Data Processing Addeundum (DPA)

Last update: 2026-04-18

1. Parties

This Data Processing Addendum (“DPA”) forms part of the agreement between:

Customer (the “Controller”), and
Clubtrack (the “Processor”),

in connection with the use of Clubtrack’s platform and services (the “Services”).

2. Purpose and Scope

This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in accordance with the General Data Protection Regulation.

The Processor shall process Personal Data solely on behalf of the Controller and in accordance with the Controller’s documented instructions.

3. Roles of the Parties

The Controller determines the purposes and means of the processing of Personal Data.

The Processor processes Personal Data on behalf of the Controller.

The Processor shall not process Personal Data for its own purposes.

4. Subject Matter and Duration

Subject Matter

Processing of Personal Data in connection with the provision of Clubtrack’s fan data platform, including analytics, segmentation, and campaign activation.

Duration

Processing shall continue for the duration of the Agreement, unless otherwise required by applicable law.

5. Nature and Purpose of Processing

The Processor processes Personal Data to provide the Services, including:

Data integration and unification
Fan analytics and insights
Segmentation and audience management
Campaign activation and communication tools
Performance tracking and reporting

6. Types of Personal Data

Depending on the Controller’s use of the Services, Personal Data may include:

Identification data (e.g., name, email address, phone number)
Account and profile data
Transactional data (e.g., purchases, tickets)
Behavioral data (e.g., interactions, engagement)

7. Categories of Data Subjects

Fans
Customers
Users of the Controller

8. Processor Obligations

The Processor shall:

8.1 Instructions

Process Personal Data only on documented instructions from the Controller, unless required by law.

8.2 Confidentiality

Ensure that persons authorized to process Personal Data are subject to confidentiality obligations.

8.3 Security

Implement appropriate technical and organizational measures, including:

Encryption in transit and at rest
Access control and authentication
Monitoring and logging
Backup and recovery systems

8.4 Assistance to Controller

Assist the Controller in fulfilling its obligations regarding:

Data subject rights
Security
Data protection impact assessments (where applicable)

9. Data Subject Rights

The Processor shall, to the extent legally permitted, assist the Controller in responding to requests from data subjects, including:

Access
Rectification
Erasure (“right to be forgotten”)
Data portability
Objection to processing

10. Subprocessors

10.1 Authorization

The Controller provides general authorization for the Processor to engage subprocessors.

10.2 Obligations

The Processor shall:

Ensure subprocessors are bound by data protection obligations equivalent to this DPA
Remain fully liable for subprocessors’ performance

10.3 List of Subprocessors

A current list of subprocessors shall be made available at:

www.clubtrack.io/subprocessors

11. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), such transfers shall be governed by appropriate safeguards, including:

Standard Contractual Clauses (SCCs) approved by the European Commission

12. Data Breach Notification

The Processor shall notify the Controller without undue delay upon becoming aware of a Personal Data breach.

Such notification shall include:

Nature of the breach
Categories and approximate number of data subjects affected
Likely consequences
Measures taken or proposed

13. Audits

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.

Audits shall:

Be subject to reasonable notice
Not unreasonably interfere with business operations
Be conducted no more than once per year (unless required by law or incident)

14. Data Retention and Deletion

Upon termination of the Agreement, the Processor shall:

Delete or return all Personal Data to the Controller
Delete existing copies unless required by law

Unless otherwise agreed, data shall be deleted within a reasonable timeframe (e.g., 30 days).

15. Security Measures

The Processor implements appropriate technical and organizational measures designed to protect Personal Data, including:

Encryption
Access controls
Infrastructure security
Monitoring and incident detection

Liability

Each party’s liability under this DPA shall be subject to the limitations set out in the Agreement.

. Governing Law

This DPA shall be governed by the same law as the Agreement, unless otherwise required by applicable data protection laws.

. Order of Precedence

In the event of conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.

19. Contact

For any inquiries regarding this Data Processing Addeundum, you can contact us at hello@clubtrack.io.

Clubtrack, Inc.
131 Continental
Dr Suite 305 Newark,
Delaware 19713
United States
+1 740-272-5893

1. Parties

This Data Processing Addendum (“DPA”) forms part of the agreement between:

Customer (the “Controller”), and
Clubtrack (the “Processor”),

in connection with the use of Clubtrack’s platform and services (the “Services”).

2. Purpose and Scope

This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in accordance with the General Data Protection Regulation.

The Processor shall process Personal Data solely on behalf of the Controller and in accordance with the Controller’s documented instructions.

3. Roles of the Parties

The Controller determines the purposes and means of the processing of Personal Data.

The Processor processes Personal Data on behalf of the Controller.

