When you create a team on the Club plan, you're setting up a workspace where you (or your club) decide which athlete data is collected, why it's collected, and how long it's kept. Under UK and EU data-protection law that makes you the data controller. Planner.coach hosts and processes that data on your instructions, which makes Planner.coach the data processor.
GDPR Article 28 requires those two parties to have a written contract in place. The Data Processing Agreement (DPA) is that contract.
Why you're being asked to accept it
The first time you open Team Settings as a Club-tier owner after this feature shipped, a banner appears asking you to read and accept the DPA. The banner stays in place until you accept -- you can still use the rest of the workspace, but the gate is there to make sure no Club owner can quietly skip past a contract their data-protection regime requires them to have.
Only the team owner is asked to accept. Members you invite (admins, coaches, assistants, viewers) inherit the agreement through the workspace; they don't need to accept it themselves.
You can read the full text any time at planner.coach/dpa. It's also linked from the Privacy Policy and the Terms of Service.
What the DPA covers
The agreement is intentionally narrow -- it only covers Planner.coach's role as a processor of athlete data on your behalf. In summary it says:
- What we process and why. Athlete profiles, parental-consent records, session and measurement data, billing identifiers -- processed solely to provide the Planner.coach service to you.
- Who else touches it. A list of sub-processors we use to run the platform: Supabase (database hosting), Resend (transactional email), Stripe (billing), Netlify (compute and CDN), Anthropic (AI coach -- only the prompt content you choose to send). We give notice before adding new sub-processors.
- How long we keep it. Athlete personal data follows the six-year retention rule unless you delete it earlier; on account closure, data is removed in line with the same window.
- What we do if there's a breach. Notification to you without undue delay, with the information you'd need to decide whether to escalate to a regulator.
- Help with data-subject requests. When a guardian asks you for access, correction, or erasure, we provide the tools -- profile export, hard-delete on the athlete profile, audit log -- and operational help if you need it.
- Security measures. Encryption at rest of personal fields, encryption in transit, account isolation at the database level, and the controls described on the data-security page.
- What happens at the end. On termination, we either return your data in a portable format or delete it, at your choice.
The COPPA carve-out is called out separately: for US-resident athletes under 13, federal law gives Planner.coach a non-delegable obligation to delete on guardian request. That's reflected in the DPA and in the parental-consent revoke flow.
What it doesn't cover
The DPA is a processor agreement -- it doesn't replace the Terms of Service or the Privacy Policy, which still apply.
It also doesn't speak for the controller side. Your own privacy notice to athletes and guardians, your lawful basis for processing, your record-of-processing under Article 30 -- those are all your responsibility as controller. The DPA can't fill those gaps; it just makes sure that on the platform side, Planner.coach is operating under terms compatible with your obligations.
Updates
If we materially change how data is processed -- a new sub-processor, a change in retention, a new region -- we'll notify team owners by email and ask for re-acceptance where required. Cosmetic changes (typos, formatting) don't trigger a new acceptance.
Frequently asked questions
Do solo coaches on the Pro plan need to accept this?
No. The DPA gate only applies to Club-tier team owners. Pro plan coaches working in a personal workspace are covered by the existing Terms of Service and Privacy Policy.
Can I get the DPA as a signed PDF for our club's records?
You can print or save the page at /dpa -- the acceptance timestamp and your account identifier are recorded server-side, and we can produce a confirmation on request. If your club's safeguarding lead or DPO needs a counter-signed version on letterhead, get in touch and we'll arrange it.
What if I'm not sure whether to accept?
The DPA is required to operate a Club workspace under UK and EU data-protection law -- it isn't an optional add-on. If something in the wording concerns you, please flag it before accepting; we'd rather have the conversation than have you accept something you're uncomfortable with.
Does this make Planner.coach the controller for our athletes?
No. The DPA explicitly fixes Planner.coach as the processor and you (or your club) as the controller. The only narrow exception is the COPPA case for US-resident athletes under 13, where the law puts a direct obligation on Planner.coach as the platform operator.
Related
- Setting Up a Team -- The workspace creation flow that the DPA banner appears in.
- Teams Overview -- What a team workspace is and how it differs from a personal workspace.
- Parental Consent -- Consent collection and the revoke flow, including the COPPA carve-out.
- Data Security and Retention -- Encryption, retention, hard-delete, and the audit log.