BabaUmp Logo

BabaUmp

BabaUmp Privacy Policy

Effective date: 25 September 2025

Last updated: 25 September 2025

This Privacy Policy explains how Avyari Pty Ltd ("BabaUmp", "we", "us", "our") collects, uses, shares, and protects personal information when you use the BabaUmp mobile and web applications, services, websites, and APIs (collectively, the "Services"). It also explains your rights and choices regarding your data.

By registering for or using our Services you accept the collection and use of information in accordance with this policy. If you do not agree, do not use the Services.

1. Summary of what we collect (short)

We collect:

  • Account & contact info (name, email, address, club, role, phone).
  • Video, audio, and images you upload or capture (clips, photos).
  • Technical & device data (device ID, OS, IP, logs).
  • Biomechanical and tracking data derived from video (ball coordinates, speed, spin, 3D trajectories).
  • Facial data and biometrics only where you consent and where needed for the Service (e.g., player ID / face alignment for analysis).
  • Payment and billing data if you subscribe.
  • Usage analytics and crash reports.

We treat biometric, facial, and advanced biomechanical outputs as sensitive personal data and process them only with explicit consent and safeguards (see Section 4 — Sensitive data).

2. Definitions

  • Personal information / personal data — any information that identifies or can reasonably identify you.
  • Sensitive personal data — biometric data, facial recognition data, health-related data, and other data categories that require heightened protection.
  • Processed data / derived data — outputs created by applying algorithms to raw inputs (for example, ball trajectory, velocity vectors, limb angle estimates). These may still be personal data if they relate to an identifiable person.

3. Legal bases (where applicable)

Depending on your jurisdiction, we rely on one or more of the following legal bases to process your data:

  • Consent — for sensitive processing (facial/biometric analysis), and some optional features (marketing, sharing with third parties).
  • Performance of a contract — to provide the Services you requested (accounts, uploads, playback, analyses).
  • Legitimate interests — for diagnostics, security, fraud prevention, product improvement (balanced with user rights).
  • Legal obligation — where we must process or disclose data under law.

Where consent is required we will obtain it via clear prompts and consent screens. You may withdraw consent at any time (withdrawal does not affect prior lawful processing).

4. What we collect — detailed

Account & identity

Name, display name, username, date of birth (optional), gender (optional), contact email, phone, postal address, club/organisation name, role (player/coach/admin), team membership, user profile photo.

Video, images & audio

  • Raw video clips you upload or record via the app (including associated timestamps, frame rates).
  • Audio recorded with video if you enable it.

Biomechanical & tracking data (derived)

  • Per-frame detections (time, x/y pixel coordinates).
  • World-space/3D coordinates where camera calibration exists.
  • Velocity, acceleration, spin, predicted forward path, spline fits, Kalman-smoothed tracks.
  • Keypoints and angle estimates if pose estimation is used (e.g., wrist/arm positions).

Note: Derived biomechanical data may be stored as JSON, CSV, or binary artifacts.

Facial & biometric data

Facial images or facial landmarks used for player identification, automatic cropping, or alignment; templates or embeddings derived from face images if you opt-in.

We will not perform automated facial recognition to identify individuals beyond matching to profiles you explicitly created or consented to. Facial/biometric data is processed only with explicit clear consent and retained under heightened safeguards.

Device & technical

Device model, OS version, app version, unique device identifiers (as permitted), IP address, crash logs, system logs, network diagnostics, storage usage, video metadata (codec, duration, resolution).

Location

Approximate location when you grant it (for session metadata or local club features). We avoid continuous background location collection unless you explicitly allow it.

Payment & billing

Payment processor data (tokenised card or wallet details when you subscribe). We do not store raw card numbers; payment processors may.

Communications

Support requests, messages, feedback, and any content you provide when contacting us.

Analytics & cookies

Usage telemetry, anonymised analytics to improve the product, cookies and similar technologies on the website.

