Data Processing Addendum

Kolva Club Platform - Data Processing Addendum

Last Updated: February 2026

Version: 1.0

This Data Processing Addendum (“DPA”) forms part of the Kolva Club Terms of Service (the “Agreement”) between:

Kolva Ltd (Company Number: 16021159), a company registered in England and Wales (“Processor”, “we”, “us”, “Kolva”)

and

You (the person or organisation creating a club account on the Kolva Club platform) (“Controller”, “you”, “Club”)

Together, the “Parties”.

1. Definitions

“Applicable Data Protection Law” means the UK General Data Protection Regulation (UK GDPR) as retained by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, the Data Protection Act 2018, and any successor legislation, together with any guidance and codes of practice issued by the Information Commissioner's Office (“ICO”).

“Children's Data” means Personal Data relating to any individual under the age of 18.

“Club Data” means all Personal Data that the Controller submits to, or that is collected through, the Platform in connection with the Controller's use of the Services.

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Club Data.

“Data Subject” means an identified or identifiable natural person to whom Personal Data relates, including athletes, parents/guardians, and coaches.

“Personal Data”, “Processing”, “Data Controller”, “Data Processor”, and “Special Category Data” have the meanings given to them in Applicable Data Protection Law.

“Platform” means the Kolva Club software-as-a-service platform accessible at kolva.club.

“Services” means the club management services provided by Kolva to the Controller through the Platform, as described in the Agreement.

“Sub-processor” means any third-party Data Processor engaged by Kolva to Process Club Data on behalf of the Controller.

2. Roles and Scope

2.1 Controller and Processor

The Parties acknowledge and agree that:

  • (a) The Controller (Club) determines the purposes and means of Processing Club Data. The Club decides what data to collect from athletes, parents, and coaches, and how to use it.
  • (b) The Processor (Kolva) Processes Club Data solely on behalf of, and in accordance with the documented instructions of, the Controller, except where required to do so by Applicable Data Protection Law.

2.2 Scope of Processing

This DPA applies to all Processing of Club Data carried out by Kolva in connection with providing the Services. The details of Processing are set out in Annex A (Processing Details).

2.3 Controller's Obligations

The Controller warrants and represents that:

  • (a) It has a lawful basis under Applicable Data Protection Law for all Personal Data submitted to the Platform, including Children's Data.
  • (b) It has provided appropriate privacy notices to all Data Subjects (athletes, parents/guardians, coaches) before submitting their data to the Platform. Kolva provides template privacy notices for this purpose, but the Controller remains responsible for ensuring their adequacy.
  • (c) Where Processing is based on consent, the Controller has obtained valid consent from Data Subjects (or, in the case of children under 13, from parents/guardians with parental responsibility).
  • (d) It shall comply with all obligations applicable to it as a Data Controller under Applicable Data Protection Law.
  • (e) It recognises its responsibilities regarding Children's Data and will implement age-appropriate safeguards as required by the ICO's Age Appropriate Design Code where applicable.

3. Processor's Obligations

3.1 Processing Instructions

Kolva shall:

  • (a) Process Club Data only on the Controller's documented instructions, unless required by law to do otherwise. If Kolva is required by law to Process Club Data other than in accordance with the Controller's instructions, it will inform the Controller of that legal requirement before Processing (unless prohibited from doing so by law).
  • (b) Immediately inform the Controller if, in Kolva's opinion, an instruction infringes Applicable Data Protection Law.

3.2 Confidentiality

Kolva shall ensure that all persons authorised to Process Club Data:

  • (a) Are subject to appropriate obligations of confidentiality (whether contractual or statutory).
  • (b) Process Club Data only as necessary to perform the Services.

3.3 Security Measures

Kolva shall implement and maintain appropriate technical and organisational measures to protect Club Data against Data Breaches, having regard to the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to the rights and freedoms of Data Subjects. These measures are described in Annex B (Security Measures).

Given that Club Data includes Children's Data, Kolva shall implement heightened security measures appropriate to the sensitivity of such data.

