KUDO COACH PRIVACY POLICY
Last Updated: May 1, 2025
1. INTRODUCTION
Kudo Coach ("we," "us," or "our") is committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, website, and services.
This policy complies with the Protection of Personal Information Act (POPIA) of South Africa and the General Data Protection Regulation (GDPR) of the European Union, as well as other applicable data protection laws.
2. INFORMATION WE COLLECT
2.1 Personal Information
We may collect the following personal information:
- Account Information: Name, email address, password, and profile picture
- Profile Information: Date of birth, weight, height, coaching name (for coaches)
- Contact Information: Phone number, country code
- Platform Connection Information: Credentials and access tokens for connected platforms (Strava, Training Peaks, Garmin, etc.)
- Coach-Athlete Relationship Information: Information about your coaching relationships
- Payment Information: Payment details for subscription services
- Activity Data: Workout metrics, performance data, health and weight data and statistics imported from connected platforms
- Device Information: Device type, operating system, and browser information
2.2 Automatically Collected Information
We automatically collect certain information when you visit, use, or navigate our platform:
- Usage Data: Information about how you use our platform, including clicks, pages visited, features used, and time spent
- Technical Data: IP address, browser type and version, time zone setting, operating system, and device information
- Cookies and Similar Technologies: Information collected through cookies and similar tracking technologies (see our Cookie Policy section)
3. HOW WE COLLECT YOUR INFORMATION
We collect information through:
- Direct Interactions: When you create an account, update your profile, connect with a coach or athlete, or contact us
- Automated Technologies: Through cookies, server logs, and similar technologies
- Third-Party Platforms: When you connect your Strava, Training Peaks, Garmin, or other accounts to our platform
- API Integrations: When we retrieve your activity data from connected platforms via their APIs
4. HOW WE USE YOUR INFORMATION
4.1 Providing and Improving Our Services
- Delivering personalized training analysis and feedback
- Facilitating coach-athlete relationships and communications
- Generating personalized workout names (Digital Validation Experiment feature)
- Operating, maintaining, and improving our platform and services
4.2 Communications
- Sending you notifications about your activities, analyses, and platform updates
- Delivering activity analyses via your selected channels (email, Telegram, WhatsApp)
- Providing customer support and responding to inquiries
4.3 Research and Analytics
- Analyzing usage patterns to improve our services
- Developing new features and functionalities
- Evaluating the effectiveness of our platform and services
4.4 Legal and Security
- Detecting and preventing fraud, unauthorized access, and other harmful activity
- Complying with legal obligations and enforcing our terms
- Resolving disputes and addressing legal claims
5. LAWFUL BASIS FOR PROCESSING
We process your personal information based on the following legal grounds:
- Contract: Processing necessary for the performance of our contract with you
- Consent: Processing based on your explicit consent
- Legitimate Interests: Processing necessary for our legitimate interests, such as improving our services, provided these interests are not overridden by your rights
- Legal Obligation: Processing necessary to comply with legal obligations
6. DATA SHARING AND DISCLOSURE
We may share your information with the following categories of recipients:
6.1 Service Providers
We share information with third-party service providers who help us operate, deliver, and improve our services, including:
- Cloud hosting and infrastructure providers
- Payment processors
- Communication and notification service providers
- Analytics and data processing providers
6.2 Connected Platforms
When you connect your accounts, we exchange information with third-party platforms (Strava, Training Peaks, Garmin, etc.) according to their APIs and your authorization.
6.3 Coaches and Athletes
Coaches have access to activity data and information for their connected athletes. Athletes can see which coaches have access to their information.
6.4 Legal Requirements
We may disclose information if required by law, regulation, legal process, or governmental request.
