Last updated Monday 29th April 2026

Fanalysis Limited (Fanalysis / we / us) owns and operates a football fan community platform and sports data app (the App).

Your privacy is very important to us and we are committed to protecting your personal data. This privacy policy explains how we look after your personal data when you visit our website and/or App and use our Services (as defined below). It also sets out your privacy rights and how the law protects you.

Purpose of this privacy policy

This privacy policy explains how we process your personal data through your use of our website (www.fanalysis.com) (the Website) and App (and any other websites and/or mobile applications we may make available in the future in connection with our business) (together, the Services). This includes any data you may provide when you sign up to and use our Services, either on the Website or the App, or any data that you may provide if you speak with our team.

Our Services are intended for people over the age of 16 only and we will not knowingly or intentionally collect personal data from people under that age. We comply with the Children's Online Privacy Protection Act (COPPA), as amended by the FTC's final rule of January 2025 (effective June 2025), and do not knowingly collect personal information from children under 13 years of age. If we learn that we have collected personal data from a person under 16 (or under 13 in the case of US residents), we will delete that information as quickly as possible. If you believe we have collected information from a person under the applicable age threshold, please contact us immediately.

It is important that you read this privacy policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data, along with our Terms of Use

Data Controller

Fanalysis Limited is the data controller for the purposes of this Privacy Policy. Our company registration number is 09072105 and our registered office is Regina House, 124 Finchley Road, London, NW3 5JS.

We have appointed a data protection coordinator who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights in relation to your personal data, please contact the data protection coordinator using the details set out below.

Email address:
hello@fanalysis.com

Postal address:
Data Protection Co-ordinator
Fanalysis Limited, Regina House, 124 Finchley Road, London, NW3 5JS 

You have the right to make a complaint at any time with a supervisory authority. The authority responsible for us is the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the opportunity to deal with your concerns before you approach the ICO so please do contact us in the first instance.

If you are resident in the EU, you may contact our data protection representative in accordance with Article 27 GDPR: DP-Dock GmbH, Attn: Fanalysis Limited, Ballindamm 39, 20095 Hamburg, Germany, www.dp-dock.com, fanalysis@gdpr-rep.com.

Details of the supervisory authority or privacy regulator applicable to you are set out in the relevant section of this Privacy Policy below. You may also contact us at hello@fanalysis.com and we will direct you. Please contact us first.

Changes to the privacy policy and updates to your information
We keep our Privacy Policy under regular review. This version was last updated on 23 April 2026. Historic versions can be obtained by contacting us. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes via the Website or the App, as applicable, during your relationship with us.

Third-party links
Our Services may include links to third-party websites (such as our partners), plug-ins and other applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of other websites or Apps you visit.

The data we collect about you
Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (de-identified data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

• Identity Data includes first name, last name, username or similar identifier, address, email address, phone number, date of birth, gender and social media handle.

• Contact Data includes email address and telephone numbers.

• Technical Data includes information about your IP address, your login data, browser type, device type, operating system, time zone setting and other technology on the devices you use to access our Services. Some Technical Data (such as IP address, browser type, device type, operating system, and time zone setting) is collected indirectly via Google Analytics (a service provided by Google LLC), which processes this data on our behalf to help us understand how users interact with our Website. Google LLC is based in the United States. For further information on how Google processes this data, see https://policies.google.com/privacy.

• Usage Data includes information about how you use our Services, including content that you click on and how you have moved around our Website and/or App, the date and time of your visit, the pages you viewed, and the time spent on those pages.

• Employment Data includes information you provide or make available to us if you apply for a job with us, including your contact information, education, and employment experience. If you apply for a job with us through a third-party platform, we will collect the personal data you make available to us through such third-party platform.

• Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.

• Attribution Data includes information collected about how you discovered and installed the App, and your in-app activity following installation (such as clicks on our advertisements, ad impressions, app install and launch information, and in-app events and actions you take). This data is collected through the AppsFlyer SDK and may include IP address, device type and model, operating system, and engagement information relating to our paid marketing campaigns. This data is only collected where you have given your specific consent to tracking via the consent prompt displayed when you first open the App.

• Image Data includes photographs of yourself that you voluntarily upload when choosing to create an avatar on the App. This data is processed for two purposes: (a) to generate your personalised avatar (using OpenAI's API, provided by OpenAI OpCo, LLC, processing in the United States); and (b) to verify that you meet our minimum age requirement of 16 and scan for Harmful Content (via AWS Rekognition, processing on servers in Ireland (EU)). Your Image is automatically deleted within 7 days of upload, unless we detect Harmful Content which we are required by law to report to the relevant authorities, in which case the Image would be retained for so long as required by such authorities. It is not used for any other purpose.

• Avatar Data includes the AI-generated avatar image created from your Image when you choose to use the avatar creation feature. Your avatar is displayed on your App profile and is not used for any other purpose. You may regenerate your avatar up to three times if you are not satisfied with the result or delete it at any time.

• Verification Data: where we implement additional age verification in certain markets, includes identity documents or other verification data provided by you in circumstances where our systems have indicated that you may not meet our minimum age requirement of 16. This may occur where AWS Rekognition's age estimation during avatar creation suggests you may be under 16, or where the date of birth you provided at registration indicates you are under 16.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. AppsFlyer may also use aggregated and de-identified data derived from Attribution Data for market research and benchmarking purposes; this data cannot identify you or Fanalysis.

Special Categories of Personal Data

We do not generally collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). However, if you apply or have applied to become one of our 'Starting XI Fanalysts' we may need to run criminal records checks, but we will obtain your specific consent to do so in advance. Any criminal records data will be deleted as soon as reasonably practicable once your application has been processed and a decision made as to whether you have been accepted or not. Criminal records data is treated as a special category of data under UK data protection law and we process it only with your explicit consent and in accordance with our appropriate policy document.

Avatars and Age Estimation

Our App allows you to create a personalised avatar. Uploading a photograph of yourself ("your Image") to create an avatar is an entirely optional feature — you are not required to do so and you will not be disadvantaged if you choose not to.

