Data Processing Agreement
Last updated: April 10, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the organisation subscribing to a Padelio Club or Club Pro plan (the "Controller") and CodeCore, KVK 99831562 ("Padelio", the "Processor"). It governs the processing of personal data that Padelio carries out on behalf of the Controller under Regulation (EU) 2016/679 ("GDPR").
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed by Padelio on behalf of the Controller through the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure, or destruction.
- "Sub-processor" means any third party engaged by Padelio to process Personal Data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Supervisory Authority" means the independent public authority responsible for monitoring the application of the GDPR.
2. Scope and Purpose
Padelio processes Personal Data solely to provide the Service as described in the Terms of Service. This includes managing organisation profiles, memberships, tournament and league operations, venue management, and related communications. The Controller determines the purposes and means of processing; Padelio acts only on documented instructions from the Controller.
3. Data Categories
The following categories of Personal Data may be processed under this DPA:
- Organisation member names, email addresses, and profile information
- Player names, skill levels, and match participation records
- Tournament and league results, scores, and statistics
- Venue addresses and booking information
- Communication data (invitations, notifications)
- Audit log data (actions performed, timestamps, IP addresses)
4. Sub-processors
Padelio engages the sub-processors listed on our Sub-processor List page. The Controller consents to the engagement of these sub-processors. Padelio will notify the Controller at least 30 days before adding or replacing a sub-processor. If the Controller objects to a new sub-processor on reasonable grounds related to data protection, Padelio will use reasonable efforts to make available an alternative arrangement. Padelio ensures that each sub-processor is bound by data protection obligations no less protective than those in this DPA.
5. Security Measures
Padelio implements and maintains appropriate technical and organisational measures to protect Personal Data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls with role-based permissions and the least-privilege principle
- Regular security assessments and vulnerability scanning
- Logging and monitoring of access to Personal Data
- Secure software development practices
- Employee confidentiality obligations and data protection training
6. Data Subject Rights
Padelio will assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR (access, rectification, erasure, portability, restriction, and objection). Padelio will promptly notify the Controller of any request received directly from a Data Subject and will not respond to such requests without the Controller's prior authorisation, unless legally required to do so.
7. Breach Notification
Padelio will notify the Controller without undue delay after becoming aware of a Personal Data breach. The notification will include the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
8. Audit Rights
The Controller may audit Padelio's compliance with this DPA once per calendar year, with 30 days' prior written notice. Audits will be conducted during normal business hours and will not unreasonably interfere with Padelio's operations. Padelio will cooperate with audits and provide access to relevant documentation, systems, and personnel. The Controller bears the cost of any audit.
9. International Transfers
Padelio stores primary data within the European Economic Area (EEA). Where Personal Data is transferred outside the EEA, Padelio ensures appropriate safeguards are in place, including EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or an adequacy decision by the European Commission. Details of transfer mechanisms for each sub-processor are available on the Sub-processor List page.
10. Termination and Data Return
Upon termination of the Controller's subscription or this DPA, Padelio will, at the Controller's choice, return or delete all Personal Data processed on behalf of the Controller within 30 days. The Controller may request its data in a machine-readable format at any time during the subscription period. After the 30-day post-termination period, Padelio will delete all remaining Personal Data unless retention is required by applicable law.
11. Governing Law
This DPA is governed by the laws of the Netherlands. Any disputes arising under this DPA will be submitted to the competent courts in the Netherlands, without prejudice to the Data Subject's right to lodge a complaint with a Supervisory Authority or to seek a judicial remedy in the Member State where the Data Subject habitually resides.