Data Processing Agreement

Last updated: May 2, 2026

This Data Processing Agreement ("DPA") forms part of, and is governed by, the Terms of Service between you (the "Coach" or "Customer") and HJ Digital, the operator of Planner.coach ("Planner.coach", "we", "us", "our"), a company registered in Wales, United Kingdom. It applies whenever you use Planner.coach to enter, store, or share athlete personal data.

This DPA is the contract required by Article 28 of the UK GDPR (and the equivalent EU GDPR provision where it applies) between you, as the data controller for athlete personal data, and us, as the data processor.

1. Roles

You are the data controller of athlete personal data you enter into Planner.coach. You decide which athletes are recorded, what fields are captured, what consent is collected, who else has access via your team, and when records are removed.

Planner.coach is your data processor for that data. We process athlete personal data only on your documented instructions — the instructions being the ordinary product features (storing profiles, sending consent emails on your behalf, generating reports you have requested, and similar). We do not use athlete personal data for any other purpose.

For our own data — your account, billing, and platform usage — we are the data controller. That processing is described in our Privacy Policy.

For US-resident athletes under the age of 13, the operator-direct deletion obligation under COPPA is not delegable to a processor. In that narrow case Planner.coach takes on a parallel direct relationship with the guardian and will action a guardian's revoke/erasure request itself, in addition to the controller-side erasure obligation that remains with you. See Section 9 below.

2. Subject Matter, Duration, Nature and Purpose

  • Subject matter: the processing of athlete personal data by Planner.coach in order to provide the Service to you.
  • Duration: for as long as your account is active, plus the retention windows in Section 11. On termination we follow the return / deletion obligations in Section 12.
  • Nature: hosting and structured storage of athlete records; sending transactional and consent emails to addresses you supply; generating reports (PDFs, summaries) on your request; processing chat messages through the AI coaching assistant when you choose to use it.
  • Purpose: to provide the Planner.coach service to you; no secondary commercial use.
  • Categories of data subjects: athletes (including minors), their guardians, and, where you choose to record this, guardians' relatives.
  • Categories of personal data: name, contact details, date of birth, jersey/position information, attendance, performance metrics, training notes, photo/video consent preferences, parental consent records (including IP address and user-agent for digital paths), guardian contact details, and any uploaded scans of consent forms.
  • Special-category data: medical notes you choose to enter, and information about minors (covered by UK GDPR Article 8 / Children's Code rather than Article 9, but treated with equivalent care).

3. Your Instructions

We process athlete personal data only on your documented instructions as set out in this DPA, the Terms of Service, the Privacy Policy, and the configuration choices you make in the product. If you ask us to do something that we believe contravenes data protection law, we will say so and will not action the request.

Where law requires us to process beyond your instructions (for example, a binding legal order), we will inform you of that legal requirement before processing — unless the law itself prohibits us from doing so on important grounds of public interest.

4. Sub-processors

You authorise us to engage the following sub-processors to provide the Service. Each is bound by data-protection terms substantively equivalent to this DPA.

  • Supabase Inc. — managed Postgres database hosting and authentication. Athlete personal data is stored in their Postgres clusters; sensitive fields (date of birth, medical notes, email, phone, emergency contacts, guardian details) are encrypted at rest at the column level using AES with a key held in a separate vault.
  • Resend, Inc. — transactional email delivery. Receives only the recipient email address, the email subject / body, and any attached PDFs you have asked us to email.
  • Stripe, Inc. — payment processing for your subscription. No athlete personal data is sent to Stripe; Stripe receives only your billing details.
  • Anthropic PBC — provides the AI coaching assistant. When you use the assistant, your messages, conversation history, and the related coaching context (sessions, activities, training programs) are sent for processing. If you mention an athlete by name, that name is processed by Anthropic. Anthropic does not use this data to train its models.
  • Netlify, Inc. — web hosting and serverless function execution. Acts on data only in transit; does not retain athlete personal data outside transient logs that are scrubbed of PII.
  • Sentry / Functional Software, Inc. — error tracking. Athlete PII is suppressed from Sentry events by our server-side scrubbers; only error metadata reaches Sentry.

We may add or replace sub-processors. Material changes will be announced via email at least 14 days in advance, giving you the chance to object. If you object on reasonable data-protection grounds and we cannot resolve the issue, you may terminate the affected portion of the Service for a pro-rata refund of pre-paid subscription fees.

5. Confidentiality

Personnel with access to athlete personal data are bound by written confidentiality obligations and receive data-protection training proportionate to their role.

