Data Processing Addendum - Drive Hockey Analytics

Effective Date: October 2025
Last Updated: October 2025

For Drive Hockey Analytics End Users

This Data Processing Addendum (“DPA”) is part of the End User Agreement between you (“End User”, “you”, or “your”) and Drive Hockey Analytics, Inc. (“Drive”, “we”, “us”, or “our”). This DPA provides detailed legal and technical information about how we process your personal data in connection with our hockey tracking services.

For a plain-language summary, see our Privacy Notice. This DPA contains technical details for legal and compliance purposes.

1. DATA CONTROLLER AND ROLES

1.1 Drive as Data Controller

Drive Hockey Analytics, Inc. acts as the Data Controller for all personal data collected from End Users. We determine the purposes and means of processing your personal data.

Our Details:
Drive Hockey Analytics, Inc.
930-3025 Lougheed Hwy, #125
Coquitlam, BC V3B 6S2, Canada
Email: [email protected]

1.2 Service Partners

You may receive tracking services from authorized Drive resellers (“Service Partners”). Service Partners operate tracking equipment but do not control your personal data. They act as service providers under our direction. Your data protection relationship is directly with Drive, not with Service Partners.

1.3 Sub-Processors

Drive engages third-party sub-processors to support our operations (see Section 4). All sub-processors are contractually bound to protect your data.

2. DATA WE COLLECT AND PROCESS

We collect and process three distinct categories of information:

2.1 Personal Information (Personal Data under GDPR)

Personal information that directly identifies you as an individual:

What we collect:

Identity Data: Name, date of birth
Contact Data: Email address, phone number, postal address
Account Data: Username, password (encrypted), account preferences
Profile Data: Team affiliation, jersey number, playing position
Payment Data: Processed by third-party payment processors (Stripe, PayPal, Intuit); we store only transaction IDs and status, not complete card numbers
Communications: Your inquiries, support requests, feedback

How we collect it:

Directly from you when you create an account or update your profile
From Service Partners when they register you for services (with your consent)
Through your use of our Services

Legal basis for processing (GDPR Article 6):

Contract Performance: Necessary to provide Services you requested
Legitimate Interests: Customer support, service improvement, security
Legal Compliance: Tax records, regulatory requirements
Consent: Marketing communications (where required)

2.2 Sensor Data (Anonymous Technical Measurements)

Raw technical data collected from tracking sensors:

What we collect:

Movement measurements: speed, acceleration, deceleration, distance traveled
Position coordinates (X, Y coordinates on rink surface)
Device identifiers (sensor hardware IDs)
Timestamps (when measurements occurred)
Rink calibration data (for positioning accuracy)
Event participation records (which tracking sessions a device participated in)

How we collect it:

Automatically from tracking sensors during games and practices
Initially collected anonymously – sensors do not contain your name or personal identifiers

Important: Sensor Data is technical measurement data. It only becomes personal data when linked to your account (see Section 2.4).

Legal basis for processing:

Contract Performance: Necessary to provide tracking services
Legitimate Interests: Technology development, quality assurance

2.3 Performance Data (Processed Analytics)

Analytics and insights generated by Drive’s proprietary algorithms from Sensor Data:

What we generate:

Performance reports (speed metrics, distance stats, time on ice)
Statistical analysis (trends over time, performance patterns)
Comparative benchmarks (how you compare to position/age averages)
Visualizations (charts, graphs, heat maps)
Predictive insights and recommendations

How we generate it:

Our proprietary algorithms process Sensor Data
Machine learning models analyze patterns
Statistical models generate insights

Intellectual Property Note: The algorithms, methodologies, and derivative analytics constitute Drive’s proprietary technology and trade secrets. Drive retains all intellectual property rights in the technology and its outputs, independent of whether the data is linked to you.

Legal basis for processing:

Contract Performance: Providing analytics services you requested
Legitimate Interests: Product improvement, research, benchmarking (when anonymized)

2.4 How Data Becomes Personal Data: The Token-Based Linking System

The Process:

During Tracking: Sensors collect movement data anonymously
- Example: “Device #42 recorded speed of 25 mph at position X,Y at 14:32:15”
- No personal information is embedded in this data
When You Access Reports: Our system links Sensor Data to your account
- We use secure token-based authentication
- The system creates: “User Account [Token ABC123] ↔ Device #42 data”
- You see performance data displayed in your account as “your” metrics
The Legal Effect:
- When linked: Personal Information + Performance Data = Personal Data under GDPR
- When unlinked: Performance Data = Technical data, Drive’s proprietary asset
- We can unlink, re-link, or control access to this relationship
When You Delete Your Account:
- We delete your Personal Information
- We delete the linking token
- Performance Data remains but can no longer identify you
- This anonymized data becomes Drive’s proprietary asset

What This Means for Your Rights:

You have full GDPR rights over the linked profile (access, correction, deletion, etc.)
You can request deletion of the link at any time
Once unlinked, the anonymized Performance Data is no longer personal data subject to deletion rights

2.5 Usage and Technical Data

Information about how you use our Services:

What we collect:

Pages viewed, features used, time spent
Browser type, device type, operating system
IP address, general location (city/country level)
Cookies and tracking identifiers

Legal basis: Legitimate interests (service improvement, security, analytics)

3. HOW WE USE YOUR DATA

3.1 Primary Processing Purposes

Purpose	Data Used	Legal Basis (GDPR Article 6)
Create and manage your account	Personal Information	Performance of contract
Provide tracking services	Personal Information, Sensor Data	Performance of contract
Generate performance analytics	Sensor Data, Performance Data	Performance of contract
Display your reports	Personal Information (linked), Performance Data	Performance of contract
Process payments	Personal Information, payment data	Performance of contract
Customer support and troubleshooting	Personal Information, Performance Data, usage data	Performance of contract, Legitimate interests
Improve algorithms and technology	Anonymized Performance Data	Legitimate interests
Research and benchmarking	Aggregated/anonymized data	Legitimate interests
Security and fraud prevention	All data types as needed	Legitimate interests, Legal obligation
Legal compliance	All data types as required	Legal obligation
Marketing (with consent)	Personal Information	Consent

3.2 Anonymized and Aggregated Data Usage

When Performance Data is unlinked from your Personal Information (anonymized) or combined with data from many users (aggregated), it becomes Drive’s proprietary asset. We may use it for:

Product Development: Improving tracking accuracy, developing new features
Research: Sports science research, athletic performance studies
Benchmarking: Industry statistics (e.g., “average skating speed for 14-year-olds”)
Commercial Purposes: Licensing to third parties, publishing insights
Any other business purpose

Example of Anonymized Use:
“Players aged 13-15 in competitive leagues average 18.5 mph top speed with 15% variation by position”

What We Will NOT Do:
“John Smith from Vancouver skated 18 mph on Tuesday, October 5, 2025” (without consent)

3.3 Identified Performance Data Sharing

We will NOT share your identified Performance Data (linked to your name) with third parties without your explicit consent.

When You Might Consent:

Scouts or recruiters requesting access to your profile
Coaches or teams you authorize to view your data
Research studies you choose to participate in
Public leaderboards or competitions you opt into

How Consent Works:

We will ask for specific, informed, freely-given consent
You can withdraw consent at any time
Withdrawal does not affect prior processing based on consent

4. WHO WE SHARE YOUR DATA WITH

4.1 Service Partners (Tracking Service Providers)

If you receive tracking services from an authorized Drive reseller:

What they access:

Your name and team affiliation (to deliver services)
Performance Data necessary to operate equipment and provide services

Their obligations:

Keep your information confidential
Use data only to provide tracking services
Cannot use your data for their own marketing
Must refer all data subject requests to Drive
Contractually bound to protect your data

Your rights: You exercise all data rights directly with Drive, not the Service Partner.

4.2 Sub-Processors (Third-Party Service Providers)

We share data with the following sub-processors who help us operate our Services:

Sub-Processor	Service	Location	Data Accessed
Amazon Web Services (AWS)	Cloud hosting	United States	All data (encrypted)
Stripe, PayPal, Intuit	Payment processing	United States	Payment information only
Mailchimp	Email communications	United States	Email address, name
Google Inc.	Analytics, cloud services, ads	United States	Usage data, cookies
HubSpot Inc.	CRM, analytics	United States	Contact information, usage data
Freshworks Inc.	Customer support	United States	Contact information, support tickets
FullStory	Session analytics	United States	Usage data, session recordings
Twitter/Meta	Advertising	United States	Cookies, device IDs

Sub-Processor Obligations:

All sub-processors are contractually required to:
- Process data only according to our instructions
- Implement appropriate security measures
- Maintain confidentiality
- Assist with data subject rights requests
- Notify us of data breaches

Sub-Processor Changes:

We may engage new sub-processors as needed for business operations
For significant new sub-processors, we will update this list and notify you
You may object to new sub-processors on reasonable data protection grounds

4.3 Legal and Regulatory Disclosures

We may disclose your data when legally required:

Valid legal process (subpoenas, court orders, warrants)
Law enforcement or government agency requests (when legally compelled)
To protect rights, property, or safety of Drive, users, or the public
To comply with regulatory requirements (tax authorities, data protection authorities)

Your Rights: We will notify you of legal disclosures unless prohibited by law.

4.4 Business Transfers

If Drive is involved in a merger, acquisition, or sale of assets:

Your data may be transferred to the successor entity
The successor will be bound by this DPA
We will notify you before any transfer
You may delete your account before the transfer if you choose

4.5 What We Do NOT Do

We do NOT sell Personal Information to data brokers or third parties
We do NOT share identified Performance Data without your consent
We do NOT allow Service Partners to use your data for their own purposes
We do NOT disclose data to third parties for their marketing without consent

5. INTERNATIONAL DATA TRANSFERS

5.1 Where Your Data is Processed

Primary Storage:

United States (Amazon Web Services data centers)

May be Accessed From:

Canada (Drive’s headquarters and operations team)
Locations of sub-processors listed in Section 4.2

5.2 Safeguards for EEA/UK Data Transfers

For users in the European Economic Area (EEA) or United Kingdom:

Transfer Mechanism:
We use Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) for transfers to countries without adequacy decisions.

Module Used: Controller-to-Processor (Module 2)

Additional Safeguards:

Encryption in transit and at rest
Access controls limiting data access
Contractual restrictions on sub-processor access
Regular security assessments
Data minimization practices

Your Rights: You have the same data protection rights regardless of where your data is stored.

Requesting SCC Details: Email [email protected] for copies of our Standard Contractual Clauses.

6. DATA SECURITY MEASURES

We implement appropriate technical and organizational measures to protect your data:

6.1 Technical Measures

Encryption:

In transit: TLS 1.2 or higher for all data transmissions
At rest: AES-256 encryption for stored data
Database encryption for sensitive fields

Access Controls:

Multi-factor authentication for administrative access
Role-based access controls (principle of least privilege)
Unique user accounts (no shared credentials)
Session timeout and re-authentication requirements

Network Security:

Firewalls and intrusion detection/prevention systems
Network segmentation (separation of systems)
DDoS protection
Regular vulnerability scanning and penetration testing

Application Security:

Secure coding practices
Regular security patches and updates (critical patches within 30 days)
Input validation and sanitization
Protection against OWASP Top 10 vulnerabilities

Monitoring and Logging:

Security event logging and monitoring
Anomaly detection
Regular log review
Incident detection and alerting

Backup and Recovery:

Regular encrypted backups
Geographically distributed backup storage
Tested recovery procedures
Business continuity planning

6.2 Organizational Measures

Personnel:

Background checks for employees with data access
Confidentiality agreements for all personnel
Annual data protection training
Clear data handling procedures

Policies and Procedures:

Information security policy
Data protection policy
Incident response plan
Vendor management procedures

Third-Party Management:

Security assessments of sub-processors
Contractual security requirements
Regular compliance monitoring

Audits and Assessments:

Annual security audits
Compliance reviews
Risk assessments
Security testing

6.3 Data Breach Response

If we discover a data breach affecting your personal data:

Within 24 hours:

Contain and investigate the breach
Assess scope and impact

Within 72 hours:

Notify affected users by email
Notify relevant data protection authorities (if required by law)
Provide detailed information about:
- Nature of the breach
- Categories and approximate number of affected users
- Categories and approximate number of affected records
- Likely consequences
- Measures taken or proposed to address the breach
- Contact information for questions

Your Actions:

Follow instructions in our notification
Change passwords for your account
Monitor for suspicious activity
Contact [email protected] with questions

