SDPP v3.2 — EFFECTIVE JANUARY 1, 2026

Scrotal Data
Protection Protocol

The world's most comprehensive framework for the collection, storage, processing, and protection of testicular data. Because GDPR wasn't enough.

DOCUMENT CLASSIFICATION: SDPP-PUBLIC-2026-01

This document has been approved for public distribution by the Small Ball Technologies Data Governance Board (membership: Jonathan Thompson, also Jonathan Thompson).

Preamble

Small Ball Technologies GmbH ("SBT," "we," "the company," "the organization led by a twelve-year-old") recognizes that testicular data is among the most sensitive categories of personal information that a human being can generate, transmit, or inadvertently share during a video call when they thought they had muted their microphone.

The General Data Protection Regulation (GDPR) provides a robust foundation for data privacy in the European Union. However, the GDPR was drafted without adequate consideration for the unique challenges posed by scrotal telemetry, testicular volumetric measurements, or real-time compression data streams. The Scrotal Data Protection Protocol ("SDPP") was developed to fill this regulatory gap.

The SDPP was authored by Jonathan Thompson at age 11, reviewed by our Chief Medical Officer Dr. Lucas Fischer (who called it "disturbingly thorough"), and ratified by the company's legal team (who asked to remain anonymous).

Section 1: Definitions

For the purposes of this Protocol, the following terms shall have the meanings ascribed below:

  • "Scrotal Data" — Any data point, measurement, observation, estimate, photograph, thermal reading, suction log, compression metric, or anecdotal reference pertaining to the testicles of a Data Subject, whether collected voluntarily, clinically, or through the ambient sensing capabilities of our CompressCore Smart Underwear.
  • "Data Subject" — Any individual who has entrusted Small Ball Technologies with information regarding their testicles. Also referred to as an "Optimizee."
  • "HMI Score" — The Hoffman-Manchauser Index score, a composite metric of testicular efficiency. Classified as Level 2 Scrotal Data (see Section 3).
  • "Testicular Telemetry" — Real-time data streams generated by the CompressCore underwear or VacuBall device, including but not limited to: pressure readings, temperature fluctuations, suction intensity, duration of use, and the number of times the user paused the session to answer the door.
  • "Optimization Journey" — The period during which a Data Subject is actively using SBT products to reduce testicular volume. Average duration: 90 days. Maximum observed duration: 847 days (we've asked him to stop, he won't).
  • "Scrotal Data Breach" — Any unauthorized access, disclosure, alteration, or loss of Scrotal Data. This has never happened. We are including this definition out of an abundance of caution and because Jonathan insisted.
  • "The Vault" — Our physical data storage facility in the basement of SBT headquarters, designed by Jonathan at age 11, featuring biometric access, a Faraday cage, and a miniature refrigerator stocked exclusively with apple juice.

Section 2: Scope and Applicability

The SDPP applies to:

  1. All Scrotal Data collected through our website (smallball.org), mobile applications, physical products, in-person consultations, HQ museum interactive exhibits, and the one time an employee accidentally left a USB drive on the U-Bahn.
  2. All employees, contractors, advisors, interns, visiting researchers, delivery personnel who accidentally see something on a screen, and Jonathan's parents (who have signed the most comprehensive NDA in German corporate history).
  3. All geographic jurisdictions, because testicles exist worldwide and therefore so does our regulatory obligation.

The SDPP supplements, and in all cases exceeds, the requirements of: GDPR (EU), CCPA (California), PIPEDA (Canada), LGPD (Brazil), POPIA (South Africa), and the Australian Privacy Act. If you are from a jurisdiction not listed, rest assured that the SDPP still protects your scrotal data. We protect everyone's scrotal data. That is our brand promise.

Section 3: Data Classification Levels

All Scrotal Data is classified into one of four security levels. Higher levels inherit all protections from lower levels.

1
Level 1: Non-Sensitive
CLEARANCE: ALL EMPLOYEES
  • Shoe size
  • Preferred underwear color
  • Whether the user has ever used the word "optimize" in casual conversation
  • Aggregate, anonymized HMI score ranges
  • Country of residence
  • T-shirt size (for merchandise fulfillment only)
2
Level 2: Moderately Sensitive
CLEARANCE: DEPARTMENT HEADS+
  • Individual HMI score
  • Optimization timeline and progress milestones
  • Product usage frequency
  • Contact form submissions
  • Preferred optimization method
  • Whether the user told their partner about their optimization journey
3
Level 3: Highly Sensitive
CLEARANCE: C-SUITE + CMO ONLY
  • Before-and-after measurements (volumetric, dimensional)
  • Real-time CompressCore compression data
  • Photographic documentation submitted for clinical review
  • Hormonal panel results linked to individual identity
  • VacuBall session duration and intensity logs
  • Any data generated while the user was "just trying it out to see"
4
Level 4: Maximum Security
CLEARANCE: JONATHAN ONLY
  • Raw testicular telemetry streams
  • Complete VacuBall suction logs with breath analysis
  • Predictive optimization models for individual users
  • Cross-referenced HMI scores with career and relationship data
  • The Master Dataset (see Section 4)
  • Jonathan's personal research notes (which he writes in a proprietary shorthand that no one else can read)

