currently use Google Analytics, Meta SDKs, TikTok SDKs, ad networks, or any analytics provider that collects personal information from children for advertising or cross-context purposes. If we add or replace a service provider in a way that materially affects this Policy, we will update Section 10 and (where required by law) obtain new parental consent.
10.2 No Disclosure for Advertising or Marketing
Saga Group LLC does not disclose any child's personal information, or any parent's personal information, to third parties for advertising, marketing, or cross-context behavioral advertising purposes. Saga Group LLC does not sell personal information.
10.3 Legal Disclosures
We may disclose personal information when we, in good faith, believe disclosure is required to:
- Comply with a subpoena, court order, or other legal process binding on us;
- Cooperate with law enforcement in connection with the safety of a child;
- Enforce our Terms of Service;
- Protect the rights, property, or safety of Saga Group LLC, our users, or others.
Where permitted by law, we will notify the affected user of the request before disclosing personal information, unless prohibited from doing so by law or court order.
10.4 Business Transfers
If Saga Group LLC undergoes a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred to the acquirer or successor entity. In any such transfer involving child personal information, the acquirer must agree in writing to honor the privacy commitments in this Policy or provide affected parents with prior notice and the opportunity to delete their child's information.
10.5 With Parent Consent
We may share personal information with a third party where the parent has expressly directed us to do so (for example, by initiating an email to a youth-baseball coach with the child's progress summary attached, where such a feature is available in the App). We do not currently offer any such sharing feature, and will obtain separate, opt-in verifiable parental consent before enabling one.
10.6 Aggregated and De-Identified Information
We may use and share aggregated or de-identified information (information that no longer identifies and cannot reasonably be linked to any individual) for any lawful purpose, including product improvement, research, and reporting. We will not attempt to re-identify de-identified information and will contractually require any recipient to do the same.
11. Data Retention Policy
In accordance with the COPPA Rule (16 C.F.R. § 312.10) as amended in 2025, we maintain a written data retention policy that specifies (a) the purposes for which children's personal information is collected, (b) the specific business need for retaining the information, and (c) the timeframe for deletion. The following table reflects that policy.
| Data Category | Purpose for Collection | Business Need for Retention | Deletion Timeline |
|---|---|---|---|
| Parent name, email, password hash | Authenticate the parent account; enable login | Account access during active subscription | Deleted within 30 days of account deletion request |
| Parent phone (hashed) | Verify parental consent; STOP-message processing | COPPA audit trail | Hashed phone retained 7 years (COPPA audit); plaintext never retained |
| Child nickname, age band, avatar, positions | Provide age-appropriate gameplay | Active gameplay during account life | Deleted within 30 days of account deletion request |
| Child gameplay records | Personalize content; show parent dashboard | Active gameplay during account life | Deleted within 30 days of account deletion request |
| VPC consent log (timestamp, hashed phone, IP, UA, Twilio SID) | FTC-required COPPA audit trail | Federal recordkeeping | Retained 7 years from consent date |
| Subscription transaction records | Tax recordkeeping, fraud prevention | IRS and state tax requirements | Retained 7 years from transaction date |
| Crash and diagnostic logs | Stability and security | Operational stability | Retained 90 days; aggregated metrics retained without individual identifiers |
| Support communications | Respond to and document parental rights and support requests | Document compliance with COPPA rights | Retained 3 years from last communication |
We do not retain children's personal information for longer than is reasonably necessary to fulfill the purpose for which it was collected. We do not use children's personal information for any secondary purpose.
12. Children Under 13 — COPPA Notice
This section is a summary of the more detailed disclosures in this Policy and is intended to satisfy the operator notice requirements of 16 C.F.R. § 312.4(d). The full COPPA Direct Notice to Parents is presented to every parent in-app prior to verifiable parental consent and is available at https://ball-101.com/coppa-notice.
Operator. Saga Group LLC, P.O. Box [TBD-update before launch], [City], TX [ZIP]. Privacy Officer: privacy@saga.group.