7. YOUR DATA PROTECTION RIGHTS

You have the following rights under GDPR (Regulation EU 2016/679) and similar data protection laws:

7.1 Right of Access (Article 15)

What: Request copies of your personal data
What you’ll receive:

Confirmation whether we process your data
Categories of data processed
Purposes of processing
Recipients of your data
Retention periods
Copy of your Personal Information and Performance Data

How to exercise: Email [email protected] or use account download feature
Response time: 30 days (may extend to 60 days for complex requests)
Fee: Free for first request; may charge reasonable fee for excessive requests

7.2 Right to Rectification (Article 16)

What: Correct inaccurate or incomplete data
How to exercise: Account settings or email [email protected]
Response time: 30 days

7.3 Right to Erasure / “Right to be Forgotten” (Article 17)

What: Request deletion of your personal data
What we’ll delete:

Your Personal Information (name, email, contact details)
The link between your account and Performance Data
Your account and login credentials

What may be retained:

Anonymized Performance Data (no longer identifies you)
Data required by law (financial records for 7 years)
Data necessary for legal claims

How to exercise: Email [email protected] or account settings
Timeline: Deletion within 90 days

Important Note: Once unlinked, Performance Data is anonymized and becomes Drive’s proprietary asset, not subject to deletion rights under GDPR Article 17(3)(d) (processing necessary for archiving purposes in the public interest, scientific/historical research, or statistical purposes).

7.4 Right to Restriction of Processing (Article 18)

What: Limit how we process your data
When available:

You contest data accuracy (while we verify)
Processing is unlawful but you prefer restriction over deletion
We no longer need data but you need it for legal claims
You’ve objected to processing (pending verification of legitimate grounds)

How to exercise: Email [email protected]
Response time: 30 days

7.5 Right to Data Portability (Article 20)

What: Receive your data in structured, machine-readable format

What you’ll receive:

Personal Information (name, email, account details)
Complete Performance Data linked to your account (all sensor data and analytics from your linked tracking sessions)
Historical reports and insights
Transaction records

Important Timing:

Best practice: Request portability BEFORE requesting account deletion to receive complete data
If you request deletion first: You have 90 days from your deletion request to also request data portability
Portability fulfillment: We will fulfill your portability request before deleting your data
After 90 days from deletion request: If you haven’t requested portability, your Personal Information and link to Performance Data will be deleted
After deletion is complete: Performance Data is anonymized and no longer subject to portability rights

How to exercise: Email [email protected] with subject “Data Portability Request”

Format: JSON, CSV, or other commonly used format suitable for importing to another service

Response time: 30 days

To another provider: If technically feasible, we can transmit directly to another controller at your request

No fee: First request is free

7.6 Right to Object (Article 21)

What: Object to processing based on legitimate interests or direct marketing

Processing you can object to:

Marketing communications (anytime)
Processing based on legitimate interests (with valid grounds)
Profiling for marketing purposes

Processing you cannot object to:

Processing necessary for contract performance
Processing required by law

How to exercise: Email [email protected] or unsubscribe from marketing emails
Effect: We will cease the objected processing unless we have compelling legitimate grounds

7.7 Rights Related to Automated Decision-Making (Article 22)

Our Practice: We do not make solely automated decisions with legal or similarly significant effects.

Our Use of Algorithms:

We use algorithms to generate performance analytics
These are tools to provide insights, not automated decisions affecting your rights
You always control how to use the insights

7.8 Right to Withdraw Consent (Article 7(3))

What: Withdraw consent for processing based on consent
Where applicable:

Marketing communications
Optional data collection
Sharing identified data with third parties

How to exercise: Email [email protected] or account settings
Effect: We will cease processing; does not affect prior lawful processing

7.9 Right to Lodge a Complaint (Article 77)

What: File a complaint with a data protection authority

How to complain:

Contact us first: [email protected] (we want to resolve issues)
If unsatisfied, contact your local supervisory authority

Find Your Supervisory Authority (EEA):
https://edpb.europa.eu/about-edpb/board/members_en

For Canada: Office of the Privacy Commissioner of Canada
https://www.priv.gc.ca

7.10 How to Exercise Your Rights

Primary Contact:
Email: [email protected]
Subject line: “Data Subject Request – [Type of Request]”

Include in Your Request:

Your full name
Email address associated with your account
Specific right you’re exercising
Any relevant details

Verification:

We may ask for identification to verify your identity
This protects against unauthorized access to your data

Response Timeline:

30 days for most requests
May extend to 60 days for complex requests (we’ll notify you)
We’ll keep you informed of progress

No Fee:

Requests are free unless manifestly unfounded or excessive

8. DATA RETENTION

8.1 Retention Periods

Account Status	Personal Information	Performance Data	Legal Basis
Active account	Retained while account exists	Retained (linked) while account exists	Contract performance, Legitimate interests
Inactive account (0-2 years)	Retained	Retained (linked)	Contract performance, Legitimate interests, Consent
Inactive account (2-7 years)	Retained but may be archived	Retained but may be archived (linked)	Contract performance, Legitimate interests, Consent
Inactive account (7+ years)	May be deleted at Drive’s discretion, particularly if communications undeliverable	May be unlinked and anonymized at Drive’s discretion	Reasonable retention limit after extended abandonment
Explicitly deleted by user	Deleted within 90 days	Link deleted within 90 days	User request (Right to Erasure)
After deletion	Deleted	Anonymized, retained indefinitely	No longer personal data
Financial records	7 years from transaction	N/A	Legal obligation

Important Distinctions:

Inactive Account vs. Deleted Account:

Inactive: You haven’t logged in for a period of time, but your account still exists. Your data is retained so you can access your historical performance data when you return. You can reactivate your account anytime by logging in.
Deleted: You have explicitly requested account deletion through account settings or by contacting us. We will delete your Personal Information and the link to your Performance Data within 90 days.

Why We Retain Inactive Account Data:

Drive provides long-term athletic development tracking. Many athletes return after years of inactivity to access their historical performance data (e.g., reviewing their youth hockey performance as adults, tracking development from age 10 to 25).

Historical Performance Data is a core feature of our service, not incidental data. Your account and linked Performance Data are retained indefinitely unless you explicitly delete your account.

Inactive Account Management:

After 2 years of inactivity, we may move your data to archived storage (cheaper, slower access)
After 7 years of inactivity, we will send annual email reminders asking you to confirm you want to keep your account
After 10 years of inactivity with no response to notices, we will send a final 90-day deletion warning
You can reactivate anytime before deletion by logging in
You can delete your account anytime through account settings

Your Rights for Inactive Accounts:

All GDPR rights apply to inactive accounts:

You can access your data anytime
You can delete your account anytime
You can update your information
You can download your data

8.2 Retention Criteria

We determine retention periods based on:

Purpose for which data was collected
Legal obligations (tax, employment, corporate law)
Legitimate business needs (legal claims, audits)
Data subject rights and expectations
Risk of harm from continued storage

8.3 Secure Deletion

When retention periods expire:

Data is securely deleted or anonymized
Deletion is irreversible
We maintain deletion logs for compliance
Backups containing expired data are overwritten within 90 days

9. SPECIAL CATEGORIES OF PERSONAL DATA

9.1 Health Data Considerations

Performance Data may be considered health-related data under GDPR Article 9 (special category data) in certain contexts, particularly when it reveals information about:

Physical fitness levels
Injury recovery
Athletic capacity

Legal Basis for Processing Health-Related Performance Data:

Explicit Consent (GDPR Article 9(2)(a)): By creating an account and using tracking services, you provide explicit consent to process performance data that may reveal health information
Necessary for Healthcare/Sports Medicine (GDPR Article 9(2)(h)): When used by medical professionals for athlete health assessment
Made Public by You (GDPR Article 9(2)(e)): If you choose to share publicly

Withdrawal of Consent: You can withdraw consent at any time by deleting your account or requesting deletion of the link to your Performance Data.

9.2 Children’s Data (Under 16 in EEA)

Parental Consent Required:

For users under 16 in the EEA (or under 13-18 in some jurisdictions per local law)
Parent/guardian must provide consent before account creation
We verify parental consent through reasonable means

Parental Rights:

Access child’s data
Correct child’s data
Delete child’s account
Withdraw consent at any time

Contact for Children’s Privacy:
[email protected] with subject “Child Privacy”

10. AUTOMATED PROFILING AND DECISION-MAKING

10.1 Our Use of Algorithms

We use algorithms and machine learning to:

Process Sensor Data into Performance Data
Generate insights and recommendations
Identify performance patterns and trends
Compare performance to benchmarks

10.2 No Solely Automated Decisions

We do NOT make solely automated decisions that produce legal effects or similarly significantly affect you (GDPR Article 22).