Section 4: Encryption and Storage

All Scrotal Data is encrypted using SE-256 (Scrotal Encryption, 256-bit), a proprietary encryption standard developed in-house by Jonathan during a particularly boring weekend in March 2024. SE-256 is based on AES-256 but adds an additional layer of obfuscation that Jonathan describes as "the thing that makes it actually good."

Storage specifications:

  • Level 1-2 data is stored on encrypted servers in our Frankfurt data center, operated by a GDPR-compliant hosting provider who has signed a Data Processing Agreement and a supplementary Scrotal Data Processing Agreement (SDPA).
  • Level 3 data is stored on isolated servers in our Berlin headquarters, accessible only via a hardwired terminal in a room that Jonathan refers to as "The Clean Room." It contains no windows and exactly one chair.
  • Level 4 data is stored in The Vault — a physically isolated, electromagnetically shielded chamber in the basement of SBT headquarters. The Vault features: biometric access (fingerprint + retinal scan + a verbal passphrase that changes weekly and is always a Ball Theory pun), 24/7 temperature monitoring at exactly 17.3°C (optimal for both data integrity and testicular health, per Jonathan), a Faraday cage rated to MIL-STD-188-125-1 specifications, and a small refrigerator that Jonathan's mother insists on stocking with apple juice and string cheese.

No Scrotal Data is stored on personal devices, cloud drives, sticky notes, cocktail napkins, or in the memories of employees who happen to glance at a screen at an inopportune moment. Any employee who memorizes a user's HMI score, even accidentally, is required to report to HR for a Cognitive Declassification Session (a 20-minute guided meditation designed to help them forget).

Section 5: Data Retention

Scrotal Data is retained according to the following schedule:

  • Active Optimization Period: All data is retained for the duration of the user's optimization journey.
  • Post-Optimization: Level 1-2 data is retained for 3 years after the user's last interaction for customer support and research purposes.
  • Longitudinal Research: Anonymized Level 3 data may be retained for up to 7 years for inclusion in the Hoffman-Manchauser Longitudinal Study, with explicit consent.
  • Level 4 data: Retained indefinitely in The Vault, because Jonathan says it's "too important to delete" and "future generations will thank us."
  • Right to Deletion: Upon request, we will delete all Scrotal Data associated with your account within 30 days. Jonathan will personally verify the deletion. He takes this very seriously. He once spent an entire Saturday confirming a single deletion request because "thoroughness is the only acceptable standard."

Section 6: Breach Notification

In the event of a Scrotal Data Breach (which, again, has never happened), the following protocol will be activated:

  1. Detection: Our automated monitoring system ("BallWall") will detect the breach within 0.3 seconds. BallWall was programmed by Jonathan and uses machine learning to identify anomalous access patterns. It has a 99.97% accuracy rate. The remaining 0.03% consists of false positives triggered by Dr. Fischer's habit of logging in at 3 AM "just to check."
  2. Internal Alert: Jonathan will be notified immediately. If it is a school night, notification may be delayed by up to 8 hours at the insistence of his mother.
  3. Containment: The affected systems will be isolated within 15 minutes. If Level 4 data is involved, The Vault will enter lockdown mode, which Jonathan describes as "like a submarine, but for data."
  4. User Notification: Affected users will be notified within 72 hours via encrypted email. The notification will include: a description of the breach, the categories of data affected, recommended actions, a personal apology from Jonathan, and a 25% discount code for the Complete Protocol (because we feel bad, and because optimizing often helps with stress).
  5. Regulatory Notification: The relevant data protection authority will be notified within 72 hours, as required by GDPR. We will also notify the fictional International Scrotal Data Commission, which Jonathan established in 2025 and which currently has one member (Jonathan).
  6. Post-Incident Review: A full review will be conducted within 14 days. Findings will be published in our annual Scrotal Data Transparency Report, which is available upon request and has been downloaded exactly four times (three of which were Jonathan from different devices).

