Privacy Policy
1. Who we are
Falken Ltd. ("Falken", "we", "us") operates the Falken platform — the products described in section 3. We are the data controller for the personal information we collect directly from you when you use our products. Organizations you join through Falken (clubs, camps, schools, leagues) are also controllers for the data they collect about you in their organizational context — see section 6.
Address: Falken Ltd., 402 Foxcroft Drive, Winston-Salem, NC 27102, United States.
Privacy contact: privacy@falken.ltd · dpo@falken.ltd (working contact, not a designated DPO under GDPR) · (980) 643-8814 (Children's Privacy line).
UK Article 27 representative: Falken has not yet appointed a UK representative. Until one is appointed, UK users may contact us directly at privacy@falken.ltd. We will update this notice within 30 days of an appointment. UK and EEA users — see our UK & EEA Supplement.
This policy is governed by the laws of the State of North Carolina, United States.
2. Products covered
This policy applies to all of the following products and any sub-products or features within them:
- Falken — this website at www.falken.ltd.
- Echelon — our REST API at api.falken.ltd.
- Nexus.Web — the admin dashboard for organization administrators.
- Nexus — the mobile and desktop app for athletes, coaches, and Electronic Scoring Target (EST) device communication.
- Sentinel — our internal background-jobs service. Not user-facing, listed for completeness.
3. Information we collect
We collect personal information in the categories described below. Where the source is "you" we mean information you give us directly; where the source is your organization or device, we identify that explicitly.
| Category | Examples | Source |
|---|---|---|
| Account & identity | Name, email, phone, password (managed by Auth0), profile photo, date of birth, role | You / your guardian / your organization admin |
| Performance & training | Scores, shot-by-shot data, training journals, equipment configurations, course-of-fire results, AI-generated coaching insights | You / your organization / EST devices |
| Match photos | Photos uploaded by photographers, coaches, and organizers; manually tagged to athletes | Photographers, coaches, organizers |
| Health-adjacent | Heart-rate readings if you use the heart-rate monitoring feature | Connected heart-rate device |
| Camp registration | Parent/guardian contact, T-shirt size, waiver uploads, dietary or medical notes (only if you provide them), payment | You / your guardian |
| Payment | Stripe-tokenized card data (we never see raw card numbers), billing address, invoice history | Stripe (via you) |
| Communications | Direct messages, group chats, support tickets, posts, comments | You |
| Device & technical | Push notification tokens, IP address, approximate geolocation, browser/OS, app version, server logs | Your device |
| Usage | Pages viewed, features used, news article views with geographic context | Your activity |
We use Google Analytics 4 for traffic measurement on this website and on our admin dashboard at https://falken.nexus. Google Analytics provides aggregate analytics — page views, traffic sources, device categories, geographic regions — and sets cookies in your browser to do this. We do not currently use any error-monitoring SaaS (such as Sentry or Datadog). The full vendor disclosure is on the Sub-processors page; UK and EEA users should see the cookies section of the UK & EEA Supplement for important consent-related information.
4. How we use your information
We use your information for the purposes below. The "Lawful basis (UK/EEA)" column applies to UK and EEA users; US users — see the Your rights and choices section.
| Purpose | Lawful basis (UK/EEA) |
|---|---|
| Provide the service (accounts, scores, competitions, training history) | Contract performance |
| Process payments via Stripe (including Stripe Connect to organizations) | Contract performance |
| Send transactional email (account, magic links, payment notices) | Contract performance |
| AI-generated match recaps and coaching insights (you can opt out) | Legitimate interest |
| Send marketing email | Consent (opt-in) |
| Bot protection on contact forms (Google reCAPTCHA) | Legitimate interest (security) |
| Aggregate site / admin traffic measurement (Google Analytics 4) | Legitimate interest (US); consent gating in progress for UK/EEA — see UK & EEA Supplement |
| Future: training Falken AI models on usage patterns (not on your profile data) — not active today; will require opt-in/opt-out before launch | Renewed consent before launch |
| Comply with legal obligations (tax, financial records, court orders) | Legal obligation |
| Defend our rights, detect abuse, prevent fraud | Legitimate interest |
Anthropic and OpenAI, the AI providers we use for inference, contractually do not train their models on inputs from API customers like Falken under their published API terms.
5. How we share your information
Organizations you join. When you join a club, camp, school, league, or other organization on Falken, that organization sees your roster information, scores, photos, and (for camp registrations) registration data. Each organization is an independent data controller for its members. The organization sets its own data practices for its members; we recommend you ask the organization directly for theirs. Stripe acts as a payment processor for both Falken and the organization in this flow.