If you choose to create an avatar, you will be invited to upload a photograph of yourself. Your Image is used for two separate purposes:

a) Age estimation and Harmful Content detection: your Image is transmitted to AWS Rekognition (a third-party service provided by Amazon Web Services EMEA SARL, processing on servers located in Ireland (EU)) to estimate your age and verify that you meet our minimum age requirement of 16 and to check that your Image does not contain any Harmful Content. If the estimate indicates you may be under 16, you will not be permitted to use the App.

b) Avatar creation: your Image is transmitted to OpenAI OpCo, LLC to generate a personalised avatar image using OpenAI's API. OpenAI OpCo, LLC processes your Image in the United States. Your avatar is displayed on your App profile and is not used for any purpose other than your App profile.

How we use your Image:

• Your Image is used for avatar creation (via OpenAI OpCo, LLC, in the United States) and for age estimation and Harmful Content detection (via AWS Rekognition, on servers in Ireland (EU)). It is not used to identify you and is not retained for any purpose beyond those described in this Privacy Policy.

• We do not use your Image for any other purpose, including advertising, profiling, or marketing.

• Your Image, any mathematical representation generated during age estimation processing (AWS Rekognition), and age estimation and Harmful Content output are automatically and permanently deleted within 7 days of upload. If Harmful Content is detected, and requires us to make any notifications to authorities, we may be required by law to retain your Image for so long as required by the relevant laws.

• Your generated avatar is retained for the duration of your account. You may regenerate your avatar up to three times if you are not satisfied with the result, or delete it at any time via your account settings.

• Your Image is shared only with OpenAI OpCo, LLC (for avatar generation) and AWS Rekognition (for age estimation and Harmful Content detection), each of which processes it solely on our instructions under a Data Processing Agreement.

• Before you upload your Image, you will be shown a notice confirming that your photograph will be processed in accordance with this Privacy Policy. Where the law applicable to you requires your explicit consent before we process your biometric data, you will be asked to give that consent at the point of upload as described in the relevant sections below.

Lawful basis: We process your Image on the basis of our legitimate interests (Article 6(1)(f) UK GDPR). Our legitimate interest is in ensuring that only users who meet our minimum age requirement of 16 are able to access and use the App, in order to operate our service responsibly and in compliance with our terms of use. We have assessed that this interest is not overridden by your rights and freedoms, given that: (a) uploading your Image is voluntary and an alternative method is available; (b) your Image is used solely for age estimation, Harmful Content detection and avatar creation and for no other purpose; and (c) the Image and data relating to it are automatically deleted within 7 days of upload (unless Harmful Content is detected and we are required to make any notifications to authorities in which case such data would be retained for so long as required by the applicable law).

Additional information for Australian and New Zealand residents

Australia: Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), facial images processed to generate a mathematical representation for age estimation are classified as sensitive information. We collect and process your Image on the basis that it is reasonably necessary for our functions as a service that operates a minimum age requirement of 16 (APP 3.2 of the Privacy Act 1988 (Cth)). If you choose to create an avatar, you will be asked to give your express consent before your Image is processed. The content of the consent notice and your right to request deletion of your Image are set out in the Additional Information for International Residents section below. Uploading your Image is entirely optional and an alternative method is available. We have conducted a privacy impact assessment in relation to our use of facial age estimation in accordance with the OAIC guidance on age assurance technologies. AWS Rekognition   Rekognition processes your Image on servers located in Ireland (EU). Although this involves a transfer of your Image from Australia to Ireland, Ireland is subject to the EU General Data Protection Regulation (GDPR), which the OAIC recognises as providing a comparable level of protection to the APPs. In accordance with APP 8 of the Privacy Act 1988 (Cth), we have taken reasonable steps to ensure that AWS Rekognition and OpenAI OpCo, LLC are contractually bound to handle your personal and sensitive information appropriately, including through our Data Processing Agreements with each provider.

New Zealand: Our collection and processing of biometric information for avatar creation and age estimation is subject to the Biometric Processing Privacy Code 2025 (the Biometrics Code), issued under section 32 of the Privacy Act 2020 (NZ). We have assessed that our use of facial age estimation is a proportionate and necessary means of verifying that users meet our minimum age requirement of 16, and that less privacy-invasive alternatives (such as self-declaration) are available to users who do not wish to upload an Image. You will be provided with clear notice at the point of collection in accordance with Rule 3 of the Biometrics Code, including information about the purpose of processing, the alternatives available to you, how long your Image will be retained, and how to access, correct or raise concerns about your biometric information. You have the right to request access to and correction of your biometric information in accordance with Rules 6 and 7 of the Biometrics Code and the Privacy Act 2020 (NZ). If you have any concerns about our biometric processing, please contact us at hello@fanalysis.com or raise a complaint with the Office of the Privacy Commissioner at www.privacy.org.nz.

Age estimation accuracy: Facial age estimation is not 100% accurate. If you believe the age estimate applied to your avatar is incorrect, you have the right to challenge this by submitting a request to hello@fanalysis.com.

For more information about how AWS processes data, please see the AWS Privacy Notice at https://aws.amazon.com/privacy/. For more information about how OpenAI processes data, please see https://openai.com/policies/privacy-policy.

If you fail to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel a service you have with us but we will notify you if this is the case at the time.

How is your personal data collected?
We use different methods to collect personal data from and about you including through:

Direct interactions. You may give us your Identity, Contact, and Marketing Data by filling in forms or by corresponding with us. This includes personal data you provide when you: create an account on our App or Website; subscribe to our services or publications; request marketing to be sent to you; apply to become a Starting XI Fanalyst; upload a photograph of yourself to create an avatar; enter a competition, promotion or survey; or give us feedback or contact us.

