Last updated: June 2023
When we talk about the “Services” in this Policy, we are referring to the use of software applications and platforms made available online to customers for the purpose of tracking physical training and historical injury profiles of athletes.
Kitman Labs Limited, an Irish registered company, is the service provider for all customers located within Europe, the Middle East and Africa (collectively, “EMEA”). Kitman Labs Inc., a US company, provides the Services to customers located outside EMEA (such as those in the United States, Australia, New Zealand and Asia) and is the company responsible for the personal data of non-EMEA based customers. The Sports Office, a UK registered company, will process personal data of customers based in the UK.
With respect to all laid out above, each company may, where the client engagement warrants, work as a sub-processor for the other in processing client data. All sub-processing is undertaken legally and in compliance with law. If you have any questions, please contact the Kitman Labs DPO at firstname.lastname@example.org.
This policy is to outline our obligations with respect to GDPR, UK GDPR, HIPAA (and any other US legislation) and any other legislation which may apply to Kitman.
For the purposes of HIPAA compliance, Kitman Labs is considered a Business Associate (“BA”) and Client may be considered a Covered Entity (“CE”). Any reference to personal data may be considered Protected Health Information, any reference to Controller should be understood to mean Covered Entity, and any reference to Processor shall be understood to mean Business Associate unless stated otherwise. For the purposes of HIPAA, the Kitman DPO shall be the Kitman Privacy Officer.
What Information Does Kitman Collect and Receive?
In the course of its operations, Kitman Labs operates as both a Data Processor and a Data Controller. For clarity, Kitman is a Data Controller for Human Resources and Business personal data and a Data Processor for Customer Data:
- Human Resources (Controller)
  - HR File
  - Potential Employees
- Marketing (Controller)
  - Marketing opt-in data
  - Customer Lead Generation Data
- Customer Data (Processor)
  - ID, health and performance data for provision of services
  - Account and billing information
  - Service usage information
Kitman as Data Controller
HR file: Comprises information which is collected for the purposes of Kitman’s role as an employer. Payroll data is processed for the purposes of paying employees and also some contractors.
Potential employees: If you apply for a job with Kitman, we will receive the personal data you provide to us such as your name, address, contact information, education details and professional experience. We will use this information for the purposes of hiring only and will process it only on the basis of our legitimate interests. You can ask for your information to be removed from our database at any time by contacting email@example.com.
Kitman as Data Processor
Kitman may collect, store and analyse information (including personal data and sensitive personal data such as health related data) about individuals (such as athletes) whose personal data is processed by Kitman during the provision of the Services to its customers (“Customer Data”). This information is controlled by Kitman’s customers and is processed by Kitman in accordance with the agreement for Services (“Customer Agreement”). To the extent that Kitman collects, stores and analyses Customer Data, Kitman does so on behalf of its customers and is a “data processor” only.
If Customer Data includes your personal data or you are using the Services by invitation of a Kitman customer, whether that customer is your employer, team, another organisation, or an individual, Kitman collects, stores, and analyses your personal data on behalf of its customer. That customer will determine its own policies regarding the treatment of Customer Data which may apply to your use of the Services. Please check with the customer about the policies it has in place.
Customer Data: may, among other things, comprise data that identifies a person, and relates to them and their health. This data will be used in order to provide the services of Kitman Labs to our customers.
Account and billing information: To create a Kitman account and to access the Services, customers must provide Kitman with names, usernames, passwords and contact information. In addition customers may provide billing information including bank account details to complete transactions in relation to our Services.
Services usage information: When a customer interacts with the Services, usage information is created and may include details of administrative, technical and support communications with us.
How Does Kitman Use Customer Data?
Customer Data will be used by Kitman in accordance with customer’s instructions, including any applicable terms in the Customer Agreement, and as required by applicable law. Any information processed by Kitman as a Controller will only be processed where there is a strict legal basis (e.g. employees on the basis of contract). Kitman will only collect the minimum information which is necessary and relevant to accomplish the legally authorised purpose of collection, and that information will be retained for the minimum relevant periods based on that legally authorised purpose (including consent).
Kitman uses Kitman Data that it controls for the following purposes which are subject to yearly review:
To provide, update, and improve our Services: This includes use of Kitman Data to support delivery of the Services under a Customer Agreement, prevent or address service errors, security or technical issues, analyse and monitor usage, trends and other activities. We also use de-personalised and aggregated data generated by our customers’ use of our Services to better understand how customers are using the Services in order to improve them. This processing of Kitman Data is required as a matter of contractual necessity and also may be necessary in line with our legitimate interests.
To send emails and other communications: If you contact us, we may use your contact information to respond. We may also send service, technical and administrative emails and messages. We may also contact customers to inform them about changes in our Services, our service offerings, and important service related notices, such as security and fraud notices. These emails and messages are considered part of the Services and customers may not opt-out of them. In addition, we occasionally send emails about new product features, events or other news about Kitman. These are marketing messages you can opt out of at any time. This processing of Kitman Data is required as a matter of contractual necessity and is also necessary for our legitimate interests which are described in more detail below.
For billing and account management: We use account and billing information to administer accounts and keep track of billing and payments. This processing of Kitman Data is required as a matter of contractual necessity and may also be required to enable us to comply with our legal obligations.