5. How we use your data

We use personal data for:

  • Core Services — create/verify accounts, upload/store/playback video, run detection & predictions, provide overlays and downloads.
  • Processing & analytics — run YOLO/pose models, Kalman smoothing, spline fitting, and generate trajectory.json, overlays, reports.
  • Notifications — to notify you when processing finishes or to send account emails.
  • Billing — manage subscriptions and invoices.
  • Product improvement and research — model training, quality metrics, aggregated analytics (always de-identified where possible).
  • Safety & fraud prevention — investigate abuse, fix issues, and secure the Service.
  • Legal compliance — respond to lawful requests or obligations.
  • Marketing (optional) — with your consent, to send promotions and product updates.

6. Sensitive data and biometric processing (explicit rules)

Biomechanical outputs and facial/biometric data are treated as sensitive. We will only process them if you (a) explicitly consent via an in-app consent screen describing purpose and retention, or (b) you are an organisational customer who has a data processing agreement allowing such processing for team management and with the explicit consent of affected persons.

We will provide granular consent toggles (e.g., "Use facial landmarks to improve alignment", "Allow biomechanical data export for third-party analysis").

You can opt out at any time; opt-out stops further processing but does not retroactively delete data unless you request deletion (see Section 11).

7. Sharing & third parties

We do not sell your personal data. We may share data with:

Service providers (data processors)

  • Cloud storage and compute providers (Microsoft Azure Blob Storage, Azure Container Instances/Container Apps, Azure SQL, App Insights).
  • Identity & auth providers (Auth0 or similar).
  • Payment processors (Stripe, Apple/Google In-app billing).
  • Analytics & monitoring (App Insights, crash reporting).

These providers process data on our behalf under contracts and are required to implement appropriate security measures.

Third-party integrations (with your explicit action)

If you connect to a third party (team management tools, social accounts, club admin portals), we will share only the data you authorize. You control these connections and can revoke access.

Legal & safety

To comply with law or enforce our Terms of Service; or to protect rights, property, or safety.

Business transfers

In the event of a reorganisation, sale, merger, acquisition, or insolvency event we may transfer personal data to the acquiring entity, subject to confidentiality and notice to users where required by law.

When we share data we require recipients to follow security standards and contractual restrictions. We publish a list of processors and DPAs on request.

8. Cross-border transfers

We are based in Australia and use cloud providers with data centers in multiple regions. Personal data may be transferred to, stored in, and processed in countries outside your country of residence (including the United States and other jurisdictions). Where transfers occur we use legal safeguards (standard contractual clauses, local adequacy, or explicit consent) to protect your data.

9. Data retention

  • Raw video & audio you upload: retained for the period you select in account settings or until you delete it; default retention is 180 days for free accounts and configurable for paid tiers.
  • Derived detection/trajectory artifacts: retained according to your session settings (default 365 days) or as required for subscriptions/records.
  • Account & billing records: retained for legal and tax obligations (minimum 7 years where applicable).
  • Logs & telemetry: retained in aggregated/anonymised form; raw logs retained short-term (e.g., 90–180 days).

We apply retention schedules and securely delete data when no longer required, except where legal holds apply.

10. Security

We implement administrative, technical, and physical measures designed to protect personal data, including:

  • Encrypted storage at rest (where supported) and TLS in transit.
  • Short-lived SAS tokens for uploads (no account keys in clients).
  • Role-based access control, least privilege, and audited access for internal systems.
  • Regular security testing, patching, and vulnerability management.
  • Incident response procedures; notification to affected users and regulators when required by law.

While we take strong measures, no system is perfect — if a breach occurs we will follow legal obligations on notification.

11. Your rights and choices

Depending on your jurisdiction you may have the right to:

  • Access and obtain a copy of personal data we hold.
  • Correct inaccurate or incomplete data.
  • Delete your data ("right to be forgotten") subject to legal retention requirements.
  • Object to or restrict processing (including profiling) in certain circumstances.
  • Port your data to another provider in a commonly-used format (CSV, JSON).
  • Withdraw consent at any time for future processing.
  • Opt out of marketing communications.

To exercise rights, contact: privacy@babaump.com (or use the in-app Data Requests feature). We may require verification and will respond within applicable statutory timeframes.

