Babel FC Privacy Policy
Effective as of [PLACEHOLDER — Effective Date]
EOM, LLC. (“we,” “our,” or “us”) respects your privacy. This Privacy Policy (“Policy”) explains how we collect, use, disclose, and protect personal information when you use the smartphone application “Babel FC” and all related features and websites (collectively, the “Service”).
This Policy applies to all users worldwide. By using the Service, you acknowledge that you have read and understood this Policy. We comply with applicable privacy laws, including the Japanese Act on the Protection of Personal Information (the “APPI”), the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and the California Consumer Privacy Act / California Privacy Rights Act (“CCPA / CPRA”).
1. Introduction and Scope
1.1 Data Controller: EOM, LLC.
1.2 This Policy covers personal information we process about individual users. It does not apply to information that cannot be linked to an identified or identifiable person (“anonymous data”).
2. Information We Collect
2.1 Account Data
- Sign-in identifiers: provided through your chosen Apple ID or Google account, including a unique user ID, display name, and email address (where Apple or Google provides it).
- The Service does not support email-and-password sign-in. Sign-in is limited to Apple and Google social sign-in.
2.2 Profile Data (provided by you)
- Nickname
- Favorite league and favorite club
- Learning goals
- UI language preference
2.3 Learning Progress Data
- Completed lesson IDs
- Learning streak (consecutive days of practice)
- Earned roles (Reserve / Sub / Starter / Captain / Legend)
2.4 Activity Logs
- PostHog: in-app event data (screen transitions, feature usage). Sent in association with an anonymized user identifier.
- Firebase Crashlytics: device information, OS version, and stack traces sent automatically when the app crashes. You can opt out of this in the in-app settings.
2.5 Microphone Audio (Shadowing feature only)
- The Service captures microphone audio during the Shadowing feature. Audio is processed entirely on your device and is never transmitted to any server. See Section 10 for details.
3. How We Collect Information
| Data Type | Collection Method |
|---|---|
| Sign-in data | Automatically obtained via Apple / Google social sign-in |
| Profile data | Entered by you during onboarding or in the settings screen |
| Learning progress data | Recorded automatically as you use the Service |
| Activity logs (PostHog) | Collected automatically as usage logs |
| Crash reports (Firebase Crashlytics) | Sent automatically on crash (opt-out available) |
| Microphone audio | Processed only on-device during Shadowing (no transmission) |
4. How We Use Your Information & Legal Bases
We use your information for the purposes listed below. For users to whom GDPR applies, we identify the corresponding legal bases.
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and operate the Service (authentication, save and sync of learning progress) | Contract — Article 6(1)(b) |
| Detect, investigate, and fix bugs | Legitimate interests — Article 6(1)(f) |
| Improve the Service, enhance user experience, develop new features | Legitimate interests — Article 6(1)(f) |
| Respond to your inquiries and provide support | Contract; Legitimate interests — Article 6(1)(b)/(f) |
| Send important administrative messages (policy updates, security alerts) | Contract; Legal obligation — Article 6(1)(b)/(c) |
| Send optional product announcements or marketing emails (opt-in only) | Consent — Article 6(1)(a); withdrawable at any time |
| Detect, investigate, and prevent abuse or violations of our Terms | Legitimate interests; Legal obligation — Article 6(1)(f)/(c) |
| Comply with applicable law | Legal obligation — Article 6(1)(c) |
We will not use your information for purposes outside the scope above without your prior consent.
5. Data Security
We protect personal information using the following measures:
- Encryption in transit and at rest: data is encrypted in transit via TLS and at rest using the encryption features provided by our cloud processors.
- Access control: access to personal information is limited to what is operationally necessary, on a least-privilege basis.
- Processor oversight: we enter into data protection agreements with the processors listed in Section 7 and review their handling periodically.
No method of transmission or storage is completely secure, but we continually review our practices against current industry standards.
6. Data Breach Notification
If a leak, loss, damage, or other compromise of personal information (“Data Breach”) occurs, we will promptly verify the facts, assess the risks of further disclosure or recurrence, and report to the Personal Information Protection Commission of Japan (the regulator) and notify affected individuals as required by applicable law, in principle within 72 hours of becoming aware of the Data Breach. If a notification is delayed, we will explain the reason and report additional information as soon as it becomes available.
7. Third-Party Processors and International Data Transfers
7.1 Third-Party Processors
We rely on the following third-party processors to provide the Service. Their privacy policies are linked below.
| Processor | Information Handled | Method | Privacy Policy |
|---|---|---|---|
| Google Firebase (Authentication, Crashlytics) | Sign-in data, crash reports | API | https://firebase.google.com/support/privacy |
| PostHog | Activity logs, anonymized identifiers | SDK | https://posthog.com/privacy |
| Cloudflare (Workers / KV / R2) | Profile data, learning progress data | API | https://www.cloudflare.com/privacypolicy/ |
| football-data.org | Request information when fetching match data | API | Privacy Policy at bottom of /about |
| Apple Inc. | Sign-in data (when using Apple ID) | OAuth | https://www.apple.com/legal/privacy/ |
| Google LLC | Sign-in data (when using Google account) | OAuth | https://policies.google.com/privacy |
We will not share your personal information with any other third party without your prior consent, except where required by law (e.g., for protection of life, body, or property).
7.2 International Data Transfers
The Service processes data in Japan, the United States, the European Union, the United Kingdom, and other countries where our processors operate. When transferring data internationally, we rely on the following safeguards:
- EU adequacy decision for Japan: In 2019, the European Commission recognized Japan as a country providing an adequate level of protection of personal data. Transfers from the EU to Japan can therefore generally proceed without additional measures.
