Data Policy
This Data Policy describes how the Organization handles athlete data in research and consulting engagements — biomarker results, training-load streams, wearable data, medical history, and the algorithmic outputs derived from them. It complements our Privacy Policy for general website data.
1. Principles
Five principles govern every engagement involving athlete data:
- Consent. No athlete data is collected, analyzed, or shared without explicit, informed, written consent.
- Minimization. We collect only what is necessary to answer the clinical or research question at hand.
- Purpose limitation. Data collected for one purpose is not repurposed without renewed consent.
- Transparency. Athletes and authorized representatives can see what we hold, what we infer from it, and how we use it.
- Clinical primacy. Algorithmic outputs inform clinical decisions; they do not replace them.
2. Categories of athlete data
- Identification data — name, date of birth, identifiers as required by clinical record-keeping
- Biomarker data — blood panels, biological-age markers, body composition
- Training-load data — sessions, volumes, intensities, RPE, GPS streams
- Wearable data — HRV, sleep, heart rate, accelerometry
- Medical history — relevant injury, surgery, medication where shared by treating clinicians
- Derived data — risk scores, biological-age estimates, and other outputs computed by us
3. Legal basis and consent
Athlete data is processed on the basis of explicit consent, supplemented where applicable by a contract between the Organization and the athlete's club, federation, or institution. Consent is granular: athletes can opt in to specific uses (clinical decision support, research participation, anonymized publication) and out of others, without losing access to core services.
For minors, consent is provided by the parent or legal guardian, with the athlete's assent obtained and recorded where age-appropriate.
4. Data Processing Agreements
Every institutional engagement is governed by a Data Processing Agreement that defines: purposes of processing, categories of data, retention period, sub-processors permitted, security measures, breach notification timelines, and the athlete's rights of access and erasure. Standard templates are available on request.
5. Security
Athlete data is encrypted in transit (TLS 1.3) and at rest (AES-256). Role-based access controls are applied, with least-privilege defaults. Access logs are retained and reviewed. Multi-factor authentication is required for all staff accessing athlete data. We conduct annual penetration testing and quarterly internal access audits.
6. Sub-processors
We use a small number of sub-processors for hosting, computation, and analytics infrastructure. The current list is available on request to engaged organizations. We do not transfer athlete data to sub-processors outside the European Union, the United States, or Singapore without adequate safeguards in place.
7. Retention and deletion
Athlete data is retained for the duration of the engagement plus the period required by the governing Data Processing Agreement. On request — and subject to clinical record-keeping obligations — we delete athlete data within 30 days. Deletion includes derived data and model inputs; published anonymized aggregates remain in our research record.
8. Algorithmic transparency
Where we use machine-learning models to inform clinical decisions, we publish:
- The intended use case and population
- The feature set and known limitations
- Sensitivity and specificity in validation cohorts
- Known performance differences across demographic and morphological cohorts
Model outputs are returned to clinicians alongside the inputs that drove them. Athletes have the right to a human review of any algorithmic output that materially affects their care.
9. Research use and publication
Athlete data may be used for research and editorial publication only in anonymized form, with sufficient data removed to prevent re-identification, or with explicit written consent of the athlete. Identifiable case studies require renewed consent for each publication.
10. Athlete rights
Athletes — or their authorized representatives — have the right to:
- Access the data we hold on them and the derived outputs
- Receive a portable export of their data in a structured format
- Correct inaccurate or outdated data
- Withdraw consent and request deletion, subject to clinical obligations
- Request human review of any algorithmic decision affecting them
- Lodge a complaint with their local data-protection authority
11. Breach notification
In the event of a data breach affecting athlete data, we will notify the relevant authority within 72 hours and affected athletes without undue delay. Notification will include what data was affected, what has been done in response, and what the athlete can do to protect themselves.
12. Governance
Athlete data practices are reviewed annually by an independent Data Ethics Committee that includes a data-protection lawyer, an athlete representative, and a non-affiliated sports physician. The Committee's findings and our responses are summarized in our annual Transparency Report.
13. Contact
For questions about athlete data, write to our contact form. For breach reports or urgent matters, email our contact form.