Data Protection Terms
Data Protection Terms
Effective: May 1, 2026
Notice to Signing Authority.By accepting these terms, the authorized representative of the Customer represents and warrants that they have authority to bind the Customer and its users. Where applicable law requires additional individual consent from athletes, parents, or guardians, the Customer is solely responsible for obtaining that consent before any data is collected. HeatSense relies on the Customer's representation that all required consents are in place.
HeatSense operates a real-time athlete thermal response solution that collects physiological and biometric-adjacent data to generate performance and Thermal Response insights. This Agreement governs the collection, processing, use, storage, and protection of data generated through the Services when deployed by or through the Customer.
This Agreement supplements and is incorporated into HeatSense's Terms of Service and Privacy Policy, each available at heatsense.com. In the event of a conflict between this Agreement and the Terms of Service or Privacy Policy with respect to institutional data handling, this Agreement controls.
1. Definitions
For purposes of this Agreement, the following terms have the meanings set forth below.
"Athlete Data" means any data generated through use of the HeatSense platform by individuals associated with the Customer, including core body temperature, skin temperature, heart rate, Wet Bulb Globe Temperature (WBGT) context, session timestamps, and derived thermal insights.
"Anonymized Data" means Athlete Data from which all Personally Identifiable Information has been irreversibly removed such that the data cannot reasonably be used to identify any specific individual, whether alone or in combination with other available data. A pseudonym, token, or internal identifier assigned by HeatSense does not constitute Personally Identifiable Information for purposes of this definition.
"Aggregated Data" means statistical summaries or population-level outputs derived from Athlete Data that do not contain individual-level data points and cannot be used to reconstruct or identify individual athletes.
"Personally Identifiable Information" or "PII" means any information that identifies or could reasonably be used to identify a specific athlete, including name, jersey number, assigned student ID, date of birth, photograph, or any combination of data points that would permit re-identification.
"Obfuscated Data" means Athlete Data as displayed within HeatSense internal systems in which athlete names and direct identifiers have been replaced with anonymized tokens. See Section 6 (Name Obfuscation and Identity Controls).
"Customer Users" means athletes, coaches, athletic trainers, administrators, and other individuals whose data is collected or who access the HeatSense platform under the Customer's account.
"Services" means the HeatSense thermal response solution, including the athlete app, Teams Dashboard, wearable sensors, hubs, and any related software, firmware, or data processing services.
"TDPSA" means the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code §§ 541.001 et seq., as amended.
"COPPA" means the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501 et seq., and associated FTC regulations.
"HeatSense Data" means de-identified and aggregated data, standards, insights, or metrics developed or generated by HeatSense, including data created by combining Athlete Data from one or more Institutions in wholly de-identified form with existing HeatSense Data or third-party licensed data.
"Derived Data" means all trained models, scoring algorithms, heat strain indices, thermal response baselines, readiness estimates, and other analytical or derivative works created by HeatSense through the processing of Athlete Data, whether or not attributable to any particular Customer. Derived Data is a subset of HeatSense Data.
2. Data Collected
2.1 Categories of Data. HeatSense may collect the following categories of data through the Services when deployed by the Customer:
- Physiological metrics: core body temperature, skin temperature, and heart rate, collected through wearable sensors worn during athletic activity
- Environmental metrics: Clothing insulation, Wet Bulb Globe Temperature (WBGT) and ambient conditions captured at or near the time of use
- Session data: timestamps, session duration, activity type, and geographic region
- Device and connectivity data: sensor identifiers, firmware version, hub identifiers, and connection quality metrics
- Anthropometrics: body composition and biometric profile data (including height, weight, body fat percentage, and lean mass metrics), hydration status, or acclimitization status entered or imported by the Customer or its staff, used to contextualize sensor readings and improve model accuracy. Anthropometric data is provided by the Customer and is not measured directly by HeatSense sensors
- Derived outputs: heat strain indices, zone classifications, Thermal Response Index (TRI) scores, dehydration indicators, cardiovascular strain indicators, aerobic performance indicators, and other Thermal Response intelligence generated by the HeatSense Thermal Performance Engine
2.2 Data Not Collected. HeatSense does not collect retinal scans, fingerprints, voiceprints, or facial geometry. HeatSense does not collect data that constitutes a "biometric identifier" as defined under the Texas Capture or Use of Biometric Identifiers Act (CUBI), Tex. Bus. & Com. Code § 503.001. The physiological metrics listed in Section 2.1 constitute "sensitive data" under the TDPSA, and HeatSense treats them accordingly.
