I. GENERAL PROVISIONS
This Privacy Policy describes the rules for processing personal data in connection with the use of the platform lapsly.com (hereinafter: "Platform") and the provision of Services by Fintech Analytics sp. z o.o. (hereinafter: "Service Provider").
This document is consistent with the provisions of the Platform Terms of Service, including the section on personal data protection and the use of AI tools.
With respect to data entered into the Platform by the Client (e.g., data of athletes, parents/guardians, coaches), the Client generally remains the Data Controller, and the Service Provider acts as a Processor based on the Data Processing Agreement (DPA) – in accordance with Art. 28 GDPR.
II. DATA CONTROLLER AND CONTACT
Data Controller:
Fintech Analytics sp. z o.o., ul. Grabiszyńska 251D, 53-234 Wrocław, KRS: 0001025699, NIP: 8943207457, REGON: 524783195.
Contact:
- privacy matters: privacy@lapsly.com
- technical matters and support: support@lapsly.com
- formal matters/complaints: complaints@lapsly.com
If the Client is the Data Controller for persons whose data is entered into the Platform (e.g., athletes, parents/guardians, coaches), the Client is responsible for fulfilling information obligations under Art. 13/14 GDPR towards those persons and for ensuring an appropriate legal basis.
III. SCOPE OF DATA AND SOURCES
1) Client Data (controller: Service Provider)
- identification and registration data (e.g., name, tax ID, address),
- contact data (e.g., email, phone),
- billing data (e.g., invoice information),
- account data (login, permissions, change history within the account).
2) User Data entered by the Client (controller: Client)
- identification and contact data (e.g., first name, last name, email – if entered),
- data related to training and sports activities (e.g., attendance, training sessions, sports results),
- technical metadata related to Platform usage (e.g., system event logs).
Prohibition of special category data
The Platform is not intended for processing special category data (Art. 9 GDPR), in particular health data, medical documentation, genetic/biometric data, or disability information.
IV. PURPOSES AND LEGAL BASES FOR PROCESSING
Processing purposes (examples):
- conclusion and performance of the Agreement and provision of Services (Art. 6(1)(b) GDPR),
- settlements and tax/accounting obligations (Art. 6(1)(c) GDPR),
- handling inquiries, complaints, and communication with the Client (Art. 6(1)(b) and (f) GDPR),
- ensuring Platform security, preventing abuse, technical logs (Art. 6(1)(f) GDPR),
- improving the Platform and its features (Art. 6(1)(f) GDPR),
- sending commercial information / newsletter – if available and if consent was given or based on a legally permissible basis.
With respect to data entrusted by the Client (e.g., athletes/parents/coaches), the legal basis for processing on the Client's side is in particular Art. 6 GDPR (depending on the role and purpose), and the Service Provider processes data as a Processor based on Art. 28 GDPR and the DPA.
V. CATEGORIES OF RECIPIENTS AND SUB-PROCESSORS
Data may be disclosed only to the extent necessary for the provision of Services, in particular to:
- hosting and IT infrastructure providers (e.g., servers, data storage, backups),
- providers of inquiry handling and communication tools,
- accounting and payment service providers – for settlements,
- subcontractors providing technical support/Platform maintenance,
- AI tool providers – if used within the Services (according to section VI).
Sub-processors (list)
| Name | Role/Service | Location | Transfer basis (if outside EEA) |
|---|---|---|---|
| DigitalOcean | Hosting / infrastructure | EEA / Netherlands | — |
| Resend | Communication / support | Outside EEA / USA | SCC |
| OpenAI | AI analysis within Services | Outside EEA / USA | SCC |
The list of service providers is updated on an ongoing basis.
VI. AI TOOLS AND DATA ANALYSIS
Within the provision of Services, data entered or provided by the Client may be used solely for analytical and statistical purposes and to support Platform functionality, including through the use of AI-based tools.
AI analysis:
- does not serve automated decision-making producing legal effects for natural persons,
- does not constitute profiling within the meaning of Art. 22 GDPR,
- is performed solely for data aggregation, trend detection, and supporting sports, organizational, and statistical analyses.
Minimization and limitation principles:
- we transmit to AI tools only data necessary for the given purpose,
- we apply pseudonymization/aggregation where possible,
- data is not used to train general AI models outside the scope of providing Services to the Client.
VII. TRANSFERS OUTSIDE EEA
If, as part of using sub-processors, data is transferred outside the European Economic Area (EEA), the Service Provider applies appropriate safeguards provided for in Chapter V GDPR, in particular Standard Contractual Clauses (SCC), and implements supplementary measures if required.
VIII. DATA RETENTION PERIOD
- Client data related to the Agreement – for the duration of the Agreement, then for the statute of limitations period,
- billing data – for the period required by law (e.g., tax and accounting regulations),
- data processed in security logs – for the period necessary to ensure security and pursue claims,
- entrusted data (Users) – according to the Agreement/DPA and Client decisions as Controller (including deletion after termination of Services, if provided).
IX. DATA SUBJECT RIGHTS
Data subjects have rights under GDPR, in particular: access to data, rectification, erasure, restriction of processing, data portability, objection, and the right to lodge a complaint with a supervisory authority.
Important:
If data was entered into the Platform by the Client (e.g., data of athletes/parents/coaches), the Client as Controller is the primary addressee of GDPR requests (Art. 15–22). The Service Provider as Processor supports the Client in accordance with the DPA.
X. SECURITY
The Service Provider applies technical and organizational measures adequate to the risks (Art. 32 GDPR), including access control mechanisms, transmission encryption, backups, and security monitoring.
The Client is obliged to maintain confidentiality of access data, properly grant permissions to Users, and use the Platform in accordance with the Terms of Service.
XI. COOKIES AND ANALYTICS
The Platform may use cookies and similar technologies to ensure Platform functionality, maintain sessions, improve security, and compile statistics.
- Essential cookies – necessary for Platform operation.
- Analytical cookies – help understand how the Platform is used (if used and if consent was given, where required).
Users can change cookie settings in their browser. If a cookie consent banner is active on the Platform, settings can also be changed from there.
XII. DATA IMPORT FROM PUBLIC PZP DATABASES
Upon first activation of an account for a sports club with an active PZP license, the system may retrieve from publicly available databases information about athletes assigned to the club and their sports results (within the scope of public data).
By activating an account, the Client declares that:
- they have the required legal basis for processing athlete data (Art. 6 GDPR),
- they have fulfilled information obligations towards data subjects (Art. 13/14 GDPR),
- they remain the Data Controller, and the Service Provider acts as Processor,
- no special category data (Art. 9 GDPR) is entered into the Platform, only public sports data.
XIII. PRIVACY POLICY CHANGES
The Service Provider may update the Privacy Policy, in particular in the event of changes in legislation, technological changes, or changes in the scope of sub-processors used (including AI tools). The current version of the document is published on the Platform.