3.4 Sub-processing

  • (a) The Controller provides general authorisation for Kolva to engage Sub-processors to Process Club Data, subject to the conditions in this Section 3.4.
  • (b) A current list of Sub-processors is set out in Annex C (Sub-processors). Kolva shall maintain an up-to-date list of Sub-processors at kolva.club/legal/sub-processors (or an equivalent URL notified to the Controller).
  • (c) Kolva shall notify the Controller by email at least 30 days before engaging a new Sub-processor or replacing an existing Sub-processor, giving the Controller the opportunity to object.
  • (d) If the Controller objects to a new Sub-processor on reasonable grounds relating to data protection, the Parties shall discuss the Controller's concerns in good faith. If no resolution can be reached within 30 days, the Controller may terminate the affected Services without penalty.
  • (e) Kolva shall impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA.
  • (f) Kolva remains liable to the Controller for the acts and omissions of its Sub-processors.

3.5 Assistance with Data Subject Rights

  • (a) Kolva shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures to fulfil the Controller's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law.
  • (b) Kolva provides self-service tools within the Platform for the Controller to:
    • Export Data Subject data (right of access / portability)
    • Rectify Data Subject data (right of rectification)
    • Delete Data Subject data (right of erasure)
  • (c) If Kolva receives a request directly from a Data Subject in relation to Club Data, Kolva shall promptly redirect the request to the Controller, unless legally required to respond directly.

3.6 Data Breach Notification

  • (a) Kolva shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting Club Data.
  • (b) The notification shall include:
    • A description of the nature of the Data Breach, including (where possible) the categories and approximate number of Data Subjects affected.
    • The name and contact details of a point of contact at Kolva.
    • A description of the likely consequences of the Data Breach.
    • A description of the measures taken or proposed to be taken to address the Data Breach and mitigate its possible adverse effects.
  • (c) Where it is not possible to provide all information at the same time, Kolva shall provide the information in phases without undue delay.
  • (d) Kolva shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.
  • (e) Given that Club Data may include Children's Data, Kolva shall treat any Data Breach involving Children's Data as high priority and shall escalate such breaches immediately.

3.7 Data Protection Impact Assessments

Kolva shall provide reasonable assistance to the Controller in carrying out data protection impact assessments (“DPIAs”) and prior consultations with the ICO, where required under Applicable Data Protection Law, taking into account the nature of the Processing and the information available to Kolva.

3.8 Audit Rights

  • (a) Kolva shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Law.
  • (b) Kolva shall allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor, subject to:
    • Reasonable advance notice of at least 30 days.
    • Audits being conducted during normal business hours.
    • The auditor being bound by appropriate confidentiality obligations.
    • The audit not unreasonably disrupting Kolva's operations.
  • (c) Kolva may satisfy audit requests by providing relevant third-party audit reports, certifications, or summaries of its security practices, where available.

4. International Data Transfers

4.1

Kolva shall not transfer Club Data outside the United Kingdom unless:

  • (a) The transfer is to a country that the UK Secretary of State has determined provides an adequate level of protection for Personal Data; or
  • (b) Appropriate safeguards are in place, such as the International Data Transfer Agreement (“IDTA”) or the UK Addendum to the EU Standard Contractual Clauses.

4.2

As at the date of this DPA, Club Data is primarily stored within the European Economic Area (Hetzner Cloud, Germany/Finland). Details of any international transfers are set out in Annex C (Sub-processors).

4.3

The EU has been deemed adequate by the UK. Transfers to the EEA do not require additional safeguards under current UK adequacy regulations.

5. Data Retention and Deletion

5.1 During the Subscription

Club Data shall be retained for the duration of the Agreement and in accordance with the Data Retention Schedule set out in Annex D.

5.2 On Termination

Upon termination or expiry of the Agreement:

  • (a) Kolva shall, at the Controller's election, either:
    • Return all Club Data to the Controller in a commonly used, machine-readable format (CSV or JSON); or
    • Delete all Club Data, including all existing copies.
  • (b) The Controller shall have 90 days from the date of termination to request data export. After this period, Kolva shall delete all Club Data within 30 days, unless retention is required by Applicable Law.
  • (c) Kolva shall confirm deletion in writing upon the Controller's request.
  • (d) Kolva may retain anonymised, aggregated data that cannot be linked to any Data Subject for the purposes of improving the Platform.

