Vollyze Team Data Processing Addendum
Version: July 14, 2026
Effective date: July 14, 2026
This Team Data Processing Addendum ("DPA") forms part of the Vollyze Terms of Service between Vollyze ("Vollyze" or "Processor") and the school, club, company, association, or other organization using a Staff or Team workspace ("Customer"). If an individual creates the workspace for an organization, that individual represents that the individual is authorized to bind the organization to this DPA.
1. Roles and Scope
Customer is the controller, business, or equivalent party that determines why and how Team Personal Data is processed. Vollyze is the processor, service provider, or contractor that processes Team Personal Data only to provide and secure the Service under Customer's documented instructions.
This DPA applies to personal data entered into, synchronized through, or generated for a Staff or Team workspace ("Team Personal Data"). It does not apply to accountless Free local records that remain only on a device, or to information for which Vollyze independently determines purposes and means, such as its own minimal security and legal-compliance records.
2. Customer Instructions and Responsibilities
Customer instructs Vollyze to process Team Personal Data to authenticate adult staff; manage teams, rosters, invitations, roles, and permissions; synchronize match and practice records; create reports; provide live sharing; generate requested AI summaries; secure the Service; provide support; and delete data.
Customer will:
- process Team Personal Data lawfully, fairly, and transparently;
- have authority and any required consent to register and share player information, including information about minors;
- provide required notices to players, parents or guardians, staff, and other data subjects;
- limit data to what is necessary for legitimate team activity;
- assign access only to authorized adult Head Coaches, Coaches, and Managers;
- respond to data-subject requests as controller; and
- not instruct Vollyze to process unlawful, unnecessary, or prohibited data.
Customer must not use Vollyze as a medical record system or enter government identifiers, payment-card data, precise location, diagnosis, treatment records, or other special-category data unless Vollyze has expressly agreed in writing to that processing.
3. Vollyze Obligations
Vollyze will:
- process Team Personal Data only on documented instructions, including the Terms, this DPA, in-App actions, and written support requests;
- notify Customer if an instruction appears to violate applicable data-protection law, unless prohibited by law;
- ensure persons authorized to process Team Personal Data are bound by confidentiality;
- maintain the technical and organizational measures in Appendix 2;
- assist Customer, taking into account the nature of processing, with data-subject rights, security, breach response, impact assessments, and regulator consultations where reasonably required;
- delete or return Team Personal Data as described in Section 8; and
- make information reasonably necessary to demonstrate compliance available under Section 9.
Vollyze will not sell Team Personal Data, use it for cross-context behavioral advertising, or use it outside the direct business relationship with Customer. Vollyze will not combine it with personal data received from another customer except as allowed by applicable law to provide or secure the Service.
4. Personnel and Confidentiality
Access to production Team Personal Data is limited to persons who need access to operate, secure, support, or comply with law for the Service. Those persons are subject to confidentiality obligations and least-privilege access controls.
5. Subprocessors
Customer authorizes the subprocessors in Appendix 3. Vollyze remains responsible for requiring each subprocessor to protect Team Personal Data under terms that are materially consistent with this DPA for its assigned processing.
Vollyze will update the public subprocessor section of this DPA before adding a subprocessor that materially changes Team Personal Data processing and, where reasonably practicable, provide advance notice through the App, website, or Customer's account email. Customer may object on reasonable data-protection grounds by contacting Vollyze before the change takes effect. The parties will work in good faith on a reasonable alternative; if none is available, Customer may stop using the affected feature and terminate the affected Team workspace.
6. Security and Incident Notice
Vollyze will maintain security measures appropriate to the risk and described in Appendix 2. If Vollyze becomes aware of a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Team Personal Data ("Personal Data Breach"), Vollyze will notify Customer without undue delay and provide information reasonably available to support Customer's legal obligations. Notice is not an admission of fault.
Customer is responsible for securing its devices, Apple IDs, email accounts, login credentials, invitation links, staff access, and exported files.
7. Data-Subject Requests
Customer may use the App's record editing, Team-management, Team-ending, member-removal, and account-deletion controls to respond to a request. If Vollyze directly receives a request relating to Team Personal Data, Vollyze will, where legally permitted, direct the requester to Customer and notify Customer. Vollyze will not independently respond except on Customer's documented instruction or as required by law.
8. Return, Retention, and Deletion
During an active Team, Customer may access and export data using available App features. When the Team Owner completes Team termination, Vollyze deletes shared roster, match, practice, report, invitation, AI-cache, Team-name, and Team-logo data from the primary service.
