Vollyze 日本語

Vollyze Team Data Processing Addendum

Version: July 14, 2026
Effective date: July 14, 2026

This Team Data Processing Addendum ("DPA") forms part of the Vollyze Terms of Service between Vollyze ("Vollyze" or "Processor") and the school, club, company, association, or other organization using a Staff or Team workspace ("Customer"). If an individual creates the workspace for an organization, that individual represents that the individual is authorized to bind the organization to this DPA.

1. Roles and Scope

Customer is the controller, business, or equivalent party that determines why and how Team Personal Data is processed. Vollyze is the processor, service provider, or contractor that processes Team Personal Data only to provide and secure the Service under Customer's documented instructions.

This DPA applies to personal data entered into, synchronized through, or generated for a Staff or Team workspace ("Team Personal Data"). It does not apply to accountless Free local records that remain only on a device, or to information for which Vollyze independently determines purposes and means, such as its own minimal security and legal-compliance records.

2. Customer Instructions and Responsibilities

Customer instructs Vollyze to process Team Personal Data to authenticate adult staff; manage teams, rosters, invitations, roles, and permissions; synchronize match and practice records; create reports; provide live sharing; generate requested AI summaries; secure the Service; provide support; and delete data.

Customer will:

  1. process Team Personal Data lawfully, fairly, and transparently;
  2. have authority and any required consent to register and share player information, including information about minors;
  3. provide required notices to players, parents or guardians, staff, and other data subjects;
  4. limit data to what is necessary for legitimate team activity;
  5. assign access only to authorized adult Head Coaches, Coaches, and Managers;
  6. respond to data-subject requests as controller; and
  7. not instruct Vollyze to process unlawful, unnecessary, or prohibited data.

Customer must not use Vollyze as a medical record system or enter government identifiers, payment-card data, precise location, diagnosis, treatment records, or other special-category data unless Vollyze has expressly agreed in writing to that processing.

3. Vollyze Obligations

Vollyze will:

  1. process Team Personal Data only on documented instructions, including the Terms, this DPA, in-App actions, and written support requests;
  2. notify Customer if an instruction appears to violate applicable data-protection law, unless prohibited by law;
  3. ensure persons authorized to process Team Personal Data are bound by confidentiality;
  4. maintain the technical and organizational measures in Appendix 2;
  5. assist Customer, taking into account the nature of processing, with data-subject rights, security, breach response, impact assessments, and regulator consultations where reasonably required;
  6. delete or return Team Personal Data as described in Section 8; and
  7. make information reasonably necessary to demonstrate compliance available under Section 9.

Vollyze will not sell Team Personal Data, use it for cross-context behavioral advertising, or use it outside the direct business relationship with Customer. Vollyze will not combine it with personal data received from another customer except as allowed by applicable law to provide or secure the Service.

4. Personnel and Confidentiality

Access to production Team Personal Data is limited to persons who need access to operate, secure, support, or comply with law for the Service. Those persons are subject to confidentiality obligations and least-privilege access controls.

5. Subprocessors

Customer authorizes the subprocessors in Appendix 3. Vollyze remains responsible for requiring each subprocessor to protect Team Personal Data under terms that are materially consistent with this DPA for its assigned processing.

Vollyze will update the public subprocessor section of this DPA before adding a subprocessor that materially changes Team Personal Data processing and, where reasonably practicable, provide advance notice through the App, website, or Customer's account email. Customer may object on reasonable data-protection grounds by contacting Vollyze before the change takes effect. The parties will work in good faith on a reasonable alternative; if none is available, Customer may stop using the affected feature and terminate the affected Team workspace.

6. Security and Incident Notice

Vollyze will maintain security measures appropriate to the risk and described in Appendix 2. If Vollyze becomes aware of a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Team Personal Data ("Personal Data Breach"), Vollyze will notify Customer without undue delay and provide information reasonably available to support Customer's legal obligations. Notice is not an admission of fault.

Customer is responsible for securing its devices, Apple IDs, email accounts, login credentials, invitation links, staff access, and exported files.

7. Data-Subject Requests

Customer may use the App's record editing, Team-management, Team-ending, member-removal, and account-deletion controls to respond to a request. If Vollyze directly receives a request relating to Team Personal Data, Vollyze will, where legally permitted, direct the requester to Customer and notify Customer. Vollyze will not independently respond except on Customer's documented instruction or as required by law.