5.3 Financial Records

Notwithstanding Section 5.2, Kolva may retain transaction records (amounts, dates, and statuses only - not full Personal Data) for up to 7 years where required to comply with UK tax and financial regulations.

6. Children's Data - Additional Safeguards

Important: Children's Data

Given the nature of the Platform, Club Data will routinely include Children's Data. The Parties agree to the following additional safeguards.

6.1

Kolva shall implement access controls so that Club Data (including Children's Data) is accessible only to authorised users within the Controller's organisation (administrators, assigned coaches) and not to other tenants on the Platform.

6.2

Kolva shall not use Children's Data for any purpose other than providing the Services to the Controller.

6.3

Kolva shall not use Children's Data for profiling, automated decision-making, marketing, advertising, or any purpose unrelated to the provision of the Services.

6.4

Kolva shall not sell, share, or disclose Children's Data to any third party except Sub-processors listed in Annex C, and only to the extent necessary to provide the Services.

6.5

The Controller acknowledges its responsibility under Article 8 UK GDPR and the Age Appropriate Design Code to ensure that:

  • Parental consent is obtained before submitting Children's Data to the Platform.
  • Privacy notices provided to parents/guardians are clear, age-appropriate, and accessible.
  • Data minimisation principles are applied - only data necessary for the club's legitimate purposes is collected.

6.6

Kolva shall design and maintain Platform features that process Children's Data in accordance with the principle of the best interests of the child.

7. Liability

7.1

Each Party's liability under this DPA shall be subject to the limitations of liability set out in the Agreement.

7.2

Nothing in this DPA limits or excludes either Party's liability for:

  • (a) Fraud or fraudulent misrepresentation.
  • (b) Death or personal injury caused by negligence.
  • (c) Any liability that cannot be limited or excluded by Applicable Data Protection Law.

8. General

8.1 Conflict

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Personal Data.

8.2 Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction over any disputes arising under this DPA.

8.3 Amendments

Kolva may update this DPA from time to time to reflect changes in Applicable Data Protection Law or our Processing activities. Material changes will be notified to the Controller at least 30 days in advance. Continued use of the Services after such notification constitutes acceptance of the updated DPA.

8.4 Acceptance

By creating a club account on the Kolva Club platform, the Controller acknowledges that they have read, understood, and agree to be bound by this DPA. If the Controller does not agree to this DPA, they must not create a club account or use the Services.

Annex A - Processing Details

  • Subject matter: Provision of cloud-based sports club management services
  • Duration: For the term of the Agreement, plus retention periods in Annex D
  • Nature of Processing: Collection, storage, organisation, retrieval, consultation, use, disclosure by transmission, erasure, and destruction
  • Purpose of Processing: To enable the Controller to manage athletes, teams, sessions, attendance, payments, and communications for their sports club
  • Categories of Data Subjects: Athletes (children aged approximately 4-18), parents/guardians, coaches, club administrators
  • Categories of Personal Data: See Personal Data Categories below

Personal Data Categories

  • Athletes (children): Full name, date of birth, age, team membership, attendance records, session registrations, athlete status (prospect/active/inactive/waitlist/paused), medical/dietary notes (where provided by parent)
  • Parents/Guardians: Full name, email address, phone number, postal address, payment history (amounts, dates, statuses), parent-athlete relationships, communications sent/received
  • Coaches: Full name, email address, phone number, assigned teams, session schedules
  • Club Administrators: Full name, email address, account credentials (hashed), usage logs

Special Category Data

Medical and dietary notes provided by parents may constitute Special Category Data under Article 9 UK GDPR. The Controller is responsible for ensuring an appropriate lawful basis for collecting such data (typically explicit consent).

