WORLD SPORT ACTION

PRIVACY POLICY

Last Updated: April 2026

1. Introduction

This Privacy Policy applies to World Sport Action Pty Ltd and its associates, related entities and subsidiaries (together “we,” “us,” “our,” and “WSA”). References to WSA include our Australian parent company, our US subsidiary World Sport Action Inc, and the platforms and services operated by the group including Netball Connect, Squadi, Basketball Connect and all associated platforms and services. Please read this Privacy Policy carefully as it describes how we collect, use, disclose and otherwise handle your Personal Information.

WSA operates as both a Data Controller and a Data Processor depending on the nature of the processing activity:

  • We act as a Data Controller where we determine the purposes and means of processing your Personal Information directly — for example when you visit our website, contact us, or subscribe to our communications.
  • We act as a Data Processor where we process Personal Information on behalf of our clients — for example when a sporting association uses Squadi to manage registrations, competitions, and participant data on its behalf.

This Privacy Policy covers both roles and applies to all visitors to our website and Application, and to all individuals we communicate with in the course of providing our services. This Policy has been drafted to apply to our operations and Personal Data processing activities globally. Our processing activities may be more limited in some jurisdictions due to restrictions under local laws.

WSA is committed to complying with all Applicable Privacy Laws including the Australian Privacy Act 1988 (Cth), the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable US state privacy laws. As our operations expand into Southeast Asia, we are working to align our practices with the applicable privacy laws in the jurisdictions in which we operate, including Singapore, Malaysia, Thailand, Indonesia, the Philippines, Vietnam, Brunei, Cambodia, Laos, and Timor-Leste.

We regularly review this Privacy Policy and may make changes as our services or privacy practices change, or as required by Applicable Privacy Laws. The current version will always be available on our website at www.worldsportaction.com. We encourage you to review this Privacy Policy periodically.

2. About Us

We are World Sport Action Pty Ltd, an Australian company and the parent entity of the World Sport Action group, operating globally through our Squadi, Basketball Connect and Netball Connect sports management software platforms. Our US operations are conducted through our subsidiary World Sport Action Inc, a Delaware incorporated company.

Our registered address and global headquarters is: Suite 10, Level 3, 1 Mona Vale Road, Mona Vale NSW 2103, Australia.

Our US subsidiary address is: 651 N Broad Street, Suite 201, Middletown, DE 19709, United States.

Our websites are available at www.worldsportaction.com and www.squadi.com.

3. Our Contact Details

For all privacy enquiries please contact us at:

  • By email: info@worldsportaction.com
  • By mail: The Privacy Officer, World Sport Action Pty Ltd, Suite 10, Level 3, 1 Mona Vale Road, Mona Vale NSW 2103, Australia

4. Our UK GDPR Representative

We value your privacy and your rights as a data subject and have therefore appointed Prighter Group, with its local partners, as our privacy representative and your point of contact for the United Kingdom in accordance with Article 27 of the UK GDPR.

Prighter gives you an easy way to exercise your privacy-related rights (for example, requests to access or erase Personal Data). If you want to contact us via our representative, Prighter, or make use of your data subject rights, please visit the following website:

https://app.prighter.com/portal/12711921834

Prighter and its local partners may also be contacted by the Information Commissioner’s Office and by data subjects regarding any UK GDPR matters.

The appointment of our UK representative does not affect WSA’s own responsibility or liability under UK GDPR.

Note: This Privacy Policy does not contemplate the processing of Personal Data of individuals located in the European Union or European Economic Area. If our operations extend to those jurisdictions in the future, this Policy will be updated to reflect EU GDPR obligations, including the appointment of an EU representative where required.

5. Data Protection Officer

WSA has appointed a Data Protection Officer (DPO) to oversee our data protection strategy and ensure compliance with data protection laws. Our DPO can be contacted at:

  • By email: info@worldsportaction.com
  • By mail: The Data Protection Officer, World Sport Action Pty Ltd, Suite 10, Level 3, 1 Mona Vale Road, Mona Vale NSW 2103, Australia

The DPO’s responsibilities include monitoring compliance with data protection laws, advising on data protection obligations, providing advice regarding Data Protection Impact Assessments (DPIAs), and acting as a contact point for data subjects and supervisory authorities. Where required by local law (including in certain Southeast Asian jurisdictions), the DPO may also be supported by local representatives or data protection officers appointed specifically for those jurisdictions.

6. Scope of This Policy

This Policy applies to our interactions with individuals (Data Subjects) in the context of our business operations. This includes but is not limited to:

  • Visitors to our websites
  • Users of our mobile applications
  • Individuals who engage with us to enquire about, purchase, or use our platform and services
  • Individuals who engage with us for purposes related to their business relationship with us including service provision and customer support
  • Representatives of our clients, partners, advisers, and other service providers
  • Participants, players, coaches, referees, and administrators registered through our platform

This Policy is intended for users located in Australia, the United Kingdom, the United States, and the following Southeast Asian jurisdictions:

  • Brunei Darussalam
  • Cambodia
  • Indonesia
  • Lao People’s Democratic Republic (Laos)
  • Malaysia
  • Philippines
  • Singapore
  • Thailand
  • Timor-Leste
  • Vietnam

Our services are not targeted at or intended for individuals located in the European Union, the European Economic Area, or other jurisdictions outside those listed above.

