Sub-processors
Last updated: February 2026
Overview
Kolva Club (“we”, “us”, “our”) uses a limited number of third-party sub-processors to deliver and operate the platform. As a data processor acting on behalf of sports clubs (the data controllers), we are committed to transparency about who has access to personal data and why.
This page lists all sub-processors currently authorised to process personal data on our behalf, in accordance with our Data Processing Agreement (DPA) and applicable data protection legislation including the UK GDPR, EU GDPR, and the Data Protection Act 2018.
Change Notification
We will notify club administrators at least 30 days before adding or changing sub-processors. Notifications are sent by email to the primary administrator on the account. If you object to a new sub-processor, you may contact us within that notice period to discuss your concerns or exercise your rights under the DPA.
Current Sub-processors
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Hetzner Cloud Hetzner Online GmbH | Infrastructure hosting, database hosting | All Club Data | Germany / Finland (EU) |
| Stripe Stripe Payments Europe Ltd | Card payment processing via Stripe Connect | Parent name, email, payment amounts, transaction records. Card details processed directly by Stripe. | EU / US (adequate jurisdiction + SCCs) |
| GoCardless GoCardless Ltd | Direct Debit payment processing via GoCardless Connect | Parent name, email, bank details (processed by GoCardless), payment amounts, mandate references | UK |
| Resend Resend Inc | Transactional email delivery | Recipient email addresses, email content (may include names) | US (SCCs / UK IDTA in place) |
| Google Cloud Google LLC | AI features (Gemini Flash) – optional | Query text, session/athlete names as context for AI responses. No data stored beyond API call. | EU / US (adequate jurisdiction + SCCs) |
International Data Transfers
Where personal data is transferred outside the UK or the European Economic Area, we ensure that appropriate safeguards are in place in accordance with UK GDPR Article 46 and EU GDPR Chapter V.
For US-based sub-processors (Resend and Google Cloud), we rely on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs) – EU-approved model clauses incorporated into our agreements with each sub-processor.
- UK International Data Transfer Agreement (UK IDTA) – the UK addendum to the SCCs, ensuring transfers comply with UK data protection law.
- EU–US Data Privacy Framework – where the sub-processor is certified under the framework, this provides an additional adequacy basis for EU–US transfers.
Stripe processes data within the EU via Stripe Payments Europe Ltd. Where data may transit through US infrastructure, Stripe relies on SCCs and the EU–US Data Privacy Framework. Google Cloud AI requests are routed through EU endpoints where available; SCCs and adequacy decisions cover any residual US processing.
Due Diligence
Before engaging any sub-processor, we carry out a data protection impact assessment that considers:
- The nature and sensitivity of data to be processed
- The sub-processor's security certifications and track record
- Contractual data protection commitments (DPA / sub-processor agreement)
- Data residency and applicable transfer mechanisms
- The sub-processor's sub-processor policies (onward transfers)
Each sub-processor is bound by a written agreement that imposes obligations no less protective than those set out in our Data Processing Agreement.
Questions
If you have questions about our sub-processors or wish to raise an objection to a proposed sub-processor change, please contact us: