This Privacy Policy explains how Kisscloud S.A.S. processes personal data through ASD in Cloud, the cloud management platform for sports associations, sports companies and sports organizations, including related modules, portals, public pages, restricted areas, applications, features and connected services.
ASD in Cloud is the name of the application. The legal entity providing the service is Kisscloud S.A.S., with registered office at Corso Ercole I d'Este, 4/9, 44121 Ferrara, Italy, VAT and Tax Code 01895650388, contactable at support@asdincloud.it.
This notice distinguishes processing activities where Kisscloud acts as an independent controller from those where Kisscloud processes data on behalf of customers, usually sports associations or sports companies, as processor.
1. Preliminary Note: Controller and Processor
In the ordinary use of the platform, the customer that enters, imports, collects or manages data relating to athletes, members, registered participants, parents, guardians, staff, collaborators, coaches, suppliers or other data subjects normally remains the data controller. The customer determines purposes, legal bases, retention periods, privacy notices, consents and authorizations relating to such data.
In these cases Kisscloud processes data on behalf of the customer, under documented instructions and within the limits necessary to provide ASD in Cloud, ensure security, maintenance, technical support, continuity, backups and requested features. For such processing activities, Kisscloud acts as processor under Article 28 GDPR.
Kisscloud acts as an independent controller when it processes data for its own purposes, such as contract management, billing, account administration, support, platform security, service communications, direct marketing where permitted and compliance with legal obligations.
End users linked to a club, such as athletes, parents or staff, should first contact their club or organization to receive detailed information on purposes, legal bases and retention periods for data entered by that club on ASD in Cloud.
2. Controller and Contact Details
The data controller for the own purposes described in this Privacy Policy is Kisscloud S.A.S., with registered office at Corso Ercole I d'Este, 4/9, 44121 Ferrara, Italy, VAT and Tax Code 01895650388.
For personal data protection requests, exercise of rights, questions about this policy or privacy communications, you may write to support@asdincloud.it and include 'Privacy' in the subject line.
As of the last updated date of this Privacy Policy, Kisscloud has not appointed a Data Protection Officer (DPO) under Articles 37 et seq. GDPR. Privacy communications may be sent to the address indicated above. If the appointment becomes mandatory or Kisscloud decides to appoint a DPO voluntarily, the relevant contact details will be published and notified as required by law.
If a request concerns data managed by a specific customer sports association or sports company, Kisscloud may invite the data subject to contact that organization directly or forward the request to the customer, where appropriate and permitted.
3. Categories of Data Subjects
The platform may involve processing data relating to different categories of persons, depending on the features enabled by the customer and the user's role.
- contacts, administrators, directors and representatives of customers or potential customers;
- users authorized by the customer, including staff, coaches, collaborators, office personnel, volunteers and advisors;
- members, registered participants, athletes, course participants, parents, guardians and persons exercising parental responsibility;
- suppliers, professionals, sponsors or other persons entered by the customer into the platform;
- website visitors, users of public forms, persons requesting information, support or demos;
- recipients of communications, notifications, campaigns or messages sent through the platform.
4. Personal Data Processed
The categories of data processed vary depending on the data subject's role, the purchased plan, customer configurations and the features used.
- identification and contact data, such as name, surname, email, phone number, address, tax code, date and place of birth;
- account and authentication data, such as credentials, user identifiers, tenant, roles, permissions, account status and access logs;
- data relating to clubs, associations and organizations, such as name, registered office, contacts, sports practiced, sports season, number of members, settings and preferences;
- sports and organizational data, such as teams, groups, categories, attendance, absences, calendars, events, registrations, pre-registrations, roles and communications;
- administrative and accounting data, such as fees, payments, deadlines, receipts, invoices, reports, billing data and bank or payment references where necessary;
- documents, files, forms, attachments, images, certifications, templates, communications and content uploaded or generated through the platform;
- health data or special categories of personal data, such as medical certificates, sports fitness, health deadlines or equivalent information, when the customer decides to manage them on the platform;
- technical data, such as IP address, user agent, session identifiers, application logs, security logs, language preferences, technical cookies and usage data;
- data included in support requests, reports, emails, chats, demos, contact forms or commercial communications.