The Processor shall not process Personal Data for its own purposes.

4. Subject Matter and Duration

Subject Matter

Processing of Personal Data in connection with the provision of Clubtrack’s fan data platform, including analytics, segmentation, and campaign activation.

Duration

Processing shall continue for the duration of the Agreement, unless otherwise required by applicable law.

5. Nature and Purpose of Processing

The Processor processes Personal Data to provide the Services, including:

Data integration and unification
Fan analytics and insights
Segmentation and audience management
Campaign activation and communication tools
Performance tracking and reporting

6. Types of Personal Data

Depending on the Controller’s use of the Services, Personal Data may include:

Identification data (e.g., name, email address, phone number)
Account and profile data
Transactional data (e.g., purchases, tickets)
Behavioral data (e.g., interactions, engagement)

7. Categories of Data Subjects

Fans
Customers
Users of the Controller

8. Processor Obligations

The Processor shall:

8.1 Instructions

Process Personal Data only on documented instructions from the Controller, unless required by law.

8.2 Confidentiality

Ensure that persons authorized to process Personal Data are subject to confidentiality obligations.

8.3 Security

Implement appropriate technical and organizational measures, including:

Encryption in transit and at rest
Access control and authentication
Monitoring and logging
Backup and recovery systems

8.4 Assistance to Controller

Assist the Controller in fulfilling its obligations regarding:

Data subject rights
Security
Data protection impact assessments (where applicable)

9. Data Subject Rights

The Processor shall, to the extent legally permitted, assist the Controller in responding to requests from data subjects, including:

Access
Rectification
Erasure (“right to be forgotten”)
Data portability
Objection to processing

10. Subprocessors

10.1 Authorization

The Controller provides general authorization for the Processor to engage subprocessors.

10.2 Obligations

The Processor shall:

Ensure subprocessors are bound by data protection obligations equivalent to this DPA
Remain fully liable for subprocessors’ performance

10.3 List of Subprocessors

A current list of subprocessors shall be made available at:

www.clubtrack.io/subprocessors

11. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), such transfers shall be governed by appropriate safeguards, including:

Standard Contractual Clauses (SCCs) approved by the European Commission

12. Data Breach Notification

The Processor shall notify the Controller without undue delay upon becoming aware of a Personal Data breach.

Such notification shall include:

Nature of the breach
Categories and approximate number of data subjects affected
Likely consequences
Measures taken or proposed

13. Audits

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.

Audits shall:

Be subject to reasonable notice
Not unreasonably interfere with business operations
Be conducted no more than once per year (unless required by law or incident)

14. Data Retention and Deletion

Upon termination of the Agreement, the Processor shall:

Delete or return all Personal Data to the Controller
Delete existing copies unless required by law

Unless otherwise agreed, data shall be deleted within a reasonable timeframe (e.g., 30 days).

15. Security Measures

The Processor implements appropriate technical and organizational measures designed to protect Personal Data, including:

Encryption
Access controls
Infrastructure security
Monitoring and incident detection

Liability

Each party’s liability under this DPA shall be subject to the limitations set out in the Agreement.

. Governing Law

This DPA shall be governed by the same law as the Agreement, unless otherwise required by applicable data protection laws.

. Order of Precedence

In the event of conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.

Data Processing Addeundum (DPA)

1. Parties

2. Purpose and Scope

3. Roles of the Parties

4. Subject Matter and Duration

Subject Matter

Duration

5. Nature and Purpose of Processing

6. Types of Personal Data

7. Categories of Data Subjects

8. Processor Obligations

8.1 Instructions

8.2 Confidentiality

8.3 Security

8.4 Assistance to Controller

9. Data Subject Rights

10. Subprocessors

10.1 Authorization

10.2 Obligations

10.3 List of Subprocessors

11. International Data Transfers

12. Data Breach Notification

13. Audits

14. Data Retention and Deletion

15. Security Measures

Liability

. Governing Law

. Order of Precedence

19. Contact

1. Parties

2. Purpose and Scope

3. Roles of the Parties

4. Subject Matter and Duration

Subject Matter

Duration

5. Nature and Purpose of Processing

6. Types of Personal Data

7. Categories of Data Subjects

8. Processor Obligations

8.1 Instructions

8.2 Confidentiality

8.3 Security

8.4 Assistance to Controller

9. Data Subject Rights

10. Subprocessors

10.1 Authorization

10.2 Obligations

10.3 List of Subprocessors

11. International Data Transfers

12. Data Breach Notification

13. Audits

14. Data Retention and Deletion

15. Security Measures

Liability

. Governing Law

. Order of Precedence

19. Contact