Children's Privacy Notice
Last updated: March 2026
This notice is written for parents and guardians. If you are a child reading this, please ask your parent or guardian to read it with you.
1. Who We Are
Kolva Club is a sports club management platform operated by Kolva Ltd (Company Number: 16021159), registered in England and Wales. Your sports club uses our platform to manage sessions, teams, and membership.
Important
Your club is the Data Controller — they decide why and how your child's data is used. Kolva Ltd is the Data Processor — we provide the technology platform and process data on behalf of your club.
2. What Data We Collect About Your Child
We collect only the minimum information necessary to manage your child's participation in the club:
| Data | Why We Need It | Legal Basis |
|---|---|---|
| First name & last name | To identify your child in sessions and teams | Legitimate interest (club management) |
| Date of birth | To place your child in age-appropriate teams and sessions | Legitimate interest (safeguarding) |
| Attendance records | To track session participation for safeguarding and billing | Contract (club membership) |
| Team membership | To manage squad allocation and training groups | Contract (club membership) |
| Medical notes (optional) | To ensure your child's safety during sessions | Consent — you choose to provide this |
| Photo/media consent status | To record whether the club may photograph your child | Consent — you grant or withdraw this |
3. What We Do NOT Do With Children's Data
- ✓We never use children's data for marketing or advertising
- ✓We never profile children or make automated decisions about them
- ✓We never share children's data with third parties for their own purposes
- ✓We never use children's data to train AI models
- ✓We never track children's location or use geolocation data
- ✓We never use “nudge” techniques or dark patterns to encourage children to provide more data
4. Who Can See Your Child's Data
| Who | What They Can See |
|---|---|
| You (parent/guardian) | Everything about your child |
| Club administrators | Name, DOB, team, attendance, medical notes, payments |
| Coaches | Name, attendance, medical notes (for safety). No payment data. |
| Other parents/athletes | Nothing. Data is fully isolated between families. |
Data is isolated between clubs (tenants). One club cannot see another club's data, even on the same platform.
5. How We Protect Your Child's Data
- Encryption in transit: All data is encrypted using TLS 1.3 between your browser and our servers.
- Encryption at rest: Sensitive data is encrypted using AES-256 in our database.
- Access control: Role-based access ensures coaches cannot see payments, parents can only see their own children.
- Tenant isolation: Each club's data is completely separate. There is no cross-club data access.
- EU hosting: All data is stored on servers in Germany/Finland (Hetzner Cloud, EU region).
- No tracking cookies: We use only essential cookies for login sessions. No advertising or analytics cookies.
6. Your Rights as a Parent
As your child's parent or guardian, you have full control over their data:
- Medical consent: You can share medical information about your child for their safety during sessions. You can withdraw this consent at any time from the Privacy & Data page, which will permanently remove the medical notes.
- Photo/media consent: You control whether the club can take and publish photos of your child. You can grant or withdraw this at any time.
- Data export: You can download all data held about you and your children in JSON or CSV format from the Privacy & Data page.
- Data deletion: You can request deletion of your child's data. This has a 14-day cooling-off period. Payment records are anonymised (not deleted) as required by UK financial regulations.
- Rectification: You can update your child's information through your parent portal at any time.
7. How Long We Keep Data
| Data Type | Retention Period |
|---|---|
| Active athlete records | Duration of membership + 6 months |
| Taster/prospect data (not converted) | 6 months from taster session |
| Attendance records | Duration + 12 months, then anonymised |
| Payment records | 7 years (UK HMRC requirement), anonymised on deletion |
| Medical notes | Until consent is withdrawn or membership ends |
8. Third-Party Services
We use a small number of trusted service providers to operate the platform. These are all bound by data processing agreements:
- Hetzner Cloud (Germany/Finland) — Server hosting and database storage
- Stripe (EU/US) — Card payment processing (we never see card numbers)
- GoCardless (UK) — Direct Debit processing (we never see bank details)
- Resend (US) — Sending transactional emails (session reminders, payment receipts)
- Google Cloud (EU/US) — AI features (query text only, no data retention)
See our full sub-processor list for details on data transfer mechanisms.
9. Questions or Complaints
If you have questions about how your child's data is handled:
- Contact your club first — they are the Data Controller
- Contact Kolva: [email protected]
- ICO (UK regulator): If you are not satisfied with our response, you can complain to the Information Commissioner's Office at ico.org.uk/make-a-complaint