5. Purposes, Legal Bases and Retention as Controller
Where Kisscloud acts as an independent controller, it processes personal data for the purposes listed in the table below. Retention periods are determined according to necessity, proportionality, accountability and legal obligations.
| Purpose | Legal basis | Data | Retention |
|---|---|---|---|
| Responding to contact requests, information requests, quotes, demos or pre-contractual support. | Pre-contractual measures requested by the data subject; legitimate interest in managing commercial relationships. | Name, surname, role, organization, email, phone number, content of the request. | For the time necessary to handle the request and, where relevant, for compatible follow-up commercial contacts or until objection. |
| Creating, administering and managing customer accounts, tenants, roles, permissions and onboarding. | Performance of a contract or pre-contractual measures; legitimate interest in proper service management. | Account data, contact data, organization data, configurations, preferences, essential logs. | For the duration of the relationship and thereafter within the limits necessary for legal obligations, defense of rights and security. |
| Providing the service, maintaining the platform, providing support, diagnosing anomalies and improving features. | Performance of a contract; legitimate interest in ensuring quality, security and service continuity. | Usage data, technical logs, tickets, support emails, screenshots or data shared by the user in the request. | For the time necessary to manage the service and support; technical logs are kept for periods proportionate to security needs. |
| Managing billing, accounting, payments, orders, renewals, debt collection and tax obligations. | Performance of a contract; legal obligations; legitimate interest in credit protection. | Identification and tax data, addresses, billing data, orders, payments, accounting documents. Payments due to Kisscloud may be handled through Stripe. | For the periods required by applicable civil, tax and accounting law, normally up to 10 years where required. |
| Sending service communications, technical notices, security alerts, contractual deadlines, document changes or relevant updates. | Performance of a contract; legal obligations; legitimate interest in properly informing users. | Contact details, role, organization, content of communications. | For the duration of the relationship and for the time necessary to document relevant communications. |
| Sending commercial communications about similar Kisscloud products or services, newsletters or informational content, where permitted. | Consent where required; legitimate interest or soft spam within the limits allowed by applicable law; right to object always guaranteed. | Name, email, organization, preferences, essential interaction history. | Until consent is withdrawn or objection is made; in any case for periods proportionate to the commercial relationship. |
| Protecting infrastructure, accounts, data, networks and services, preventing abuse, fraud, unauthorized access or breaches. | Legitimate interest in security; legal obligations where applicable. | IP, user agent, access logs, application logs, security events, technical identifiers. | For periods proportionate to security, investigation and defense needs; longer in case of incidents, abuse or disputes. |
| Establishing, exercising or defending rights in judicial, out-of-court or administrative proceedings. | Legitimate interest; legal obligations; establishment, exercise or defense of legal claims. | Data necessary in relation to the specific dispute, request, audit or proceeding. | For the time necessary to manage the matter and according to applicable limitation periods. |
6. Processing on Behalf of Customers
When the customer uses ASD in Cloud to manage profiles, registrations, documents, fees, attendance, communications, medical certificates, deadlines, portals or other information relating to its own data subjects, Kisscloud does not independently determine the main purposes of those processing activities.
In such cases the customer is the controller and must provide data subjects with its own privacy notice, identify suitable legal bases, collect any required consents, manage authorizations for minors, define retention periods and verify that the processed data are relevant and proportionate.
Kisscloud processes such data as processor, according to the contract, any Data Processing Agreement, the customer's documented instructions and applicable law. Kisscloud may access customer data only where necessary to provide the service, deliver support, solve technical issues, prevent abuse, comply with legal obligations or upon customer request.
7. Children's Data and Parental Responsibility
ASD in Cloud is often used in sports and association contexts, where children's data may be processed. When such data are entered or collected by the customer, the customer remains responsible for informing parents, guardians or persons exercising parental responsibility and for obtaining consents or authorizations where required.
Kisscloud does not knowingly ask children to autonomously enter into a contractual relationship with Kisscloud. Any accounts or access for children must be enabled and managed by the customer according to applicable law and its internal procedures.
8. Health Data and Special Categories
The platform may allow the management of medical certificates, sports fitness, health deadlines or other data that may fall within special categories of personal data under Article 9 GDPR.
When such data are uploaded or managed by the customer, the customer must verify the existence of an appropriate lawful condition, limit data to what is strictly necessary, define consistent permissions and adopt suitable notices and procedures.
Kisscloud processes such data as processor, except in exceptional cases where they are communicated directly to Kisscloud for support or legal obligations; in such cases processing is limited to what is strictly necessary.
9. Communications, Notifications and Campaigns
The platform may allow the customer to send emails, notifications, reminders, notices, organizational communications or campaigns to users, families, staff or other recipients.
When the customer decides recipients, content and purposes of communications, the customer is the controller and is responsible for the lawfulness of the sending, including consents, notices, legal bases, objections, exclusion lists and accuracy of contact details.
Kisscloud may process the data necessary for delivery, technical tracking, security, error handling, logs and support, according to the privacy role applicable to the specific communication.
10. Recipients and Providers
Data may be disclosed or made accessible to persons authorized by Kisscloud, within the limits of their duties, and to providers or technical partners necessary to deliver the platform.
Categories of recipients may include cloud hosting and infrastructure providers, authentication, security, monitoring, backup, storage, email and notification providers, customer support tools, administrative tools, payment and billing providers, professional advisors and public authorities where required by law.
As of the last updated date of this Privacy Policy, Kisscloud uses DigitalOcean for the main cloud infrastructure in Europe, Amazon Web Services SES for email delivery, Brevo for SMS delivery and Stripe for managing payments due by customers to Kisscloud.
