Organisation. LVL·UP Tennis is a sole-trader / small-business operator of the LVL·UP coaching planner, a Progressive Web Application (PWA) available at lvluptennis.com.
The Service. LVL·UP is a B2B SaaS tool designed for individual tennis coaches. Coaches subscribe to manage session plans, player rosters, 12-week training programmes, an injury log, a performance-test tracker, and a drill library. All functional data is stored in a Supabase (EU-hosted) database and synced across the coach's devices. The Service is built as a single-page HTML/JavaScript application, hosted on Netlify.
Platform roles. The coach is the subscribing customer and the data controller for the personal data they enter about their players. LVL·UP is the data processor for that player data, and the data controller for the coach's own account data. This dual-role structure is documented in the Data Processing Addendum.
User base. LVL·UP accounts are restricted to adults (18 or over). Children do not hold LVL·UP accounts and do not interact directly with the Service. However, coaches routinely add player profiles for under-18 (and potentially under-13) athletes, making the handling of children's personal data a material consideration for this assessment.
Geographic scope. The Service is available globally. Coaches are predominantly located in the EU, UK, Canada, United States, Australia, and New Zealand. The Privacy Policy and Terms of Service acknowledge applicable frameworks including EU/UK GDPR, PIPEDA, the Australian Privacy Act, POPIA, DPDPA, and US state privacy laws.
Article 35(1) GDPR requires a DPIA where processing is "likely to result in a high risk to the rights and freedoms of natural persons". The EDPB's Guidelines on DPIAs (WP248) identify nine criteria; if two or more are met, a DPIA is mandatory. LVL·UP's processing meets the following criteria:
| EDPB Criterion | Met? | Basis |
|---|---|---|
| Vulnerable data subjects | Yes | Coaches routinely add profiles for under-18 players, including potentially under-13. Children are an explicitly protected vulnerable category under GDPR. |
| Special category data (Art. 9) | Yes | The injury and return-to-play log processes health data, which is special category data under Art. 9(1). Processing is restricted to adult (18+) confirmed players in v1, but the infrastructure supports it. |
| New technology | Yes | The "AI Draft Milestone" feature transmits coaching content to Anthropic's generative AI API — a new and evolving technology with uncertain risk profile for personal data. |
| International transfers to third countries | Yes | Personal data is transferred to US-based sub-processors (Anthropic, Netlify, Lemon Squeezy) and global CDN providers (Google Fonts, jsdelivr); an EU adequacy decision does not cover the US transfer in every case. |
| Systematic monitoring | Partial | Session logs, performance test results, and injury records constitute ongoing systematic monitoring of athletes' professional development and physical condition. |
| Large-scale processing of sensitive data | Potential | As the Service scales, the volume of player health records across multiple coaches could constitute large-scale special-category processing. |
Four of the nine criteria are fully met; two are partially met. A DPIA is therefore mandatory under Art. 35(1) and the EDPB's supplementary guidance, and this document fulfils that obligation.
The following seven processing operations are assessed. Each operation is described by its data subjects, personal data categories, legal basis, purpose, retention period, and recipients.
| Field | Detail |
|---|---|
| Data subjects | The subscribing coach |
| Personal data | Email address, account preferences (e.g. theme, club name), trial-start timestamp, subscription tier |
| Source | Directly from the coach at registration and via in-app settings |
| LVL·UP role | Data controller |
| Legal basis | Art. 6(1)(b) — performance of a contract (the Terms of Service) |
| Purpose | Authentication, account management, subscription billing coordination, service notifications |
| Retention | Account lifetime plus a maximum of 30 days following account deletion |
| Recipients | Supabase (auth & database), Lemon Squeezy (billing email), Netlify (hosting/logging) |
| Field | Detail |
|---|---|
| Data subjects | Players of all ages added by the coach |
| Personal data | Name, age group/indicator (e.g. U14, Senior), playing hand, UTR or playing level, squad/group name, coaching notes and focus areas, session logs (date, session rating, coach notes), performance test results |
| Source | Entered by the coach; players do not interact directly with the Service |
| LVL·UP role | Data processor on behalf of the coach (data controller) |
| Legal basis (processor) | Art. 6(1)(b) — provision of the service to the coach under contract |
| Legal basis (coach as controller) | Coach must have a lawful basis (typically consent or legitimate interests); acknowledged in ToS and onboarding |
| Purpose | Storage, retrieval, and cross-device synchronisation of coaching data as directed by the coach-controller |
| Retention | Coach account lifetime plus a maximum of 30 days following account deletion |
| Recipients | Supabase (EU-hosted storage). No other recipient for this data. |
| Field | Detail |
|---|---|
| Data subjects | Under-18 players (including those under 13) added by the coach |
