Klubio — Privacy Policy
Version: v1.9 · Effective date: 11 January 2026 · Language: published in Estonian and English; where the versions diverge, the Estonian version controls.
1. Who we are
"Klubio" is a trademark (Trademark proof in Class 042, 009, 041 across the European Union) of Klubio LLC (Wyoming, USA), used under licence; Klubio LLC does not operate the platform or process your personal data. This Privacy Policy explains how Qbit Software OÜ ("Klubio", "we", "us") processes personal data in connection with the Klubio platform (klubio.eu and related services).
Qbit Software OÜ, registry code 17099698, Heki tee 3, 74001 Harjumaa, Estonia. Email: info@klubio.eu.
We have not appointed a Data Protection Officer (no statutory obligation at our current scale). Privacy queries go to info@klubio.eu.
2. Two roles — please read this first
Klubio plays two distinct roles, and which one applies determines who is responsible for your data:
Klubio as controller — for data we use to operate the platform itself: a Club's account and billing data, security and access logs, customer support, marketing communications, and aggregate statistics. We decide the purposes and means of this processing.
Klubio as processor for a Club — for the member, attendance, communication, billing, and (where enabled) medical data that a club collects from its members through Klubio. The Club is the controller of that data; we process it on the Club's instructions under a Data Processing Agreement.
If you are a member, athlete, guardian, coach, or staff member of a club, that club controls your data on the platform. For access, correction, or deletion of that data, contact your club first; we will assist as processor.
3. What personal data we process
The categories below cover both roles. Not every category applies to every person.
Account and profile data — name, email, phone, date of birth, national identification number (where a club uses it for membership records), profile photo, preferred language, role. For Clubs: organisation name, registry code, billing and bank details, authorised staff contacts.
Membership and participation data — group/team membership, attendance, training records, RSVPs, applications.
Guardian and contact data — guardian and emergency-contact names and contacts, relationship, pickup and notification permissions.
Financial and transaction data — invoices, payments, billing adjustments; payment status and partial card metadata returned by the Payment Processor (we never store full card numbers or CVCs).
Contract and consent data — agreements and forms signed, signatory name and email, and the IP address and timestamp of a signature.
Communications data — emails sent and received through the platform, in-app notifications, and notification preferences.
Technical and usage data — IP address, browser/device type, timestamps, and pages accessed, used for security and debugging.
Marketing preferences — opt-in/opt-out status for marketing emails.
Special-category (health) data — only where a Club enables the medical features — allergies, medical comments, medical check-up dates, injuries and diagnoses, anatomical injury location, return-to-play/availability status, medical test results, and injury-related attachments. See §7.
4. Why we use your data and on what legal basis
Where Klubio is the controller, we rely on the legal basis stated after each purpose below (GDPR Article 6).
Create and operate Club accounts — uses account data. Performance of a contract (Art. 6(1)(b)).
Invoice and collect Subscription and Platform Fees; collect member payments on a Club's behalf — uses account and transaction data. Contract (Art. 6(1)(b)); for accounting records, legal obligation (Art. 6(1)(c)).
Send transactional emails (invoices, training updates, account emails) — uses account and communications data. Contract (Art. 6(1)(b)).
Customer support — uses categories as needed. Contract (Art. 6(1)(b)) and legitimate interest in providing support (Art. 6(1)(f)).
Security, fraud prevention, and abuse detection — uses account and usage/technical data. Legitimate interest in protecting the platform and its users (Art. 6(1)(f)).
Improve the service (diagnostics, aggregate statistics) — uses usage/technical data. Legitimate interest (Art. 6(1)(f)).
Marketing emails to existing customers — uses email address and marketing preferences. Legitimate interest under the "soft opt-in" (Estonian Electronic Communications Act §103¹) and Art. 6(1)(f); every marketing email has a one-click unsubscribe.
Comply with legal obligations (accounting, tax, lawful requests). Legal obligation (Art. 6(1)(c)).
Establish or defend legal claims; business sale or restructuring (§14). Legitimate interest (Art. 6(1)(f)).
Where Klubio is a processor, the legal basis for processing member data is determined by the Club as controller. We do not use member data for our own purposes, do not sell personal data, and do not carry out automated decision-making that produces legal or similarly significant effects.
5. Who we share data with
Clubs and other members. If you are a member of a club, that club's authorised administrators and coaches can see the data their permissions allow; your name and profile photo are visible to other members of the same group, and you can control the visibility of your email and phone.
Sub-processors who help us run the platform (each bound by a written data-processing agreement). The current list is published on our Sub-processors page and includes:
DigitalOcean, LLC — cloud hosting, database, and file storage. Location: Amsterdam, Netherlands (EEA).
Postmark (operated by ActiveCampaign / Wildbit, LLC) — transactional email delivery. Location: United States — see §6.
Maksekeskus AS — online payment processing. Location: Estonia (EEA).
Merit Aktiva (Merit Tarkvara OÜ) or Excellent Books — accounting sync, only where a club enables an accounting integration. Location: Estonia (EEA).
