ClubPal as your data processor
When your club uses ClubPal to manage memberships, registrations, session bookings, and payments, your club acts as the Data Controller and ClubPal acts as the Data Processor. This means ClubPal processes personal data belonging to your members only on your club's behalf and in accordance with your documented instructions.
Our Data Processing Agreement (DPA) sets out the legal framework for this relationship, including how we handle your members' personal data, the security measures we apply, your rights to audit our practices, and the conditions under which data may be deleted or returned when you stop using ClubPal.
UK GDPR obligations
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, any organisation that uses a third party to process personal data on its behalf must have a written data processing agreement in place. The DPA documents both parties' obligations and protects your club's members.
Key commitments in the agreement include:
- ClubPal processes member data only as instructed by your club.
- Appropriate technical and organisational security measures are maintained.
- Data Subject rights requests are handled promptly and transparently.
- Personal data breaches are reported to your club without undue delay.
- Data is deleted within 10 business days of service cessation.
- Subprocessors (listed in Appendix A) are limited to Microsoft Azure, Stripe, and Square.
Download the agreement
You can download the current version of the ClubPal Data Processing Agreement below. The document includes all clauses required by UK GDPR Articles 28 and 32, as well as Appendix A listing our approved subprocessors.