Account deletion removes associated personal server data that Vollyze is not required to retain. De-identified operational audit records are retained for no more than 12 months. Used or expired invitation records are deleted no later than seven days after use or expiration. Expired entitlement records are deleted within 12 months unless needed for a transaction, dispute, fraud, or legal obligation.
Deleted database rows may remain in restricted disaster-recovery backups for up to seven days where provider backups are available, after which they expire through the provider lifecycle. Backups are not used for ordinary processing. Team logo objects are deleted separately and are not included in database backups.
At Customer's written request submitted before termination, Vollyze will provide reasonable assistance with an available export. After deletion, data may not be recoverable.
9. Compliance Information and Audits
Vollyze will provide this DPA, relevant security descriptions, and reasonably available compliance information. No more than once per year, unless required after a Personal Data Breach or by a regulator, Customer may request additional written information reasonably necessary to verify compliance. An on-site or third-party audit requires prior written agreement, reasonable scope and notice, confidentiality, protection of other customers, and Customer payment of reasonable costs unless applicable law requires otherwise.
10. International Processing
The primary production database and Team storage are configured in
Tokyo, Japan (ap-northeast-1). Supabase operational
processing and OpenAI AI processing may occur in other countries. Where
applicable law requires a transfer mechanism, Vollyze will rely on an
applicable adequacy decision or contractual safeguards in its agreements
with subprocessors and will reasonably assist Customer with transfer
information.
Customer authorizes these transfers for the processing described in this DPA. Customer should not enable a requested AI feature if Customer's rules prohibit the disclosed cross-border processing.
11. Government Requests
Unless prohibited by law, Vollyze will notify Customer of a legally binding request for Team Personal Data. Vollyze will review the request, disclose only what is legally required, and challenge overbroad requests where there are reasonable grounds to do so.
12. Conflict and Term
This DPA applies while Vollyze processes Team Personal Data for Customer. If this DPA conflicts with the Terms regarding Team Personal Data, this DPA controls. Liability and governing-law provisions in the Terms apply to this DPA except where applicable law requires otherwise.
Appendix 1 - Processing Details
| Item | Description |
|---|---|
| Subject matter | Adult-staff Team workspace, roster, match and practice records, reports, sharing, synchronization, requested AI summaries, security, support, and deletion |
| Duration | Active Team term plus the limited deletion and retention periods in Section 8 |
| Data subjects | Adult coaches, managers, staff, players including minors, and persons named in authorized team records |
| Data categories | Names/display names, jersey number, position, school year/grade, role, permission, team membership, team logo, match and practice data, performance statistics, evaluations and notes, account/authentication identifiers, subscription entitlement, and audit metadata |
| Sensitive data | Not intended for medical records or special-category data; current player condition fields remain local to the device |
| Frequency | Continuous during Customer's active use and only when a requested feature requires processing |
Appendix 2 - Security Measures
- TLS/HTTPS for data in transit
- Token-based authentication and expiring sessions
- Role and permission enforcement for adult staff
- PostgreSQL Row Level Security and service-role isolation
- Least-privilege production administration
- Rate limiting and sensitive-operation audit logs
- Secrets stored outside source code and release binaries
- Separation of local Free data from Team cloud processing
- Immediate primary-service cleanup when a Team is ended
- In-App account deletion and Team termination
- Daily retention cleanup for audits, invitations, and expired entitlement metadata
- OpenAI Responses requests configured with
store: false - Release checks, backup monitoring, and restoration procedures
Appendix 3 - Authorized Subprocessors
| Subprocessor | Purpose | Primary location / transfer | Retention notes |
|---|---|---|---|
| Supabase, Inc. | Authentication, PostgreSQL database, Storage, Edge Functions, synchronization | Primary Team database and storage: Tokyo, Japan
(ap-northeast-1); operational processing may occur
elsewhere |
Active Team term; restricted daily backups, where available, up to 7 days |
| OpenAI, L.L.C. | Requested AI match summaries and coaching briefs | May process in the United States or other disclosed provider locations | store: false; default abuse-monitoring logs up to 30
days; no model training by default |
| Google LLC | Support email only when Customer deliberately sends Team Personal Data | May process outside Japan | Under the support mailbox and provider retention controls |
Apple is an independent provider for App Store purchases and Sign in with Apple and is not authorized by this DPA to process Team roster, match, or practice content.
Contact
© 2026 Vollyze. All rights reserved.