EU DPA v3 — Effective 25 May 2026

Data Processing Agreement

European Union — GDPR (Regulation (EU) 2016/679)

Effective: 25 May 2026 — Published: 21 May 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between ClarityCaddie Limited (“ClarityCaddie”, “we”, “us”) and your organisation (“you”, “Controller”) for use of the ClarityCaddie coach or academy services. It governs our processing of personal data belonging to your students, including students who are minors, as part of delivering those services.

This DPA is legally binding from the date you accept our Terms of Service or enter into a separate services agreement with us that incorporates this DPA by reference.

What’s changed since EU DPA v2 (effective 25 May 2026)

We’ve made the following changes in this version:

  • OpenAI added as a disclosed sub-processor in §6.5 for audio transcription (voice capture converted to text), with transfer mechanism: EU SCCs Module 3.

Your statutory rights under EU data protection law are not affected by anything in this DPA.

1. Definitions

The following capitalised terms have the meanings set out here. Terms not defined here carry their meaning under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).

  • “Services” means the ClarityCaddie coach portal, academy portal, and connected player application that we provide to you.
  • “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Personal Data Breach” have the meanings given in GDPR.
  • “Sub-processor” means any third-party processor we engage to process Personal Data on your behalf in connection with the Services.
  • “Student” means any Data Subject whose Personal Data you direct us to process, including coach-connected players and academy-connected learners.
  • “Minor” means a Student below the age of majority in the member state in which they reside.
  • “Guardian” means a parent, legal carer, or authorised guardian who manages a ClarityCaddie Guardian Account on behalf of a Minor under the age of digital consent applicable in the member state in which the Minor resides (16 by default under Article 8(1) GDPR, or such lower age as the member state has set, down to a minimum of 13).
  • “Guardian Account” means a ClarityCaddie account operated by a Guardian on behalf of a Minor.
  • “Data Sharing Agreement” or “DSA” means an in-product access grant by which a Student (or their Guardian) authorises a specific coach’s or academy staff member’s access to that Student’s Personal Data, within one of three access scopes.
  • “Safeguarding Concern” means a reasonable indication arising from our systems or processing that a Minor may be at risk of harm, abuse, self-harm, or imminent danger.

2. Subject Matter, Duration, Nature, Purpose

  • Subject matter. Processing of Student Personal Data in connection with the Services.
  • Duration. The term of your subscription, plus any wind-down period agreed between us.
  • Nature. Collection, storage, structured organisation, AI-assisted transcription and summarisation, retention, deletion, and disclosure as described in this DPA.
  • Purpose. Enabling mental-performance coaching between you and your Students through the ClarityCaddie platform.

3. Categories of Personal Data

We process the following categories of Student Personal Data on your behalf:

  • Account information. Name, email address, age band, authentication tokens, Guardian relationship (where applicable), and account settings.
  • Mental performance data. Student-captured thoughts, Locker entries, round reflections, pre-shot routines, and Honest Debrief content.
  • Voice data. Voice captures, raw audio (subject to Section 3.1), and transcripts.
  • AI-derived insights. Summaries, pattern detection, and structured content generated by our AI systems from Student input.
  • Coach–Student relationship data. DSAs, connection status, coach access logs, scope grants, and disconnection records.
  • Safeguarding-relevant signals. Platform-generated flags where our systems detect patterns suggesting a possible Safeguarding Concern.

3.1 Voice handling specifics

Voice processing operates as follows:

  • Raw audio recordings are retained on our servers only for as long as required to complete transcription — up to 24 hours. After transcription completes, raw audio is deleted.
  • We transcribe audio to text only. We do not perform voiceprint analysis, biometric identification, or acoustic emotion recognition.
  • Transcripts and AI-derived summaries become part of the Student’s record and are retained under Section 12.
  • Coaches and academy staff with an appropriate DSA scope see the structured summary of voice content, not the raw transcript.

3.2 Special category data (Article 9 GDPR)

Mental performance data and AI-derived insights may, in some cases, reveal information about a Student’s mental state or wellbeing. Where such content constitutes special category Personal Data under Article 9 GDPR, we process it on the following lawful bases:

  • For Students (including Minors accessing services through a Guardian Account): explicit consent obtained at account creation and subscription, under Article 9(2)(a) GDPR.
  • For processing undertaken in connection with the Safeguarding Disclosure Protocol (Section 6.3): substantial public interest in the protection of children, under Article 9(2)(g) GDPR, read with the member-state child-protection law applicable to the Minor.