Annex B - Security Measures

Kolva implements the following technical and organisational measures:

Technical Measures

  • Encryption in transit: TLS 1.3 for all data in transit
  • Encryption at rest: AES-256 encryption for stored data
  • Authentication: Bcrypt password hashing with salting, session-based authentication with secure tokens
  • Access control: Role-based access control (Admin, Coach, Parent) with tenant isolation
  • Multi-tenancy isolation: All database queries scoped to tenant ID; no cross-tenant data access
  • Payment security: Card details and bank account details handled entirely by Stripe and GoCardless (PCI DSS Level 1 compliant); Kolva never stores, processes, or transmits payment card data
  • Database security: PostgreSQL with parameterised queries (Prisma ORM), preventing SQL injection
  • Infrastructure: Hosted on Hetzner Cloud (ISO 27001 certified), EU data centres (Germany/Finland)
  • Backups: Regular automated database backups with encryption
  • Monitoring: Application and server monitoring for anomalous activity

Organisational Measures

  • Staff access: Limited to essential personnel on a need-to-know basis
  • Confidentiality: All personnel with access to Club Data bound by confidentiality obligations
  • Incident response: Documented Data Breach response procedure
  • Development practices: Security-focused development with code review
  • Dependency management: Regular updates to address security vulnerabilities

Annex C - Sub-processors

The Controller provides general authorisation for Kolva to use the following Sub-processors. An up-to-date list is also available at kolva.club/legal/sub-processors.

  • Hetzner Cloud (Hetzner Online GmbH)
    • Purpose: Infrastructure hosting, database hosting
    • Data Processed: All Club Data
    • Location: Germany / Finland (EU)
  • Stripe (Stripe Payments Europe Ltd)
    • Purpose: Card payment processing via Stripe Connect
    • Data Processed: Parent name, email, payment amounts, transaction records. Card details processed directly by Stripe - Kolva does not access or store them.
    • Location: EU / US (adequate jurisdiction + SCCs)
  • GoCardless (GoCardless Ltd)
    • Purpose: Direct Debit payment processing via GoCardless Connect
    • Data Processed: Parent name, email, bank sort code/account number (processed by GoCardless), payment amounts, mandate references
    • Location: UK
  • Resend (Resend Inc)
    • Purpose: Transactional email delivery
    • Data Processed: Recipient email addresses, email content (may include names)
    • Location: US (SCCs / UK IDTA in place)
  • Google Cloud (Google LLC)
    • Purpose: AI features (Gemini Flash) - optional
    • Data Processed: Query text, session/athlete names as context for AI responses. No data stored by Google beyond the API call.
    • Location: EU / US (adequate jurisdiction + SCCs)

Notes:

  • Stripe and GoCardless process payments as the club's payment processors. The club is the merchant of record. Kolva facilitates the connection but does not control payment processing.
  • All US-based Sub-processors are covered by appropriate transfer mechanisms (SCCs, UK IDTA, or adequacy decisions).

Annex D - Data Retention Schedule

  • Active athlete records: Duration of club membership + 6 months (basis: Contractual necessity)
  • Inactive athlete records: 12 months after status changed to inactive, then anonymised or deleted (basis: Data minimisation)
  • Prospect (taster) records: 6 months from taster session if not converted to active athlete (basis: Data minimisation)
  • Parent/guardian records: Retained while any linked athlete is active, then as per athlete retention (basis: Contractual necessity)
  • Coach records: Duration of coach's association with the club + 6 months (basis: Contractual necessity)
  • Payment/transaction records: 7 years from transaction date (basis: UK tax/financial regulations (Finance Act, HMRC requirements))
  • Attendance records: Duration of athlete's membership + 12 months (basis: Legitimate interest (safeguarding))
  • Communications (messages): 24 months from date sent (basis: Legitimate interest)
  • Medical/dietary notes: Same as associated athlete record (basis: Explicit consent)
  • Safeguarding records: Until athlete reaches age 25, or 7 years from last record (whichever is longer) (basis: Legal obligation (safeguarding))
  • Account credentials: Duration of account + deletion within 30 days of account closure (basis: Contractual necessity)
  • Usage/audit logs: 12 months (basis: Legitimate interest (security))

The Controller may delete data at any time through the Platform's self-service tools. The retention periods above represent maximum retention - data may be deleted sooner at the Controller's discretion.

By creating your club on Kolva Club, you acknowledge and agree to this Data Processing Addendum.

For questions about this DPA, contact: [email protected]