7. What is Personal Data?

Personal Data is information which identifies you as an individual or makes you identifiable. Examples include your name, address, email address, bank account details, IP address, or any other identifier that can be used directly or indirectly to identify you.

Some Personal Data requires greater protection due to its sensitive nature. This is referred to as Sensitive Information or Special Category Data and includes information regarding your health, genetic or biometric information, religious or philosophical beliefs, race, ethnicity, political opinions, trade union membership, and data concerning sex life or sexual orientation. Further information is provided in Section 12.

8. Types of Information We Collect

We may collect, use, store and transfer different kinds of Personal Data about you depending on our relationship with you and the jurisdiction in which you are located:

| Category | Data Points |
| --- | --- |
| Business Contact Data | Business email address, postal address, telephone number, relevant team and/or department |
| Communications Data | Records of contact with us including queries, feedback, complaints and any information you voluntarily provide |
| Compliance Data | Background check verification information including DBS certificate numbers and status (UK), Working with Children Check numbers, issue dates, expiry dates and status (Australia). We do NOT store detailed criminal history or specific offence information. |
| Consent and Preference Data | Records of your cookie consent choices and communication preferences, including the categories of cookies you have accepted or declined and the version of the policy in force at the time of consent. |
| Contact Data | Email address, postal address and/or telephone number |
| Emergency Contact Data | Name, email address, postal address and/or telephone number of emergency contacts and next of kin |
| Identity Data | Name, date of birth, username, gender, and data relating to familial connections |
| Image Data | Profile photographs, photographs, images and video footage from clubs and sporting events and activities |
| Marketing Data | Your preferences in receiving marketing from us and your communication preferences |
| Profile Data | Username, registrations and orders, interests, preferences, feedback, and information provided when registering for an account |
| Special Category Data | Information relating to gender, ethnicity, disability status, health or injury details related to participation in sport, including any concussion incidents, medical clearance information and concussion history |
| Support Interaction Data | Queries submitted to our support channels and AI assistant, response feedback, and actions taken in response to support requests |
| Technical Data | IP address, login data, browser type and version, time zone, location, browser plugin types, operating system and platform, and other technology on devices used to access our services |
| Transactional Data | Information about services we provide; details about invoices and payments for products and services |
| Usage Data | Information about how you use our website and applications, your searches, and your online activity based on your engagement with us |

9. How Do We Collect Your Personal Information?

Directly from you

We may collect Personal Data when you:

  • Register for an account or provide information relating to sporting activities
  • Engage with or enquire about our goods or services
  • Contact us by email, phone, online contact forms, SMS, or social media channels
  • Subscribe to our mailing list or online services
  • Attend one of our events or competitions
  • Provide feedback or leave a review of our services

Indirectly

We may also collect Personal Data about you from:

  • Sporting organisations, clubs, associations, and governing bodies that use our platform
  • In the case of a minor, from an authorised parent or legal guardian
  • Third party service providers including payment processors and background check verification providers
  • Data analytics providers to improve our website, products, marketing, and user experiences
  • Publicly accessible social media networks such as Facebook, Instagram, LinkedIn, and Google
  • Information we learn about you through our relationship with you and the way you interact with us

If you are providing Personal Data on behalf of someone else, you must have the consent of that person to provide their Personal Data to us. It is your responsibility to ensure that you have the authority to share Personal Data about third parties with us.

10. Why Do We Collect, Use and Disclose Your Personal Information?

We need your Personal Data to conduct our business and provide our services. In the UK and in certain Southeast Asian jurisdictions (including Thailand, Indonesia, the Philippines, Malaysia, and Singapore), we must have a lawful basis for processing. In Australia we must identify the reasons for collection. The lawful bases we rely on are:

  • Contract — processing necessary to perform a contract with you or take steps at your request before entering a contract
  • Legal Obligation — processing necessary to comply with a legal obligation
  • Legitimate Interests — processing necessary for our legitimate business interests where those interests are not overridden by your rights and freedoms
  • Consent — where you have given clear and specific consent to processing

Certain Southeast Asian jurisdictions (notably Indonesia, Thailand, and the Philippines) place particular emphasis on consent as a lawful basis and may require specific or written consent for certain categories of processing. As we develop operations in these jurisdictions, we will seek and record the necessary consents in accordance with local law.