2.3 Wellness Platform. HeatSense is a wellness and performance platform, not a medical device. HeatSense takes inputs — including physiological and environmental data — and produces outputs in the form of insights, alerts, and recommendations. None of these inputs or outputs constitute medical advice, clinical assessment, or diagnosis of any kind, now or at any time. The presence of biometric or vital data does not confer any diagnostic or medical character on the Services. HeatSense does not collect, generate, or retain data that constitutes protected health information (PHI) under HIPAA, and is not a covered entity or business associate under HIPAA.
3. Data Governance
3.1 Overview. HeatSense's data governance practices are designed to meet applicable federal and state privacy and biometric requirements. HeatSense does not collect data constituting biometric identifiers under applicable law, treats physiological metrics as sensitive data, and processes Athlete Data only as directed by this Agreement and applicable law.
3.2 FERPA. Student-athlete data protections under the Family Educational Rights and Privacy Act are addressed in Section 11. HeatSense's default name obfuscation under Section 6 is designed to satisfy FERPA's de-identification standard, placing the ordinary course of platform operations outside FERPA's scope.
3.3 HIPAA. As established in Section 2.3, HeatSense is not a covered entity or business associate under HIPAA and does not collect, generate, or retain protected health information (PHI). No HIPAA obligations apply to HeatSense's data collection or processing activities under this Agreement.
3.4 Non-Punitive Use. Athlete data and platform outputs may not be used as the sole basis for any adverse action against an individual athlete, including removal from participation, disciplinary action, or punitive decisions of any kind. Platform outputs are data and insights delivered to the Customer. Any decisions made in connection with those outputs are made solely by the Customer and its staff, exercising their own independent professional judgment. HeatSense has no role in and bears no responsibility for any decisions made by the Customer or its personnel. Platform data may not be used as a proxy for evaluating any protected health status or characteristic, and no output generated by the platform constitutes a medical assessment for purposes of any disability, accommodation, or eligibility determination under applicable federal or state law, including the Americans with Disabilities Act or Section 504 of the Rehabilitation Act.
4. Customer Authority and Consent Obligations
4.1 Signing Authority. The individual accepting these terms on behalf of the Customer represents and warrants that they are duly authorized to bind the Customer to this Agreement and to make the representations and warranties set forth herein.
4.2 Authority to Bind Customer Users. By accepting these terms, the Customer represents and warrants that it has the authority to bind all Customer Users to the data collection and processing practices described in this Agreement, including through enrollment agreements, employment agreements, team participation requirements, or other instruments with appropriate legal effect.
4.3 Individual Consent Obligations. Where applicable law requires consent directly from an individual Customer User — including but not limited to:
- Adult athletes (18 and older) under the TDPSA, for the processing of sensitive physiological data;
- Parents or legal guardians of athletes under age 13, under COPPA and any applicable state law; and
- Parents or legal guardians of athletes ages 13 through 17 where state law imposes parental consent requirements for sensitive data processing,
the Customer is solely responsible for obtaining, documenting, and maintaining records of all such consents before any data is collected from the relevant individual. HeatSense relies on the Customer's representation that all required consents are in place and does not independently verify individual consents.
4.4 Consent Documentation. HeatSense will make available to the Customer, upon written request, template consent language for use in the Customer's athlete enrollment process. The Customer shall maintain written records of all consents obtained pursuant to Section 4.3 for a minimum of three (3) years following the termination of this Agreement. Upon request, the Customer shall provide HeatSense with evidence of such consents within ten (10) business days.
4.5 Indemnification for Consent Failures. The Customer shall indemnify, defend, and hold harmless HeatSense and its officers, directors, employees, and agents from and against any claims, liabilities, damages, fines, penalties, or expenses (including reasonable attorneys' fees) arising out of or relating to the Customer's failure to obtain required individual consents or to otherwise comply with applicable privacy law in connection with this Agreement.