Our service providers (sub-processors). We use third-party services to run Falken — for hosting, identity, payments, AI inference, and more. The complete list, with what each one does and what data it sees, is at /privacy-policy/sub-processors.
Other users. Your scores may appear on public leaderboards if your organization has public leaderboards enabled. You can adjust leaderboard visibility in your account settings. Direct messages are not shared with anyone outside the recipients.
Authorities. We disclose information when legally required — by warrant, subpoena, or other valid legal process. We commit to reviewing requests for legal sufficiency and to challenging overly broad requests.
Business transfers. If Falken is acquired by or merges with another company, your information may be transferred as part of the transaction. We will notify you before any such transfer takes effect.
App store payments. We do not use Apple In-App Purchases or Google Play Billing. Payment flows in our mobile apps redirect to web checkout via Stripe; the app stores do not process your payment information.
We do not sell personal information. We do not sell, rent, or share your personal information for advertising, "cross-context behavioral advertising," or any other commercial purpose. This statement constitutes the "right to opt out of sale or sharing" disclosure required under California's CCPA / CPRA. There is nothing to opt out of.
6. Special-category disclosures
Some kinds of data carry additional rules and have their own dedicated notices. Please read them in addition to this policy.
- Children under 13. If your child is under 13, we collect their personal information only with your verifiable consent. Read the Children's Privacy Notice →
- UK and EEA users. If you live in the UK or the European Economic Area, you have additional rights under the UK GDPR, and we must disclose specific information about how we process your data. Read the UK & EEA Supplement →
7. Data retention
We keep your information only as long as we need it for the purpose we collected it, or as required by law. Specific retention periods:
| Data | Retention |
|---|---|
| Account & profile | Life of account, plus 7 years (NC contract statute of limitations), then deleted or anonymized |
| Performance / training data | Life of account; deletable on request |
| Camp registrations | 7 years (tax / business records) |
| Payment / Stripe records | 7 years (tax) |
| Marketing list membership | Until you unsubscribe |
| Server logs | 90 days |
| Support tickets | 3 years after closure |
| Backups | Standard rolling backup window (~30 days), then overwritten |
8. Security
We protect your information with:
- Encryption in transit (HTTPS / TLS) and at rest (Microsoft Azure SQL Database, Azure Blob Storage, Azure CDN).
- Identity, authentication, and access controls via Auth0, with role-based authorization at the API.
- Vendor security posture: Stripe is PCI-DSS Level 1 certified; Microsoft Azure and AWS hold SOC 2 attestations.
- End-to-end encrypted direct messages (the underlying cryptography is provided by NSec.Cryptography).
No system is 100% secure. If we discover a breach affecting your information, we will notify you and the relevant authorities as required by law.
9. Your rights and choices
You have rights regarding your personal information. Where we operate (United States, with users in the UK and EEA), the specific rights you have depend on where you live.
Everyone. You can:
- Access the personal information we have about you, by request to privacy@falken.ltd or in your account settings.
- Correct inaccurate information directly in your account, or by request.
- Delete your information, subject to limited exceptions required by law (e.g., financial records).
- Export your information in a structured, machine-readable format.
- Opt out of marketing using the unsubscribe link in any marketing email.
California residents have specific rights under CCPA / CPRA, including the right to know, delete, correct, opt out of sale (we do not sell — see section 5), and limit the use of sensitive personal information. To exercise: contact privacy@falken.ltd. We do not discriminate against you for exercising any right.
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Texas (TDPSA) residents have similar rights to access, correct, delete, port, and opt out. Contact privacy@falken.ltd.
UK and EEA residents — see the UK & EEA Supplement.
Future AI training opt-out. Falken does not currently train AI models on user data. When and if we begin training AI models on usage patterns (not on your profile data), we will provide an opt-out (or opt-in, depending on jurisdiction) and notify you in advance. You can pre-record a preference at any time by emailing privacy@falken.ltd.
10. Changes to this policy
We may update this policy from time to time. When we make a material change (such as a new category of data, a new sub-processor handling sensitive data, or a new processing purpose), we will email you and post an in-app banner at least 30 days before the change takes effect.
Non-material changes (typo fixes, formatting, link updates) are reflected in the "Last Updated" date and version number above. The complete history of every policy is on the policy changelog page.
11. Contact us
Phone (Children's Privacy)
(980) 643-8814
Address
Falken Ltd.
402 Foxcroft Drive, Winston-Salem, NC 27102
United States