If and when features allowing customers to collect payments from families, athletes or other end users through their own Stripe, Satispay or other payment service provider accounts are enabled, those providers may process personal data according to their own roles, privacy notices and terms. The customer enabling those integrations remains responsible for choosing the provider, configuring it and providing appropriate information to its own end users.
Providers that process personal data on behalf of Kisscloud are appointed as processors or sub-processors where required by the GDPR and receive only the data necessary to perform the entrusted activities.
The updated list of main sub-processors may be requested by writing to support@asdincloud.it.
11. Infrastructure, Location and Transfers
The main infrastructure of ASD in Cloud is hosted on DigitalOcean servers located in Europe. This choice is consistent with the objective of keeping the main processing of data within the European Union or European Economic Area.
Some technical providers, integrated services or support tools may involve access or processing from countries other than Italy or the European Union. In such cases Kisscloud adopts, where necessary, appropriate safeguards under Articles 44 et seq. GDPR, such as adequacy decisions, standard contractual clauses, supplementary measures or other bases provided by law.
Further information on relevant providers may be requested by writing to support@asdincloud.it, it being understood that certain technical details may be communicated in aggregate or limited form for security reasons.
12. Security
Kisscloud adopts technical and organizational measures appropriate to the risk, taking into account the state of the art, implementation costs, the nature of the data and the purposes of processing.
Measures may include access controls, authentication, roles and permissions, encrypted HTTPS connections, security logs, tenant isolation, backups, monitoring, updates, incident management procedures and limitation of internal access on a need-to-know basis.
No IT system can guarantee absolute security. Users and customers must protect credentials, devices, configurations, roles and permissions, and promptly notify Kisscloud of any unauthorized access or suspected breaches.
13. Retention and Deletion
Data processed by Kisscloud as controller are retained for the time necessary for the purposes for which they were collected, to comply with legal obligations, document relevant activities, ensure security or protect rights.
Data processed on behalf of customers are retained according to the customer's instructions, the contract, any Data Processing Agreement, platform settings and technical backup and security procedures.
Kisscloud performs daily backups of the infrastructure and data necessary for service continuity. Backup copies may retain data for a limited period even after deletion from the active environment, until natural overwriting or deletion according to applicable technical procedures.
Upon termination of the relationship, the customer must export or request the necessary data within the agreed or technically available time limits. After that period, Kisscloud may delete, anonymize or retain data only within the limits necessary for legal obligations, backups, security, disputes or accountability.
Data deletion requests handled directly by Kisscloud are fulfilled within 24 hours of receipt, except where certain data must be retained for legal obligations, security, abuse prevention, establishment, exercise or defense of legal claims, or where the request must be handled by the customer as controller.
14. Data Subject Rights
Where Kisscloud acts as controller, the data subject may exercise, within the limits provided by the GDPR, the rights of access, rectification, erasure, restriction, objection, portability, withdrawal of consent and the right not to be subject to decisions based solely on automated processing, where applicable.
Requests may be sent to support@asdincloud.it. Kisscloud responds within the time limits provided by law, normally within one month of receipt, subject to permitted extensions in case of complexity or a high number of requests.
Where the request concerns data processed on behalf of a customer, Kisscloud may direct the data subject to the controller customer or assist the customer in handling the request, as provided by the contract and the GDPR.
15. Complaint to the Supervisory Authority
The data subject has the right to lodge a complaint with the competent supervisory authority. In Italy, the competent authority is the Italian Data Protection Authority, Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Rome, website www.garanteprivacy.it.
The data subject may also contact the authority of the EU country where they habitually reside, work or believe the infringement occurred.
16. Cookies and Similar Technologies
The website and platform may use technical cookies, session identifiers, language preferences and similar technologies necessary for operation, security, authentication and storage of preferences requested by the user.
Any non-essential analytics, measurement or marketing cookies will be used, where present, according to applicable law and, where required, subject to consent. More specific information may be made available in a dedicated Cookie Policy or in the consent management banner.
17. Automated Decision-Making
For the purposes described in this Privacy Policy, Kisscloud does not use decision-making processes based solely on automated processing that produce legal effects concerning the data subject or similarly significantly affect them.
The platform may include technical automations, notifications, deadlines, filters, reports, calculations or document generation configured by the customer. These features support operational management and remain under the responsibility of the customer that decides how to use them.
18. Changes to this Privacy Policy
Kisscloud may update this Privacy Policy to reflect legal, technical, organizational or functional changes to the platform. The updated version will be published on this page with the last updated date.
In case of material changes, Kisscloud may provide notice through reasonable means, such as the platform, email or website notices.
19. Language Version
This Privacy Policy is available in Italian and English. In case of conflict or interpretative divergence between versions, the Italian version prevails, unless otherwise required by mandatory law or agreed in writing.