Enhanced security measures apply to special category data, including access-control restrictions, audit logging of all reads, and exclusion from aggregated platform data outputs that could contribute to re-identification.

4. Data Subjects

We process Personal Data of Students who access the Services under the authority of your account, including:

  • Adult Students (aged 18 and over, or the age of majority in the member state of residence).
  • Minor Students at or above the age of digital consent applicable in their member state of residence who access the Services through a direct account (16 by default under Article 8(1) GDPR, or such lower age as the member state has set).
  • Minor Students below the age of digital consent applicable in their member state of residence who access the Services through a Guardian Account. In this case, the Guardian is the legal rights-holder for the Minor’s Personal Data and exercises Data Subject rights on the Minor’s behalf.

5. Coach and Academy Staff Access Scope

Student Personal Data is made available to coaches and academy staff connected to your account under Data Sharing Agreements. DSAs operate at three scopes, enforced at our database layer:

  • AGGREGATE_ONLY. Access limited to anonymised patterns and counts. No individual-Student identification.
  • TAXONOMY_VIEW. Access to structured, categorised summaries without raw journal content.
  • FULL_VISIBILITY. Access to structured summaries and transcribed content.

All coach and academy staff reads of Student Personal Data are recorded in an access log. The access log is made available to the Student — or, for a Minor accessing through a Guardian Account, to the Guardian — on request.

For Minor Students, we apply additional operational defaults: coach visibility defaults to the scope appropriate to a coaching relationship with a young person, and any FULL_VISIBILITY grant requires explicit Guardian approval.

6. Our Obligations as Processor

6.1 Documented instructions

We process Student Personal Data only on your documented instructions, except where we are required by Union or member-state law to do otherwise, or where Section 6.3 (Safeguarding Disclosure Protocol) applies. Where we are required by law to process Personal Data other than on your instructions, we will inform you of that legal requirement before processing, unless the law prohibits us from doing so on important grounds of public interest.

6.2 Confidentiality

We ensure that persons authorised to process Student Personal Data are bound by obligations of confidentiality, whether contractual or statutory.

6.3 Safeguarding Disclosure Protocol

Where we detect language or patterns in a Minor Student’s content that suggest a Safeguarding Concern — including but not limited to indicators of abuse, self-harm, or imminent risk — we may act in line with our safeguarding policy. This action may include notifying the Guardian, notifying you as the Controller, and, where appropriate, notifying safeguarding authorities or law enforcement in the relevant jurisdiction.

We act in these circumstances in reliance on:

  • Article 6(1)(d) GDPR (vital interests of the data subject) where there is a risk to life;
  • Article 6(1)(e) GDPR (public task) read with member-state child-protection law applicable to the Minor;
  • Article 9(2)(g) GDPR (substantial public interest) where special category data is disclosed.

We will notify you of any such action without undue delay, unless doing so would prejudice the safeguarding outcome, a criminal investigation, or the welfare of the Minor.

6.4 Security measures

We implement and maintain appropriate technical and organisational measures to protect Student Personal Data, including:

  • Encryption of Personal Data in transit and at rest;
  • Role-based access controls, reviewed regularly;
  • An audit log of coach and academy staff reads of Student Personal Data, available to Data Subjects (or Guardians) on request;
  • Multi-factor authentication for administrative access to Student Personal Data;
  • Regular security reviews and penetration testing;
  • Enhanced controls for special category data as described in Section 3.2.

We are targeting SOC 2 Type 1 attestation during Q3 2026, with SOC 2 Type 2 planned for 2027.

6.5 Sub-processors

We engage the following Sub-processors to provide the Services:

  • Supabase — Database, authentication, and file storage. Location: EU (Frankfurt). Transfer mechanism: intra-EEA processing (no international transfer).
  • Vercel — Application hosting and edge compute. Location: Global edge network (EU and US). Transfer mechanism: EU SCCs Module 3 (processor-to-processor) for US edge routing.
  • Fireworks AI — Structured AI generation. Location: United States. Transfer mechanism: EU SCCs Module 3.
  • Anthropic — Narrative AI summaries for Finch. Location: United States. Transfer mechanism: EU SCCs Module 3.
  • OpenAI — Audio transcription (voice capture converted to text). Location: United States. Transfer mechanism: EU SCCs Module 3.
  • ElevenLabs — Text-to-speech for the Finch voice. Location: United States. Transfer mechanism: EU SCCs Module 3.
  • Sentry — Error monitoring and diagnostics. Location: United States. Transfer mechanism: EU SCCs Module 3.
  • Resend — Transactional email delivery. Location: United States. Transfer mechanism: EU SCCs Module 3.

