Privacy Policy

Last updated: January 2026

1. Introduction

Kolva Club (“we”, “us”, “our”) is a sports club management platform operated by Kolva Ltd (Company Number: 16021159), a company registered in England and Wales.

This Privacy Policy explains how we collect, use, store, and protect personal data when you use our Service at kolva.club. This includes data about club administrators, coaches, parents, and child athletes.

Important: Children's Data

Kolva Club processes personal data about child athletes (minors under 18 years old). We take special care to protect children's privacy rights under GDPR and UK data protection law. Parents and guardians provide consent for their children's data to be processed through our Service.

Data Controller & Processor

Kolva Ltd (Data Processor)

Company Number: 16021159

Email: [email protected]

General inquiries: [email protected]

Your club is the Data Controller. Kolva Ltd acts as the Data Processor. See our Data Processing Addendum and list of sub-processors.

2. Legal Basis for Processing

Under GDPR, we process personal data on the following legal bases:

Contract (Article 6(1)(b))

Processing is necessary to perform our contract with sports clubs and provide the Service. This includes:

  • Managing club memberships and team assignments
  • Processing session bookings and attendance
  • Handling payments and invoicing
  • Providing the platform and its features

Consent (Article 6(1)(a))

We rely on explicit consent from parents/guardians for:

  • Processing children's personal data (athletes under 18)
  • Storing medical information and emergency contacts
  • Taking and storing photographs of child athletes
  • Marketing communications (where applicable)

Legitimate Interests (Article 6(1)(f))

We process data based on legitimate interests for:

  • Improving our Service and developing new features
  • Detecting and preventing fraud or abuse
  • Analyzing usage patterns and system performance
  • Sending operational communications (non-marketing)

Legal Obligation (Article 6(1)(c))

We process data to comply with legal obligations, including:

  • Retaining financial records for tax and accounting purposes
  • Responding to lawful requests from authorities
  • Complying with safeguarding requirements

3. Data We Collect

Club Information

  • Club name, address, contact details
  • Organization type (charity, limited company, etc.)
  • Business identifiers (company number, VAT number)
  • Bank account details for payouts

Administrator & Coach Data

  • Name, email address, phone number
  • Account credentials (hashed passwords)
  • Role and permissions within the club
  • Profile photos (optional)

Parent/Guardian Data

  • Name, email address, phone number
  • Postal address (for billing and communications)
  • Relationship to child athletes
  • Payment method information (tokenized via Stripe/GoCardless)
  • Communication preferences

Athlete Data (Children's Personal Data)

Special Category Data

Some athlete data constitutes “special category data” under GDPR Article 9 (sensitive personal data). We process this data only with explicit parental consent and implement additional safeguards.

  • Name, date of birth, gender
  • Team assignments and membership status
  • Session attendance records
  • Medical conditions, allergies, dietary requirements (special category data)
  • Emergency contact information
  • Photographs and videos (with explicit consent)
  • Skill level and progression notes
  • Behavior or safeguarding notes (if applicable)

Payment Data

  • Payment amount, date, status
  • Invoice and receipt details
  • Payment method type (card, Direct Debit)
  • Transaction IDs and reference numbers

Note: We do not store full credit card numbers or bank account details. Payment processing is handled by Stripe and GoCardless, who tokenize payment methods and securely store sensitive financial data on their PCI-DSS compliant systems.

Usage Data

  • Device information (browser, operating system, device type)
  • IP address and approximate location (country/region)
  • Pages visited, features used, time spent
  • Error logs and crash reports
  • AI assistant interactions (queries and responses)

4. How We Use Your Data

We use personal data for the following purposes:

Provide the Service

  • Manage club operations (athletes, teams, sessions, schedules)
  • Track attendance and participation
  • Process payments and issue invoices
  • Send communications between clubs and guardians
  • Provide access to guardian and coach portals

Child Safety & Safeguarding

  • Store medical information for emergency situations
  • Maintain emergency contact details
  • Record safeguarding concerns (where necessary for child protection)
  • Verify parent/guardian relationships

Communications

  • Send transactional emails (booking confirmations, payment receipts)
  • Send operational updates (session changes, closures, important notices)
  • Facilitate messaging between clubs and parents
  • Respond to support inquiries

Improve the Service

  • Analyze usage patterns to improve features
  • Debug technical issues and fix errors
  • Train and improve our AI assistant
  • Develop new functionality based on user needs

Legal & Security

  • Comply with legal obligations (tax records, safeguarding duties)
  • Detect and prevent fraud or abuse
  • Enforce our Terms of Service
  • Protect the rights and safety of users

5. AI Processing

Kolva Club uses Google's Gemini AI models to power our AI assistant feature, which helps club administrators manage operations through natural language commands.