7. INTERNATIONAL DATA TRANSFERS
We may transfer, store, and process your information in countries other than your own. When we transfer personal information outside of South Africa or the European Economic Area, we implement appropriate safeguards in accordance with POPIA and GDPR requirements, including:
- Standard contractual clauses approved by the European Commission
- Data processing agreements with third-party service providers
- Only transferring data to countries with adequate data protection laws or organizations with appropriate safeguards
8. DATA RETENTION
We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
When determining retention periods, we consider:
- The amount, nature, and sensitivity of the personal information
- The potential risk of harm from unauthorized use or disclosure
- The purposes for which we process the information and whether we can achieve those purposes through other means
- Applicable legal, regulatory, tax, accounting, or other requirements
9. YOUR PRIVACY RIGHTS
Depending on your location, you may have certain rights regarding your personal information:
9.1 POPIA Rights (South Africa)
- Right to Access: Request access to your personal information
- Right to Correction: Request correction of inaccurate or incomplete information
- Right to Deletion: Request deletion of your personal information
- Right to Object: Object to processing of your personal information
- Right to Withdraw Consent: Withdraw consent for processing where consent is the basis for processing
- Right to Complain: Lodge a complaint with the Information Regulator
9.2 GDPR Rights (European Union)
- Right to Access: Access and receive a copy of your personal information
- Right to Rectification: Correct inaccurate or incomplete information
- Right to Erasure: Request deletion of your personal information
- Right to Restrict Processing: Request restriction of processing of your personal information
- Right to Data Portability: Receive your personal information in a structured, commonly used format
- Right to Object: Object to processing of your personal information
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on your consent
- Right to Complain: Lodge a complaint with a supervisory authority
9.3 How to Exercise Your Rights
To exercise your rights, please contact us using the information provided in the "Contact Us" section below. We will respond to your request within the timeframe required by applicable law (typically 30 days). We may need to verify your identity before fulfilling your request.
10. DATA SECURITY
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encryption of data in transit and at rest
- Regular security assessments and vulnerability scanning
- Access controls and authentication requirements
- Security monitoring and incident response procedures
- Regular staff training on data protection and security
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.
11. CHILDREN'S PRIVACY
Our platform is not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us, and we will take steps to delete such information.
12. COOKIES AND TRACKING TECHNOLOGIES
We use cookies and similar tracking technologies to collect and store information when you use our platform. Cookies are small files placed on your device that enable us to recognize your browser and remember certain information.
12.1 Types of Cookies We Use
- Essential Cookies: Required for the operation of our platform
- Functional Cookies: Enable personalized features and remember your preferences
- Analytics Cookies: Help us understand how you use our platform
- Marketing Cookies: Used to deliver relevant advertisements and track marketing campaign performance
12.2 Your Cookie Choices
Most web browsers allow you to control cookies through their settings. You can:
- Accept or reject all cookies
- Accept only certain types of cookies
- Be notified when you receive a cookie and decide whether to accept it
However, refusing cookies may prevent you from using certain features of our platform.
13. THIRD-PARTY LINKS AND SERVICES
Our platform may contain links to third-party websites, applications, or services that are not operated by us. When you click on these links, you may be directed to third-party sites over which we have no control. We recommend reviewing the privacy policies of these third-party sites, as their privacy practices may differ from ours.
14. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the updated policy on our platform and updating the "Last Updated" date. We encourage you to review this policy periodically to stay informed about how we protect your information.
16. SPECIFIC PROVISIONS FOR SOUTH AFRICAN USERS (POPIA)
As required by the Protection of Personal Information Act (POPIA) of South Africa, we provide the following additional information:
16.1 Information Officer
We have appointed an Information Officer responsible for ensuring our compliance with POPIA.
16.2 Cross-Border Transfers
We may transfer your personal information to recipients outside South Africa. When we do so, we ensure that:
- The recipient is subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection
- You consent to the transfer
- The transfer is necessary for the performance of a contract between you and us
- The transfer is necessary for the conclusion or performance of a contract concluded in your interest
16.3 Security Compromise Notifications
In the event of a security compromise involving your personal information, we will notify you and the Information Regulator as required by POPIA.
16.4 Direct Marketing
We will only send you direct marketing communications with your consent. Each communication will include an option to opt out of future marketing.
17. SPECIFIC PROVISIONS FOR EUROPEAN USERS (GDPR)
17.1 Data Controller
For the purposes of the GDPR, Kudo Coach is the data controller responsible for your personal information.
17.2 Data Protection Officer
We have appointed a Data Protection Officer who can be contacted at dpo@kudocoach.com.
17.3 Automated Decision-Making
We may use automated decision-making, including profiling, to analyze your activities and provide personalized training insights. You have the right to object to such processing, request human intervention, express your point of view, and contest decisions based solely on automated processing.
17.4 Complaints
If you are in the European Economic Area and believe that our processing of your personal information infringes data protection laws, you have the right to lodge a complaint with a supervisory authority in the country where you live or work, or where you believe the infringement occurred.