Data Processing Addendum (DPA)
Version: 2026-03-24
Effective Date: April 24, 2026
This Data Processing Addendum ("DPA") supplements the CoachMate Terms of Service ("Agreement") and applies when Customer submits personal data to the CoachMate platform that is subject to applicable data protection laws.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable individual, as defined by applicable data protection laws.
- "Processing" means any operation performed on Personal Data (collection, storage, use, disclosure, deletion, etc.).
- "Controller" / "Business" means the party that determines the purposes and means of Processing.
- "Processor" / "Service Provider" means the party that Processes Personal Data on behalf of the Controller.
- "Data Protection Laws" means all applicable privacy and data protection laws, including CCPA/CPRA (California), COPPA (federal), and applicable state privacy laws.
2. Roles and Scope
Customer is the Controller/Business. Customer determines what Personal Data is submitted to CoachMate and for what purposes.
CoachMate is the Processor/Service Provider. CoachMate Processes Personal Data solely to provide the Service and as instructed by Customer, consistent with the Agreement.
3. CoachMate's Obligations
CoachMate will:
- (a) Process Personal Data only as necessary to provide the Service and as documented in the Agreement, this DPA, and Customer's reasonable instructions;
- (b) Not sell, share, or use Personal Data for any purpose other than providing the Service, including not using it for advertising, profiling, or cross-context behavioral targeting;
- (c) Implement and maintain reasonable technical and organizational security measures, including encryption in transit (TLS) and at rest, row-level security for multi-tenant data isolation, role-based access controls, rate limiting and bot protection, and regular security assessments;
- (d) Ensure that personnel with access to Personal Data are bound by confidentiality obligations;
- (e) Not engage additional subprocessors without listing them on the Subprocessor page and providing reasonable notice of changes;
- (f) Assist Customer in responding to data subject requests (access, deletion, correction, portability) within reasonable timeframes;
- (g) Notify Customer of confirmed Personal Data breaches without undue delay and in any event within 72 hours of confirmation, including the nature of the breach, categories and approximate number of affected individuals, likely consequences, and measures taken or proposed to address the breach;
- (h) Upon termination of the Agreement and upon Customer's written request, return or delete Personal Data within 30 days, except where retention is required by law;
- (i) Make available to Customer, upon reasonable request, information necessary to demonstrate compliance with this DPA.
4. Customer's Obligations
Customer will:
- (a) Ensure it has a lawful basis for submitting Personal Data to CoachMate;
- (b) Provide legally adequate privacy notices to individuals whose data is submitted;
- (c) Obtain all required consents, including verifiable parental consent for children under 13 (COPPA);
- (d) Not submit sensitive Personal Data (health information, SSNs, financial account numbers) except as specifically supported by the Service (e.g., medical information in waiver forms);
- (e) Promptly notify CoachMate of any data subject requests it cannot fulfill independently.
5. Subprocessors
Current subprocessors are listed at /subprocessors.html. CoachMate will provide at least 15 days' notice before adding a new subprocessor. If Customer objects to a new subprocessor, the parties will discuss alternatives in good faith. If no resolution is reached within 30 days, Customer may terminate the affected Service.
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Stripe | Payment processing | Names, emails, payment amounts, transaction data | United States |
| Supabase | Database, authentication, file storage | All platform data | United States (AWS) |
| SendGrid (Twilio) | Email delivery | Email addresses, names, email content | United States |
| Netlify | Website hosting, serverless functions | Request data, IP addresses | United States |
| Cloudflare | Bot protection (Turnstile) | IP addresses, browser data | Global CDN |
| Geoapify | Address validation | Address fields | Germany / EU |
6. International Data Transfers
CoachMate primarily Processes data in the United States. For transfers of Personal Data from outside the United States, CoachMate will provide appropriate data transfer mechanisms upon request.
7. CCPA/CPRA Specific Terms
For purposes of the CCPA/CPRA:
- CoachMate is a "Service Provider" as defined in Cal. Civ. Code § 1798.140(ag);
- CoachMate will not sell or share Personal Data;
- CoachMate will not retain, use, or disclose Personal Data for any purpose other than performing the Service;
- CoachMate will not combine Personal Data with data from other sources except as permitted to provide the Service;
- CoachMate certifies it understands and will comply with these restrictions.
8. Audit Rights
Customer may, upon 30 days' written notice and no more than once per year, request that CoachMate provide written responses to reasonable security and compliance questionnaires. If a questionnaire is insufficient, the parties will discuss alternative assurance mechanisms in good faith.
9. Term and Termination
This DPA is effective for the duration of the Agreement. Obligations regarding Personal Data (security, confidentiality, deletion/return) survive termination.
10. Conflict
In the event of a conflict between this DPA and the Agreement, this DPA governs with respect to Personal Data Processing.
11. Contact
For DPA inquiries: support@coachmatesports.com