Automated technologies and indirect interactions. As you interact with our Services, we automatically collect Technical Data and Usage Data as follows:

• On our Website: we use cookies and similar web technologies, including Google Analytics (provided by Google LLC, United States), which automatically collects Technical Data about visitors to our Website. This data is collected indirectly — that is, it is collected by Google on our behalf from your device and provided to us. The purpose of this collection is to allow us to analyse how users use our Website, improve our Services, and inform our marketing strategy. Google LLC receives this data as our data processor. Your Technical Data collected via Google Analytics is not sold or shared with other third parties for their own purposes. You have the right to request access to and correction of this information by contacting us at hello@fanalysis.com. Please see our Cookie Policy for further details on cookies and how to manage them.

• On the App: Where you have given your consent to tracking, we also collect Attribution Data automatically via the AppsFlyer SDK embedded in the App. Please see the In-App Tracking Technologies and Marketing Attribution Tracking sections below for further details.

Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources, including: Technical Data from analytics providers such as Google; and Identity and Contact Data from publicly available sources.

How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• Where you have provided consent.

• Where we need to perform the contract we are about to enter into or have entered into with you.

• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

• Where we need to comply with a legal obligation.

Generally, we do not rely on consent as our primary legal basis for processing your personal data although we will get your consent before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us. Where we rely on legitimate interests as our lawful basis, you have the right to object to that processing at any time by contacting us at hello@fanalysis.com.

Purposes for which we will use your personal data

1.

To store and assess your application to join the App via our Website

Type of data: (a) Identity (b) Contact

Lawful basis:Performance of a contract with you

2.

To register you as a new user of the App and as a member of our community

Type of data:(a) Identity (b) Contact

Lawful basis:Performance of a contract with you

3.

To operate and facilitate our App

Type of data: (a) Identity (b) Contact (c) Usage (d) Marketing and Communications

Lawful basis: (a) to (b) Performance of a contract with you (c) to (d) Necessary for our legitimate interests (to study how customers use our services, to develop them and grow our business)

4.

To manage our relationship with you

Type of data:(a) Identity (b) Contact (c) Marketing and Communications

Lawful basis: (a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Based on your consent

5.

To administer and protect our business, our Website and App

Type of data: (a) Identity (b) Contact (c) Technical (d) Usage

Lawful basis: Necessary for our legitimate interests. Necessary to comply with a legal obligation

6.

To deliver relevant content and electronic marketing to you

Type of data:(a) Identity (b) Contact (c) Usage (d) Marketing and Communications (e) Technical

Lawful basis:Necessary for our legitimate interests and in relation to electronic marketing, only with your consent

7.

To measure the effectiveness of our paid brand marketing campaigns (marketing attribution tracking), using AppsFlyer

Type of data:(a) Attribution Data (b) Technical

Lawful basis:Your consent (Article 6(1)(a) UK GDPR). We will only carry out this processing where you have given your specific, informed consent via the tracking consent prompt displayed when you first open the App. You may withdraw your consent at any time via your device settings or by contacting us.

8.

To process your job application

Type of data:(a) Employment data

Lawful basis:Necessary for our legitimate interests (to conduct our internal recruitment processes) and, where applicable, to take steps at your request prior to entering into a contract

9.

To enhance our Services and user experience

Type of data:(a) Technical (b) Usage

Lawful basis: Necessary for our legitimate interests

10.

To generate a personalised avatar from your Image using OpenAI's API (OpenAI OpCo, LLC), for display on your App profile

Type of data:(a) Image Data (b) Avatar Data

Lawful basis: Necessary for our legitimate interests (Article 6(1)(f) UK GDPR) in providing the avatar feature you have chosen to use. Your Image is transmitted to OpenAI OpCo, LLC for this purpose under a Data Processing Agreement.

11.

To verify that you meet our minimum age requirement of 16 and have not uploaded any Harmful Content, using AWS Rekognition

Type of data:(a) Image Data

Lawful basis:Necessary for our legitimate interests (Article 6(1)(f) UK GDPR) in ensuring only users who meet our minimum age requirement of 16 can access the App and operating our service responsibly. Uploading your Image is voluntary — an alternative method is available. Your Image is used solely for age estimation and Harmful Content detection and deleted automatically within 7 days of upload (unless Harmful Content is detected and we are required to make any notifications to authorities).

12.

To make suggestions and recommendations to you about goods or services

Type of data:(a) Identity (b) Contact (c) Technical (d) Usage (e) Marketing and Communications

Lawful basis:Necessary for our legitimate interests and in relation to electronic marketing, with your consent

13.

To allow you to provide goods or services to us

Type of data:(a) Identity (b) Contact (c) Technical (d) Usage

Lawful basis:Necessary for our legitimate interests. Performance of a contract with you

14.

To comply with legal, audit or financial obligations

Type of data:(a) Identity (b) Contact (c) Technical (d) Usage

Lawful basis:(a) Necessary for our legitimate interests (b) Necessary to comply with a legal obligation

Marketing 

We will only send you marketing communications where we have obtained your consent to do so or where we are otherwise legally allowed to do so. You can ask us to stop processing your personal data for this purpose at any time, for example, by clicking an unsubscribe link in an email that we send.

We may use your Identity, Contact, Technical, and Usage Data to form a view on what we think you may want or need, or what may be of interest to you ("profiling") and we may market to you on this basis. You have the right to object to this profiling at any time by contacting us.

We do not currently share your personal data with any third parties for direct marketing purposes, and if this changes in the future, we will get your express opt-in consent before doing so, and update this Privacy Policy.

Cookies (Website only)

When you use our Website, we use cookies and similar web tracking technologies. For details of the cookies we use, what they do, and how to manage them, please see our Cookie Policy.

In-App Tracking Technologies (App only)

Our App does not use cookies. Instead, it uses SDKs and device identifiers to collect data about how you use the App. Where you have given your consent, this includes marketing attribution tracking via AppsFlyer — see below.

• Device identifiers: such as your advertising ID (for example, Apple's Identifier for Advertisers (IDFA) on iOS, or Google's Advertising ID on Android). You can reset or limit the use of your advertising ID via your device settings at any time.

• SDKs: pieces of software embedded in the App that enable certain features and data collection, including the AppsFlyer SDK used for marketing attribution tracking.

• Local storage: the App may store certain information locally on your device to support its functionality.

