1. Parties and Roles

Controller: The coach (or organisation) using LVL·UP to record information about their players.

Processor: LVL·UP Tennis ("LVL·UP", "we", "us"), providing the LVL·UP coaching planner Service.

LVL·UP processes personal data on behalf of the Controller as defined in Article 4(8) of the GDPR. The Controller determines the purposes and means of processing; LVL·UP processes only on documented instructions of the Controller, which are expressed through the Service's normal use.

2. Subject Matter and Duration

Subject matter: Processing of personal data relating to the Controller's players, for the purpose of providing the LVL·UP coaching planner Service.

Duration: For as long as the Controller's LVL·UP account is active, plus a maximum of 30 days following account deletion (during which data is removed from production systems and any remaining backups).

3. Nature and Purpose of Processing

• Storage and retrieval of player profiles, session notes, programme plans, and (for players the Controller has confirmed as 18 or over) injury and return-to-play records.
• Cross-device synchronisation of the Controller's coaching data.
• Generation, on the Controller's explicit request, of AI-drafted milestone text via the Anthropic API. No automatic AI processing occurs.

4. Categories of Data Subjects and Personal Data

5. Sub-Processors

LVL·UP engages the sub-processors listed in Section 4 of the Privacy Policy, namely:

• Supabase (EU-hosted) — authentication and primary database
• Lemon Squeezy (US, merchant of record) — payment processing
• Anthropic (US) — AI text generation, only when the Controller explicitly requests it
• Netlify (US) — hosting and API proxy
• Google Fonts (US) — font delivery (IP address only)
• jsdelivr (global CDN) — JavaScript library delivery (IP address only)

The Controller hereby authorises LVL·UP to engage these sub-processors. LVL·UP will give the Controller at least 30 days' notice of any new sub-processor (via email to the Controller's account email and via update to the Privacy Policy); the Controller may object on reasonable grounds, in which case the parties will discuss resolution in good faith. LVL·UP remains liable to the Controller for the acts and omissions of its sub-processors.

6. International Transfers

Where personal data is transferred outside the EEA, the UK, or Switzerland (for example to sub-processors located in the United States), the transfer is governed by the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum, in each case as concluded between LVL·UP and the relevant sub-processor. Copies of these are available from each sub-processor's public privacy or trust pages, linked in Section 4 of the Privacy Policy.

7. Security Measures

LVL·UP implements technical and organisational measures appropriate to the risk, including:

• Encryption in transit (HTTPS/TLS for all client-server communication)
• Encryption at rest at the database layer (Supabase managed)
• Authentication via Supabase Auth with email verification
• Application-level access control — each coach can only access their own coaching data
• Structural prevention of injury and health data processing for under-18 players
• Explicit user-triggered (not automatic) AI processing with in-app warnings against entering identifying or health data

8. Personal Data Breach

LVL·UP will notify the Controller, without undue delay and where feasible within 72 hours of becoming aware, of any confirmed personal data breach affecting the Controller's data. Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address it. Notifications are sent to the Controller's account email; the Controller is responsible for ensuring that address is current.

9. Assistance with Data-Subject Requests

If the Controller receives a request from a data subject (for example, a player or a player's parent or guardian) to exercise rights under the GDPR or UK GDPR — including rights of access, rectification, erasure, restriction, portability, or objection — LVL·UP will, taking into account the nature of processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller's obligation to respond. The Controller can email hello@lvluptennis.com for assistance.

10. Data Return and Deletion

On termination of the Service (whether by the Controller deleting their account or LVL·UP discontinuing the Service):

• The Controller may export their coaching data in standard formats before deletion.
• LVL·UP will delete or anonymise the Controller's personal data within 30 days, except where retention is required by law (for example, tax records retained by the payment sub-processor).
• Sub-processors are instructed to delete in line with their own data-retention obligations.

11. Audit and Information

LVL·UP will make available to the Controller, on reasonable request and at reasonable intervals (no more than once per year unless required by a supervisory authority), information necessary to demonstrate compliance with this DPA. The parties may agree, on request, to a written audit by an independent third party at the Controller's cost.

12. Liability and Indemnity

Each party's liability under this DPA is governed by the limitation-of-liability provisions in the Terms of Service. Nothing in this DPA limits either party's statutory liability to data subjects or to a supervisory authority.

13. Term, Governing Law and Variation

This DPA takes effect when the Controller accepts the Terms of Service and ends with the Controller's account. It is governed by the same law and jurisdiction as the Terms of Service. LVL·UP may update this DPA from time to time; material changes will be notified at least 30 days in advance via the Controller's account email.

14. Records of Processing Activities (Article 30(2) GDPR)

Article 30(2) GDPR requires processors to maintain written records of all categories of processing activities carried out on behalf of controllers. This DPA and the processing descriptions in Sections 3–7 above constitute LVL·UP's Article 30(2) Record of Processing Activities (RoPA). The RoPA records:

• Processor identity: LVL·UP Tennis — hello@lvluptennis.com
• Categories of processing: as set out in Section 3
• Data subjects and personal data categories: as set out in Section 4
• Sub-processors and recipients: as set out in Section 5
• International transfers and safeguards: as set out in Section 6
• Technical and organisational security measures: as set out in Section 7

LVL·UP will make this record available to any competent supervisory authority on request, in accordance with Article 30(4) GDPR. The SME exemption under Article 30(5) does not apply, as LVL·UP processes personal data of children and, where applicable, special-category data.

15. Data Protection Impact Assessment (Article 35 GDPR)

GDPR Article 35 requires a Data Protection Impact Assessment (DPIA) before processing that is likely to result in a high risk to individuals. LVL·UP's processing meets the criteria for a mandatory DPIA under EDPB guidelines: it involves personal data of children, AI processing via a third-country API (Anthropic, US), use of new technologies, and international transfers to US-based sub-processors.

LVL·UP has completed a DPIA (Version 1.0, June 2026) covering all processing operations described in this DPA — including children's data, the AI Milestone feature (Anthropic transfer), special-category health data, and the US sub-processor chain. The published public summary is available at /dpia. The DPIA will be reviewed and updated annually and whenever a material change to the processing operations occurs. The full internal version is available to competent supervisory authorities on request to hello@lvluptennis.com.

16. Contact

For all DPA-related matters, including signed-copy requests, sub-processor objections, breach notifications, and data-subject assistance: email hello@lvluptennis.com.