The table below sets out the specific purposes for which we use your Personal Data and the lawful basis we rely on:

| Purpose | Example Activities | Data Types | Lawful Basis | Legitimate Interests |
| --- | --- | --- | --- | --- |
| To provide our services | Management of accounts, competition registrations, communications, digital signatures, player safety | Identity, Contact, Profile, Transactional, Technical, Special Category Data | Contract / Consent / Legitimate Interest | N/A |
| To manage our website and platform | Monitoring, troubleshooting, data analysis, network security, system testing | Communication, Identity, Location, Technical, Usage Data | Legitimate Interest | Necessary to maintain usability, security and integrity of our website and networks |
| To manage and monitor our business | Administration, IT services, network security, fraud prevention, business reorganisation | Business Contact, Communication, Identity, Technical Data | Legitimate Interest | Managing, protecting and administering our business to maintain, monitor and improve services |
| To manage payments and fees | Collecting and recovering money owed to us | Contact, Communication, Transactional Data | Contract | N/A |
| To provide support and assistance | Responding to queries, troubleshooting, guidance via support channels including AI-powered assistant | Contact, Profile, Technical, Usage, Communication, Support Interaction Data | Legitimate Interest / Consent | Necessary to provide timely and effective assistance and improve user experience |
| To handle registrations and events | Creating and maintaining user accounts and event profiles for individuals, participants, clubs and organisations | Identity, Contact, Emergency Contact, Images, Profile, Special Category Data | Consent / Contract | N/A |
| To assess service quality | Internal quality review and improvement | Business Contact, Communication, Identity, Technical Data | Legitimate Interest | Necessary to ensure high quality services and inform improvements |
| To implement cookies | Collecting and analysing website usage information to improve user experience and functionality | Technical, Usage Data | Consent / Legitimate Interest | Consent obtained where required by law for non-essential cookies. Legitimate interest relied upon for essential cookies |
| To administer rights and claims | Enforcing our terms, exercising our rights, and complying with applicable laws | Business Contact, Communication, Identity, Technical Data | Legitimate Interest / Legal Obligation | Necessary to enforce our terms, defend legal claims, and comply with applicable law |
| To transfer data internationally | Transferring Personal Data across jurisdictions to support global operations and services | All data types potentially in scope | Legitimate Interest | Necessary to facilitate global operations and comply with applicable international transfer mechanisms |
| To administer complaints and queries | Responding to and managing complaints, queries, and feedback | Business Contact, Communication, Identity, Technical Data | Legitimate Interest | Provides effective and timely resolution of complaints and queries to improve customer experience and maintain user trust |
| To market our products and services | Providing promotional information about services and updates | Business Contact, Communication, Identity, Technical Data | Consent | N/A |
| To administer data subject rights | Processing and verifying identity of the requester | Business Contact Data | Legal Obligation | N/A |
| To perform data analytics | Using analytics to improve our website, services, marketing and user experiences | Communication, Technical, Usage Data | Consent | N/A |
| To keep records | Maintaining appropriate internal records about our business and services | Communication, Technical, Usage Data | Legal Obligation | N/A |
| To meet legal requirements | Security compliance, responding to regulatory requests, detecting fraud, child protection, health and safety, governing body compliance | All data types potentially in scope | Legal Obligation | N/A |

11. Direct Marketing

WSA may use or disclose your Personal Information for direct marketing communications only where:

  • We have collected the information from you directly and you would reasonably expect it to be used for direct marketing, or you have expressly consented
  • We provide a simple means for you to opt out of direct marketing at any time
  • You have not previously requested to stop receiving direct marketing

In certain Southeast Asian jurisdictions (including Singapore, Malaysia, Thailand, Indonesia, the Philippines, and Vietnam), consent is generally required before sending direct marketing communications. As we develop operations in these jurisdictions, we will obtain the necessary consents and respect any specific “do-not-call” or opt-out registers that apply in those jurisdictions (such as Singapore’s Do Not Call Registry under the PDPA).

You may opt out of direct marketing at any time by:

  • Adjusting your communication preferences in your profile settings
  • Using the Unsubscribe link in any promotional email
  • Contacting us at info@worldsportaction.com

Please note that opting out of marketing communications does not affect transactional or service-related communications necessary for the performance of a contract or other legitimate purposes. It may take up to 7 days for your opt-out request to be fully processed.

12. Sensitive or Special Category Data

Sensitive or Special Category Data is Personal Data that requires more protection because of its sensitive nature. We may process this data only where necessary for specific lawful purposes.

We will only process Sensitive Information about you where:

  • You have given explicit consent
  • Processing is necessary to protect vital interests
  • Processing is required for legal obligations including employment, social security, health and safety or safeguarding laws
  • Processing is required in the context of legal claims
  • Processing is required by applicable law in the relevant jurisdiction

We have implemented appropriate policies and safeguards to ensure the secure and lawful processing of sensitive and special category data. Certain Southeast Asian jurisdictions — including Thailand, Indonesia, the Philippines, and Vietnam — impose additional requirements on the processing of sensitive personal data, including specific or written consent and heightened security obligations. As we develop operations in these jurisdictions, we will align our practices with these additional requirements where they apply.

In the context of player safety, we may process health information specifically to: enforce mandatory safety protocols and stand-down periods; prevent serious health consequences from premature return to play; enable evidence-based injury prevention through de-identified analysis; and facilitate medical clearance processes.

While our AI assistant is not designed to collect sensitive data, we recognise users may inadvertently include such information in support queries. We implement automated processes to detect and handle such data appropriately.