Where you have consented to tracking, the App collects Attribution Data via the AppsFlyer SDK. Where you have not consented, or where you have withdrawn your consent, no attribution tracking data will be collected. Your ability to use the App is not conditional on consenting to tracking.

Marketing Attribution Tracking

We use AppsFlyer Ltd. to measure the effectiveness of our paid marketing campaigns on the App. AppsFlyer acts as our data processor and collects Attribution Data solely on our behalf. It does not use this data for its own purposes or sell it to third parties. Where we participate in Meta's Advanced Mobile Measurement program, AppsFlyer may also receive data from Meta about your interactions with Fanalysis advertisements on Meta platforms (such as Facebook and Instagram). This data is processed by AppsFlyer solely on our behalf for attribution purposes and is subject to the same consent requirements described above — it is only processed where you have given your consent to tracking via the in-app prompt.

We rely on your consent (Article 6(1)(a) UK GDPR) for this processing. You will be asked for consent when you first open the App.  Withdrawing consent will not affect any processing already carried out.

You can withdraw your consent to attribution tracking at any time by: opting out via your device settings (for example, by enabling 'Limit Ad Tracking' on iOS or 'Opt out of Ads Personalisation' on Android); or contacting us at hello@fanalysis.com and requesting that attribution tracking is disabled for your account.

AppsFlyer is based in Israel and may transfer Attribution Data internationally, safeguarded by Standard Contractual Clauses (EU SCCs and the UK International Data Transfer Addendum). AppsFlyer uses sub-processors (including cloud hosting providers) to deliver its service; a current list is maintained at https://www.appsflyer.com/legal/subprocessors/. For further information about how AppsFlyer processes data, please see https://www.appsflyer.com/legal/privacy-policy/.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Disclosures of your personal data

When required for the purposes stated above, we may share your personal data with the following recipients:

Named processors

The following processors handle your personal data in ways that are material to your understanding of how your information is used:

OpenAI OpCo, LLC generates your personalised avatar from your Image via the OpenAI API. OpenAI OpCo, LLC is based in the United States and processes your Image in the United States. All processing is carried out under a Data Processing Agreement. Transfers are safeguarded by Standard Contractual Clauses (EU SCCs and the UK International Data Transfer Addendum). For further information see https://openai.com/policies/privacy-policy.

AWS Rekognition (Amazon Web Services EMEA SARL) provides facial age estimation and Harmful Content detection on our behalf when you choose to upload your Image. AWS processes your Image on servers in Ireland (EU) under a Data Processing Agreement. The transfer of your Image from Fanalysis (UK) to AWS Ireland is covered by the UK Government's adequacy regulations for EEA countries and does not require Standard Contractual Clauses. For EU users, the transfer is intra-EEA and requires no additional safeguard. For further information see https://aws.amazon.com/privacy/.

AppsFlyer Ltd. is our attribution tracking provider. AppsFlyer processes Attribution Data on our behalf where you have consented to tracking. AppsFlyer is based in Israel; transfers are safeguarded by Standard Contractual Clauses. For further information see https://www.appsflyer.com/legal/privacy-policy/.

Google LLC (Google Analytics) is our website analytics provider. Google collects Technical Data from our Website visitors on our behalf. Google is based in the United States; data transfers are safeguarded by Standard Contractual Clauses. For further information see https://policies.google.com/privacy.

GetStream, Inc. (Stream) is our activity feed and content delivery provider. GetStream processes usernames and user-generated content (including match reviews and activitydata) on our behalf. GetStream is based in the United States; transfers are safeguarded by Standard Contractual Clauses. For further information see https://getstream.io/legal/privacy-policy/.

Snowflake Inc. is our data warehousing and analytics provider. Snowflake processes certain account and usage data (including email address, name, nationality, club affiliation, ratings and reviews) for analytical purposes. Snowflake is based in the United States; transfers are safeguarded by Standard Contractual Clauses. For further information see https://www.snowflake.com/legal/privacy-policy/.

OneSignal Inc. is our push notification provider. OneSignal processes push notification tokens and user preference data on our behalf. OneSignal operates infrastructure in the EU (Netherlands). For further information see https://onesignal.com/privacy_policy.

Where we activate a third-party age verification service, we will add the relevant provider as a named processor in this section and update this Privacy Policy before the service goes live in any market.

Infrastructure and operational processors

We use a range of cloud infrastructure, hosting, authentication, database, real-time communications, and operational service providers to deliver our Services. These providers process personal data solely on our instructions and under Data Processing Agreements. Our primary infrastructure stores data in the EU (London, UK) and EU (Netherlands). A current list of all such processors, with their locations and applicable transfer safeguards, is available on request at hello@fanalysis.com.

Other recipients

We may also share your personal data with: professional advisers including lawyers, bankers, auditors and insurers; HMRC, regulators and other authorities in the United Kingdom and other jurisdictions, when required to do so by law; and service providers or other third parties in connection with the consideration, negotiation, or completion of a corporate transaction such as a merger, acquisition, or sale of assets.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not permit our processors to use your personal data for their own purposes. We will supply a full list of processors and sub-processors on request.

International transfers

Our primary infrastructure (authentication, database, file storage, and push notification infrastructure) is located in the EU (London, UK) and EU (Netherlands) and does not involve transfers outside the EEA.

The following international transfers to third countries occur:

• (a) GetStream, Inc. (United States): activity feed and content data, safeguarded by Standard Contractual Clauses.

• (b) Snowflake Inc. (United States): analytics and warehousing data, safeguarded by Standard Contractual Clauses.

• (c) Google LLC (United States): website analytics data, safeguarded by Standard Contractual Clauses.

• (d) AppsFlyer Ltd. (Israel): attribution tracking data where consent is given, safeguarded by Standard Contractual Clauses (EU SCCs and the UK International Data Transfer Addendum).

• (e) OpenAI OpCo, LLC (United States): Image Data for avatar generation, safeguarded by Standard Contractual Clauses (EU SCCs and the UK International Data Transfer Addendum).