For investigating fraud and abuse: We work hard to keep the Services secure and to prevent abuse and fraud. Such processing will be in our legitimate interests of keeping the Service safe and secure.
For research: We use anonymised and aggregated data for business purposes such as performing research on specific subject-areas as well as statistical analysis and machine-learning, market analysis and producing reports. The data is anonymised and aggregated so the data is no longer associated with and can no longer be linked to an identifiable customer of the Services, or athlete whose data we have been provided with by a customer.
Other uses for the data Kitman collects?
Kitman may share information described in this Policy from time to time under certain circumstances, so we can offer you the best service possible, to run our business, or to comply with legal and regulatory obligations and to comply with any legal requests. Such sharing will also be necessary for the purposes of our legitimate interests.
Third Party Service Providers and other partners: Kitman may provide Kitman Data to vendors, service providers, and other partners including affiliates in our corporate group who work on our behalf to help provide the Services and who will use this information only in accordance with instructions from Kitman or restrictions imposed by Kitman. We do not share or sell information with other Data Controllers. Further information on the third parties who receive this data is available at kitmanlabs.com/sub-processors.
Legal Compliance: Kitman may process information in order to comply with legal or regulatory requirements and to respond to lawful requests, court orders and legal process.
Changes to Business Structure: In the event Kitman is involved in a merger, acquisition, bankruptcy, dissolution, reorganisation, sale of some or all of Kitman’s assets, financing, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities (e.g. due diligence).
Fraud and Illegal Activity: Kitman may work to enforce our rights, prevent fraud and for safety and to protect the Services and its customers. This is in order to protect and defend the rights, property, or safety of us or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud or other criminal activities. Such sharing may be required by law or may be necessary for the purposes of our legitimate interests.
Legal Basis for Processing
To the extent that Kitman’s processing of Kitman Data is subject to the EU General Data Protection Regulation, we rely on a number of legal bases to collect and use information for purposes described in this Policy, including:
- as necessary to provide the Services and to perform the Customer Agreements;
- where you have consented to processing, which you can revoke at any time;
- where necessary to comply with a legal obligation, a court order, or to exercise and defend legal claims;
- as necessary for Kitman’s legitimate interests or those of a third party.
Where we rely on legitimate interest to process Kitman Data, the legitimate interests we rely on are (i) to create, provide and maintain innovative Services; (ii) to ensure security (including compliance with the HIPAA security rule) of personal data for which Kitman is either a Controller or a Processor; (iii) to carry out marketing; and (iv) to recruit talented individuals.
Security and Data Retention
Kitman takes security seriously. We take various physical, administrative, and technological steps to store and transmit data securely. For example, all personal data is held on dedicated and encrypted servers and behind secure firewall(s). In addition to technological security measures, Kitman places access controls on its employees, contractors, and other partners. Our employees are subject to strict contractual confidentiality obligations that are consistent with this Policy, and may be disciplined or terminated if they fail to meet these obligations. Despite these measures, Kitman cannot guarantee that the information described in this Policy will be completely secure.
We only store Kitman Data for as long as is necessary to provide our Service under the Customer Agreement or to comply with our legal and regulatory obligations. This means certain transaction data will be held beyond the duration originally intended; however, this will at all times be done in compliance with our Retention Policy. Examples of where this may be reasonably necessary are to resolve disputes, prevent fraud or abuse, or enforce this Policy and our agreements with customers.
Where Kitman is a Data Controller, we will at all times seek to ensure the accuracy, relevance, timeliness and completeness of information collected; where we are a Processor, we seek to facilitate this for our Clients. In order to ensure quality, information is collected directly from Clients to the greatest extent possible. This information is input directly by coaches, athletes and staff of the Client, or sometimes in bulk transfers by the Client to Kitman Labs.
International Data Transfers
Data subject rights
Under certain Data Privacy Laws, if your personal data is processed by us in Kitman Labs, then you have certain statutory rights in relation to your data. Subject to exemptions provided by law you can request access to your personal data as well as seek to rectify, erase, restrict, port and object to Kitman processing your personal data.
You can also access your personal information or exercise any of your rights described above by sending us a request at firstname.lastname@example.org. After we verify your identity, we will process the request in accordance with law. (Under HIPAA, individuals have the rights to Amend, Disclose, and Access; however, given Kitman’s role as a BA, these are unlikely to feature in our processing.)
Where Kitman is a Processor we provide our clients with the means by which they can undertake this themselves via the services we provide.
Without prejudice to any other rights you also have the right to file a complaint against Kitman Labs Limited with your local supervisory authority, or with the Irish Data Protection Commissioner by contacting them at email@example.com.
If you have any questions about Kitman’s Policy or practices and if you are habitually resident in EMEA and wish to exercise any of your statutory rights please contact our Data Protection Officer at firstname.lastname@example.org or at the address below:
Kitman Labs Limited
Block B, Fourth Floor, Joyce’s Court
Talbot St, Dublin 1, Ireland
If you have any questions about Kitman’s Policy or practices and if you are based outside EMEA, please contact Kitman Labs Inc. at email@example.com or at the address below:
405 El Camino Real #440,
CA 94025, USA