4.6 Institutional Provisioning. The Customer may provision athlete and staff accounts on behalf of its users using administrative credentials or institutional placeholder contact information (including program-assigned email addresses) where individual athletes have not yet provided personal contact details. Accounts created through institutional provisioning are subject to all consent and data protection requirements in this Agreement. The Customer is responsible for updating provisioned accounts with individual contact information upon athlete enrollment and for ensuring that all provisioned users are covered by the consents described in Sections 4.3 and 4.4. HeatSense relies on the Customer's representation that provisioned accounts are authorized under applicable law.
5. Permitted Uses of Athlete Data
5.1 Operational Use. HeatSense may use Athlete Data to provide, operate, and maintain the Services, including generating real-time insights, alerts, and reports delivered to the Customer and authorized Customer Users.
5.2 Prohibited Uses. HeatSense shall not:
- Use Athlete Data to evaluate, score, or make decisions about any individual for employment, insurance, credit, or college admissions purposes;
- Use Athlete Data for targeted advertising;
- Attempt to re-identify Anonymized Data;
- Share Athlete Data with any third party except as expressly permitted under this Agreement or required by applicable law.
6. Name Obfuscation and Identity Controls
HeatSense implements name obfuscation by default. Athletes' names and direct identifiers are masked within HeatSense internal systems and are not visible to HeatSense personnel in the ordinary course of operations. This default obfuscation is designed to satisfy the de-identification standard under FERPA (where applicable) and to reduce exposure under the TDPSA and applicable state privacy law. This section governs if, when, and how that protection may be modified.
6.1 Identity Visibility Requires Written Consent. HeatSense personnel may access or view athlete names or other PII associated with Athlete Data only if the Customer grants express written consent to do so. Such consent must: be signed by an authorized representative of the Customer; specify the purpose for which name-level access is required; specify the duration for which access is authorized; and HeatSense personnel or team authorized to access the identified data.
6.2 Mandatory Audit Log. Every instance in which a HeatSense employee or contractor accesses identified (non-obfuscated) Athlete Data shall be recorded in a tamper-evident audit log. The audit log shall capture: the identity of the HeatSense personnel who accessed the data; the date and time of access; the purpose of access; and the written consent instrument that authorized access. HeatSense shall retain audit logs for a minimum of three (3) years.
6.3 Audit Log Access. Upon written request, HeatSense shall provide the Customer with a copy of the audit log entries related to the Customer's Athlete Data within ten (10) business days. Audit logs are the property of HeatSense but constitute a right of inspection for the Customer with respect to its own data.
6.4 Revocation. The Customer may revoke identity-visibility consent at any time through the Team Dashboard settings. Revocation takes effect immediately upon the Customer toggling the setting — HeatSense personnel will have no further access to identified athlete data from that point forward. HeatSense shall make no further access to identified data without a new consent instrument.
7. Data Retention and Deletion
7.1 Identifiable Data During Term. During the active term of this Agreement, HeatSense retains Athlete Data associated with the Customer's account for the purpose of providing the Services. Athlete Data is stored in Obfuscated form as described in Section 5 unless the Customer has provided identity-visibility consent under Section 6.1.
7.2 Post-Termination. Upon written request following termination, HeatSense can export identifiable Athlete Data to the Customer and/or permanently remove it from HeatSense systems. If requested, HeatSense commits to fulfilling such requests within thirty (30) days. Anonymized Data is retained as set forth in Section 7.3.
7.3 Anonymized Data. Anonymized Data from which all PII has been removed may be retained by HeatSense indefinitely for algorithm training, benchmarking, and product improvement purposes, subject to the restrictions in Section 5. The Customer acknowledges that once data has been anonymized in accordance with the definition in Section 1, it is no longer subject to deletion obligations. HeatSense's rights to create and use HeatSense Data from such Anonymized Data are set forth in Section 10.
7.4 Athlete-Level Deletion Requests. If an individual athlete or their parent or guardian submits a deletion request under applicable law (including the TDPSA right to delete), HeatSense will process such requests in coordination with the Customer. The Customer is responsible for directing deletion requests to HeatSense. HeatSense will respond within thirty (30) days.
7.5 Individual Athlete Departure. When an individual athlete separates from the Customer's program — whether by transfer, graduation, withdrawal, or any other reason — the following applies:
- (a) Identified data. The Customer retains the right to request export or deletion of that athlete's identified Athlete Data pursuant to Section 7.2. Individual athletes or their guardians may direct deletion requests to HeatSense through the Customer. HeatSense will process such requests within thirty (30) days of receipt from the Customer.
