IPSF Data Protection Policy 2025

IPSF Logo

IPSF Data Protection Policy

Effective Date: 2025 | Last Updated: October 2025

  1. Definitions
    • Personal Data – any information relating to an identified or identifiable natural person.
    • Processing – any operation performed on personal data, such as collection, storage, use, disclosure or deletion.
    • Controller – the organisation that determines the purposes and means of processing personal data.
    • GDPR - the EU General Data Protection Regulation (2016/679).
    • Processor – an external service provider that processes personal data on behalf of IPSF.
    • Data Subject – the individual whose personal data is processed by IPSF.
    • Supervisory Authority – the President of the Personal Data Protection Office (Prezes UrzÄ™du Ochrony Danych Osobowych – UODO), the independent national data-protection authority of Poland.

1. Purpose and Scope

This Policy explains how the IPSF collects, uses, stores and protects personal data in accordance with GDPR and the Polish Data Protection Act.

It applies to all personal data processed through IPSF systems, websites, applications, membership databases, competition management tools and related operations.

This Policy applies globally to all activities conducted by the IPSF and to any national federations, committees or authorised organisers duly acting under the authority of the IPSF, insofar as they process personal data for IPSF-related purposes. IPSF acts as the data controller for its own processing operations. National Federations and event organisers act as independent controllers unless a written Data Processing Agreement states otherwise.

2. Data Protection Contact

IPSF has designated a Data Protection Contact (not a formal DPO under Article 37 GDPR).
Email: support@ipsfsports.org
Postal address: os. Jana III Sobieskiego 40/2N, 60-688 Poznań, Poland.

3. Legal Bases for Processing (Articles 6 and 9 GDPR)

IPSF processes personal data only where a lawful basis applies:

  • Contract performance (Art. 6(1)(b)) for account registration, competition entry, and membership administration;
  • Legal obligation (Art. 6(1)(c)) for compliance with accounting, tax, and applicable anti-doping rules;
  • Legitimate interests (Art. 6(1)(f)) for system security, fraud prevention, and communication with members;
  • Consent (Art. 6(1)(a)) for newsletters, marketing, media, and processing of minors' data;
  • Special category data may be processed under Art. 9(2)(a) (explicit consent), Art. 9(2)(f) (establishment, exercise or defence of legal claims), Art. 9(2)(g) (substantial public interest in sports governance), or Art. 9(2)(h) (health data for athlete safety).

4. Categories of Personal Data

Depending on the context, IPSF may process:

  • Identification: name, date of birth, nationality, passport or ID number.
  • Contact: email address, telephone number, postal address.
  • Membership and account: login credentials, federation affiliation, preferences.
  • Competition and judging: registration details, scores, results, eligibility and disciplinary records.
  • Financial: payment IDs and transaction references from Stripe or PayPal (no card data stored by IPSF).
  • Technical: IP address, browser type, device ID, cookies, usage logs.
  • Media: photos and videos (with consent).
  • Minors: personal data of individuals under 18 processed only with verifiable parental or guardian consent.

5. Systems and Data Sources

- Website: Joomla CMS (SSL/TLS encrypted).
- App and database: hosted by Hetzner Online GmbH (Germany).
- Email: SendGrid / Twilio (USA).
- Payments: Stripe and PayPal (EU/USA).
- Internal collaboration: Google Workspace (EU data region).

IPSF collects limited personal data through its official website and digital platforms.
Data automatically collected may include IP address, browser type, time zone, and access logs for security and statistical purposes.

IPSF’s digital systems include a Joomla-based website and an internal web/mobile application. These platforms collect and process limited personal data such as user registrations, competition entries, and IP addresses for security purposes. All communication between users and IPSF systems is encrypted using SSL/TLS. Hosting is provided by Hetzner Online GmbH (Germany) within the European Union, ensuring GDPR-compliant data handling.

The IPSF website and applications use SSL/TLS encryption, two-step authentication for administrative logins, and regular software updates to maintain data integrity.

6. Processors and Safeguards (Articles 28 and 46 GDPR)

All processors operate under written Data Processing Agreements.

Where data leaves the EEA, IPSF applies the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or equivalent safeguards.

