Data Processing Agreement
1. Parties & roles
- Processor:Levelup360HQ Ltd ("LU360"), the provider of the platform.
- Controller:the club, academy, or organisation that holds an LU360 account and enters or manages personal data through it ("the Club").
This agreement ("DPA") applies whenever LU360 processes personal data on behalf of the Club and is incorporated into the Terms between LU360 and the Club. For personal data where LU360 determines its own purposes (for example, running and securing the service itself), LU360 acts as an independent controller under its Privacy Policy.
2. Subject matter, duration, nature & purpose
- Subject matter: provision of the LU360 youth athlete development platform.
- Duration: for as long as the Club has an account, plus the deletion / return period in Section 9.
- Nature & purpose: hosting, storage, organisation, retrieval, display, and transmission of member data so the Club can track athlete development, run events, communicate with parents, and administer memberships and payments.
3. Categories of data subjects & personal data
Data subjects:the Club's athletes (children and young people), their parents / guardians, and the Club's coaches and administrators.
Personal dataprocessed on the Club's instructions includes: names, dates of birth, contact details, roles, athlete attributes and positions, optional photographs, match appearances and statistics, attendance and RSVPs, coach notes, gameplay-derived data (XP, tiers, badges), messages, and — where the Club uses billing — payment status metadata. Card and bank details are handled directly by our payment processor and are not stored by LU360. A fuller inventory is in our Privacy Policy.
The Club must not instruct LU360 to process special-category data beyond what the platform is designed for. Some information a Club may add (for example free-text medical or dietary notes) can be special-category data; the Club is responsible for having a lawful basis and appropriate condition for it.
4. LU360's obligations as processor
Under Article 28 UK GDPR, LU360 will:
- Process only on documented instructionsfrom the Club — the Terms, this DPA, and the Club's use of the platform's features are those instructions — unless required by law (in which case we notify the Club unless the law prohibits it).
- Confidentiality — ensure people authorised to process the data are under a duty of confidence.
- Security — implement appropriate technical and organisational measures under Article 32 (see Section 7).
- Sub-processors — engage only the sub-processors listed in Section 6, under written terms imposing equivalent obligations, and give the Club prior notice of any intended change so it can object.
- Assist with data-subject rights — provide tools (in-app data export and deletion) and reasonable help so the Club can respond to access, rectification, erasure, restriction, portability, and objection requests.
- Assist with compliance — help the Club with data protection impact assessments, breach handling, and consultations with the ICO, taking into account the nature of processing and the information available to LU360.
- Breach notification— notify the Club without undue delay after becoming aware of a personal data breach affecting the Club's data, with the information the Club needs to meet its own 72-hour reporting duty.
- Deletion or return— at the end of the service, delete or return the Club's personal data as set out in Section 9.
- Audit — make available the information needed to demonstrate compliance and allow for reasonable audits (see Section 8).
5. The Club's obligations as controller
- Ensure it has a lawful basis for the data it collects, including parental consent for children under 13 under Article 8 GDPR.
- Provide appropriate privacy information to its members.
- Give LU360 only lawful, accurate instructions, and not use the platform for data or purposes it isn't designed for.
- Manage who at the Club has admin/coach access, and remove access promptly when someone leaves.
- Appoint and operate its own safeguarding function (see our Safeguarding Policy).
6. Sub-processors
LU360 uses the following sub-processors to deliver the service. Each is bound by written terms and processes data only on LU360's instructions.
- Supabase (EU — Frankfurt) — database, authentication, file storage.
- Vercel (US, with EU edge) — application hosting.
- Resend (US) — transactional email delivery.
- Stripe (US/EU) — payment processing, where the Club uses billing. Stripe acts as an independent controller for payment data it collects directly.
- PostHog (EU) — anonymous product analytics (UUID only, no name/email).
- Sentry (EU) — error monitoring, with PII stripped before sending.
- Browser push services (Google, Apple, Mozilla, Microsoft) — encrypted delivery of push notifications, where enabled.
We give notice of intended additions or changes to this list. If the Club reasonably objects to a new sub-processor on data-protection grounds, the Club may raise it with us before the change takes effect.
7. Security measures
Taking account of the state of the art and the risks — especially that this is children's data — LU360 maintains measures including:
- Encryption in transit (TLS) and at rest (Postgres).
- Passwords hashed by Supabase Auth; short-lived magic-link tokens.
- Row-level security enforcing per-club data isolation (tenants cannot read each other's data).
- Least-privilege, limited, and audited access to production systems.
- Audit logging of significant actions and of staff "view as" access.
- Automated database backups (retained up to 7 days) and a storage backup routine.
- Continuous error and anomaly monitoring.
8. Audit
On reasonable written request and no more than once a year (unless required by a supervisory authority or following a breach), LU360 will provide information reasonably necessary to demonstrate compliance with this DPA. Audits must respect the security and confidentiality of other clubs' data and LU360's systems.
9. Return & deletion
- The Club can export its data from the platform while the account is active.
- On termination, LU360 will, at the Club's choice, delete or return the Club's personal data, save where retention is required by law.
- Residual copies in backups roll off automatically within the backup retention window (up to 7 days) and remain protected until then.
10. International transfers
The Club's data is stored in the EU (Frankfurt). Where a sub-processor involves a transfer outside the UK / EEA (for example US-based hosting edge or email delivery), that transfer is covered by an appropriate safeguard such as the UK International Data Transfer Addendum or Standard Contractual Clauses.
11. Liability & precedence
This DPA forms part of, and is subject to, the Terms between LU360 and the Club, including any limitations of liability there. If there is a conflict between this DPA and the Terms on the processing of personal data, this DPA prevails.
12. How this is agreed
This DPA is accepted as part of Club onboarding and the LU360 Terms. A Club that requires a countersigned copy or its own DPA form can request one at privacy@levelup360hq.com.
13. Contact
Data protection queries: privacy@levelup360hq.com, Levelup360HQ Ltd (United Kingdom).