12. Automated decisions & profiling

Our Services use automated processing to generate predictions and overlays (e.g., predicted ball path). These outputs are decision-support tools for coaches, umpires and players — not final legal decisions. If any fully automated decisions with legal or similarly significant effects are made, we will notify you and obtain consent where required by law and provide an appeal/ review mechanism.

13. Children & minors

Our Services are not directed to children under 16 (or higher local age). We do not knowingly collect personal information from minors without parental/guardian consent. Organisations using the platform for junior players must obtain any parental consents necessary before uploading or processing minors' videos or biometric data.

14. Cookies & tracking

Our websites use cookies and similar technologies for authentication, security, analytics, and preferences. You can control cookies via browser settings and consent banners where present.

15. Legal requests & law enforcement

We will respond to lawful requests from public authorities. When possible we will notify you of requests for your data unless prohibited by law.

16. International customers & applicable laws

If you are located in the European Economic Area, UK, California, or other jurisdictions with data privacy laws, additional rights or protections may apply. We will cooperate with regulators and follow applicable local rules (GDPR, UK GDPR, CCPA/CPRA, Australian Privacy Act, etc.). Data transfer safeguards are used for cross-border flows.

17. Third-party links

Our Services may contain links to third-party sites. We are not responsible for their privacy practices. Please review their policies.

18. Changes to this policy

We may update this Policy. Material changes will be communicated via the app, email or posted with a new effective date.

19. Contact us

  • Data privacy contact: privacy@babaump.com
  • Data Protection Officer (if appointed): [name/contact]
  • Mailing address: Avyari Pty Ltd, [address to insert]

For data-subject requests please include account email and as much detail as possible.

20. Data Processing & Security Addenda (for enterprise customers)

We offer Data Processing Agreements (DPAs), Security Assessment documents, SOC2/ISO evidence (if/when available), and options for regional data residency on request. Contact sales@babaump.com for enterprise DPA and regional retention options.

21. Example consent language (in app)

"I consent to BabaUmp processing my video and extracting biomechanical and facial landmark data to provide analysis and overlays. I understand this includes storage of facial feature templates and derived biomechanical metrics. I can withdraw this consent at any time from Settings > Privacy."

When enabling coach/team sharing: "I consent to share selected videos, player profiles and derived analytics with [club/team name]."

22. Practical implementation notes for engineering & compliance teams

(These items are for dev/ops; include in the privacy implementation checklist)

  • Implement consent screens and record consent timestamps + version of privacy policy.
  • Use short-lived SAS tokens for direct client uploads; avoid embedding storage keys.
  • Encrypt sensitive artifacts (face templates, raw videos) at rest and restrict access.
  • Provide a user-facing data export / delete endpoint (authenticated) that also triggers removal from long-term backups.
  • Maintain a processors registry and DPAs for Auth0, Azure (Blob/SQL/App Insights), Stripe, analytics vendors.
  • Add audit logging for access to biometric data.
  • Implement per-account retention settings and scheduled deletion jobs.
  • Provide an admin interface to manage enterprise DPAs, regional storage, and consent exceptions.

Legal note

This policy is a template and does not constitute legal advice. We recommend review by a qualified privacy lawyer to ensure compliance with local laws (for example: Australian Privacy Act, GDPR, CCPA/CPRA) and to adapt wording for enterprise contracts and particular jurisdictions.

Short checklist / next steps (1–3 highest leverage actions)

  1. Legal review & localisation — send this draft to your lawyer (Australia + EU/US counsel if you expect users there).
  2. Implement consent & data request UI — add consent capture, versioned policy acceptance, and an in-app "Request my data / Delete my data" flow.
  3. Processor contracts & DPA — prepare DPAs with Auth0, Azure, Stripe and other processors; test SAS upload flow to ensure no storage keys leak.

Why this way

  • Treats biometric & facial data as sensitive (legal and reputational risk).
  • Matches typical competitor coverage (account info, video/analytics, processors, data subject rights) while being practical for the BabaUmp architecture (SAS uploads, Azure processors).
  • Built to support both consumer and enterprise (club) use-cases with DPAs and regional options.