Processor / Service Provider

Purpose of Processing

Location

Legal Safeguard

Hetzner Online GmbH

Hosting and data storage

Germany

EU – GDPR compliant

SendGrid / Twilio

Email distribution and transactional messaging

USA

Standard Contractual Clauses (EU 2021/914)

Stripe / PayPal

Payment processing

EU / USA

Standard Contractual Clauses (EU 2021/914)

Google Workspace

Internal collaboration and backups

EU data region

Standard Contractual Clauses (EU 2021/914)

7. Data Retention and Deletion

Personal data is retained only as long as necessary for the purposes collected:

  • Membership and user accounts: until account closure plus 24 months of inactivity;
  • Competition records: 10 years for historical and statistical purposes (Art. 89 GDPR);
  • Financial records: 7 years (accounting obligations); and
  • Media content: until consent is withdrawn.

Data no longer required is securely deleted or anonymised in line with IPSF's retention schedule.

Cookies used on IPSF websites are limited to essential functionality and analytics tools governed by consent in accordance with the ePrivacy Directive. For more details, see the IPSF Privacy Policy.

8. Security Measures (Article 32 GDPR)

IPSF applies appropriate technical and organisational measures including:

  • SSL/TLS encryption for all transmissions;
  • EU-based hosting, firewalls, and intrusion detection;
  • Role-based access control and two-factor authentication for administrators;
  • Regular patching, vulnerability assessments, and encrypted backups;
  • Staff training and confidentiality obligations; and
  • Secure storage and destruction of any paper records.

IPSF reviews these measures annually to ensure continued effectiveness

9. International Transfers (Articles 44 to 46 GDPR)

Limited transfers to the USA (e.g., SendGrid, Twilio, PayPal) are protected by the EU Standard Contractual Clauses (Decision (EU) 2021/914).

No other third-country transfers take place without adequate safeguards.

10. Rights of Data Subjects (Articles 12 to 23 GDPR)

Individuals may exercise the following rights: access, rectification, erasure, restriction, portability, objection, and withdrawal of consent.

To exercise any of these rights, please contact us at support@ipsfsports.org

We will respond within one month of receiving your request (this may be extended by up to two months for particularly complex cases).

If you are not satisfied with how we handle your request, you have the right to make a complaint to the President of the Personal Data Protection Office (UODO) – the Polish national data protection authority – in accordance with Article 77 of the GDPR.

11. Processing of Minors' Data

IPSF processes the personal data of individuals under 18 years of age only with verifiable consent from a parent or legal guardian.

Where national law sets a lower threshold (e.g. 16 years under Polish law), IPSF will apply the higher standard by default.

12. Images and Videos

IPSF may use images and videos of athletes, coaches, and officials to promote events or achievements, subject to consent.

Unauthorised third-party commercial use is prohibited.

13. DPIAs, Records, and Breach Management

IPSF maintains Records of Processing Activities (Art. 30) and conducts Data Protection Impact Assessments for new technologies or high-risk processing (Art. 35).

All personal data breaches are recorded. Where required, IPSF will notify UODO within 72 hours and inform affected individuals where there is a high risk to rights and freedoms (Arts. 33 and 34).

In the event of a personal-data breach, IPSF will immediately assess the risk to the rights and freedoms of affected individuals and record the incident in its internal breach register. Where notification is required, IPSF will inform the President of the Personal Data Protection Office (UODO) within 72 hours of becoming aware of the breach and, when appropriate, will also notify affected individuals without undue delay. IPSF will document all facts, effects, and remedial actions in accordance with Article 33(5) GDPR.

In the event of a data breach, IPSF will:

  1. Immediately contain the incident and assess its scope;
  2. Record the breach in the internal register, noting date, type, and corrective actions;
  • Notify UODO within 72 hours where required under Article 33 GDPR; and
  1. Inform affected individuals without undue delay if the breach poses a high risk to their rights and freedoms.

IPSF reviews all incidents annually to prevent recurrence.

14. Updates

Any amendments shall be approved by the IPSF Executive Board and communicated through the IPSF website or other appropriate channels. The latest version will be available at https://ipsfsports.org/privacy

  1. Contact Us

International Pole and Aerial Foundation,
Operating as International Pole and Aerial Sports Federation (IPSF)
os. Jana III Sobieskiego 40/2N, 60-688 Poznań, Poland

Email: support@ipsfsports.org





We use cookies
We use cookies on our website. Some of them are essential for the operation of the site, while others help us to improve this site and the user experience (tracking cookies). You can decide for yourself whether you want to allow cookies or not. Please note that if you reject them, you may not be able to use all the functionalities of the site...
Ok Decline
More information | Imprint