13. Automated Decision Making

WSA uses limited automated decision-making processes on our platform within the context of player safety and accreditation requirements. Specifically, when an accreditation expires or an incident is recorded, our system may automatically restrict certain platform functions pending appropriate clearance. This automated process is necessary to protect participant safety. Participants maintain the right to provide updated clearance information to address these restrictions in accordance with sporting body requirements.

Third Party AI

We use an AI-powered assistant provided by Epsilla to help answer questions about our platform. Epsilla’s assistant is powered by Mistral AI as the underlying large language model. This system analyses your queries and retrieves relevant information from our documentation. It is not used for decision-making about you but solely to provide support. Your queries may be processed by both Epsilla and Mistral AI as part of this service. You can always request human support as an alternative.

UK residents have the right not to be subject to a decision based solely on automated processing which produces legal or similarly significant effects. Residents of Southeast Asian jurisdictions with equivalent provisions (including Thailand, Indonesia, and the Philippines) have similar rights under local law. If you have concerns about automated processing, please contact us at info@worldsportaction.com.

14. Safeguarding and Background Checks

Where relevant to the services we provide to sporting organisations, we may process data relating to background checks and safeguarding compliance for individuals in positions of trust including coaches, officials, volunteers, and administrators. This includes:

  • UK: Disclosure and Barring Service (DBS) certificate numbers, check status, and validity dates
  • Australia: Working with Children Check numbers, issue dates, expiry dates, and check status
  • Southeast Asia: as operations develop in these jurisdictions, we will capture equivalent background check or clearance reference numbers and status where such checks are required by local law or sporting body governance (for example Singapore, Malaysia, and the Philippines each operate relevant criminal record or child protection clearance systems)

We do NOT store detailed criminal history, specific offence information, or full background check reports. Only simplified status indicators and certificate reference numbers are retained.

This processing is required by applicable safeguarding legislation, sporting body governance requirements, and our legal obligations to protect children and vulnerable adults. Access to this data is strictly controlled and limited to authorised personnel only.

15. Who Do We Share Your Personal Information With?

Insofar as reasonably necessary for delivering our services and for the purposes set out in this Policy, we may share your Personal Data with:

  • Service providers — including IT, system administration, software services, AI and machine learning providers for our assistant feature (including Epsilla and Mistral AI), and background check verification providers
  • Payment service providers — involved in processing and completing payment transactions, including Stripe
  • Sporting organisations — clubs, associations, states, governing bodies and competition administrators that use our platform and with which you have a direct relationship
  • Technology infrastructure providers — including Amazon Web Services (AWS) for cloud hosting and infrastructure
  • Analytics providers — such as analytics tools used to improve our website and applications
  • Professional advisers — lawyers, auditors, insurers, and other professional advisers bound by confidentiality obligations
  • Regulatory and legal authorities — law enforcement agencies, courts, tax authorities, or other government and regulatory entities where required by law
  • Business transferees — parties involved in a proposed sale, merger, reorganisation, transfer, or asset disposal related to our business
  • Other parties with your permission — third parties explicitly authorised by you

We only allow those parties to handle your Personal Data if we are satisfied they take appropriate measures to protect it. We impose contractual obligations on them to ensure they can only use your Personal Data to provide services to us and where applicable to you.

We will not share your Personal Data with any other third party without your consent.

16. International Data Transfers

WSA operates in Australia, the United Kingdom, the United States, and a number of Southeast Asian jurisdictions. We may transfer your Personal Data internationally in the following circumstances:

  • To our related entities in other jurisdictions
  • To service providers and sub-processors operating internationally
  • Where necessary to provide our services to you

UK Client Data and International Transfers

Personal Data relating to UK clients and their participants — including Personal Data of children and Special Category Data such as health and concussion information — is transferred to and stored on Amazon Web Services infrastructure located in Australia. UK Personal Data is also accessed by our personnel in Australia and the United States for support and operational purposes.

Australia and the United States do not have UK adequacy decisions. UK GDPR does not require UK Personal Data to be stored in the UK, but transfers to third countries without an adequacy decision must be supported by appropriate safeguards.

For transfers of UK Personal Data to Australia and the United States, we rely on appropriate safeguards under UK GDPR. We have entered into the UK Addendum to the EU Standard Contractual Clauses with our cloud infrastructure provider (Amazon Web Services) covering the hosting of UK Personal Data on Australian infrastructure, and we are assessing and putting in place equivalent transfer mechanisms with our other material sub-processors as required. A documented Transfer Risk Assessment has been completed in accordance with Information Commissioner’s Office guidance, recording our assessment that the transfer provides an essentially equivalent level of protection to UK GDPR. Access to UK Personal Data by WSA personnel outside the UK is also governed by an internal data access policy that restricts access to authorised personnel with a legitimate operational need.

For more information on the safeguards applicable to a particular transfer of UK Personal Data, or to request a copy of relevant transfer documentation (with any necessary redactions for commercial confidentiality and to protect the rights of third parties), please contact us at info@worldsportaction.com or via our UK representative using the portal referenced in Section 4.