Personal Information We Collect From Children. First name or nickname (parent-entered), age band (6–8 or 9–12), optional fielding positions (parent-entered), gameplay records (scenarios attempted, answers selected, time to answer, stars earned, session timestamps), and limited technical data necessary to operate the Service (device type, OS, app version, IP address, app diagnostics scrubbed of PII).
How We Use That Information. To provide age-appropriate gameplay; personalize content difficulty based on prior performance; show progress to the child's parent in the parent dashboard; operate, maintain, and secure the Service; comply with our legal obligations.
Disclosure Practices. We disclose children's personal information only to the service providers listed in Section 10.1, each of whom processes it solely on our behalf under written agreement. We do not disclose children's personal information to third parties for advertising or marketing. We do not sell children's personal information. We do not share children's personal information for cross-context behavioral advertising.
Parental Rights. A parent has the right to review, refuse further collection or use of, and delete their child's personal information at any time, by contacting privacy@saga.group or using the in-app Settings → Privacy & Data controls. See Section 9.
No Conditional Participation. A parent who refuses to consent to the collection of personal information that is not reasonably necessary for the child to participate in BALL 101 will still be permitted to use the features of BALL 101 that do not require such information.
Persistent Identifier — Internal Operations Exception. Where we use a persistent identifier (e.g., an internal account UUID) solely to support the internal operations of BALL 101 (authentication, security, payment processing) and not for any other purpose (such as behavioral advertising or amassing a profile on the child), this collection is treated under the "internal operations" exception in 16 C.F.R. § 312.5(c)(7).
13. Information Security
Saga Group LLC maintains a Written Information Security Program ("WISP") in accordance with 16 C.F.R. § 312.8 as amended in 2025. A summary of our security practices follows; the full WISP is reviewed at least annually by Saga Group LLC and is available to parents on request at privacy@saga.group.
13.1 Administrative Safeguards
- Information Security Coordinator. [INSERT NAME, e.g., the Managing Member of Saga Group LLC] serves as the designated employee responsible for coordinating the WISP.
- Risk Assessment. We conduct a written risk assessment at least annually and after any material change to our systems or data flows.
- Access Controls. Personnel access to production systems containing personal information is granted on a least-privilege basis and reviewed at least quarterly.
- Training. All personnel and contractors with access to personal information receive privacy and security training before access is granted and annually thereafter.
- Vendor Due Diligence. Before sharing personal information with a service provider, we evaluate the provider's privacy and security practices and obtain written assurances of confidentiality, security, and integrity (see Section 10.1).
13.2 Technical Safeguards
- Encryption in Transit. TLS 1.2 or higher is required on all connections to BALL 101's API and on all connections between BALL 101 and service providers.
- Encryption at Rest. Personal information is encrypted at rest in our database using industry-standard AES-256 encryption.
- Password Storage. Parent passwords are stored only as one-way bcrypt hashes (cost factor 12 or higher).
- Phone Number Protection. Mobile phone numbers are stored as a salted hash for fast lookup and as an encrypted-at-rest copy (used only for STOP-reply matching and FTC-required confirmatory SMS); the plaintext number is not displayed in-app after verification.
- Authentication. Verifiable parental consent uses one-time SMS passcodes with short expiry windows (15 minutes).
- Row-Level Security. Database access is enforced at the row level so that no account can access another account's data.
- Session Scoping. Child sessions are scoped to read-only access to gameplay content; child sessions cannot access parent settings, subscription, or account endpoints.
- Application Security. The API enforces HSTS, content security policy, rate limiting, request body size limits, and JSON Web Token authentication on all sensitive endpoints.
- Monitoring. We log authentication events, VPC events, and access to personal information. We monitor for anomalous activity.
13.3 Physical Safeguards
Personal information is hosted by cloud providers with industry-recognized physical security certifications. We do not maintain self-hosted servers.
13.4 Testing and Monitoring
We test and monitor the effectiveness of safeguards on a regular basis, including dependency vulnerability scanning, configuration review, and (as we scale) periodic third-party penetration testing.
13.5 Annual Evaluation
At least annually, the Information Security Coordinator evaluates and updates the WISP based on testing and monitoring results, new threats, technology changes, and material changes to our data flows.
