Data Processing Agreement

Effective date: 1 May 2026

1. Parties and scope

This DPA is between Eccella, a partnership established in Malta (VAT no. MT3270-3921), which operates the Sportivi service ("Eccella", "Sportivi"); and the Club that uses the Service and accepts these terms ("Club"). It forms part of the Sportivi Terms of Service ("Principal Agreement").

In this DPA, "Child" (or "minor") means a person under the age of 18; "Club Data" and "Identity Data" have the meanings given in the Principal Agreement; and other capitalised terms have the meanings given in the Principal Agreement.

Scope of this DPA. This DPA governs Sportivi's processing of Club Data on the Club's behalf, where the Club is controller and Sportivi is processor under Article 28 GDPR. This includes the data of unclaimed Profiles created by the Club, which are single-club records and form part of Club Data.

Out of scope. Identity Data (account credentials, name, date of birth, avatar, contact email, and the cross-club links between an account and the Clubs it is a member of) is controlled by Sportivi as controller and is governed by the Privacy Policy, not this DPA. A Profile's data moves from Club Data to Identity Data when the Profile is claimed by the relevant person or their parent/guardian. Where this DPA conflicts with the Principal Agreement regarding Club Data, this DPA prevails.

2. Roles

The Club is the controller and Sportivi the processor of Club Data. The Club determines the purposes and means; Sportivi processes only as instructed.

3. Club obligations

The Club warrants that: it has a valid GDPR legal basis for the Club Data it processes; it has provided privacy information to its members and obtained any necessary consent — including for children's data and special-category (health) data; its Club Data and instructions comply with law; and it is responsible for the accuracy and content of the forms it creates.

4. Sportivi (Processor) obligations

Sportivi shall:

  1. Process only on documented instructions (this DPA, the Principal Agreement, use of Service features), and as required by EU/Maltese law (informing the Club unless legally prohibited).
  2. Confidentiality — ensure authorised persons are bound by confidentiality.
  3. Security — implement appropriate measures under Article 32 (Annex B).
  4. Sub-processors — engage only per Section 5.
  5. Assist with data-subject rights — taking into account the nature of processing, assist the Club, as far as possible, with requests under Articles 15–22.
  6. Assist with compliance — assist with Articles 32–36 (security, breach notification, DPIA, prior consultation), taking into account the nature of processing and information available.
  7. Breach notification — notify the Club without undue delay, and within 48 hours of becoming aware of a breach of Club Data, with the information the Club needs to meet its own obligations.
  8. Deletion or return — at the Club's choice, delete or return all Club Data at the end of services and delete copies, unless law requires storage.
  9. Audits — make available information necessary to demonstrate Article 28 compliance and allow for and contribute to audits, subject to reasonable confidentiality, security and notice.

5. Sub-processors

The Club gives general authorisation for the sub-processors in Annex C. Sportivi imposes data-protection terms on each that are no less protective than this DPA, remains responsible for their performance, and will inform the Club of intended additions/replacements, allowing objection on reasonable grounds within 30 days.

6. International transfers

Club Data is stored within the EU/EEA. Where a sub-processor processes Club Data outside the EEA, Sportivi ensures an appropriate Chapter V mechanism (typically the Standard Contractual Clauses) and will not transfer without it.

7. Liability and term

The Principal Agreement's liability terms apply. This DPA runs while Sportivi processes Club Data, after which Section 4.8 applies.

Annex A — Details of the processing

Subject matter: Provision of the Sportivi club-management platform (Club Data processing).

Duration: For the term of the Principal Agreement until deletion/return of Club Data.

Nature and purpose: Hosting, storage, organisation, retrieval, transmission (notifications/email) and deletion of Club Data to enable the Club to onboard members, organise groups and activities, record attendance/RSVPs, record payments, and communicate with members and guardians.

Categories of data subjects: managers; coaches; adult athletes; child athletes (minors); parents/guardians; form submitters.

Categories of Club Data:

(Identity Data — names, DOB, avatar, contact email, account links — is controlled by Sportivi and is governed by the Privacy Policy, not this Annex.)

Annex B — Technical and organisational measures (Art. 32)

Sportivi maintains appropriate technical and organisational measures to protect Club Data, including: encryption in transit and at rest; role-based access controls so users access only the data they are entitled to; restricted, server-side-only administrative access; verification of incoming integrations; and a documented process for handling personal-data breaches.

Further detail on Sportivi's security measures is available to the Club on request, subject to reasonable confidentiality.

Annex C — Sub-processors

Sportivi engages a small number of sub-processors to provide the Service. The current list — with each sub-processor's function and location — is made available to the Club within the club administration area (and on request) and is kept up to date. Sportivi will notify the Club of any intended addition or replacement and give the Club the opportunity to object on reasonable data-protection grounds (Section 5).

Sportivi's database, authentication and file storage are hosted within the EU/EEA.