Australian Data Transfers

Where Personal Data is collected in Australia and transferred overseas, we take reasonable steps to ensure the overseas recipient does not breach the Australian Privacy Principles in relation to that information.

US Data Transfers

Personal Data collected in connection with our US operations may be transferred to our Australian parent and to authorised service providers. Transfers are subject to appropriate safeguards and, where required, consent.

Southeast Asia Data Transfers

Personal Data collected in Southeast Asian jurisdictions is generally stored on Amazon Web Services infrastructure located in Australia and may be accessed by our personnel in Australia, the United Kingdom, and the United States for service delivery, support, and operational purposes. Several Southeast Asian jurisdictions impose specific requirements on cross-border transfers of Personal Data. As we develop operations in each jurisdiction, we align our practices with local transfer requirements. Our general approach by jurisdiction is as follows:

  • Singapore: We work to meet the Transfer Limitation Obligation under the Personal Data Protection Act 2012 (PDPA) by ensuring that overseas recipients provide a standard of protection comparable to the PDPA, through contractual safeguards and other reasonable measures as operations develop.
  • Malaysia: We align our cross-border transfer practices with the Personal Data Protection Act 2010 (as amended), relying on consent, contractual safeguards, or other permitted bases as operations develop.
  • Thailand: We align our cross-border transfer practices with the Personal Data Protection Act B.E. 2562 (2019), which generally requires transfers to be supported by adequacy, appropriate safeguards, or data subject consent. Consents and contractual protections will be put in place as required as operations develop.
  • Indonesia: We align our cross-border transfer practices with the Personal Data Protection Law (Law No. 27 of 2022), relying on data subject consent and contractual protections as operations develop.
  • Philippines: We align our cross-border transfer practices with the Data Privacy Act of 2012 and the rules of the National Privacy Commission, applying contractual safeguards to transfers of Personal Data outside the Philippines as operations develop.
  • Vietnam: We align our cross-border transfer practices with the Personal Data Protection Decree 13/2023/ND-CP and the Personal Data Protection Law, including completing transfer impact assessments and obtaining consents where required as operations develop.
  • Brunei, Cambodia, Laos, and Timor-Leste: We apply contractual and organisational safeguards to transfers of Personal Data from these jurisdictions, and align with any specific local requirements that apply as operations develop.

For more information on the safeguards in place for a particular transfer of Personal Data from a Southeast Asian jurisdiction, please contact us at info@worldsportaction.com.

For more details on the safeguards in place for international transfers generally, please contact us at info@worldsportaction.com.

17. Third Party Services, Websites and Links

Our website and platform may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy notices. When you leave our website or platform, we encourage you to read the privacy notice of every website you visit.

This Policy does not apply to the sharing of Personal Data by third party providers who may collect Personal Data from you and share it with us. We strongly advise you to review the relevant third party provider’s privacy notice before submitting your Personal Data.

18. Cookies and Tracking Technologies

Each time you interact with our website we may automatically collect Personal Data about your device, your browsing actions and patterns, and content and usage data. We collect this data using cookies, server logs, pixels, tags, and other similar technologies in order to remember your preferences and to understand how our website is used.

Essential cookies are used on the basis of legitimate interests. Non-essential cookies including analytics and marketing cookies are only placed with your prior consent via our cookie consent mechanism. You can adjust your cookie preferences at any time through the cookie settings on our website.

We do not currently use marketing or advertising cookies. If this changes, this Policy and our Cookie Policy will be updated accordingly.

For detailed information about the cookies we use, their purpose, duration, and how to manage them, please see our separate Cookie Policy, available on our website: https://squadi.com/cookie-policy/

19. Security of Your Personal Information

We take the security of all Personal Information seriously. Our security measures include:

  • Industry-standard encryption protocols (TLS/HTTPS) for all data in transit
  • Encryption of sensitive data at rest
  • Role-based access controls restricting access to authorised personnel only
  • Regular security reviews and updates to our security practices
  • Incident response and data breach management procedures

We limit access to your Personal Data to those employees, agents, contractors and other third parties that have a business need to know. They will only process your Personal Data on our instructions and are subject to a duty of confidentiality.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your Personal Data, we cannot guarantee the security of your data transmitted to our website. Any transmission is at your own risk.

20. How Long We Retain Your Information

We will keep your Personal Data for no longer than is necessary to fulfil the purposes for which we collected it, or to comply with applicable legal, accounting, regulatory, contractual or reporting requirements.

To determine the appropriate retention period we consider the amount, nature and sensitivity of the Personal Data involved, the potential risk of harm from unauthorised use or disclosure, the purposes of processing, whether we can achieve those purposes through other means, and the applicable legal requirements.