13.6 Incident Response
We maintain an incident response plan. In the event of a security incident affecting children's personal information, we will:
- Investigate and contain the incident promptly;
- Notify affected parents without unreasonable delay where legally required;
- Notify regulators, including the Federal Trade Commission and state attorneys general, as required by applicable law;
- Document the incident, response, and remediation steps.
No system can be guaranteed 100% secure. We cannot warrant the absolute security of personal information, but we work diligently to apply the safeguards above.
14. State Privacy Rights
If you are a resident of a U.S. state that grants specific privacy rights, the rights described in this Section may be available to you in addition to the rights described elsewhere in this Policy. Where state law provides parents with rights on behalf of their children, the parent may exercise those rights through the contacts in Section 9.
14.1 California (CCPA / CPRA)
California residents have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to Know what categories of personal information we collect, the sources, the business purpose, and the categories of third parties to whom we disclose it. This information is provided throughout this Policy.
- Right to Access a copy of the specific pieces of personal information we have collected about you in the prior 12 months.
- Right to Delete personal information we have collected, subject to legal exceptions.
- Right to Correct inaccurate personal information.
- Right to Opt Out of sale or sharing of personal information for cross-context behavioral advertising. Saga Group LLC does not sell or share personal information.
- Right to Limit use of sensitive personal information. Saga Group LLC does not use sensitive personal information for any purpose beyond providing the requested Service.
- Right to Non-Discrimination for exercising privacy rights.
To exercise these rights, contact privacy@saga.group. We will verify your identity using one of the verification methods in Section 9.5.
Categories of personal information collected in the prior 12 months (CCPA categories):
- Identifiers (parent name, email, hashed phone, account UUID);
- Customer Records (subscription history);
- Commercial Information (subscription tier);
- Internet or Network Activity (app diagnostics);
- Inferences (none — we do not generate inferences for profiling).
Categories disclosed for a business purpose: all of the above, only to the service providers listed in Section 10.1.
Categories sold or shared for cross-context behavioral advertising: None.
14.2 Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey, Maryland, Minnesota, Rhode Island, and other states with comprehensive privacy laws
If you are a resident of a state with a comprehensive consumer privacy law, you may have rights including the right to access, delete, correct, and obtain a copy of your personal information, and the right to opt out of targeted advertising, sale, or profiling. Saga Group LLC does not engage in targeted advertising, does not sell personal information, and does not engage in profiling that produces legal or similarly significant effects.
To exercise applicable rights, contact privacy@saga.group.
14.3 Appeals
If we decline a privacy rights request, you may appeal the decision by responding to our decision email or by writing to privacy@saga.group with subject line "Privacy Appeal." We will review the appeal and respond within the period required by your state's law (generally 45 to 60 days).
15. International Users
BALL 101 is offered primarily to users in the United States. We do not currently market the Service to users outside the United States. If you are outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. By using BALL 101, you consent to this transfer. If you are subject to the European Union General Data Protection Regulation, the United Kingdom GDPR, or another non-U.S. privacy law, please contact us at privacy@saga.group to discuss the availability of additional rights.
16. Changes to This Policy
We may update this Policy from time to time. When we do:
- If the change is material and affects personal information already collected (for example, a new category of collection or a new third party with whom personal information will be shared), we will obtain new verifiable parental consent before applying the change to existing accounts. The Service may be unavailable to non-consenting accounts after a reasonable transition period.
- If the change is non-material (for example, a clarification of an existing practice or a change in our address), we will update the "Last Updated" date at the top of this Policy and post a notice in the App.
We encourage parents to review this Policy periodically.
17. Contact Us
For questions about this Policy, to exercise privacy rights, or to report a privacy concern:
Saga Group LLC
Attn: Privacy Officer
P.O. Box [TBD-update before launch], [City], TX [ZIP]
Email: privacy@saga.group
Support: support@saga.group
We will respond to all privacy inquiries within 30 days of receipt.
This Privacy Policy is provided in the English language. In the event of any inconsistency between this Policy and any translation, the English version controls.
© Saga Group LLC. All rights reserved.