Section 7: Employee Certification

All SBT employees who handle Scrotal Data must complete the SDPP Certification Program, a 40-hour training course developed by Jonathan and administered quarterly. The program includes:

  • Module 1: "What Is Scrotal Data and Why Should You Care?" (4 hours)
  • Module 2: "The Classification System: A Deep Dive into Depth" (6 hours)
  • Module 3: "Encryption for Non-Geniuses" (8 hours, taught by Jonathan, who has been asked to be "less condescending" during this module)
  • Module 4: "Physical Security and Why You Should Not Leave Your Laptop at Starbucks" (4 hours)
  • Module 5: "Breach Response Simulation" (8 hours, includes a simulated breach that Jonathan triggers at a random point during the session, usually while everyone is at lunch)
  • Module 6: "Ethics in Scrotal Data Handling" (6 hours, featuring a 45-minute monologue by Jonathan about trust)
  • Final Exam: A 200-question written examination with a passing grade of 94%. The highest score ever recorded was 98%, achieved by Mia Lang. Jonathan's score is not disclosed, though he has confirmed it was "higher than 98%."

Employees who fail the certification exam are allowed one retake. Employees who fail twice are reassigned to a role that does not involve Scrotal Data. Currently, this is the front desk, which Dr. Weiss manned for two weeks in 2024 before passing on his third attempt.

Section 8: Third-Party Sharing

Small Ball Technologies does not sell, rent, lease, or barter Scrotal Data to any third party, under any circumstances, for any reason, ever.

Scrotal Data may be shared only with:

  • The Hoffman-Manchauser Research Network, for the purposes of advancing Ball Theory, subject to a bilateral Scrotal Data Sharing Agreement (SDSA) that is even longer than this document.
  • Medical professionals, when explicitly authorized by the Data Subject for clinical consultation purposes.
  • Law enforcement, only when compelled by a valid court order — and even then, Jonathan has stated he will "comply reluctantly and with a strongly worded letter."

Section 9: The SDPP Compliance Badge

Organizations that meet SDPP standards may display the official SDPP Compliance Badge on their website and marketing materials. The badge signifies that the organization handles Scrotal Data in accordance with the highest known standards of privacy and security.

To date, one organization has been certified: Small Ball Technologies GmbH. The certification was self-issued. Jonathan sees no conflict of interest in this arrangement.

Organizations wishing to pursue SDPP certification should contact our Data Governance Board at sdpp@smallball.org. Please allow 6-8 weeks for Jonathan to review your application, which he will do personally, because he does not delegate matters of scrotal data governance.

Section 10: Your Rights

Under the SDPP, you have the following rights, which exceed those granted by GDPR:

  1. Right to Access: You may request a complete export of all Scrotal Data we hold about you. This will be delivered in encrypted format via secure download link. Do not open this file on public Wi-Fi.
  2. Right to Rectification: If your Scrotal Data is inaccurate, you may request a correction. Please note: "I don't think my HMI score is that high" is not grounds for rectification unless accompanied by a new clinical assessment.
  3. Right to Deletion: You may request the complete deletion of your Scrotal Data at any time. We will comply within 30 days. Jonathan will personally verify the deletion and send you a confirmation email that he describes as "brief but heartfelt."
  4. Right to Data Portability: You may request your Scrotal Data in a machine-readable format for transfer to another testicular optimization provider. We are not aware of any other testicular optimization providers, but we support the principle.
  5. Right to Restriction: You may restrict the processing of your Scrotal Data while a dispute is being resolved.
  6. Right to Object: You may object to the processing of your Scrotal Data for research purposes. Jonathan will respect your decision, though he has been known to sigh audibly.
  7. Right to Not Be Judged: This right is unique to the SDPP. Regardless of your HMI score, optimization progress, or product usage patterns, no employee of SBT will judge you. This is explicitly stated in every employment contract and is enforceable by HR.

Section 11: Contact

For all SDPP-related inquiries, please contact:

DATA PROTECTION OFFICER
Jonathan Thompson
Founder, CEO, and self-appointed Data Protection Officer
Email: privacy@smallball.org
Phone: +49 30 555 BALL (2255), ext. 1
Hours: Mon-Fri 9:00-17:00 CET (homework permitting)

This Protocol was last updated on January 1, 2026 (Version 3.2). Previous versions are archived in The Vault. The SDPP is reviewed annually by Jonathan, who typically makes revisions during winter break because, in his words, "it's important and also I'm bored."

The Scrotal Data Protection Protocol is a proprietary framework of Small Ball Technologies GmbH. It is not recognized by any governmental body, regulatory agency, or standards organization. Jonathan is aware of this and considers it "their loss."