GDPR Compliance Statement
TeamKitX is committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR) and other applicable data protection laws. This document outlines how we collect, process, store, and protect your personal data in compliance with GDPR requirements.
Data Controller: TeamKitX
Contact: privacy@teamkitx.com
Data Protection Officer: Available upon request
Personal Data We Process
Under GDPR, personal data means any information relating to an identified or identifiable natural person. We process the following categories of personal data:
| Data Category | Data Types | Purpose |
| --- | --- | --- |
| Identity Data | Name, email address, member number | Account creation, team management |
| Team Data | Team affiliations, role, size profiles | Team coordination, equipment fitting |
| Equipment Data | Assignment records, condition assessments, photos | Equipment management, accountability |
| Financial Data | Damage charges, late fees, equipment values | Charge calculation, inventory valuation |
| Photo Data | Equipment condition photos | Documentation, condition tracking |
| Technical Data | Device type, OS version, app version | App functionality, technical support |
| Usage Data | App interactions, feature usage | Service improvement, analytics |
Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR Article 6:
Legitimate Interest (Article 6(1)(f))
- Equipment management and accountability tracking
- App functionality and technical support
- Service improvement and analytics
- Security and fraud prevention
Contract Performance (Article 6(1)(b))
- Providing sports equipment management services
- Processing assignments and returns
- Calculating damage and late fees
- Enabling team coordination features
Consent (Article 6(1)(a))
- Photo uploads and documentation
- Marketing communications (where applicable)
- Non-essential notifications
- Optional features requiring explicit consent
Legal Obligation (Article 6(1)(c))
- Compliance with applicable laws
- Response to legal requests
- Financial record-keeping requirements
Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
Right of Access (Article 15)
- Request confirmation of data processing
- Obtain a copy of your personal data
- Receive information about processing purposes and recipients
Right to Rectification (Article 16)
- Correct inaccurate personal data
- Complete incomplete personal data
- Update outdated information
Right to Erasure / "Right to be Forgotten" (Article 17)
- Request deletion of personal data when no longer necessary
- Withdraw consent and request data deletion
- Object to unlawful processing
Right to Restrict Processing (Article 18)
- Limit processing while verifying accuracy
- Restrict processing instead of deletion
- Object to processing based on legitimate interests
Right to Data Portability (Article 20)
- Receive personal data in structured, machine-readable format
- Transmit data to another controller
- Available for automated processing based on consent or contract
Right to Object (Article 21)
- Object to processing based on legitimate interests
- Object to direct marketing (absolute right)
- Object to automated decision-making and profiling
How to Exercise Your Rights:
Contact us at privacy@teamkitx.com or use the in-app data export feature for data portability requests. We will respond within 30 days as required by GDPR.
Data Processing Activities
Data Collection
- Direct Collection: Information you provide during registration, team setup, and app usage
- Automatic Collection: Technical data, usage patterns, and app performance metrics
- Photo Upload: Equipment photos you choose to upload
- Third-Party Sources: Firebase Authentication for account verification
Data Processing Purposes
- Providing sports equipment management services
- Processing equipment assignments and returns
- Tracking equipment condition and location
- Calculating damage and late return charges
- Enabling team coordination and member management
- Photo documentation for accountability
- Improving app performance and user experience
- Providing customer support and technical assistance
- Ensuring platform security and preventing fraud
Photo Processing
We process equipment photos with special care:
- Photos are processed solely for equipment documentation
- No facial recognition or biometric analysis is performed
- Photos are visible only to authorized team members
- Secure storage with access controls
- Can be deleted at any time upon request
Automated Decision-Making
We may use automated processing for:
- Damage charge calculation based on condition changes
- Late fee calculation based on return dates
- Low stock alerts based on inventory levels
- App performance optimization
You have the right to object to automated decision-making and request human intervention where it significantly affects you.
Data Sharing and International Transfers
Data Recipients
We may share your personal data with:
- Team Members: Limited data sharing for team functionality
- Service Providers: Google Firebase (hosting), cloud storage providers
- TeamWalletX: When integration is enabled (for automated penalty creation)
- Legal Authorities: When required by law or legal process
International Data Transfers
Your data may be transferred to and processed in countries outside the EEA, including:
- United States: Google Firebase services (adequacy decision/Standard Contractual Clauses)
- Other Countries: As necessary for service provision with appropriate safeguards
Transfer Safeguards
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Binding Corporate Rules (BCRs) for multinational processors
- Technical and organizational measures ensuring data protection
Data Retention and Deletion
Retention Periods
- Account Data: Retained while account is active and up to 3 years after deletion
- Equipment Records: Retained for accountability and up to 7 years for financial records
- Photos: Retained until manually deleted or account closure
- Technical Data: Retained for up to 2 years for security and improvement purposes
- Assignment History: Retained for up to 5 years for accountability purposes
Automatic Deletion
- Inactive accounts may be deleted after 2 years of no activity
- Technical logs automatically deleted after specified retention periods
- Temporary files and cache data regularly purged
- Deleted photos removed from storage within 7 days
Deletion Process
When you request account deletion or exercise your right to erasure:
- Personal identifiers are immediately anonymized or pseudonymized
- Data is marked for deletion and removed within 30 days
- Photos are permanently deleted from cloud storage
- Some data may be retained longer for legal compliance
- You will receive confirmation of deletion completion
Data Security Measures
Technical Safeguards
- Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
- Access Controls: Multi-factor authentication and role-based access
- Photo Security: Secure cloud storage with access restrictions
- Network Security: Firewalls, intrusion detection, and DDoS protection
- Monitoring: 24/7 security monitoring and incident response
Organizational Measures
- Regular security training for personnel
- Data minimization and privacy by design principles
- Regular security audits and penetration testing
- Incident response and breach notification procedures
Data Breach Response
In case of a personal data breach:
- We will assess the breach within 24 hours
- Notify supervisory authorities within 72 hours if high risk
- Inform affected individuals without undue delay if high risk to rights
- Implement measures to mitigate adverse effects
- Document the breach and response measures
Children's Data Protection
Special protections apply to children's personal data under GDPR:
- Age Verification: We verify users are 16+ or have parental consent (lower ages where national law permits)
- Parental Rights: Parents can exercise rights on behalf of children under 16
- Enhanced Protection: Additional safeguards for data processing involving minors
- Consent Requirements: Parental consent required for data processing of children under 16
- Photo Restrictions: Extra care taken with photos involving minors
Sports Team Context: TeamKitX is designed for sports teams and may be used by minors under team supervision. Team administrators must ensure appropriate consents are obtained.
Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates GDPR.
EU Data Protection Authorities
- Your Local Authority: Contact the data protection authority in your EU member state
- Lead Authority: We cooperate with lead supervisory authorities under GDPR's one-stop-shop mechanism
- Complaint Process: You can file complaints online or by mail with relevant authorities
Contact Before Complaints
We encourage you to contact us first at privacy@teamkitx.com to resolve any data protection concerns. We are committed to working with you to address any issues promptly and effectively.
Updates to This Data Protection Notice
We may update this GDPR compliance document to reflect:
- Changes in applicable data protection laws
- Updates to our data processing activities
- New features or services that affect data processing
- Feedback from supervisory authorities or users
We will notify you of significant changes through:
- Email notifications to registered users
- In-app notifications highlighting key changes
- Updates posted on our website with change summaries