Data Processing Agreement (DPA)
Last Updated: February 27, 2026
This Data Processing Agreement ("DPA") forms part of the Subscription Agreement between MyAthlete ("Processor") and the Swimming Club ("Controller"). It reflects the parties' agreement with regard to the processing of personal data, in accordance with the requirements of Data Protection Laws, including the General Data Protection Regulation (GDPR).
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person (Athletes, Parents, Coaches) processed by the MyAthlete Engine.
"Self-Healing Logic" refers to the automated background processes used to maintain data integrity through probabilistic matching and record merging.
2. Subject Matter and Duration
The subject matter of the processing is the provision of a Club Operating System. Processing shall continue for the duration of the Club’s subscription.
3. Nature and Purpose of Processing
Processor shall process Personal Data for the following purposes:
- Maintaining a "Golden Record" of athlete performance via the automated Self-Healing Engine.
- Processing financial liabilities and payment metadata via Mollie B.V. integration.
- Managing safeguarding and medical records for athlete safety.
- Providing AI-driven performance analytics and career trajectory predictions.
4. Controller Obligations
The Controller (The Club) represents and warrants that it has obtained all necessary consents (especially regarding minors' medical data and media permissions) to process the data via the Service. The Controller is responsible for the accuracy of manual data imports and the secure transmission of generated SD3 files.
5. Processor Obligations
- Instruction: Processor shall process data only on documented instructions from the Controller.
- Confidentiality: Processor ensures that personnel authorized to process data are committed to confidentiality.
- Security: Processor shall implement technical measures including Atomic Transaction Rollbacks and Scoped Permission Gating to protect data.
- Sub-processors: Processor uses third-party sub-processors (e.g., Google Cloud, Mollie). Controller provides a general authorization for these providers.
6. Special Categories of Data
The Service processes Special Category Data (Medical/Health information and Criminal Vetting status). Processor shall apply enhanced security controls to these modules, ensuring access is restricted to users holding the specific "Compliance Officer" or "Medical Lead" scope.
7. Data Subject Rights
Processor shall provide the Controller with tools to fulfill Data Subject requests (access, rectification, erasure). Due to the Self-Healing nature of the database, the Processor will assist the Controller in identifying merged or retrospectively "healed" records upon request.
8. Data Breaches
Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach, providing sufficient information to allow the Controller to meet its legal obligations.
9. Data Deletion and Return
Upon termination of the Subscription Agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data, unless statutory laws (such as sporting record retention requirements) require storage of the data.
Annex 1: Details of Processing
Data Subjects: Club Athletes, Parents, Legal Guardians, Coaches, Volunteers, and Committee Members.
Data Types: Names, DOB, Gender, Registration IDs, Bank Account metadata (Mollie), Medical Conditions, Emergency Contacts, Garda Vetting status, and Performance Statistics.