- EU Standard Contractual Clauses (SCCs): For transfers to processors located in the United States or other countries without an adequacy decision, we rely on the Standard Contractual Clauses adopted by the European Commission under Article 46 GDPR.
- UK International Data Transfer Agreement (IDTA): For transfers originating from the United Kingdom, we implement the IDTA or the UK Addendum to the EU SCCs, as applicable.
- EU–US Data Privacy Framework (DPF): Where our U.S. processors are self-certified under the DPF, we rely on that certification.
- Additional technical safeguards: such as encryption in transit (TLS).
By using the Service, you understand and agree that your information may be processed abroad as described.
8. Data Retention
We retain personal information for the periods set out below.
| Data Type | Retention Period |
|---|---|
| Account, profile, and learning progress data | While the account is active, plus up to 1 year after termination, for dispute resolution and legal obligations |
| Activity logs (PostHog) | Up to 12 months, then deleted or anonymized |
| Crash reports (Firebase Crashlytics) | Standard Firebase retention (typically 90 days) |
| Microphone audio | Not stored (discarded after on-device processing) |
| Marketing consent records | 3 years after withdrawal of consent (audit trail) |
We may retain anonymized or aggregated data beyond these periods.
9. Account Deletion
You may delete your account at any time from the in-app settings. When you do:
- Cloudflare KV / R2 user data: deleted without undue delay upon receipt of the deletion request.
- Firebase Auth records: a deletion request is issued via the Firebase Authentication API.
- PostHog activity logs: a deletion request is issued via PostHog’s Person Deletion API.
Deletion at third-party processors may take some time to complete, in accordance with each processor’s specifications.
10. Microphone Audio (Shadowing feature)
The Service uses your device microphone exclusively for the Shadowing feature. The handling is as follows:
- Purpose: to detect when you have finished speaking so the app can advance to the next phrase.
- Processing location: audio is processed entirely on your device.
- Transmission: audio is not transmitted to our servers or any third-party server.
- Evaluation: we do not evaluate or score your pronunciation.
- Storage: audio is not stored on the device beyond the moment of detection and is discarded thereafter.
- Disclosure to third parties: we do not provide audio data to any third party, including for App Store or Google Play review purposes.
11. Your Rights
Depending on your location, you have the following rights regarding your personal information.
11.1 Rights under the Japanese APPI (Articles 28–30)
- Right to disclosure (including third-party transfer records)
- Right to correction, addition, or deletion
- Right to suspension of use or third-party provision
A processing fee of JPY 1,000 (excluding tax) per request may be charged for disclosure requests. We will respond to requests in writing or by email within two weeks of receipt, in principle.
11.2 Rights under GDPR / UK GDPR (Articles 15–22)
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to data portability
- Right to object
- Right not to be subject to automated decision-making
- Right to withdraw consent (where processing is based on consent)
- Right to lodge a complaint with a supervisory authority (users in the EEA / UK have the right to lodge a complaint with their local Data Protection Authority)
We will respond to GDPR requests within one month, after verifying your identity (extendable by two further months for complex or numerous requests). Requests are free of charge unless they are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act.
11.3 Rights under CCPA / CPRA (California residents)
California residents have the right to:
- request disclosure of the categories and specific pieces of personal information collected, the sources, the purposes, and the third parties to whom it has been disclosed;
- request deletion of personal information;
- opt out of the “sale” or “sharing” of personal information (we do not sell or share personal information for cross-context behavioral advertising); and
- not be discriminated against for exercising these rights.
You may submit a verifiable request directly or through an authorized agent.
11.4 How to Exercise Your Rights
To exercise any of the above rights, please use our contact form.
12. Cookies and Similar Technologies
Neither our website (babelfc.com) nor the Babel FC mobile application sets first-party cookies. In-app session management and usage analysis are conducted via the SDKs and APIs described in Sections 2 and 7 of this Policy.
Note that third-party resources embedded on the website (such as Google Fonts) may set their own cookies. Those cookies are governed by the respective providers’ privacy policies.
13. Children’s Privacy
13.1 The Service is intended for users aged 16 years or older. We do not knowingly collect personal information from anyone under 16.
13.2 Where the laws of your country or region set a different age threshold, the local threshold applies. If you are under the applicable digital age of consent, you may use the Service only with the verifiable consent of a parent or legal guardian.
13.3 The Service does not implement an age gate. This is an operational decision based on (i) the fact that the Service is not directed at users under 16, and (ii) our policy of minimizing additional personal data collection.
13.4 If we become aware that we have collected personal information from a person below the applicable age of consent without parental authorization, we will delete that information promptly. Parents or guardians who believe we hold personal information about their child should contact us via the contact form.
14. Apple App Tracking Transparency (ATT)
The Service does not engage in “tracking” as defined by Apple’s App Tracking Transparency (ATT) framework — that is, we do not link user activity in the Service to data collected on apps or websites owned by other companies.
PostHog activity logs are used solely for in-app event analysis and feature improvement, and are not combined with data from other companies’ apps or websites for tracking purposes. Accordingly, the Service does not display the ATT tracking permission dialog.
PostHog identifiers are used only for internal user identification within the Service and are not associated with advertising IDs (IDFA / GAID).
15. Changes to This Policy
We may revise this Policy from time to time. If we make material changes, we will post the updated Policy on our website, update the Effective Date above, and provide reasonable advance notice (e.g., by email) where required by applicable law. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy.
16. Contact Us
For questions, concerns, or requests regarding this Policy or your personal information, please contact us:
- Operator: EOM, LLC.
- Contact form
If you are located in the European Economic Area or the United Kingdom and believe your privacy concern has not been resolved, you have the right to lodge a complaint with your local supervisory authority.
- Effective Date: [PLACEHOLDER — Effective Date]