- (b) Anonymized data. Anonymized Data derived from a departed athlete's records is not subject to deletion and is not accessible to the departed athlete or their guardian. Once Athlete Data has been anonymized in accordance with the definition in Section 1, it is incorporated into platform-wide models and cannot be disaggregated, attributed to any individual, or retrieved in any form. No deletion right, data portability right, or access right applies to Anonymized Data after the point of anonymization.
- (c) Responsibility. The Customer is responsible for communicating this Section to athletes and their guardians as part of its enrollment and participation documentation.
7.6 Legal Hold. Notwithstanding the foregoing, HeatSense may retain data beyond the periods specified in this Section to the extent required to comply with applicable law, respond to legal process, or enforce its rights under this Agreement, provided that such retained data is subject to all use restrictions in Section 5.
8. Data Security
8.1 Security Standards. HeatSense shall implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Athlete Data against unauthorized access, disclosure, alteration, or destruction. Such safeguards include: encryption of data in transit (TLS) and at rest (AES-256 via MongoDB Atlas); and access controls limiting data access to authorized personnel on a need-to-know basis. HeatSense relies on platform-level security certifications maintained by AWS and MongoDB Atlas for physical and infrastructure-level safeguards. Formal third-party security assessments are part of HeatSense's planned security program development.
8.2 Security Incidents. In the event HeatSense becomes aware of a security incident that affects Athlete Data associated with the Customer, HeatSense shall notify the Customer within seventy-two (72) hours of becoming aware of the incident. Such notice shall include: a description of the nature of the incident; the categories and approximate volume of data affected; the likely consequences of the incident; the measures HeatSense has taken or proposes to take to address the incident and mitigate its effects; and the name and contact details of HeatSense's data protection contact. The Customer is solely responsible for notifying affected athletes, parents, and regulatory authorities as required by applicable law, including Texas data breach notification requirements under Tex. Bus. & Com. Code §§ 521.001 et seq. HeatSense shall reasonably cooperate with the Customer in connection with any required notifications. A "security incident" for purposes of this Section means any confirmed unauthorized access to, disclosure of, or destruction of Athlete Data that is not otherwise authorized under this Agreement.
8.3 Subprocessors. HeatSense may engage third-party subprocessors (including cloud storage providers, analytics platforms, and infrastructure providers) to process Athlete Data on its behalf. All subprocessors are bound by data protection obligations no less protective than those in this Agreement. A current list of subprocessors is available upon written request.
9. Data Roles and HeatSense Data Rights
9.1 Data Roles. For purposes of the TDPSA and applicable privacy law, the Customer is the "controller" of Athlete Data with respect to its own athletes and users, and HeatSense acts as a "processor" of that data on the Customer's behalf. HeatSense processes Athlete Data only as directed by this Agreement and applicable law.
9.2 Authorization to Create HeatSense Data. The Customer hereby authorizes HeatSense to combine in wholly de-identified and aggregated form Athlete Data with existing and future HeatSense Data to create enhanced HeatSense Data for HeatSense's and its partners' general business use, on a royalty-free, worldwide, irrevocable, perpetual, sublicensable, and transferable basis. This authorization survives termination of this Agreement and is not affected by the Customer's data deletion rights, which apply only to identified Athlete Data as set forth in Section 7.2.
9.3 HeatSense as Controller of HeatSense Data. HeatSense is the controller of HeatSense Data, which may no longer qualify as personal data due to aggregation or de-identification. As controller of HeatSense Data, HeatSense has full authority to use, analyze, license, and commercialize HeatSense Data for any lawful purpose, subject to the restriction in Section 9.6.
9.4 Permitted Uses of HeatSense Data. HeatSense may use HeatSense Data for product improvement, algorithm training, benchmarking, performance partnerships, and licensing derived insights to industry collaborators. HeatSense may publish aggregate benchmarks and share HeatSense Data with performance partners, provided no individual athlete or institution is identifiable from such outputs.
9.5 Ownership of Derived Data. HeatSense is the sole owner of all Derived Data, including all intellectual property rights therein. Derived Data is HeatSense's intellectual property regardless of the Athlete Data from which it derives. The Customer's rights in its underlying Athlete Data do not confer any rights in Derived Data.
9.6 Re-identification Prohibited. HeatSense shall not use HeatSense Data or Derived Data in any manner that permits re-identification of individual athletes or institutions.
