Note: This is a template Data Processing Agreement. It is provided for informational purposes and should be reviewed by a qualified legal professional before use.
1. Parties
This Data Processing Agreement ("DPA") forms part of the agreement between:
- Data Controller: The subscribing organisation ("Academy", "you", "your") that has signed up for a Player Portal account.
- Data Processor: Player Portal, operated by JSL Sports Technology Ltd ("we", "us", "our"), provider of the Player Portal platform.
This DPA is incorporated into and subject to the Player Portal Terms & Conditions.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in the UK GDPR.
- "Processing" means any operation performed on Personal Data, including collection, recording, organisation, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
- "Data Subject" means the identified or identifiable person to whom the Personal Data relates, including players, parents, guardians, and coaching staff.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
3. Scope & Purpose of Processing
We process Personal Data solely for the purpose of providing the Player Portal platform to the Academy. This includes:
- Managing player registrations, enrolments, and attendance records
- Storing player profiles including name, date of birth, age group, and medical information
- Managing parent/guardian contact details and communications
- Processing payments and financial records via Stripe
- Generating progress reports and performance reviews
- Sending transactional emails (booking confirmations, progress reports, notifications)
- Providing analytics and reporting to Academy administrators
4. Categories of Personal Data
| Data Subject | Categories of Data |
|---|---|
| Players (Children) | Name, date of birth, age group, medical information, emergency contacts, attendance records, performance reviews, skill assessments, photographs (if uploaded) |
| Parents / Guardians | Name, email address, phone number, postal address, payment information (processed by Stripe), communication preferences |
| Coaches / Staff | Name, email address, phone number, role, qualifications, session records |
Special Category Data: Medical information provided for players is classified as special category data under UK GDPR. This data is processed with explicit consent from the parent/guardian and is necessary for the legitimate interest of safeguarding the child during sporting activities.
5. Processor Obligations
As Data Processor, Player Portal shall:
- Process Personal Data only on documented instructions from the Controller, unless required by law
- Ensure that persons authorised to process Personal Data have committed to confidentiality
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
  - Encryption of data in transit (TLS/SSL) and at rest
  - Row-level security (RLS) ensuring data isolation between organisations
  - Role-based access controls (admin, coach, parent)
  - Regular security updates and monitoring
  - Secure authentication via Supabase Auth with email verification
- Not engage another processor (sub-processor) without prior written authorisation from the Controller
- Assist the Controller in responding to Data Subject rights requests
- Delete or return all Personal Data upon termination of the agreement, at the Controller's choice
- Make available to the Controller all information necessary to demonstrate compliance with GDPR obligations
6. Sub-processors
The Controller authorises the use of the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication, file storage | EU (Frankfurt) / US |
| Vercel | Application hosting and deployment | Global (Edge) |
| Stripe | Payment processing | US / EU |
| Resend | Transactional email delivery | US |
Where sub-processors are located outside the UK, appropriate safeguards are in place (such as Standard Contractual Clauses or UK adequacy decisions) to ensure an adequate level of data protection.
7. Data Subject Rights
We will assist the Academy in fulfilling Data Subject rights requests, including:
- Right of access — providing copies of Personal Data held
- Right to rectification — correcting inaccurate data
- Right to erasure — deleting data when no longer necessary
- Right to restriction — restricting processing in certain circumstances
- Right to data portability — providing data in a structured, machine-readable format (JSON/CSV export)
- Right to object — ceasing processing where applicable
The Academy, as Data Controller, is responsible for responding to Data Subject requests. Player Portal will provide reasonable technical assistance within 5 working days of receiving a request from the Academy.
8. Data Breach Notification
In the event of a Data Breach, Player Portal shall:
- Notify the Academy without undue delay and in any event within 24 hours of becoming aware of the breach
- Provide the Academy with sufficient information to enable it to meet its obligations under Articles 33 and 34 of the UK GDPR, including:
  - The nature of the breach and categories of data affected
  - The approximate number of Data Subjects affected
  - The likely consequences of the breach
  - Measures taken or proposed to address the breach
- Cooperate with the Academy and take reasonable steps to mitigate the effects of the breach
9. Data Retention & Deletion
- Personal Data is retained for the duration of the Academy's active subscription.
- Upon termination or expiry of the subscription, the Academy may export all data via the platform's built-in export feature (JSON or CSV format).
- Following termination, Personal Data will be deleted within 30 days unless retention is required by applicable law.
- The Academy may request early deletion of specific records at any time by contacting Player Portal support.
- Anonymised and aggregated data (which cannot identify individuals) may be retained for analytical purposes.
10. Children's Data & Safeguarding
Player Portal recognises the sensitive nature of processing children's data and implements the following safeguards:
- Children's accounts are always linked to a parent/guardian account — children cannot create accounts independently
- Parental consent is obtained during registration for the processing of their child's data
- Medical information is only accessible to authorised Academy staff (admins and coaches)
- Player photographs and media are stored securely and only visible within the Academy's organisation
- Data minimisation principles are applied — only necessary data is collected
- The Academy remains responsible for obtaining and maintaining appropriate consent from parents/guardians
11. International Data Transfers
Where Personal Data is transferred outside the United Kingdom, Player Portal ensures that:
- Transfers are made to countries with an adequate level of protection as determined by the UK Secretary of State, or
- Appropriate safeguards are in place, such as the International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses
- All sub-processors maintain appropriate data protection certifications and agreements
12. Audit Rights
The Academy shall have the right to audit Player Portal's compliance with this DPA, subject to:
- Providing at least 30 days' written notice
- Audits being conducted during normal business hours
- The Academy bearing the costs of any audit
- Confidentiality obligations applying to all information obtained during the audit
Player Portal may satisfy audit requests by providing relevant compliance documentation, certifications, or reports from independent assessors.
13. Liability
Each party's liability under this DPA shall be subject to the limitations and exclusions set out in the main Terms & Conditions. Nothing in this DPA shall limit either party's liability for breaches of data protection law caused by its own negligence or wilful misconduct.
14. Term & Termination
- This DPA shall come into effect on the date the Academy creates a Player Portal account and shall remain in effect for the duration of the subscription.
- Obligations relating to data deletion, confidentiality, and cooperation shall survive termination.
- Either party may terminate this DPA if the other party materially breaches its obligations and fails to remedy the breach within 30 days of written notice.
15. Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
16. Contact
For any queries regarding this Data Processing Agreement or data protection matters, please contact:
Player Portal — Data Protection
Email: privacy@theplayerportal.net