As a general guide we apply the following indicative retention periods:

| Data Category | Indicative Retention Period |
|---|---|
| Account and registration data | Duration of account plus 3 years |
| Competition and results records | 7 years from end of relevant season |
| Financial and transaction records | 7 years from date of transaction |
| Health and special category data | Duration of participation plus 2 years |
| Safeguarding and background check data | Duration of role plus 3 years or as required by relevant governing body |
| Communications and support records | 2 years from date of communication |
| Marketing and consent records | Until consent is withdrawn or 2 years of inactivity |
| Website analytics and technical data | 12 months |
| Identity verification records | 7 years from last interaction |

Retention periods may vary depending on jurisdictional requirements. Personal Data may be retained longer where required by laws in Australia, the United Kingdom, the United States (including state-specific requirements such as CCPA), or applicable Southeast Asian jurisdictions.

Once retention periods have elapsed, we securely delete, anonymise, or archive Personal Data in accordance with applicable data protection laws including the Australian Privacy Act 1988, UK GDPR, applicable US state privacy laws, and applicable Southeast Asian privacy laws.

If you require details on specific retention periods applicable to your Personal Data, please contact us at info@worldsportaction.com.

21. Children and Minors Privacy

WSA is committed to protecting the privacy of children and minors. As a provider of software for community sport, we collect Personal Data relating to persons of all ages including Minors.

Children Under 13 — COPPA Compliance (United States)

For users under the age of 13 in the United States, WSA complies with the Children’s Online Privacy Protection Act (COPPA). We do not knowingly collect, use, or disclose Personal Information from children under 13 without first obtaining verifiable parental or guardian consent, which is managed by the relevant club, association, or sporting organisation. If we learn that Personal Information has been collected from a child under 13 without such consent, we will delete that information as soon as reasonably practicable.

Children Under 13 — United Kingdom

For users under the age of 13 in the UK, we rely on the relevant club, association, or sporting organisation to obtain verifiable parental or guardian consent before any Personal Information is collected or processed.

Children in Southeast Asian Jurisdictions

Age thresholds for children’s privacy differ across Southeast Asia. For example, under Thailand’s PDPA a child is generally a person under 20 years of age (with specific consent rules for under-10s), while Singapore, Malaysia, the Philippines, Indonesia, and Vietnam apply their own definitions and consent standards. Where a user is a minor under the applicable local law, we rely on the relevant club, association, or sporting organisation to obtain the consent of a parent or legal guardian in accordance with that local law before any Personal Information is collected or processed.

Minors Aged 13 to 17

For users aged 13 to 17 (or such other age as may constitute a minor under applicable local law), WSA requires that a parent or legal guardian provide consent for registration or participation through the relevant club or sporting organisation, acknowledge the collection and use of Personal Information as described in this Privacy Policy, and act as the primary point of contact for any privacy-related matters concerning the minor.

Information We May Process About Minors

With appropriate consent obtained by the club or sporting organisation, WSA may process the following types of information for minors:

  • Name, date of birth, and contact information
  • Registration details for sporting activities or competitions
  • Medical or emergency details provided for participation purposes
  • Performance, attendance, or participation data
  • Photographs, videos, or media where permitted by parents or guardians
  • Usage information relating to the Squadi platform

Parental Rights

A parent or legal guardian may at any time request to review, correct, update, or delete Personal Information held about their child, or withdraw consent for further collection. Such requests should be submitted to the club, association, or sporting organisation with which the minor is registered. WSA will assist and take action once the relevant organisation submits an authorised request to us.

22. Notifiable Data Breaches

We have procedures in place to deal with any suspected data breach. In the event of a data breach or unauthorised access to or disclosure of your Personal Information that is likely to result in serious harm, WSA will:

  • Investigate the breach promptly
  • Notify affected individuals where required by applicable law
  • Notify the relevant supervisory authority within the prescribed timeframe

Australia — the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme where a breach is likely to result in serious harm.

United Kingdom — the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of a breach where it poses a risk to the rights and freedoms of individuals.

United States — relevant state authorities and affected individuals in accordance with applicable state breach notification laws.

Southeast Asian jurisdictions — where a breach affects data subjects in Singapore, Malaysia, Thailand, Indonesia, the Philippines, Vietnam, Brunei, Cambodia, Laos, or Timor-Leste, we will notify the relevant supervisory authority and affected individuals within the timeframe and in the manner required by applicable local law. Applicable timeframes include, among others, notification to the Singapore Personal Data Protection Commission within three (3) calendar days, the Philippines National Privacy Commission within 72 hours, and equivalent timelines under Thai, Indonesian, Vietnamese, and Malaysian law.

23. Withdrawing Consent

If we rely on your consent to process your Personal Data you have the right to withdraw that consent at any time by contacting us at info@worldsportaction.com.

Please note that withdrawal of consent will not affect the lawfulness of processing before the point at which you withdraw consent, nor will it affect processing carried out on any other lawful ground other than consent.

24. Your Rights

Depending on the jurisdiction in which you are located, you have specific rights in relation to your Personal Data. We can decide not to take action where we have been unable to confirm your identity or if we consider the request to be unfounded or excessive. If this happens we will always inform you in writing.

24A. Australian Residents

Under the Australian Privacy Act 1988 you have the right to access and correct the Personal Information we hold about you. You may also complain to us about how we have handled your Personal Information. Please contact our Privacy Officer at info@worldsportaction.com.

