Privacy Policy

PRIVACY POLICY

Information on the processing of personal data pursuant to Article 13 of Regulation (EU) 2016/679 (GDPR) and Legislative Decree No. 196/2003, as amended.

1. Data Controller

   The controller of your personal data is:

   KITE HABITS S.S.D. a R.L.
   (Società Sportiva Dilettantistica a Responsabilità Limitata)

   Registered office:
   Contrada Giunchi n. 211, 91025 Marsala (TP), Italy

   VAT No. / Tax Code: 02949870816
   Recipient Code (SDI): M5UXCR1

   Data protection e-mail: privacy@kite-habits.pl
   Website: https://kite-habits.pl/

   Registered in the Companies Register of the Chamber of Commerce of Trapani under no. TP - 208668

   Affiliated with OPES Italia, registered in the RASD (Register of Amateur Sports Activities)

   The Controller has not appointed a Data Protection Officer (DPO), as the scope and nature of processing do not require it under Article 37 GDPR.

   All requests regarding personal data protection should be sent to the e-mail address indicated above.

2. Scope of this Policy

   This Privacy Policy applies to:

   • visitors of the website https://kite-habits.pl/ (hereinafter: “Users”),
   • persons booking the Company’s services (hereinafter: “Clients”),
   • participants in lessons, courses, and equipment rentals (hereinafter: “Participants”),
   • persons registered under OPES membership (hereinafter: “Members”),
   • parents/legal guardians of minors using the Company’s services,
   • customers of the Company’s bar,
   • newsletter subscribers.
3. Data collected and methods of collection
   1. Data provided directly by you
      1. Identification data — name, surname, date and place of birth, nationality, identity document number, PESEL / codice fiscale

         Source: Participant Card, booking form

      2. Contact data — address, phone number, e-mail

         Source: Participant Card, booking form, e-mail, WhatsApp, phone

      3. Emergency contact data — name, surname, phone number

         Source: Participant Card

      4. Health data (Article 9 GDPR) — information on health status, allergies, medications, physical limitations, pregnancy — only to the extent necessary to assess fitness to participate in sports activities

         Source: Participant Card, separate consent form

      5. Membership data — data required by OPES Italia (name, surname, date of birth, PESEL/codice fiscale, address)

         Source: Participant Card

      6. Image data — photos, video recordings — only with separate consent

         Source: image consent form

      7. Marketing data — source of how the Client learned about the Company (optional)

         Source: Participant Card

      8. Newsletter data — e-mail, name (optional)

         Source: newsletter form (MailerLite platform)

      9. Bar transaction data — sales data, receipts, invoice data

         Processed via Cassa in Cloud (TeamSystem S.p.A.)

      10. Sports management data — data processed via Sportive in Cloud (TeamSystem S.p.A.) for membership and course management
   2. Data collected automatically
      1. Navigation data — IP address, browser type, OS, visited pages, session time, traffic source (SEOHOST logs)
      2. Analytical data — cookies, behaviour, aggregated demographics (Google Analytics — with consent)
      3. Advertising data — advertising cookies, interactions, conversions (Meta Pixel — with consent)
      4. Indexing data — search visibility and queries (Google Search Console)

         Detailed cookie information is available in the Cookies Policy.

   3. Communication channels Bookings and inquiries may be submitted via: Each booking requires manual confirmation by the Company.
      • booking form (hosted by SEOHOST),
      • e-mail (Titan Mail / Hostinger),
      • WhatsApp (Meta infrastructure — see section 7),
      • telephone.

      Each booking requires manual confirmation by the Company.

4. Purposes and legal bases of processing

   Purpose A — Contract performance
   Legal basis: Article 6(1)(b) GDPR

   Purpose B — OPES membership
   Legal basis: Article 6(1)(b) + (c) GDPR

   Purpose C — Legal obligations
   Legal basis: Article 6(1)(c) GDPR

   Purpose D — Health & safety assessment
   Legal basis: Article 9(2)(a) GDPR (consent)

   Purpose E — Emergency contact
   Legal basis: Article 6(1)(d) GDPR

   Purpose F — Marketing
   Legal basis: Article 6(1)(a) GDPR (consent)

   Purpose G — Image use
   Legal basis: Article 6(1)(a) GDPR

   Purpose H — Website analytics
   Legal basis: Article 6(1)(a) GDPR

   Purpose I — Legal defence / legitimate interest
   Legal basis: Article 6(1)(f) GDPR

   Purpose J — Bar operations
   Legal basis: Article 6(1)(b) and (c) GDPR

   Consent (purposes D, F, G, H) is voluntary and may be withdrawn at any time without affecting prior lawful processing.

5. Data recipients

   Personal data may be shared with:

   • OPES Italia / OPES Latina — independent controller
   • SEOHOST — hosting provider (processor)
   • Hostinger / Titan Mail — e-mail services
   • Google Ireland Ltd — analytics
   • Meta Platforms Ireland Ltd — advertising
   • WhatsApp (Meta Platforms Inc.) — communication
   • legal and tax advisors
   • insurance companies
   • public authorities
   • MailerLite — newsletter services
   • TeamSystem S.p.A. — cloud systems

   The Company does not sell personal data.

6. Booking system

   The website uses a proprietary booking system (not external tools like Calendly).

   Data is hosted on SEOHOST (EU) and transmitted to the Company’s e-mail.

   The system does not store sensitive data. The database is encrypted.

7. Data transfers outside the EEA

   Data may be transferred to the USA via:

   • Google (Analytics, Search Console)
   • Meta (Pixel, WhatsApp)
   • MailerLite (AWS infrastructure)

   Legal basis: EU–US Data Privacy Framework (DPF) + SCC if required.

   WhatsApp contact is initiated voluntarily by the Client.

8. Data retention periods
   • Contract data: 10 years
   • OPES membership: per regulations
   • Tax data: 10 years
   • Health data: duration of service + up to 10 years
   • Emergency data: duration of service
   • Marketing: until consent withdrawal
   • Image: until consent withdrawal
   • Cookies: up to 24 months
   • Legal defence: up to 10 years
   • Bar transactions: 10 years
9. Data subject rights

   You have the right to:

   • access (Art. 15)
   • rectification (Art. 16)
   • erasure (Art. 17)
   • restriction (Art. 18)
   • portability (Art. 20)
   • objection (Art. 21)
   • withdraw consent
   • not be subject to automated decision-making

   Requests:
   📧 biuro@kite-habits.pl

   Response: within 30 days.

   Right to lodge a complaint

   Garante per la protezione dei dati personali (Italy)
   www.garanteprivacy.it

   or Polish authority (UODO).

10. Data security

    The Company applies appropriate technical and organisational measures, including:

    • database encryption
    • restricted access
    • system updates
    • secure email (Titan Mail)
    • physical security
    • secure cloud systems (TeamSystem, MailerLite)
11. Minors

    Services for minors require parental consent.

    Data of minors under 16 without consent will be deleted immediately.

12. Changes to this Policy

    The Company may update this Policy.

    The current version is always available on the website.

13. Related documents
    • Cookies Policy — https://kite-habits.pl/en/cookies-policy/
    • General Terms — https://kite-habits.pl/en/general-terms-and-conditions-of-services/
    • Legal Information — https://kite-habits.pl/en/legal-information/
    • Health data consent form
    • Image consent form
14. Contact

    privacy@kite-habits.pl

    KITE HABITS S.S.D. a R.L.
    Contrada Giunchi n. 211
    91025 Marsala (TP), Italy

    This Privacy Policy enters into force on 01.03.2026.