Examples of what we DON’T do:

Automatically determine team selection
Make recruitment/scholarship decisions
Provide medical diagnoses

What we DO:

Provide performance analytics as tools for human decision-makers
Generate insights that coaches, scouts, or you can use
Create statistical comparisons for informational purposes

Your Rights: You always have the right to question and understand how our algorithms generate insights. Contact [email protected] for explanations.

11. CHANGES TO THIS DPA

11.1 How We Update

We may update this DPA to:

Reflect changes in data protection laws
Improve clarity and transparency
Add new features or services
Update sub-processor lists

11.2 Notification of Changes

We will notify you of material changes by:

Email to your registered address (30 days advance notice)
Prominent notice in your account dashboard
Updating the “Last Updated” date on this document

11.3 Your Options

If you disagree with changes:

You may terminate your account under the End User Terms of Service
You may exercise your Right to Erasure
Termination must occur before changes take effect

If you continue using Services:

Continued use after the effective date constitutes acceptance
You remain bound by the updated DPA

12. CONTACT INFORMATION

12.1 Data Protection Contacts

For exercising data rights or privacy questions:

Email: [email protected]
Phone: 1-604-260-2881

Mail:
Drive Hockey Analytics, Inc.
Attention: Data Protection Officer
930-3025 Lougheed Hwy, #125
Coquitlam, BC V3B 6S2, Canada

12.2 EU Representative

For EEA users (if required):
[To be appointed if Drive has no EU establishment – currently not required as Drive provides services remotely]

12.3 Supervisory Authorities

Canada:
Office of the Privacy Commissioner of Canada
Website: https://www.priv.gc.ca

European Union:
Find your data protection authority:
https://edpb.europa.eu/about-edpb/board/members_en

13. LEGAL BASIS SUMMARY

Quick reference for GDPR compliance (Article 6 and 9):

Processing Activity	Data Used	Legal Basis (Art. 6)	Special Category Basis (Art. 9, if applicable)
Account creation and management	Personal Information	Performance of contract	N/A
Providing tracking services	Personal Info, Sensor Data, Performance Data	Performance of contract	Explicit consent
Generating analytics	Sensor Data, Performance Data	Performance of contract	Explicit consent
Customer support	Personal Info, Performance Data	Performance of contract, Legitimate interests	Explicit consent
Payment processing	Personal Info, payment data	Performance of contract	N/A
Product improvement	Anonymized Performance Data	Legitimate interests	Not applicable (anonymized)
Research and benchmarking	Aggregated/anonymized data	Legitimate interests	Not applicable (aggregated)
Security and fraud prevention	All data types as needed	Legitimate interests, Legal obligation	Not applicable
Legal compliance	All data types as required	Legal obligation	Legal obligation
Marketing (opt-in)	Personal Information	Consent	N/A

14. DEFINITIONS

Anonymization: Processing that irreversibly prevents identification of individuals

Aggregation: Combining data from multiple individuals so no individual can be identified

Data Controller: Entity that determines purposes and means of processing personal data (Drive)

Data Processor: Entity that processes data on behalf of the Controller (our sub-processors)

Data Subject: Individual whose personal data is processed (you)

Personal Data: Information relating to an identified or identifiable individual

Processing: Any operation performed on personal data (collection, storage, use, sharing, deletion)

Pseudonymization: Processing that prevents direct identification without additional information

Special Categories of Personal Data: Sensitive data including health data (GDPR Article 9)

Sub-processor: Third party engaged by Drive to process personal data

15. COMPLIANCE FRAMEWORKS

This DPA is designed to comply with:

GDPR (EU Regulation 2016/679) – General Data Protection Regulation
PIPEDA (Canada) – Personal Information Protection and Electronic Documents Act
CCPA (California) – California Consumer Privacy Act
UK GDPR – United Kingdom General Data Protection Regulation
Privacy Shield Principles (where applicable)

This Data Processing Addendum was last updated on October 2025.

For questions about this DPA, contact [email protected]