| Personal data | Same as PO-2 except: injury and health data is structurally blocked at the application level for all players not explicitly confirmed as 18 or over |
| Age indicators | Age group fields (e.g. "U12", "U14", "U16") explicitly signal under-18 status. The application uses this indicator to enforce the injury data block. |
| Parental consent | The Service provides a coach-facilitated parental consent workflow at /consent/[token]. Coaches are encouraged via the Junior Player Privacy Notice and ToS to obtain parental consent before adding under-18 players. In v1, this workflow is available but not technically mandatory at the point of player creation. A mandatory consent prompt for players with U-group age indicators is planned for v1.1. |
| Legal basis (coach as controller) | For EU/UK players under 16 (or lower national threshold), the coach-controller requires parental consent under Art. 8 GDPR and national implementing legislation. LVL·UP's ToS places this obligation on the coach and provides tools to discharge it. |
| Recipients | Supabase (EU-hosted). No other recipient for this data. |
| Field | Detail |
|---|---|
| Data subjects | Players explicitly confirmed by the coach as 18 years of age or older |
| Personal data | Injury type, body part affected, severity, status (active / recovering / cleared), return-to-play target date, medical restrictions entered by the coach |
| Special category basis | Health data is special category data under Art. 9(1) GDPR. Processing is permitted under Art. 9(2)(h) (preventive medicine and occupational health) and/or Art. 9(2)(a) (explicit consent from the player as obtained by the coach-controller). |
| Application-level control | The injury log UI is disabled at code level for any player not confirmed 18+. This restriction cannot be bypassed by the coach within the application. |
| Legal basis (coach as controller) | Art. 9(2)(h) — health care / occupational rehabilitation purposes, or Art. 9(2)(a) — explicit consent; coach bears responsibility for obtaining adequate consent from adult players. |
| Retention | Coach account lifetime plus 30 days following deletion. |
| Recipients | Supabase (EU-hosted). No other recipient for this data. |
| Field | Detail |
|---|---|
| Data subjects | Primarily the coach; potentially players (if the coach includes player-identifying or health information in the prompt contrary to the in-app warning) |
| Personal data transmitted | The block goal text, weekly notes, and previous check-in text entered by the coach in the Development Plan tab — only when the coach explicitly clicks "AI Draft". No data is transmitted automatically or in the background. |
| In-app warning | An amber warning banner is displayed above the AI Draft button instructing coaches not to include player names, ages, injuries, or health details in those fields. |
| Technical path | Content is sent to a Netlify serverless function, which proxies the request to Anthropic's API. Netlify logs IP address and request metadata; LVL·UP does not retain prompt content. |
| Anthropic data use | Anthropic's API terms provide that customer inputs are not used to train models by default. Anthropic processes data under SCCs as the US-based sub-processor. |
| Legal basis | Art. 6(1)(b) — service provision (the AI Draft is an integral feature); Art. 6(1)(f) — legitimate interests (enabling coaches to draft programme goals). |
| Retention | LVL·UP: does not store prompt content. Anthropic: governed by Anthropic's API data retention terms (typically 30 days for operational purposes; no training retention). |
| Recipients | Netlify (US, hosting/proxy), Anthropic (US, AI processing) |
| Field | Detail |
|---|---|
| Data subjects | Coach's browser (IP address) |
| Personal data | IP address as part of standard HTTP requests for font and library delivery |
| Legal basis | Art. 6(1)(f) — legitimate interests (technically necessary to serve the web application) |
| Purpose | Delivery of web fonts (Google Fonts) and JavaScript libraries (Chart.js, Supabase client via jsdelivr) |
| Retention | Standard CDN access log retention (typically 30–90 days per provider policy) |
| Recipients | Google LLC (US), jsdelivr/Prospectus Global Ltd (global CDN) |
| Risk level | Low. IP-only, no personal content transmitted, industry-standard practice. |
| Field | Detail |
|---|---|
| Data subjects | Subscribing coaches |
| Personal data | Name, email address, billing address, payment card details. LVL·UP does not receive or store card numbers at any point. |
| LVL·UP role | Lemon Squeezy acts as the Merchant of Record, meaning Lemon Squeezy is the data controller for payment card data. LVL·UP receives only a subscription status flag and the coach's email. |
| Legal basis (Lemon Squeezy) | Art. 6(1)(b) — performance of contract; Art. 6(1)(c) — legal obligation (VAT/tax compliance) |
| Retention | Per Lemon Squeezy's policies; typically 7 years for tax/legal compliance records |
| Recipients | Lemon Squeezy Inc. (US). PCI-DSS compliant. |
LVL·UP collects the minimum personal data necessary to deliver the Service:
All personal data is collected solely to deliver the coaching planner functionality. Player data is not used for any other purpose — not for AI training, not for cross-coach benchmarking or aggregation (in v1), not for marketing to players or their families.