24B. UK Residents

Under UK GDPR you have the following rights. In most circumstances you do not need to pay any charge for exercising your rights and we have one month to respond:

| Your Right | Details |
|---|---|
| Right to be informed | We must provide clear and transparent information about how we use your Personal Data. This Policy fulfils that obligation. |
| Right of access | You may request copies of your Personal Data (a Data Subject Access Request). We have one month to respond. In most cases this is free of charge. |
| Right to rectification | You may ask us to correct inaccurate or incomplete Personal Data. This right always applies. |
| Right to erasure | You may ask us to delete your Personal Data in certain circumstances. We may refuse where retention is required by law, for legal claims, or for public interest purposes. |
| Right to restriction of processing | You may ask us to restrict processing of your Personal Data where its accuracy is contested, processing is unlawful, or you have objected and processing is restricted pending a decision. |
| Right to object to processing | You may object to processing based on legitimate interests or for direct marketing purposes at any time. |
| Right to data portability | Where processing is based on consent or contract and is automated, you may request your Personal Data in a structured, machine-readable format. |
| Right to withdraw consent | Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing. |

24C. United States Residents

US residents in certain states have specific rights regarding their Personal Data. We do not sell Personal Information. We do not share Personal Information for cross-context behavioural advertising without your consent.

The following rights apply depending on the state in which you reside:

| Right | Applicable States |
|---|---|
| Right to Know | California, Colorado, Connecticut, Iowa, Utah, Virginia |
| Right to Access | California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Nevada, Oregon, Rhode Island, Tennessee, Texas, Utah, Vermont, Virginia |
| Right to Correct | California, Colorado, Connecticut, Iowa, Utah, Virginia |
| Right to Delete | California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Nevada, Oregon, Rhode Island, Tennessee, Texas, Utah, Vermont, Virginia |
| Right to Opt-Out of Sale or Sharing | California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Nevada, Oregon, Rhode Island, Tennessee, Texas, Utah, Vermont, Virginia |
| Right to Limit Use of Sensitive Personal Data | California only |
| Universal Opt-Out Mechanism | California, Colorado, Connecticut, Iowa |

Right to Limit Use of Sensitive Personal Data (California)

California residents have the additional right to limit the use and disclosure of their sensitive Personal Data to purposes specified under the California Privacy Rights Act (CPRA).

Shine the Light Law (California)

Under California’s Shine the Light law (California Civil Code Section 1798.83), California residents are entitled to request and receive information regarding certain types of Personal Data that we share with third parties for their direct marketing purposes. To make such a request, please contact us at info@worldsportaction.com with the subject line “Shine the Light Request.”

Nevada and Vermont

Nevada residents may request that we refrain from selling their Personal Data. Vermont residents may contact us for details on our data-sharing practices. Please contact us at info@worldsportaction.com for more information.

How to Exercise Your US Rights

To exercise any of your US state privacy rights please contact us at info@worldsportaction.com. We will respond to verifiable consumer requests within 45 days. We may extend this by a further 45 days where reasonably necessary and will notify you of any extension. We may require additional information to verify your identity before processing certain requests.

Consent Requirements for Targeted Advertising and Sensitive Data

In accordance with applicable state privacy laws, we provide consumers with the right to opt out of the use of their Personal Data for targeted advertising or its sale to third parties. Certain states require explicit consent to process sensitive Personal Data, which may include race, ethnicity, health information, biometric data, and precise geolocation. We are committed to respecting these rights and ensuring that your sensitive data is only processed in compliance with applicable legal requirements.

24D. Southeast Asian Residents

Residents of Southeast Asian jurisdictions have specific rights under their local privacy laws. The following is a summary of the rights generally available in each jurisdiction; the specific scope, conditions, and response timeframes are determined by local law. We will handle requests from residents of these jurisdictions in accordance with applicable local law as operations in each jurisdiction develop:

| Jurisdiction | Applicable Law | Key Rights Generally Available |
|---|---|---|
| Singapore | Personal Data Protection Act 2012 (PDPA) | Right to access, right to correction, right to withdraw consent, and right to complain to the PDPC. |
| Malaysia | Personal Data Protection Act 2010 (as amended) | Right to access, right to correction, right to prevent processing for direct marketing, right to withdraw consent, right to data portability (under 2024 amendments), and right to complain to the JPDP. |
| Thailand | Personal Data Protection Act B.E. 2562 (2019) | Right to access, rectification, erasure, restriction of processing, objection, data portability, withdrawal of consent, and right to complain to the PDPC. |
| Indonesia | Personal Data Protection Law (Law No. 27 of 2022) | Right to access, rectification, deletion, restriction, objection, data portability, withdrawal of consent, and right to complain to the supervisory authority. |
| Philippines | Data Privacy Act of 2012 | Right to be informed, access, rectification, erasure or blocking, damages, data portability, object, and right to complain to the NPC. |
| Vietnam | Personal Data Protection Decree 13/2023/ND-CP and Personal Data Protection Law | Right to know, consent, access, rectification, deletion, restriction, objection, withdrawal of consent, and complaint. |
| Brunei, Cambodia, Laos, Timor-Leste | Applicable local laws | Rights vary by jurisdiction. We will respond to requests in accordance with the rights available under the relevant local law. |

To exercise any of the above rights, please contact us at info@worldsportaction.com. We will respond to verifiable requests within the timeframe required by the applicable local law. We may require additional information to verify your identity before processing certain requests.