What Data is Processed by AI

  • User queries and commands (e.g., “Show me unpaid invoices”)
  • Aggregated data summaries (e.g., attendance statistics)
  • Non-sensitive operational data (team names, session times)

What Data is NOT Sent to AI

  • Children's medical information
  • Payment card numbers or bank details
  • Safeguarding notes or sensitive records
  • Full personal identifiers unless necessary for the query

AI Data Handling

All AI processing is done via Google's Gemini API with the following safeguards:

  • Data is encrypted in transit (TLS 1.3)
  • Google does not use customer data to train models (per Google Cloud AI terms)
  • AI interactions are logged for debugging and improvement purposes
  • Users can opt out of AI features by not using the AI assistant

For more information, see Google Cloud Terms of Service and Google Cloud GDPR Commitments.

6. Data Sharing & Third Parties

We share personal data with the following third-party service providers who process data on our behalf. For a complete list with details of what data each processor handles, see our sub-processors page.

Payment Processors

Email & Communications

AI & Analytics

Hosting & Infrastructure

  • Cloud hosting providers: We use secure, GDPR-compliant hosting services with data centers in the EU/UK.

Legal Disclosures

We may disclose personal data if required by law, court order, or governmental authority, or to:

  • Comply with legal obligations
  • Protect the rights, property, or safety of Kolva Ltd, our users, or the public
  • Respond to safeguarding concerns involving child protection
  • Prevent fraud, abuse, or illegal activity

We do NOT sell personal data

Kolva Club does not sell, rent, or trade personal data to third parties for marketing purposes. We only share data with service providers who help us deliver the Service.

7. International Data Transfers

Our primary data storage is within the UK and European Economic Area (EEA). However, some service providers (such as Google Cloud for AI processing) may transfer data to countries outside the UK/EEA.

When we transfer data internationally, we ensure it is protected by:

  • European Commission Standard Contractual Clauses (SCCs)
  • UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs
  • Adequacy decisions by the UK or EU for approved countries
  • Service providers with strong data protection commitments (e.g., Google Cloud GDPR compliance)

8. Data Retention

We retain personal data for as long as necessary to provide the Service and comply with legal obligations:

Data Type | Retention Period | Reason
Account data | While account is active + 30 days after deletion | Service provision
Athlete data | While club subscription is active + 6 months | Service provision, safeguarding
Payment records | 7 years from transaction date | UK tax law (HMRC requirements)
Invoices & receipts | 7 years from issue date | UK tax and accounting law
Safeguarding records | Until child turns 25 (or longer if legally required) | Child protection obligations
Usage logs | 90 days | Security and debugging
Marketing consent | Until withdrawn + 30 days | Compliance

After the retention period, we securely delete or anonymize personal data. Some aggregated, anonymized data may be retained indefinitely for statistical purposes.

9. Your Rights Under GDPR

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

Right to Access (Article 15)

You can request a copy of your personal data (or your child's data if you are a guardian). We will provide this free of charge in a structured, commonly used format (e.g., PDF or CSV).

Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data. You can also update your own data directly through your account settings.

Right to Erasure (“Right to be Forgotten”) (Article 17)

You can request deletion of personal data in certain circumstances, such as:

  • Data is no longer necessary for the purpose it was collected
  • You withdraw consent (where consent was the legal basis)
  • Data was unlawfully processed

Exceptions: We may refuse deletion if we are legally required to retain data (e.g., financial records for 7 years, safeguarding records until child turns 25).

Right to Restrict Processing (Article 18)

You can request that we limit how we use your data in certain situations (e.g., while we verify accuracy or investigate a complaint).

Right to Data Portability (Article 20)

You can request a machine-readable copy of your data to transfer to another service provider.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that significantly affect you. Our AI assistant does not make automated decisions without human review.

How to Exercise Your Rights

To exercise any of these rights, please contact us at [email protected]. We will respond within one month (or two months for complex requests).

Parents/guardians can exercise these rights on behalf of their children.

