GDPR Compliance Statement - Kappascore
Last Updated: 2025-12-01
1. Data Controller Information
Data Controller: Kappascore
Contact Email: [email protected]
Website: kappascore.com
2. Legal Basis for Processing
Kappascore processes personal data based on the following legal grounds under GDPR Article 6:
2.1. Legitimate Interests (Article 6(1)(f))
We process limited technical data based on our legitimate interests to:
- Ensure website security and prevent fraud
- Analyze website usage to improve our sports statistics service
- Provide and maintain our free information platform
- Prevent misuse of our services
2.2. Consent (Article 6(1)(a))
For non-essential cookies and certain data processing activities, we obtain explicit consent through our cookie banner.
2.3. Legal Obligation (Article 6(1)(c))
Where required by law, we process data to comply with legal obligations.
3. Data Processing Principles
We adhere to GDPR principles as outlined in Article 5:
- Lawfulness, fairness and transparency: We process data legally, fairly, and transparently
- Purpose limitation: We collect data for specified, explicit, and legitimate purposes
- Data minimization: We only collect data that is adequate, relevant, and limited to what is necessary
- Accuracy: We keep personal data accurate and up to date
- Storage limitation: We retain data only for as long as necessary
- Integrity and confidentiality: We process data securely to prevent unauthorized access or disclosure
- Accountability: We demonstrate compliance with GDPR principles
4. Data Subject Rights
Under GDPR, you have the following rights regarding your personal data:
4.1. Right of Access (Article 15)
You have the right to obtain confirmation as to whether we are processing your personal data and, if so, access to that data.
4.2. Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected.
4.3. Right to Erasure (Article 17)
You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes collected.
4.4. Right to Restriction of Processing (Article 18)
You have the right to restrict the processing of your personal data in specific situations.
4.5. Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
4.6. Right to Object (Article 21)
You have the right to object to the processing of your personal data based on legitimate interests.
4.7. Right to Withdraw Consent (Article 7)
Where we rely on consent for processing, you have the right to withdraw consent at any time.
5. Data Processing Activities
5.1. Data Collection
We collect the following categories of data:
- Technical Data: IP addresses (anonymized), browser type, device information
- Usage Data: Pages visited, time spent, referral sources
- Cookie Data: As described in our Cookie Policy
5.2. Data Sharing
We may share data with:
- Service Providers: Analytics providers, hosting services, security services
- Legal Authorities: When required by law or to protect our rights
We do not sell personal data to third parties.
5.3. Data Transfers
As a global sports statistics platform, data may be transferred to countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place through:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission
- Other approved transfer mechanisms
6. Data Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (SSL/TLS)
- Regular security assessments and updates
- Access controls and authentication mechanisms
- Data minimization and anonymization where possible
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Analytics Data: Up to 14 months
- Server Logs: Up to 30 days
- Cookie Data: As specified in our Cookie Policy
- Contact Information: Until deletion is requested
8. Data Protection Impact Assessment (DPIA)
We conduct DPIAs for processing activities that are likely to result in high risk to individuals' rights and freedoms, particularly when:
- Introducing new technologies
- Processing sensitive data on a large scale
- Systematically monitoring publicly accessible areas
9. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours (Article 33)
- Notify affected data subjects without undue delay when the breach is likely to result in high risk to their rights and freedoms (Article 34)
- Document all data breaches, including their effects and remedial actions taken
10. International Operations
If Kappascore establishes operations in multiple EU member states, we will:
- Designate a lead supervisory authority as our main regulator in the EU
- Comply with the one-stop-shop mechanism for cross-border processing
- Appoint representatives in the EU if required under Article 27
11. Children's Data
Kappascore is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information.
12. Automated Decision-Making
We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.
13. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates the GDPR. The supervisory authority in your jurisdiction can be found through the European Data Protection Board website.
14. Contact Information for GDPR Matters
For all GDPR-related inquiries, including exercising your data subject rights:
Email: [email protected] (if a DPO is appointed)
Alternative Contact: [email protected]
Response Time: We will respond to all requests within one month, as required by GDPR Article 12
15. Record of Processing Activities
We maintain a record of processing activities as required by GDPR Article 30, which includes:
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients
- Transfers to third countries
- Retention periods
- Security measures
16. Updates to This Statement
We may update this GDPR Compliance Statement periodically to reflect changes in our processing activities or legal requirements. We will notify users of significant changes through our website.
17. Related Documentation
This statement should be read in conjunction with our:
Note: This GDPR Compliance Statement applies to our processing of personal data of individuals in the European Union, European Economic Area, and United Kingdom.