Data Processing Agreement
Last updated: May 2026
This DPA is incorporated by reference into the VolleyTag Terms of Service. By using VolleyTag on behalf of an organisation, school, or club, the Data Controller agrees to the terms below.
1. Definitions
- “Controller” — the organisation, school, club, or individual coach using VolleyTag to enter and manage player data.
- “Processor” — VolleyTag (operated by its owner). The entity that stores and processes data on behalf of the Controller.
- “Personal Data” — any information relating to an identified or identifiable natural person entered into VolleyTag, including player names, jersey numbers, positions, and match performance statistics.
- “Processing” — any operation performed on Personal Data, including storage, retrieval, analysis, and deletion.
- “Applicable Law” — data protection legislation applicable to the Controller or Processor, including (where applicable) the EU GDPR, UK GDPR, Australian Privacy Act 1988, and US state privacy laws including CCPA.
2. Subject Matter and Duration
The Processor processes Personal Data on behalf of the Controller for the purpose of providing the VolleyTag volleyball match analysis service. Processing continues for the duration of the Controller's active subscription. On termination, data is retained for up to 30 days to allow export, then deleted.
3. Nature and Purpose of Processing
The Processor processes Personal Data solely to:
- Store player rosters and match tagging data entered by the Controller
- Generate statistics, efficiency charts, and analytics for the Controller's use
- Enable the Controller to export data in CSV or other supported formats
- Operate shared or public player profiles where the Controller has enabled this feature
The Processor will not process Personal Data for any purpose outside the scope above without the Controller's prior written consent, except where required by law.
4. Categories of Data and Data Subjects
Data subjects
Athletes (players) whose performance data is entered into VolleyTag by the Controller. Data subjects are not direct users of the service and have not entered into a direct relationship with the Processor.
Categories of personal data
- Name and jersey number
- Playing position
- Match performance statistics (attack attempts, kills, errors, serve, pass, block counts)
- Profile photo (if uploaded by the Controller)
VolleyTag does not collect special category data (health, biometric, genetic data) and the Controller must not enter such data into the service.
5. Controller Obligations
The Controller warrants that:
- It has a lawful basis to process the Personal Data it enters into VolleyTag (e.g. legitimate interests of a sports organisation, or consent from players / their guardians)
- Where players are under 18, it has obtained appropriate parental or guardian consent before entering their data
- It has provided relevant data subjects with appropriate privacy notices informing them their data is stored in VolleyTag
- It will only enter data that is accurate and limited to what is necessary for sports performance analysis
6. Processor Obligations
The Processor agrees to:
- Process Personal Data only on documented instructions from the Controller (as specified in these terms and the main Terms of Service)
- Ensure personnel with access to Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (see Section 8)
- Assist the Controller in responding to data subject rights requests (access, rectification, erasure) within a reasonable timeframe
- Notify the Controller without undue delay — and in any event within 72 hours — of becoming aware of a Personal Data breach affecting the Controller's data
- Delete or return all Personal Data on termination of the agreement, unless retention is required by law
- Make available to the Controller information reasonably necessary to demonstrate compliance with this DPA
7. Sub-processors
The Controller grants general authorisation to engage the following sub-processors. The Processor will notify the Controller of any intended changes to this list, allowing the Controller a reasonable period to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | US (AWS us-east-1) |
| Vercel | Application hosting and edge delivery | US / Global edge |
| Stripe | Payment processing (account holder data only — no player data) | US |
8. Security Measures
The Processor maintains the following measures to protect Personal Data:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 via Supabase infrastructure)
- Row-level security policies ensuring users can only access their own data
- Authentication via Google OAuth — no passwords stored by VolleyTag
- Access to production systems restricted to the Processor's authorised personnel
- Regular dependency and security patch review
9. Data Subject Rights
The Controller is the primary point of contact for data subjects exercising their rights (access, rectification, erasure, portability). The Processor will assist the Controller in fulfilling such requests. Where a data subject contacts the Processor directly, the Processor will redirect them to the Controller unless the Controller is unable or unwilling to respond, in which case the Processor will respond directly within the timeframes required by Applicable Law.
10. International Data Transfers
Personal Data may be transferred to and stored in the United States via the Processor's sub-processors (Supabase, Vercel). Where the Controller is subject to GDPR or UK GDPR, such transfers are made under the sub-processors' own Standard Contractual Clauses or equivalent transfer mechanisms. Controllers based in Australia should note that US-based storage is disclosed under APP 8 of the Australian Privacy Act.
11. Term and Termination
This DPA remains in effect for as long as the Processor processes Personal Data on behalf of the Controller. On termination of the Controller's VolleyTag account, the Processor will delete all associated Personal Data within 30 days, except where retention is required by law. The Controller may export their data at any time via the CSV export feature prior to account deletion.
12. Limitation of Liability
Each party's liability under this DPA is subject to the limitations set out in the VolleyTag Terms of Service. This DPA does not expand either party's liability beyond those limits.
13. Governing Law
This DPA is governed by the same law as the VolleyTag Terms of Service. Where a Controller is subject to GDPR, the parties agree that this DPA satisfies the requirements of Article 28 of the GDPR.
14. Contact
To execute a countersigned copy of this DPA, request audit information, or raise a data protection concern, please use the feedback option within the app or email us directly.