9.7 Athlete Data Ownership. Athletes and institutions retain ownership of their identified Athlete Data and all rights associated with identified records, including deletion rights under Section 7 and data subject rights under Section 9.8. HeatSense's rights under this Section apply to HeatSense Data and Derived Data only.
9.8 Assistance with Data Subject Rights. HeatSense shall assist the Customer in responding to data subject rights requests (access, correction, deletion, portability) from Customer Users, to the extent technically feasible and required by applicable law. The Customer remains responsible for communicating with its own users regarding their rights.
10. Minors
10.1 COPPA Compliance. If the Customer deploys the Services for athletes under the age of 13, the Customer is solely responsible for obtaining verifiable parental consent as required under COPPA before any data is collected from such individuals. HeatSense does not knowingly collect personal information directly from children under 13 without the Customer's representation that required parental consent has been obtained.
10.2 Ages 13–17. For athletes ages 13 through 17, the Customer shall ensure that applicable state law consent requirements are satisfied before data collection begins. The Customer represents that its standard enrollment, participation, or consent processes satisfy these requirements for its jurisdiction.
10.3 Enhanced Protections. HeatSense shall not use data associated with users identified by the Customer as minors for targeted advertising, profiling for commercial purposes, or sale to third parties. Minors' data is subject to all default obfuscation protections in Section 5 and may not be subject to identity-visibility consent without additional written documentation of the basis for such access.
10.4 Additional Requirements. HeatSense applies the same data protection standards — including obfuscation, access controls, and encryption — to all Athlete Data regardless of the athlete's age. If the Customer's program is subject to additional minor-specific data handling requirements under applicable law or institutional policy that would affect platform configuration or operations, the Customer shall communicate those requirements to HeatSense in writing prior to acceptance of these terms.
10.5 Military Service Members. Where an athlete is an active-duty member, reservist, or participant in a federal military training program (including ROTC) subject to federal data handling obligations under the Uniformed Services Employment and Reemployment Rights Act (USERRA) or applicable Department of Defense regulations, nothing in this Agreement modifies or supersedes those federal obligations. The Customer is responsible for identifying athletes who are subject to such obligations and for ensuring that data collection and processing activities conducted through the Services are consistent with applicable federal military data requirements. HeatSense will cooperate reasonably with the Customer in connection with any such requirements upon written request.
11. FERPA & Student-Athlete Data
11.1 Applicability. The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, may apply to student-athlete data processed through the HeatSense platform when deployed by a school, college, or university that receives federal education funding. This Section sets out how the Parties address FERPA compliance.
11.2 De-Identification as Primary Compliance Mechanism. HeatSense's default name obfuscation under Section 6 is designed to satisfy FERPA's de-identification standard by removing or replacing all direct identifiers that could reasonably identify a student-athlete. Data that meets this standard is not an "education record" subject to FERPA restrictions. HeatSense's use of such de-identified data for algorithm training, product development, and benchmarking under Sections 7.3 and 9 is therefore outside the scope of FERPA. This is the primary mechanism by which the Parties address FERPA compliance in the ordinary course of platform operations.
11.3 Customer Consent Obligations for Identified Data. Where the Customer authorizes HeatSense to access identified student-athlete records pursuant to Section 6.1, the Customer is solely responsible for ensuring that such access complies with FERPA. The Customer represents and warrants that: (a) it has obtained all required written consents from eligible students or their parents (for students under 18) as required under FERPA and applicable state law before authorizing any access to identified records; (b) it has the authority under its own policies and applicable law to grant HeatSense access to student records for the educational and wellness purposes described in this Agreement; and (c) all such consents are documented and available for inspection upon request.
11.4 HeatSense Obligations. HeatSense shall: (a) use identified student-athlete records only as directed by the Customer and as permitted under this Agreement; (b) maintain de-identification by default and limit identified access to circumstances where the Customer has provided express written consent under Section 6.1; and (c) not disclose identified student-athlete records to any third party except as required by applicable law or as authorized in writing by the Customer.
11.5 Limitation. HeatSense does not independently verify FERPA compliance by the Customer and is not liable for a Customer's failure to obtain required student consents. The Customer's indemnification obligation in Section 4.5 extends to any FERPA-related claims arising from the Customer's failure to obtain required consents or to comply with applicable student privacy law.