10. Children's Privacy

CRITICAL: Parental Consent Required

Kolva Club is designed for use by sports clubs managing child athletes (minors under 18 years old). We require explicit parental or guardian consent before processing children's personal data.

How We Obtain Parental Consent

  • Taster/Trial Sessions: Parents provide consent when completing the online signup form, which includes a clear statement about data processing and a checkbox for consent.
  • Team Membership: Parents provide written consent (digital or paper) when registering their child for team membership, acknowledging that personal data (including medical information) will be stored and processed.
  • Photo/Video Consent: Separate explicit consent is obtained before taking or publishing any photographs or videos of child athletes.

Age Verification

We verify that consent comes from a legal guardian by:

  • Requiring guardian email and phone verification
  • Validating relationship to child during signup
  • Cross-checking emergency contact information

Children's Data We Process

With parental consent, we process the following data about child athletes:

  • Name, date of birth, gender
  • Team assignments and attendance records
  • Medical conditions, allergies, dietary needs (for safety)
  • Emergency contact details
  • Skill progression and coaching notes
  • Photos/videos (only with separate explicit consent)

How We Protect Children's Data

  • Access controls: Only authorized club staff (administrators, coaches) can view athlete data, and only for legitimate operational purposes.
  • Role-based permissions: Coaches see only basic information (name, attendance). Medical data is restricted to administrators with safeguarding responsibilities.
  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Audit logs: We log access to sensitive child data for accountability.
  • No AI processing of sensitive data: Children's medical information is never sent to AI models.

Parental Rights

Parents/guardians have the right to:

  • Access all data we hold about their child
  • Request correction or deletion of their child's data
  • Withdraw consent at any time (subject to legal retention requirements)
  • Object to specific processing activities
  • Request that we stop processing their child's data (subject to club membership obligations)

To exercise these rights, contact us at [email protected].

Safeguarding & Child Protection

In exceptional circumstances involving child protection concerns, we may share data with:

  • Local safeguarding authorities
  • Police or other law enforcement
  • Social services
  • Designated Safeguarding Leads at the club

Such disclosures are made only when legally required or necessary to protect the welfare of a child.

11. Data Security

We implement industry-standard security measures to protect personal data from unauthorized access, disclosure, alteration, or destruction:

Technical Measures

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • Secure password hashing (bcrypt with salt)
  • Regular security updates and patches
  • Web Application Firewall (WAF)
  • Rate limiting and DDoS protection

Organizational Measures

  • Role-based access controls (least privilege principle)
  • Multi-factor authentication (MFA) for administrators
  • Regular staff training on data protection
  • Data protection impact assessments (DPIAs) for new features
  • Incident response plan for data breaches
  • Regular backups with secure, encrypted storage

Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the ICO (Information Commissioner's Office) within 72 hours
  • Notify affected individuals without undue delay
  • Provide details of the breach, potential impact, and mitigation steps

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features.

When we make significant changes, we will:

  • Update the “Last updated” date at the top of this page
  • Show a prominent notice on the Service
  • For material changes affecting children's data, obtain fresh parental consent where required

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

13. Contact Us & Complaints

Contact Information

Kolva Ltd (Data Controller)

Company Number: 16021159

Registered in England and Wales

Privacy inquiries: [email protected]

General inquiries: [email protected]

Right to Complain to the ICO

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK's data protection authority:

Information Commissioner's Office (ICO)

Wycliffe House

Water Lane

Wilmslow

Cheshire SK9 5AF

Phone: 0303 123 1113

Website: ico.org.uk/make-a-complaint

14. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

Your California Rights

  • Right to Know: You can request details about the personal information we have collected about you in the past 12 months, including categories of data, sources, purposes, and third parties we share it with.
  • Right to Delete: You can request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, completing transactions).
  • Right to Opt-Out of Sale: We do NOT sell personal information, so there is nothing to opt out of.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

How to Exercise California Rights

To exercise these rights, contact us at [email protected]. We will respond within 45 days (or 90 days for complex requests).

Categories of Personal Information

We collect and process the following categories under CCPA:

  • Identifiers (name, email, address, phone)
  • Commercial information (payment history, transaction records)
  • Internet or network activity (usage logs, IP addresses)
  • Biometric information (photos/videos of children, with consent)
  • Health information (medical conditions, allergies)
  • Education information (team assignments, skill levels)

Shine the Light Law

Under California Civil Code Section 1798.83, California residents can request information about disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.