• (f) AWS Rekognition (EMEA SARL): Image Data for age estimation, processed in Ireland (EU) — no third-country transfer.

• (g) Third-party age verification provider (where applicable): where we activate an age verification service involving international data transfers, we will update this section with details of the provider, the destination country, and the applicable transfer mechanism before processing begins.

Whenever we transfer your personal data outside the UK or EU, we use Standard Contractual Clauses approved by the UK Government or the European Commission, or transfer to countries with an adequacy decision. Please contact hello@fanalysis.com for further information on the specific mechanism used for any particular provider.

Data security

We make reasonable efforts to protect your personal data by using physical and electronic safeguards designed to improve the security of the personal data we maintain. We have established procedures to address suspected personal data breaches and will notify you and any applicable regulator of a breach where we are legally required to do so.

Data retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for.

By way of example, we will retain:

1.

Account and profile data

Period: Duration of your account plus 6 years

2.

Marketing preferences

Period: Until you withdraw consent or unsubscribe

3.

Technical and usage data

Period: 2 years from collection

4.

Job application data (unsuccessful)

Period: 1 year from decision

5.

Job application data (successful)

Period: Duration of employment plus 6 years

6.

Criminal records check data

Period: Deleted promptly after application decision

7.

Your Images, any mathematical representation generated during age estimation processing (AWS Rekognition), and age estimation and Harmful Content output

Period: Automatically deleted within 7 days of upload, unless it includes Harmful Content requiring us to make any notifications to authorities in which case such data would be retained for so long as required by the applicable law

8.

Avatar images (AI-generated)

Period: Duration of your account, or until you delete your avatar

9.

Attribution Data (collected via AppsFlyer)

Period: For the duration of our agreement with AppsFlyer, following which it is deleted or anonymised. You may request earlier deletion by contacting us.

In some circumstances we will de-identify your personal data for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Your legal rights

Under UK and EU data protection law, you have the following rights in relation to your personal data. If you are an Australian or New Zealand resident, please see the Australian and New Zealand Residents section below for the rights applicable to you under local law.

• Request access to your personal data (commonly known as a "data subject access request").

• Request correction of the personal data that we hold about you.

• Request erasure of your personal data where there is no good reason for us continuing to process it.

• Object to processing of your personal data where we are relying on a legitimate interest.

• Request restriction of processing of your personal data.

• Request the transfer of your personal data to you or to a third party.

• Withdraw consent at any time where we are relying on consent to process your personal data.

• Rights related to automated decision-making. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Where we use automated decision-making (such as AI scoring of Fanalyst applications), you have the right to request human intervention, to express your point of view, and to contest the decision.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). We try to respond to all legitimate requests within one month.

US Residents

If you are a California resident or a resident of another US state with comprehensive privacy legislation (such as Virginia, Colorado or Connecticut), you may have additional rights under applicable state privacy laws. We do not currently meet the applicability thresholds under these laws. We do not sell personal data, nor do we share personal data for cross-context behavioural advertising purposes. Contact us at hello@fanalysis.com with any privacy questions.

COPPA Compliance

We comply with the Children's Online Privacy Protection Act (COPPA), as amended by the FTC's final rule of January 2025 (effective June 2025). Our Services are not directed to children under 13 years of age, and we do not knowingly collect personal information from children under 13. Under the amended COPPA Rule, personal information includes biometric identifiers such as facial patterns. If we learn that we have collected personal data from a person under 13, we will delete that information as quickly as possible in accordance with our general data retention policy set out above. If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us immediately at hello@fanalysis.com and we will delete such information from our systems.

Biometric privacy (US state residents): Some US states, including Illinois, Texas and Washington, have enacted laws specifically governing the collection and use of biometric information. If you are a resident of one of these states and you choose to upload your Image to create an avatar, the following protections apply to you regardless of your state's specific requirements: (a) you will be shown a notice before uploading your Image confirming that your photograph will be processed in accordance with this Privacy Policy; (b) uploading your Image is entirely optional and you will not be disadvantaged if you choose not to do so; (c) your Image and any associated data generated by AWS Rekognition will be automatically deleted within 7 days of upload; (d) we will never sell your biometric information to any third party; and (e) your Image is shared only with OpenAI OpCo, LLC (for avatar generation) and AWS Rekognition (for age estimation and Harmful Content detection), each of which processes it solely on our behalf under a Data Processing Agreement and for no other purpose. To exercise any rights you may have under applicable state biometric privacy law, or to raise a concern about our processing of your biometric information, please contact us at hello@fanalysis.com.

Australian and New Zealand Residents

Australian Residents

If you are an Australian resident, the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) apply to the handling of your personal information by Fanalysis. The following additional information is relevant to you:

Lawful basis: The APPs do not operate on a structured lawful basis model equivalent to UK GDPR. We collect and use your personal information where it is reasonably necessary for our functions and activities, or with your consent. For Image Data processed via AWS Rekognition for age estimation purposes, we rely on your consent (APP 3.3 of the Privacy Act 1988 (Cth)). If you choose to create an avatar, you will be asked to give your express consent before your Image is processed, as described in the Avatars and age estimation section above.

Your rights: Under Australian privacy law, you have the right to: (a) request access to the personal information we hold about you (APP 12); and (b) request correction of personal information that is inaccurate, out-of-date, incomplete, irrelevant or misleading (APP 13). You do not currently have a right to erasure, data portability or to object to processing under Australian law (though these rights are under government consideration for future reform). To exercise your access or correction rights, please contact us at hello@fanalysis.com.

Complaints: You may make a complaint to the OAIC at www.oaic.gov.au. Please contact us first.

Children (Australian residents under 18): Australian privacy law defines a child as a person under 18. Our Services are directed at users over 16. Once the Australian Children's Online Privacy Code is registered (expected by December 2026), we will review and update our practices to ensure full compliance with the Code in relation to Australian users aged 16-17.

New Zealand Residents

If you are a New Zealand resident, the Privacy Act 2020 (NZ) applies to the handling of your personal information by Fanalysis.

Your rights: Under the Privacy Act 2020 (NZ), you have the right to: (a) request access to the personal information we hold about you (IPP 6); and (b) request correction of personal information that is inaccurate (IPP 7). You do not currently have a right to erasure, data portability or to object to processing under New Zealand law. To exercise your rights, please contact us at hello@fanalysis.com.

Indirect collection (IPP 3A — effective 1 May 2026): From 1 May 2026, where we collect personal information about you from a source other than you directly, we are required under IPP 3A of the Privacy Act 2020 (NZ) to take reasonable steps to ensure you are aware of the following matters: (a) the fact that the information has been collected; (b) the purpose of the collection; (c) the intended recipients of the information; (d) the name and address of the agency collecting and holding the information (Fanalysis Limited, Regina House, 124 Finchley Road, London NW3 5JS / hello@fanalysis.com); (e) whether the collection is required or authorised by law and if so which law; and (f) your right to access and correct your information. The personal information we collect about you indirectly, and the relevant details for each, are as follows: (i) Technical Data (such as IP address, browser type, device type, operating system, time zone setting, pages visited, and time spent on pages) — collected indirectly via Google Analytics (Google LLC, United States) when you use our Website. Purpose: to analyse how users use our Website, improve our Services and inform our marketing strategy. Recipients: Google LLC as our data processor. No statutory authority is relied upon for this collection. Your access and correction rights are set out above. (ii) Attribution Data (such as device identifiers, IP address, app install information, and in-app engagement data) — collected indirectly via the AppsFlyer SDK (AppsFlyer Ltd, Israel) when you use our App, but only where you have given your consent to tracking via the in-app prompt. Purpose: to measure the effectiveness of our paid marketing campaigns and attribute app installs and in-app activity to specific advertising sources. Recipients: AppsFlyer Ltd as our data processor. No statutory authority is relied upon for this collection. Your access and correction rights are set out above. We bring these matters to your attention by presenting this Privacy Policy to you at the point of registration and requiring your acknowledgment of it. If we add new third-party providers that involve indirect collection of your personal information, we will update this Privacy Policy and notify you of the change before the new collection begins.

Complaints: You may make a complaint to the Office of the Privacy Commissioner at www.privacy.org.nz. Please contact us first.

Canadian Residents

If you are a Canadian resident, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to the handling of your personal information by Fanalysis. If you are a resident of Quebec, the Act to Modernize Legislative Provisions as Regards the Protection of Personal Information (Law 25) also applies and sets out additional rights described below.

Age estimation and biometric processing (AWS Rekognition)

When you choose to create an avatar on the App, you may voluntarily upload a photograph of yourself (your Image). Your Image is processed by AWS Rekognition (Amazon Web Services EMEA SARL) solely to estimate whether you meet our minimum age requirement of 16. This processing involves the analysis of facial features using automated statistical techniques, which the Office of the Privacy Commissioner of Canada (OPC) treats as biometric processing for the purposes of PIPEDA. Biometric information is classified as sensitive personal information under PIPEDA and requires your express consent before we can collect and process it. Canadian users will be asked to actively confirm their consent before their Image is processed. The full notice content — covering what is collected, why, who receives it, retention period, and the right to request deletion — is set out in the Additional Information for International Residents section below. You may withdraw your consent at any time by contacting us at hello@fanalysis.com. If you withdraw consent, we will not be able to process your Image and you will not be able to use the avatar creation feature, but this will not affect your ability to use the App.

Age verification (where implemented)

For users in certain markets, in circumstances where our systems indicate you may not meet our minimum age requirement of 16 — including where AWS Rekognition's age estimation suggests you may be under 16, or where the date of birth you provided at registration indicates you are under 16 — we may request that you complete additional age verification using a third-party age verification service. Where we implement age verification for Canadian users, we will update this section before the service goes live with full details of the provider, the data processing involved, and the applicable consent requirements under PIPEDA. Where PIPEDA requires your express consent before biometric information is collected or processed (including facial images processed for identity verification purposes), we will ensure that consent is obtained before any such processing begins. You will be provided with clear information about the processing at the point of verification.

Lawful basis (PIPEDA)

PIPEDA does not operate on a structured six-basis lawful basis model equivalent to UK GDPR. We collect and use your personal information where we have a legitimate purpose for doing so and where you have provided the necessary consent. For biometric information (your Image processed via AWS Rekognition), we rely on your express consent as described above. For general personal information, we collect and use it for the purposes identified in this Privacy Policy, which you acknowledge by using our Services.

Your rights under PIPEDA

Under PIPEDA, you have the right to: (a) request access to the personal information we hold about you; (b) request correction of personal information that is inaccurate or incomplete; and (c) withdraw consent to the collection, use or disclosure of your personal information at any time, subject to legal or contractual restrictions and reasonable notice. To exercise these rights, please contact us at hello@fanalysis.com. You do not currently have a right to erasure, data portability or to object to processing under federal Canadian law (though these rights may be introduced in future legislative reform).

Complaints: You may make a complaint to the OPC at www.priv.gc.ca. Please contact us first.

Quebec Residents (additional rights under Law 25)

If you are a resident of Quebec, the following additional rights and obligations apply:

Right to de-indexing: You may request that we cease disseminating your personal information or de-index any hyperlink associated with your name if the dissemination causes you harm or contravenes applicable law.

Right to data portability: You have the right to receive the personal information you have provided to us in a structured, commonly used technological format, and to request that we transmit it to another organisation where technically feasible.

Consent for minors: If you are under 14 years of age, we require the consent of your parent or legal guardian before we collect or process your personal information.

Privacy by default: Our Services are designed so that features enabling identification, profiling, or tracking are not activated without your knowledge and consent.

Complaints (Quebec): You may also make a complaint to the Commission d'accès à l'information du Québec (CAI) at www.cai.gouv.qc.ca. Please contact us first.

Turkish Residents

If you are a resident of Turkey, the Law on the Protection of Personal Data No. 6698 (Kişisel Verilerin Korunması Kanunu, KVKK) applies to the handling of your personal information by Fanalysis.