We will update the list before adding a new sub-processor that handles personal data on our behalf.
Public authorities and advisers. Where required by law (court order, lawful request) or to obtain legal advice, the minimum necessary data may be disclosed.
Successor of the business. See §14. We do not otherwise sell or rent personal data.
6. International transfers
We process personal data within the European Economic Area wherever practicable. Our transactional-email provider Postmark operates from the United States; we transfer the minimum data needed to deliver emails (recipient address, name, message content) under the EU Standard Contractual Clauses and supplementary measures required after Schrems II, and/or the EU-US Data Privacy Framework where the provider participates. You can request a copy of the relevant safeguards from info@klubio.eu.
7. Special-category (health) data
Where a club uses Klubio's medical and injury features, the platform processes health data — a special category under Article 9 GDPR. The club is the controller and is responsible for establishing a valid Article 9 condition (typically the explicit consent of the member or their guardian) before such data is entered. We protect this data with additional safeguards, including application-level encryption (AES-256-GCM) of designated medical fields, storage of attachments in a private bucket, and access restricted to authorised club roles. We process health data only on the club's instructions, never for our own purposes.
8. Children
Clubs use Klubio to manage members who are children. As processor, Klubio does not decide to collect children's data — clubs do, as controllers, and are responsible for obtaining parental/guardian consent where required. In Estonia the digital-consent age is 13; other markets differ. The platform records guardian relationships and contacts to help clubs manage this responsibly. To hold an account in their own name, an individual must meet the applicable age; younger members are managed by a guardian.
9. How long we keep your data
Club account data — while the account is active; removed from active systems within 30 days of account closure and from backups within 60 days.
Billing, invoice, and accounting records — 7 years from the end of the calendar year of the transaction (Estonian Accounting Act §12).
In-app notifications — deleted automatically after 90 days.
Expired sessions — cleaned up automatically.
Security and technical logs — up to 90 days; longer where needed for an active investigation.
Customer-support correspondence — up to 3 years after the last contact.
Marketing preferences and unsubscribe records — for as long as needed to honour your choice.
Member data processed as processor — retained per the club's instructions and deleted or returned at the end of our agreement with the club, subject to statutory retention.
If a longer retention is required by law (e.g. an unresolved dispute or regulatory hold), we keep the relevant records until that requirement ends.
10. Your rights
Under the GDPR you have the right to access, rectification, erasure, restriction, portability, and to object to processing based on legitimate interests (including marketing). Where processing is based on consent, you may withdraw it at any time without affecting prior processing. You may also lodge a complaint with a supervisory authority (§11).
To exercise these rights for data Klubio controls, email info@klubio.eu from the address associated with your account; we respond within 30 days (extendable by two months for complex requests under Art. 12(3)). For data a club controls (member and medical data — see §2 and §7), contact the club; we will assist as processor. There is no fee for a reasonable request; we may charge or decline for manifestly unfounded or excessive requests (Art. 12(5)). Rights may be limited where fulfilling a request would reveal another person's data.
11. Complaints
Please contact us first at info@klubio.eu. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn, www.aki.ee, or with the supervisory authority in your country of residence.
12. Cookies and similar technologies
Klubio uses only strictly necessary cookies and equivalent local storage — those needed to keep you signed in and operate the platform (in practice, sign-in tokens and your language preference stored in your browser's local storage — we do not use authentication cookies). We use no advertising or analytics cookies and no third-party tracking. Because strictly necessary storage does not require consent under the EU ePrivacy rules, we do not show a cookie banner. Clearing your browser's site data will sign you out. (Note: transactional emails may contain a delivery/open pixel — see the Cookie Policy.)
13. Security
We apply appropriate technical and organisational measures, including: TLS encryption in transit; encryption at rest; application-level AES-256-GCM encryption of designated sensitive fields (health data and stored accounting credentials); role-based access control and least-privilege staff access; per-club data isolation; private storage of uploaded files; and security logging. No system is perfectly secure. If we become aware of a personal-data breach likely to result in a risk to your rights, we will notify the Estonian Data Protection Inspectorate within 72 hours and, where the risk is high, affected users without undue delay (GDPR Art. 33–34). Where Klubio is processor, we notify the relevant club without undue delay so it can meet its own obligations.
14. If the business is sold or restructured
If Qbit Software OÜ is sold, merged, or otherwise involved in a corporate transaction, personal data may be transferred to the acquirer or merged entity under the same protections as in this policy. We will notify affected users in advance of any material change in controller.
15. Changes to this policy
We may update this policy. For changes that materially affect how we use personal data, we will give at least 14 days' notice by email or in-app banner before they take effect. The "effective date" at the top reflects the most recent revision.
16. Contact
Questions about this policy or your personal data: info@klubio.eu. Postal: Qbit Software OÜ, Heki tee 3, 74001 Harjumaa, Estonia. Supervisory authority: Andmekaitse Inspektsioon, Tatari 39, 10134 Tallinn — www.aki.ee.