25. Complaints

We hope that we can resolve any query or concern you raise about our use of your Personal Information. Please contact us at info@worldsportaction.com in the first instance, with the subject line “Privacy Complaint.” All complaints will be treated seriously, dealt with promptly, and in a confidential manner.

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:

  • Australia — Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au or 1300 363 992
  • United Kingdom — Information Commissioner’s Office (ICO): www.ico.org.uk/concerns or 0303 123 1113
  • United States (California) — California Privacy Protection Agency (CPPA): https://oag.ca.gov/privacy/ccpa
  • United States (Other states) — Relevant state Attorneys General offices. Contact information available via the National Association of Attorneys General (NAAG) directory.
  • Singapore — Personal Data Protection Commission (PDPC): www.pdpc.gov.sg
  • Malaysia — Personal Data Protection Department (JPDP): www.pdp.gov.my
  • Thailand — Personal Data Protection Committee (PDPC): www.pdpc.or.th
  • Indonesia — Relevant Indonesian supervisory authority established under the Personal Data Protection Law.
  • Philippines — National Privacy Commission (NPC): www.privacy.gov.ph
  • Vietnam — Relevant Vietnamese supervisory authority established under the Personal Data Protection Decree and Personal Data Protection Law.
  • Brunei, Cambodia, Laos, Timor-Leste — relevant local authority where a complaints body has been established.

26. Anonymity and Pseudonymity

Where it is lawful and practicable, we offer you the opportunity of not identifying yourself, or of using a pseudonym, when entering transactions or otherwise dealing with WSA in relation to a particular matter. Please contact our Privacy Officer at info@worldsportaction.com if you wish to explore this option.

27. Privacy Policy Updates

This Privacy Policy was last updated in April 2026. We may update this Privacy Policy from time to time, in which case we will post the updated version on our website. Where changes are material we will endeavour to notify you directly. Please check back periodically to ensure you are aware of the current terms of our Privacy Policy.

28. Definitions

Applicable Privacy Laws means the Australian Privacy Act 1988 (Cth) and Australian Privacy Principles, the Notifiable Data Breaches (NDB) scheme, the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), other applicable US state privacy laws, and applicable privacy laws in the Southeast Asian jurisdictions in which WSA operates (including Singapore’s Personal Data Protection Act 2012, Malaysia’s Personal Data Protection Act 2010 (as amended), Thailand’s Personal Data Protection Act B.E. 2562 (2019), Indonesia’s Personal Data Protection Law (Law No. 27 of 2022), the Philippines’ Data Privacy Act of 2012, Vietnam’s Personal Data Protection Decree 13/2023/ND-CP and Personal Data Protection Law, and applicable local laws in Brunei, Cambodia, Laos, and Timor-Leste), each to the extent applicable to WSA’s operations.

Club means any club or team registered to use our platform from time to time.

Competition means any competition, tournament or league supported by our platform.

Competition Administrator means the entity responsible for the conduct and staging of a Competition.

Data Controller means a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of processing Personal Data.

Data Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.

Minor means any person under the age of 18, or such other age as may constitute a minor under applicable local law. For COPPA purposes, a child means any person under the age of 13. Definitions of minors vary across Southeast Asian jurisdictions — for example, Thailand’s PDPA generally treats a person under the age of 20 as a minor for consent purposes.

Official means a Club Official, Match Official or Team Official, or an employee, consultant, officer or director of a sporting body, State or Competition Administrator.

Participant means participants in sport including Players and Officials.

Personal Information or Personal Data means any information or opinion about an identified natural person or a natural person who is reasonably identifiable, whether the information is true or not and whether it is recorded in a material form or not. Personal Information includes personal data as defined under UK GDPR and corresponding definitions under applicable Southeast Asian privacy laws.

Player means any person registered to a Club or selected as a member of a Representative Team.

Privacy Officer means the person appointed by WSA to deal with complaints and enquiries under this Privacy Policy.

Sensitive Information means information about a natural person’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record, health information, genetic information, biometric information for identification purposes, and biometric templates.

Special Category Data under UK GDPR means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, data concerning health, data concerning sex life, and data concerning sexual orientation. Corresponding categories of sensitive personal data are defined under applicable Southeast Asian privacy laws.

Sporting Administrators means any sport, State, Competition Administrator or Club with which the Participant has a direct relationship through WSA’s platform.

State means state organisations, bodies, sporting leagues and associations.

WSA means World Sport Action Pty Ltd and its associates, related entities and subsidiaries, including World Sport Action Inc and the platforms Squadi, Basketball Connect and Netball Connect.

WSA Partners means any entity that has a commercial agreement or arrangement with WSA, States, a Competition Administrator or Club.