6. Security Measures

We maintain a layered set of technical and organisational security measures designed to ensure a level of security appropriate to the risk. These include:

  • TLS encryption of all in-transit traffic.
  • Column-level AES encryption at rest for athlete date of birth, medical notes, contact details, emergency contacts, and guardian contact details — with the key held in a separate vault, rotatable, and verified daily by an automated encrypt/decrypt round-trip probe.
  • Row-level security on every database table so that one user cannot read another user's (or another team's) data even if the application layer is bypassed.
  • A strict Content Security Policy header set to mitigate XSS and content-injection risks.
  • Append-only audit logs for high-stakes actions (athlete erasure, team membership changes, consent recording / revocation).
  • Principle-of-least-privilege for staff access, with logging of administrative actions.

No system is perfectly secure, but we will keep these measures under review and update them as the threat environment and the state of the art evolve. Material additions will be reflected in this DPA's "Last updated" date.

7. Personal Data Breach Notification

On becoming aware of a personal data breach affecting athlete personal data we process on your behalf, we will:

  • Notify you without undue delay, and in any event within 48 hours of becoming aware, by email to the address on file for your account.
  • Provide the information you need to discharge your own controller notification obligations (nature of the breach, categories and approximate volume of data subjects and records affected, likely consequences, and the measures we have taken or propose).
  • Cooperate with your reasonable investigation and remediation steps.

Notification under this Section 7 does not constitute an admission of fault or liability.

8. Assistance with Data-Subject Rights

Where an athlete (or their guardian) exercises a right under the UK GDPR — access, rectification, erasure, restriction, portability, objection — the request is, in the first instance, addressed to you as controller. We provide tools that let you action these requests directly:

  • The athlete profile page lets you view and edit the personal data we hold for an athlete.
  • The Delete athlete action on the athlete profile performs an Article 17 erasure (PII columns wiped, related records cascaded, compliance audit row written).
  • The Export My Data feature in account settings produces a machine-readable export of your data and the athlete data you control.
  • Consent records are visible on the athlete profile and can be revoked from there or by the guardian themselves via their email link.

If a request reaches us first (for example, a guardian emails support directly), we will route the request to you as the controller and notify you, unless the request relates to the COPPA carve-out in Section 9.

9. COPPA Carve-out (US under-13 athletes)

The US Children's Online Privacy Protection Act (COPPA) places deletion obligations on the operator of a service that knowingly collects personal information from children under 13. That operator-direct obligation is not delegable to a processor. Accordingly, where (a) an athlete record is associated with the country code US and (b) the athlete is under 13 at the time of revocation, our system will delete the child's personal data within the same transaction as a guardian's self-revoke via the consent-workflow link.

This is in addition to your own controller-side obligation to action erasure across any other systems where you hold a copy of the athlete's data (paper rosters, shared spreadsheets, messaging apps, and so on).

10. International Data Transfers

Athlete personal data is hosted on US-region infrastructure operated by Supabase. Where this requires a transfer of UK or EU personal data outside the UK / EEA, we rely on the UK International Data Transfer Agreement (UK IDTA) and the equivalent EU Standard Contractual Clauses, supplemented as required by applicable transfer-impact assessments.

Sub-processors that act on data only in transit (for example, email delivery and error tracking) operate under their own adequacy mechanisms or SCCs, summarised in their published privacy documentation.

11. Retention

We retain athlete personal data for as long as you keep an active athlete record on your account. The default automated-retention thresholds (currently 6-year inactivity, 14-day warning, 3-day reminder, 7-year minimised-form consent retention) are described in Section 7 of our Privacy Policy and are an integral part of this DPA.

12. Return or Deletion on Termination

On termination of the Service or written request from you, we will, at your choice and at no additional charge:

  • Make the athlete personal data we hold available to you for export (via the Export My Data feature, plus any direct DB extract reasonably requested for migrations) for a window of 30 days after termination; or
  • Delete the athlete personal data we hold, retaining only the minimised compliance records described in Section 11 and any billing records we are required to keep under tax law.

We will provide written confirmation of completion of the chosen action.

13. Audits

On reasonable written request and not more than once per twelve months (more often where a personal-data breach has occurred or the law requires) we will provide you with the information reasonably necessary to demonstrate compliance with this DPA. Customers on our Club tier may also request a remote walk-through of our security controls; on-site audits are by mutual agreement.

14. Liability

Each party's liability under this DPA is governed by the liability provisions of the Terms of Service. Nothing in this DPA excludes or limits a party's liability under applicable data-protection law.

15. Changes

We may update this DPA from time to time to reflect changes in the Service, our sub-processors, or applicable law. Material changes will be communicated via email at least 14 days before they take effect; continued use of the Service after the effective date constitutes acceptance of the revised DPA.

16. Contact

Questions about this DPA, or notifications under Sections 4 or 7, can be sent to support@planner.coach.

HJ Digital
Wales, United Kingdom