Data is retained for the duration of the coach's account plus a maximum of 30 days following account deletion. The 30-day window allows for backup propagation and potential data-export requests before permanent deletion. No longer retention period is justified for the Service's purposes.
| Processing | LVL·UP Basis | Coach Basis (where relevant) |
|---|---|---|
| Coach account data | Art. 6(1)(b) — contract | — |
| Adult player profiles | Art. 6(1)(b) — service provision | Art. 6(1)(a)/(f) — consent or legitimate interests |
| Under-18 player profiles | Art. 6(1)(b) — service provision | Art. 6(1)(a) — consent (parental for <16 EU/UK); national threshold varies |
| Adult player health data | Art. 9(2)(h) / Art. 6(1)(b) | Art. 9(2)(h) or Art. 9(2)(a) — explicit consent |
| AI processing (Anthropic) | Art. 6(1)(b) — service feature | — |
| CDN delivery | Art. 6(1)(f) — legitimate interests | — |
| Payment processing | Lemon Squeezy as MoR controller | — |
Risks are assessed on a 1–5 scale for Likelihood (probability of occurrence) and Severity (impact on individuals' rights and freedoms if it occurs). The combined score determines the inherent risk level. Mitigations are then applied to arrive at the residual risk.
Likelihood: 1 = Remote · 2 = Unlikely · 3 = Possible · 4 = Likely · 5 = Almost certain
Severity: 1 = Negligible impact · 2 = Minor impact · 3 = Moderate impact · 4 = Significant harm · 5 = Severe / irreversible harm
| ID | Risk | L | S | Inherent | Key Controls in Place | Residual |
|---|---|---|---|---|---|---|
| R1 | Coach account compromise (credential theft, phishing) leading to unauthorised access to player data | 3 | 4 | HIGH (12) | Email verification at signup; Supabase Auth session management; HTTPS/TLS in transit; row-level security prevents cross-account access | MEDIUM (8) |
| R2 | Unauthorised processing of health / injury data for an under-18 player | 1 | 5 | HIGH (5) | Hard application-level block — injury log UI is disabled; 18+ confirmation required before any health data field is rendered; structural control cannot be bypassed by coach | VERY LOW (2) |
| R3 | Under-18 player profile added to the system without parental consent being obtained by the coach | 3 | 4 | HIGH (12) | ToS requires coaches to confirm lawful basis for player data; parental consent workflow available at /consent; Junior Player Privacy Notice published; coach informed in onboarding that minor data requires appropriate consent | MEDIUM (9) |
| R4 | Coach inadvertently or knowingly includes player names, ages, or health data in the AI Draft prompt, transmitting it to Anthropic (US) without adequate safeguards | 3 | 3 | MEDIUM (9) | Amber in-app warning banner displayed before AI Draft fields; feature is entirely user-triggered; SCCs in place with Anthropic; Anthropic's API non-training commitment | MEDIUM (6) |
| R5 | Primary database breach at Supabase exposing player profiles, session logs, and health records | 2 | 5 | HIGH (10) | Supabase SOC 2 Type II certification; encryption at rest and in transit; EU-hosted (Frankfurt) AWS infrastructure; row-level security; LVL·UP's DPA requires 72h breach notification to coaches | MEDIUM (6) |
| R6 | International transfer mechanism (SCCs) invalidated or challenged by supervisory authority, disrupting lawful transfer to US sub-processors | 2 | 3 | MEDIUM (6) | SCCs in place with Anthropic, Netlify, Lemon Squeezy, Google, jsdelivr; EU-US Data Privacy Framework applicable where sub-processors are certified; Transfer Impact Assessment (TIA) conducted June 2026 | LOW (4) |
| R7 | Data not deleted within the documented 30-day SLA following account closure | 3 | 3 | MEDIUM (9) | 30-day deletion policy documented in Privacy Policy and DPA; Supabase account-level access controls; manual deletion process in place | MEDIUM (6) |
| R8 | Regulatory enforcement action (ICO / CNIL / FTC) for inadequate COPPA or GDPR Art. 8 compliance relating to under-13 player data | 2 | 4 | HIGH (8) | Structural health data block for under-18; parental consent workflow; Junior Player Privacy Notice; COPPA Notice published; ToS places legal responsibility on coach-controller; no accounts for children | MEDIUM (6) |
| R9 | CDN providers (Google Fonts, jsdelivr) processing IP addresses in a manner that conflicts with EU/UK data-protection requirements | 2 | 1 | LOW (2) | IP-only processing; SCCs apply; industry-standard practice sanctioned by EDPB in practice; no personal coaching or player data transmitted | VERY LOW (1) |