Biometric data and age estimation (AWS Rekognition)

Under Article 6 of the KVKK, biometric data is classified as a special category of sensitive personal data and may only be processed with your explicit consent. The processing of your Image by AWS Rekognition to estimate your age constitutes processing of sensitive personal data under Turkish law. Turkish users will be asked to actively confirm their express consent before their Image is processed. The full notice content is set out in the Additional Information for International Residents section below. You may withdraw your consent at any time by contacting us at hello@fanalysis.com. Withdrawal of consent will not affect your ability to use the App but will mean you cannot use the avatar creation feature.

Lawful basis (KVKK)

Under the KVKK, we process general personal data on the basis of contract performance or legitimate purpose, and special category personal data (including biometric data) on the basis of your explicit consent.

Your rights under the KVKK

Under Article 11 of the KVKK, you have the right to: (a) find out whether your personal data is being processed; (b) request information about the processing of your personal data; (c) find out the purpose of processing your personal data and whether it is being used in accordance with that purpose; (d) know the third parties to whom your personal data has been transferred; (e) request correction of incomplete or inaccurate personal data; (f) request deletion or destruction of your personal data where the grounds for processing no longer exist; (g) object to the processing of your personal data by automated means which produces adverse results; and (h) seek compensation for damages arising from unlawful processing of your personal data. To exercise any of these rights, please contact us at hello@fanalysis.com.

Children (Turkish residents under 18)

Under Turkish law, individuals under 18 lack full legal capacity and cannot provide valid independent consent to the processing of their personal data. If you are under 18 and a Turkish resident, the consent of your parent or legal guardian is required before we collect or process your personal information. Our minimum age requirement is 16. If you are aged 16 or 17 and a Turkish resident, please ensure your parent or guardian is aware of and consents to your use of our Services.

Complaints: You may make a complaint to the KVKK at www.kvkk.gov.tr. Please contact us first.

Saudi Arabian Residents

If you are a resident of Saudi Arabia, the Personal Data Protection Law (PDPL), issued pursuant to Royal Decree No. M/19 (2021) as amended, and the Implementing Regulations apply to the handling of your personal information by Fanalysis. The Saudi Data and Artificial Intelligence Authority (SDAIA) is responsible for overseeing data protection compliance in Saudi Arabia.

Biometric data and age estimation (AWS Rekognition)

Under the PDPL, biometric data — including facial images processed to generate an estimate of your age — is classified as sensitive personal data and may only be processed with your explicit consent. Saudi Arabian users will be asked to actively confirm their consent before their Image is processed. The full notice content and your right to request deletion of retained data are set out in the Additional Information for International Residents section below.

Lawful basis (PDPL)

Under the PDPL, we process sensitive personal data (including biometric data) on the basis of your explicit consent, and general personal data on the basis of legitimate purpose.

Cross-border transfers

Your personal data, including your Image, is transferred to service providers located outside Saudi Arabia, including AWS Rekognition (Ireland, EU) and OpenAI OpCo, LLC (United States). We are implementing SDAIA Standard Contractual Clauses with each of these providers as the safeguard for these transfers. In the interim, transfers of sensitive personal data are also covered by your express consent given at the point of biometric processing as described above. This section will be updated once SDAIA Standard Contractual Clauses are executed and as SDAIA publishes adequacy determinations for relevant countries.

Your rights under the PDPL

Under the PDPL, you have the right to: (a) be informed of the processing of your personal data; (b) access the personal data we hold about you; (c) request correction of inaccurate personal data; (d) request deletion of your personal data where the grounds for processing no longer exist; (e) object to processing carried out without a legal basis; and (f) withdraw consent at any time where we rely on consent to process your personal data. To exercise any of these rights, please contact us at hello@fanalysis.com.

Individuals aged 16 or 17 who are Saudi residents may provide consent to data processing directly under Saudi law, provided consent requests use age-appropriate language. Our minimum age requirement is 16.

Complaints: You may make a complaint to SDAIA at www.sdaia.gov.sa. Please contact us first.

UAE Residents

If you are a resident of the UAE, Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) applies to the handling of your personal information by Fanalysis. The UAE Data Office is the regulatory authority responsible for overseeing data protection compliance in the UAE.

Biometric data and age estimation (AWS Rekognition)

Under the UAE PDPL, biometric data — including facial images processed to generate an estimate of your age — is classified as sensitive personal data requiring explicit, informed, and revocable consent. UAE residents will be asked to actively confirm their consent before their Image is processed. The full notice content and your right to request deletion of retained data are set out in the Additional Information for International Residents section below.

Lawful basis (UAE PDPL)

Under the UAE PDPL, we process sensitive personal data (including biometric data) on the basis of your explicit consent, and general personal data on the basis of contract performance or legitimate purpose.

Cross-border transfers

Your personal data, including your Image, is transferred to service providers located outside the UAE, including AWS Rekognition (Ireland, EU) and OpenAI OpCo, LLC (United States). In the absence of a formal adequacy determination by the UAE Data Office for these countries, transfers of sensitive personal data are made on the basis of your explicit consent given at the point of processing as described above. This section will be updated if the UAE Data Office publishes adequacy determinations for the relevant countries.

Age verification

Federal Decree-Law No. 26 of 2025 on Child Digital Safety requires digital platforms to implement age verification mechanisms. Fanalysis verifies users’ ages using a combination of self-declaration at registration (date of birth) and, where users choose to create an avatar, AWS Rekognition age estimation. Fanalysis’s Services are not directed at children under the age of 16.

Your rights under the UAE PDPL

Under the UAE PDPL, you have the right to: (a) access personal data held by Fanalysis; (b) request correction of inaccurate personal data; (c) request deletion of personal data where the grounds for processing no longer exist; (d) object to certain processing; and (e) withdraw consent at any time where we rely on consent. To exercise any of these rights, please contact us at hello@fanalysis.com.

Complaints: You may make a complaint to the UAE Data Office. Please contact us first.