8. Return, Retention, and Deletion

During an active Team, Customer may access and export data using available App features. When the Team Owner completes Team termination, Vollyze deletes shared roster, match, practice, report, invitation, AI-cache, Team-name, and Team-logo data from the primary service.

Account deletion removes associated personal server data that Vollyze is not required to retain. De-identified operational audit records are retained for no more than 12 months. Used or expired invitation records are deleted no later than seven days after use or expiration. Expired entitlement records are deleted within 12 months unless needed for a transaction, dispute, fraud, or legal obligation.

Deleted database rows may remain in restricted disaster-recovery backups for up to seven days where provider backups are available, after which they expire through the provider lifecycle. Backups are not used for ordinary processing. Team logo objects are deleted separately and are not included in database backups.

At Customer's written request submitted before termination, Vollyze will provide reasonable assistance with an available export. After deletion, data may not be recoverable.

9. Compliance Information and Audits

Vollyze will provide this DPA, relevant security descriptions, and reasonably available compliance information. No more than once per year, unless required after a Personal Data Breach or by a regulator, Customer may request additional written information reasonably necessary to verify compliance. An on-site or third-party audit requires prior written agreement, reasonable scope and notice, confidentiality, protection of other customers, and Customer payment of reasonable costs unless applicable law requires otherwise.

10. International Processing

The primary production database and Team storage are configured in Tokyo, Japan (ap-northeast-1). Supabase operational processing and OpenAI AI processing may occur in other countries. Where applicable law requires a transfer mechanism, Vollyze will rely on an applicable adequacy decision or contractual safeguards in its agreements with subprocessors and will reasonably assist Customer with transfer information.

Customer authorizes these transfers for the processing described in this DPA. Customer should not enable a requested AI feature if Customer's rules prohibit the disclosed cross-border processing.

11. Government Requests

Unless prohibited by law, Vollyze will notify Customer of a legally binding request for Team Personal Data. Vollyze will review the request, disclose only what is legally required, and challenge overbroad requests where there are reasonable grounds to do so.

12. Conflict and Term

This DPA applies while Vollyze processes Team Personal Data for Customer. If this DPA conflicts with the Terms regarding Team Personal Data, this DPA controls. Liability and governing-law provisions in the Terms apply to this DPA except where applicable law requires otherwise.

Appendix 1 - Processing Details

Item Description
Subject matter Adult-staff Team workspace, roster, match and practice records, reports, sharing, synchronization, requested AI summaries, security, support, and deletion
Duration Active Team term plus the limited deletion and retention periods in Section 8
Data subjects Adult coaches, managers, staff, players including minors, and persons named in authorized team records
Data categories Names/display names, jersey number, position, school year/grade, role, permission, team membership, team logo, match and practice data, performance statistics, evaluations and notes, account/authentication identifiers, subscription entitlement, and audit metadata
Sensitive data Not intended for medical records or special-category data; current player condition fields remain local to the device
Frequency Continuous during Customer's active use and only when a requested feature requires processing

Appendix 2 - Security Measures

  • TLS/HTTPS for data in transit
  • Token-based authentication and expiring sessions
  • Role and permission enforcement for adult staff
  • PostgreSQL Row Level Security and service-role isolation
  • Least-privilege production administration
  • Rate limiting and sensitive-operation audit logs
  • Secrets stored outside source code and release binaries
  • Separation of local Free data from Team cloud processing
  • Immediate primary-service cleanup when a Team is ended
  • In-App account deletion and Team termination
  • Daily retention cleanup for audits, invitations, and expired entitlement metadata
  • OpenAI Responses requests configured with store: false
  • Release checks, backup monitoring, and restoration procedures

Appendix 3 - Authorized Subprocessors

Subprocessor Purpose Primary location / transfer Retention notes
Supabase, Inc. Authentication, PostgreSQL database, Storage, Edge Functions, synchronization Primary Team database and storage: Tokyo, Japan (ap-northeast-1); operational processing may occur elsewhere Active Team term; restricted daily backups, where available, up to 7 days
OpenAI, L.L.C. Requested AI match summaries and coaching briefs May process in the United States or other disclosed provider locations store: false; default abuse-monitoring logs up to 30 days; no model training by default
Google LLC Support email only when Customer deliberately sends Team Personal Data May process outside Japan Under the support mailbox and provider retention controls

Apple is an independent provider for App Store purchases and Sign in with Apple and is not authorized by this DPA to process Team roster, match, or practice content.

Contact

[email protected]

© 2026 Vollyze. All rights reserved.

Privacy Policy Terms of Service Team DPA Support