Data Processing Agreement

Version 2026-01-v1

Between: Alex Baker and Paul French trading as Tadpole.club ("Processor", "we", "us")
And: The subscribing organisation ("Controller", "you", "Club")

Effective Date: Upon acceptance during club onboarding
Version: 2026-01-v1


1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between Alex Baker and Paul French trading as Tadpole.club and the Club for the provision of membership management services. This DPA sets out the terms under which we process personal data on your behalf.


2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on personal data
  • "Data Subject" means the individual to whom the personal data relates
  • "Sub-processor" means any third party engaged by us to process personal data
  • "Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data

3. Scope of Processing

3.1 Subject Matter

We process personal data to provide membership management services including:

  • Member registration and profile management
  • Membership card generation and wallet passes
  • Payment processing facilitation
  • Email communications on your behalf
  • Reporting and analytics

3.2 Duration

Processing continues for the duration of our service agreement plus any retention periods required by law.

3.3 Categories of Data Subjects

  • Club members
  • Membership applicants
  • Day permit purchasers
  • Emergency contacts

3.4 Types of Personal Data

  • Identity data (name, date of birth, photograph)
  • Contact data (email, phone, address)
  • Membership data (member number, tier, status)
  • Financial data (payment records - not card numbers)
  • Consent records

4. Processor Obligations

We commit to:

4.1 Instructions

  • Process personal data only on your documented instructions
  • Inform you if we believe an instruction infringes GDPR (unless prohibited by law)

4.2 Confidentiality

  • Ensure all personnel processing data are bound by confidentiality obligations
  • Limit access to personal data to those who need it

4.3 Security (Article 32)

We implement appropriate technical and organisational measures including:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Role-based access control with audit logging
  • Multi-factor authentication for administrative access
  • Regular security assessments
  • Incident response procedures

4.4 Sub-processors

  • Maintain a list of approved sub-processors (see Section 7)
  • Notify you of any intended changes to sub-processors
  • Ensure sub-processors are bound by equivalent data protection obligations
  • Remain liable for sub-processor compliance

4.5 Data Subject Rights

  • Assist you in responding to data subject requests
  • Provide necessary information within reasonable timeframes
  • Not respond directly to data subjects (unless instructed)

4.6 Breach Notification

  • Notify you of any data breach without undue delay (within 72 hours)
  • Provide sufficient information to meet your notification obligations
  • Document all breaches including facts, effects, and remedial actions

4.7 Audit Rights

  • Make available all information necessary to demonstrate compliance
  • Allow for and contribute to audits and inspections (with reasonable notice)
  • Audits limited to once per year unless a breach has occurred

5. Controller Obligations

You commit to:

  • Ensure lawful basis for all processing you instruct
  • Provide clear, documented instructions
  • Respond to data subject requests within statutory timeframes
  • Notify us promptly of any changes affecting processing

6. Data Transfers

6.1 Location

All personal data is stored within the European Economic Area (EEA), specifically:

  • Primary database: Ireland (EU)
  • File storage: Ireland (EU)
  • Email processing: France (EU)

6.2 International Transfers

We do not transfer personal data outside the EEA except:

  • Where covered by an EU adequacy decision
  • Where Standard Contractual Clauses are in place
  • Where the EU-US Data Privacy Framework applies (Stripe)

7. Sub-processors

We use the following sub-processors:

| Sub-processor | Purpose | Location | DPA Status |
|---|---|---|---|
| Supabase Inc. | Database, Authentication, Storage | Ireland (EU) | Active |
| Stripe Inc. | Payment Processing | EU/US | Active (DPF) |
| Vercel Inc. | Application Hosting | Global/EU | Active |
| Brevo (Sendinblue) | Email Delivery | France (EU) | Active |

Notification: We will notify you at least 30 days before adding new sub-processors. You may object to new sub-processors within 14 days.


8. Data Retention & Deletion

8.1 During Agreement

We retain data as necessary to provide services and comply with legal obligations.

8.2 On Termination

Within 30 days of agreement termination:

  • We will provide you with a complete export of your data
  • We will delete or anonymise all personal data (except where retention is legally required)
  • We will provide written confirmation of deletion

8.3 Legal Retention

Some data must be retained for legal compliance:

  • Financial records: 7 years (Irish tax law)
  • Audit logs: 3 years

9. Liability

Our liability under this DPA is subject to the limitations set out in our main service agreement. We are not liable for:

  • Processing carried out in accordance with your instructions
  • Breaches caused by your failure to comply with GDPR
  • Actions of sub-processors where we exercised due diligence

10. Term & Termination

This DPA:

  • Comes into effect upon your acceptance during onboarding
  • Continues for the duration of our service agreement
  • Survives termination for any processing required by law

11. Governing Law

This DPA is governed by Irish law and subject to the exclusive jurisdiction of the Irish courts.


12. Contact

Data Protection Officer
Alex Baker and Paul French trading as Tadpole.club
Email: dpo@tadpole.club

Privacy Team
Email: privacy@tadpole.club


13. Acceptance

By checking the acceptance box during club onboarding, you confirm that:

  1. You have authority to bind your organisation to this DPA
  2. You have read and understood the terms
  3. You accept this DPA as part of our service agreement