2NINE Academy

Legal

Privacy Policy.

Effective 1 May 2026 · Last updated 1 May 2026 · Operated by 2NINE Academy, based in Australia.

01

About this policy

This Privacy Policy explains how 2NINE Academy ("2NINE", "we", "us", "our") collects, uses, discloses, stores, and protects your personal information when you use our website (2nineacademy.com), engage with our coaching, schools, membership, or digital product services, or otherwise interact with us. 2NINE Academy is an Australian-based business founded and operated by John Haggerty. This policy complies with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and where relevant, the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and the California Consumer Privacy Act (CCPA / CPRA).

02

Information we collect

We collect the minimum personal information required to deliver our services. Categories include:
  • Identity & contact: full name, email, phone, country, school, parent/guardian contact (for athletes under 18).
  • Athletic profile: position, graduation year, height/weight, hang time, training history, goals.
  • Film & media: video URLs and notes you submit for review.
  • Account credentials: hashed passwords, login timestamps, OAuth tokens (e.g. Google sign-in).
  • Transactions: purchase records, invoices, billing country (payment card data is processed by our PCI-DSS compliant payment processors; we never store full card numbers).
  • Communications: inquiries, support messages, coaching notes.
  • Technical data: IP address, device, browser, operating system, referring URL, pages visited, session duration, cookie identifiers.

03

How we collect it

Directly from you (forms, inquiries, account signup, film uploads), automatically (cookies, analytics, server logs), and from third parties you authorise (e.g. Google sign-in returns your name, email, profile image). We do not purchase personal information from data brokers.

04

How we use your information

We use personal information to:
  • Deliver coaching, training, school programs, membership content, and digital products.
  • Respond to inquiries and provide film review feedback.
  • Process payments, issue invoices, and manage subscriptions.
  • Authenticate accounts and protect against fraud, abuse, and unauthorised access.
  • Send service updates and, only with your consent, marketing communications you can unsubscribe from at any time.
  • Comply with legal obligations (tax, child safety, lawful requests).
  • Improve our website, programs, and content via aggregated analytics.

05

Legal bases (GDPR / UK GDPR)

Where GDPR applies we rely on: (a) contract: to provide the services you purchase; (b) consent: for marketing and non-essential cookies; (c) legitimate interests: security, fraud prevention, service improvement; (d) legal obligation: tax, accounting, child safety.

06

Disclosure to third parties

We disclose personal information only to vetted service providers acting on our behalf under written confidentiality and data-protection obligations. Categories include:
  • Hosting & database: Supabase (PostgreSQL infrastructure), Cloudflare (edge/CDN).
  • Authentication: Google OAuth, Supabase Auth.
  • Payments (when enabled): Stripe, Paddle, or PayPal.
  • Email delivery: Resend / Postmark.
  • Analytics: privacy-respecting analytics with IP anonymisation.
  • Professional advisers: accountants, lawyers, auditors, where strictly necessary.

We do not sell, rent, or trade your personal information. We do not engage in targeted advertising profiling.

07

International data transfers

Some of our service providers are located outside Australia (including the United States and the European Union). When we transfer personal information overseas we take reasonable steps to ensure the recipient handles it in accordance with the APPs and, where applicable, GDPR Standard Contractual Clauses. By using our services you consent to such transfers.

08

Security

We implement industry-standard technical and organisational safeguards including: TLS 1.2+ encryption in transit, AES-256 encryption at rest, hashed passwords (bcrypt/argon2), Row-Level Security (RLS) on all customer data tables, role-based access control, principle-of-least-privilege admin access, audit logging, two-factor authentication on administrative accounts, regular security scanning, and incident response procedures. No internet-connected system can be guaranteed 100% secure; if we become aware of a notifiable data breach affecting your information we will notify you and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme.

09

Data retention

We retain personal information only as long as needed for the purposes described in this policy or as required by law: active account data while your account is open; inquiry records for up to 24 months; financial records for 7 years (tax law); film submissions until you request deletion or 24 months after account closure, whichever is sooner. When no longer required, data is securely deleted or de-identified.

10

Your rights

You may at any time request to:
  • Access the personal information we hold about you.
  • Correct inaccurate or outdated information.
  • Delete your account and associated personal information ("right to erasure"), subject to legal retention obligations.
  • Object to or restrict certain processing.
  • Receive a portable copy of your data.
  • Withdraw consent for marketing at any time.

To exercise any right, email 2nineacademy@gmail.com. We respond within 30 days. If you are not satisfied with our response you may lodge a complaint with the OAIC at oaic.gov.au, or with your local data protection authority.

11

Children and minors

Many of our athletes are under 18. We require a parent or legal guardian's consent before collecting personal information, film footage, or processing payments for athletes under 18. Parents/guardians may at any time review, correct, or delete their child's information by emailing us. We do not knowingly collect personal information from children under 13. If you believe we have done so in error, contact us immediately and we will delete it.

12

Cookies and tracking

We use a small number of cookies and similar technologies:
  • Strictly necessary: authentication, session, security (cannot be disabled).
  • Functional: remember your preferences.
  • Analytics: aggregated, anonymised usage statistics.

You can disable non-essential cookies via your browser settings; some site features may be limited as a result. We honour Global Privacy Control (GPC) signals where transmitted.

13

Marketing

We only send marketing emails to users who have opted in. Every marketing email contains a one-click unsubscribe link. Service emails (account, security, invoices, program updates) are essential and cannot be unsubscribed from while your account is active.

14

Third-party links

Our website may link to third-party sites (social platforms, video providers, partner schools). We are not responsible for their privacy practices and encourage you to read their policies.

15

Changes to this policy

We may update this policy from time to time. The "Effective" date at the top of this page will be updated and, for material changes, we will notify registered users by email or via a prominent notice on the site at least 14 days before the change takes effect.

16

Contact us

Privacy Officer · 2NINE Academy
Email: 2nineacademy@gmail.com
Based in Australia. We respond to all privacy requests within 30 days.