| R10 | Payment data breach at Lemon Squeezy exposing billing details of subscribing coaches | 2 | 4 | HIGH (8) | Lemon Squeezy is the Merchant of Record — LVL·UP never receives card data; Lemon Squeezy is PCI-DSS compliant; LVL·UP's exposure limited to coach email which is also held in Supabase | LOW (3) |
| R11 | Automated decision-making or profiling of players without adequate safeguards (Art. 22 GDPR) | 1 | 3 | LOW (3) | No automated decision-making in v1. Performance test results and session logs are informational tools for the coach; no algorithmic decision is made about a player. AI feature is coach-triggered drafting only, not player evaluation. | VERY LOW (2) |
| R12 | Coach shares account credentials with another person, enabling a third party to access player data without authorisation | 2 | 3 | MEDIUM (6) | ToS prohibits account sharing; one subscription = one coach account; session management via Supabase Auth | LOW (4) |
| Risk ID | Description (short) | Residual Risk | Status |
|---|---|---|---|
| R1 | Account compromise | MEDIUM | Acceptable pending MFA (REC-03) |
| R2 | Under-18 health data | VERY LOW | Adequately controlled |
| R3 | Under-18 without parental consent | MEDIUM | Acceptable pending mandatory prompt (REC-01) |
| R4 | AI prompt PII transmission | MEDIUM | Acceptable pending PII detection (REC-04) |
| R5 | Supabase breach | MEDIUM | Inherent cloud risk; adequately mitigated |
| R6 | Transfer mechanism invalidation | LOW | Adequately controlled |
| R7 | 30-day deletion SLA | MEDIUM | Acceptable pending deletion test (REC-02) |
| R8 | Regulatory action (COPPA/GDPR-K) | MEDIUM | Acceptable pending mandatory consent (REC-01) |
| R9 | CDN IP logging | VERY LOW | Adequately controlled |
| R10 | Payment breach | LOW | Adequately controlled by MoR model |
| R11 | Automated decision-making | VERY LOW | No automated decisions in v1 |
| R12 | Unauthorised account sharing | LOW | Adequately controlled |
Article 36(1) GDPR requires the controller to consult the supervisory authority prior to processing where a DPIA indicates that the residual risk remains high, unless the controller takes measures to mitigate that risk.
| Field | Detail |
|---|---|
| DPIA owner | LVL·UP Tennis — hello@lvluptennis.com |
| Date of assessment | June 2026 |
| Version | 1.0 |
| Next scheduled review | June 2027, or upon any of the following triggers: |
| Review triggers | (a) Introduction of injury logging for under-18 players (v1.1) (b) Introduction of a new AI feature or change in AI sub-processor (c) Addition of new sub-processors processing personal data outside the EEA (d) Material change to the data architecture (e.g. migration from Supabase) (e) Confirmed personal data breach or near-miss incident (f) Supervisory authority guidance materially affecting any processing described herein (g) Geographic expansion to jurisdictions with heightened children's privacy requirements |
| Legal review recommendation | This DPIA was prepared by the LVL·UP operator and should be reviewed by a qualified UK/EU data protection solicitor or DPO prior to or concurrent with the supervisory authority consultation trigger assessment described above. |
| Data | Origin | Stored at | Region | Transfer mechanism |
|---|---|---|---|---|
| Coach email, account preferences | Coach (signup/settings) | Supabase | EU (Frankfurt, AWS) | N/A — primary EU storage |
| Player profiles, session logs, performance tests | Coach (in-app entry) | Supabase | EU (Frankfurt, AWS) | N/A — primary EU storage |
| Adult player health/injury records | Coach (in-app entry, 18+ confirmed only) | Supabase | EU (Frankfurt, AWS) | N/A — primary EU storage |
| AI Draft prompt text | Coach (explicit button click) | Anthropic API (transient) | US | SCCs (Anthropic DPA) |
| Subscription billing data (name, email, card) | Coach (checkout) | Lemon Squeezy (MoR) | US | SCCs; Lemon Squeezy is data controller for card data |
| IP address (font/library requests) | Coach browser (automatic) | Google / jsdelivr CDN | US / Global | SCCs; IP-only; low risk |
| IP address, request logs | Coach browser (all requests) | Netlify edge | US / Global CDN | SCCs (Netlify DPA) |
| Parental consent tokens | System-generated when coach creates consent link | Supabase | EU (Frankfurt, AWS) | N/A — primary EU storage |
This document is a public summary. The full internal DPIA, including detailed security architecture, specific Supabase RLS policies, and internal incident-response procedures, is available to competent supervisory authorities on request to hello@lvluptennis.com. This document does not constitute legal advice and should be reviewed by qualified legal counsel.