Additional Information for International Residents

In many countries, applicable law classifies biometric data — including facial images processed for age estimation — as sensitive or special category personal data requiring your explicit consent before processing. If the law applicable to you requires this, you will be asked to give your express consent at the point of image upload as described in the Avatars and age estimation section above and below.

Biometric data and age estimation (AWS Rekognition)

Where applicable law requires your explicit consent, a notice will be displayed before upload setting out: what information is collected (your Image); why it is collected (to estimate your age using AWS Rekognition and to generate your personalised avatar using OpenAI); who receives it (AWS Rekognition, processing on our behalf under a Data Processing Agreement on servers in Ireland (EU), and OpenAI OpCo, LLC, processing in the United States); how long it is retained (deleted within 7 days of upload, or as required by law if Harmful Content is detected); and that uploading your Image is entirely optional and an alternative is available. Once your Image has been processed, you may request deletion of any copy still held by Fanalysis at any time by contacting hello@fanalysis.com. Please note that the age estimation itself is completed immediately and cannot be reversed.

Your Image is also transmitted separately to OpenAI OpCo, LLC for the purpose of generating your personalised avatar. This is a separate processing activity from the age estimation carried out by AWS Rekognition. OpenAI OpCo, LLC processes your Image in the United States.

Cross-border transfers

Your personal data, including your Image, is transferred to service providers located outside your country, including AWS Rekognition (Ireland, EU) and OpenAI OpCo, LLC (United States). We implement Standard Contractual Clauses or equivalent contractual safeguards with each of these providers for these transfers. In the interim, transfers of your sensitive personal data are also covered by your express consent given at the point of biometric processing.

Your rights

Under the laws applicable to you, you generally have the right to: access the personal data we hold about you; request correction of inaccurate personal data; request deletion of your personal data where the grounds for processing no longer exist; and withdraw consent where we rely on consent to process your personal data. To exercise any of these rights, please contact us at hello@fanalysis.com.

Brazil

If you are a resident of Brazil, the Lei Geral de Proteção de Dados (LGPD), Law 13.709/2018, applies to the handling of your personal information by Fanalysis. The Autoridade Nacional de Proteção de Dados (ANPD) is responsible for oversight.

Under the LGPD, biometric data is classified as sensitive personal data (Arts. 5(II) and 11) and may only be processed with your explicit, specific and highlighted consent. You will be asked to give this consent before your Image is processed as described above.

Cross-border transfers: your Image is transferred to AWS Rekognition (Ireland, EU) and OpenAI OpCo, LLC (United States) under Data Processing Agreements and contractual safeguards consistent with LGPD Art.33. We are implementing additional contractual mechanisms as required. In the interim, transfers of your sensitive personal data are covered by your express consent.

Adolescents aged 16-17: the LGPD includes specific provisions for the personal data of children and adolescents under the age of 18. We process the personal data of users aged 16 or 17 in a manner consistent with their best interests and only for the purposes described in this Privacy Policy.

Your rights under the LGPD: in addition to the general rights set out above, you have the right to anonymisation, blocking or deletion of unnecessary or excessive data; portability of your data to another service provider; information about entities with which your data has been shared; and information about the consequences of not providing consent. To exercise these rights, contact us at hello@fanalysis.com.

Complaints: You may make a complaint to the ANPD at www.gov.br/anpd. Please contact us first.

Japan

If you are a resident of Japan, the Act on Protection of Personal Information (Act No. 57 of 2003, as amended) (APPI) applies to the handling of your personal information by Fanalysis. The Personal Information Protection Commission (PIPC) is responsible for oversight.

Under the APPI, biometric data processed in connection with identifying an individual is classified as special care-required personal information requiring your opt-in consent before processing. You will be asked to give this consent before your Image is processed.

Overseas third-party provision: the APPI requires specific consent when personal information is provided to third parties located overseas. Your Image is provided to AWS Rekognition in Ireland (EU) and OpenAI OpCo, LLC in the United States. The express consent you give at the point of image upload covers both the biometric processing and the provision of your Image to these overseas third parties for the purposes described. We have also implemented Data Processing Agreements with each provider as additional safeguards.

Your rights under the APPI: you have the right to request disclosure of your personal information; request correction, addition or deletion of inaccurate personal information; request cessation of use or erasure of personal information that is no longer necessary or was processed unlawfully; and request cessation of third-party provision. To exercise these rights, contact us at hello@fanalysis.com.

Complaints: You may raise a concern with the PIPC at www.ppc.go.jp. Please contact us first.

Singapore

If you are a resident of Singapore, the Personal Data Protection Act 2012 (PDPA) applies to the handling of your personal information by Fanalysis. The Personal Data Protection Commission (PDPC) is responsible for oversight.

Under the PDPA, your Image is personal data and you will be asked to give your express consent before it is processed for age estimation and avatar creation, as described above.

Cross-border transfers: your Image is transferred to AWS Rekognition (Ireland, EU) and OpenAI OpCo, LLC (United States). These transfers are made subject to contractual protections consistent with the PDPA’s transfer limitation obligations, including Data Processing Agreements with each provider.

Online safety: Fanalysis is committed to complying with Singapore’s Online Safety Act 2022 and applicable codes of practice issued by the Infocomm Media Development Authority (IMDA). We verify users’ ages using a combination of self-declaration at registration and AWS Rekognition age estimation for users who create avatars. Our Services are not directed at children under the age of 16.

Your rights under the PDPA: you have the right to access personal data held by Fanalysis; request correction of inaccurate personal data; and withdraw consent, subject to legal or contractual restrictions. To exercise these rights, contact us at hello@fanalysis.com.

Complaints: You may raise a concern with the PDPC at www.pdpc.gov.sg. Please contact us first.

Contact Us

If you have any questions about this privacy policy or our privacy practices, please contact us:

Email:hello@fanalysis.com

Post: Data Protection Co-ordinator, Fanalysis Limited, Regina House, 124 Finchley Road, London, NW3 5JS

EU Representative: DP-Dock GmbH, Attn: Fanalysis Limited, Ballindamm 39, 20095 Hamburg, Germany (fanalysis@gdpr-rep.com)