Data Processing Agreement
Last updated: 5 June 2026
1. Introduction
This Data Processing Agreement (“DPA”) forms part of the agreement between ClubVault (operated by Inkarr, the “Processor”) and the club administrator using the platform (the “Controller”). It sets out how we process personal data on your behalf in accordance with UK GDPR Article 28.
2. Roles
- Controller: The sports club and its designated administrators, who determine the purposes and means of processing member data.
- Processor: ClubVault / Inkarr, who processes data only on the Controller's documented instructions.
3. Subject matter and nature of processing
ClubVault processes personal data for the purpose of providing club management software, including:
- Storing and displaying member and player records
- Processing subscription payments via Stripe Connect
- Sending transactional emails on behalf of the club
- Storing medical and consent records for junior players
- Hosting club documents and certifications
4. Categories of data subjects and personal data
| Data subjects | Categories of personal data |
|---|---|
| Club members (adults) | Name, email, phone, address, role, payment history |
| Junior players (under 18) | Name, date of birth, medical conditions, allergies, emergency contacts, consent records |
| Parents / guardians | Name, email, phone, address, payment details |
| Club staff / coaches | Name, email, coaching certifications, DBS reference |
5. Processor obligations
ClubVault agrees to:
- Process personal data only on documented instructions from the Controller
- Ensure staff with access to personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures
- Assist the Controller in responding to data subject rights requests
- Delete or return all personal data on termination of the agreement
- Provide all information necessary to demonstrate compliance
- Notify the Controller without undue delay of any personal data breach
6. Sub-processors
ClubVault uses the following sub-processors. By accepting this DPA, the Controller authorises their use:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | EU West (London) |
| Stripe | Payment processing | EU / US (SCCs in place) |
| Resend | Transactional email | EU |
| Vercel | Platform hosting | EU / US (SCCs in place) |
We will notify Controllers of any intended changes to sub-processors and provide an opportunity to object.
7. Security measures
- All data encrypted in transit (TLS 1.2+) and at rest
- Row-level security policies enforced at the database layer
- Role-based access control — staff can only access data relevant to their role
- Medical data access restricted to authorised team managers and club admins
- Regular security reviews and dependency updates
8. Data retention and deletion
On termination of a club's account, all personal data will be deleted within 30 days. Medical data for players who have left a club is soft-deleted immediately and hard-deleted after 30 days, in line with our standard retention policy.
9. Contact
For data processing enquiries, contact privacy@clubvault.app.