We maintain written agreements with each Sub-processor that impose data protection obligations no less protective than those in this DPA.

We will notify you by email, to the address registered on your account, at least 30 days before adding or replacing a Sub-processor in connection with the Services. You may object in writing, on reasonable data-protection grounds, to any new Sub-processor. We will work with you in good faith to resolve the objection. If no resolution can be reached, you may terminate the affected part of the Services without penalty.

6.6 International transfers

Where we transfer Student Personal Data outside the European Economic Area — including transfers to Sub-processors located in the United States — we rely on one of:

  • Adequacy decisions in force under Article 45 GDPR from time to time;
  • The Standard Contractual Clauses in the form set out in Commission Implementing Decision (EU) 2021/914, selecting Module 3 (processor-to-processor) as appropriate to our relationship with the Sub-processor;
  • Where we act as controller for onward transfers of aggregated outputs under Section 7, the Standard Contractual Clauses Module 1 (controller-to-controller).

We conduct Transfer Impact Assessments where required under Schrems II and European Data Protection Board guidance, and apply supplementary measures (including encryption and pseudonymisation) where the assessment requires them.

6.7 Data Subject rights assistance

We assist you, by appropriate technical and organisational measures, in responding to Data Subject requests under GDPR, including:

  • Right of access (Article 15);
  • Right to rectification (Article 16);
  • Right to erasure (Article 17);
  • Right to restrict processing (Article 18);
  • Right to data portability (Article 20);
  • Right to object (Article 21);
  • Rights relating to automated decision-making and profiling (Article 22).

Where a Minor Student uses a Guardian Account, Data Subject rights are exercised by the Guardian on the Minor’s behalf. When a Minor reaches the age of majority in their member state of residence, rights transition to the now-adult Data Subject.

6.8 Data Protection Impact Assessments

We assist you, to the extent the information is in our possession and reasonably required, with Data Protection Impact Assessments under Article 35 GDPR and prior consultation with the competent supervisory authority under Article 36.

6.9 Personal Data Breach notification

We notify you of any Personal Data Breach affecting Student Personal Data without undue delay, and in any event within 72 hours of our becoming aware of it. Our notification will include, to the extent known at the time, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures we have taken or propose to take.

6.10 Audit cooperation

We make available to you all information reasonably necessary to demonstrate compliance with our obligations under this DPA and Article 28 GDPR. We allow for and contribute to audits and inspections conducted by you, or by an auditor mandated by you, on reasonable prior notice and at reasonable intervals. Audits must not unreasonably interfere with the normal course of our business.

6.11 Return or deletion on termination

On termination of the Services, we will delete or, at your written request, return all Student Personal Data to you, except to the extent that Union or member-state law requires retention. Personal Data deletion completes within 30 days of termination. Anonymised safeguarding and regulatory records may be retained for up to 7 years where required by law or for legitimate safeguarding purposes, as described in our Terms of Service.

7. Where We Act as Controller

We act as Processor for the Student Personal Data you share with us. However, where we combine de-identified data across our platform to produce aggregated analytical outputs — as described in our Terms of Service — we act as Controller for those aggregated outputs.

Aggregated outputs are produced to a minimum cohort size that prevents re-identification of any individual Student. Special category data, and data derived from Minor Students, are subject to enhanced de-identification standards before inclusion in any aggregated output.

Deletion of a Student’s account removes that Student from future aggregations. Prior aggregated outputs (research already published, product improvements already shipped) are not invalidated by such deletion, consistent with GDPR treatment of properly aggregated, de-identified data.

8. Your Obligations as Controller

You agree that you:

  • Have the lawful basis required under GDPR to provide Student Personal Data to us for the purposes set out in this DPA;
  • Have obtained any consents required from Students, or from Guardians on behalf of Minors, including consent to the processing of any special category data;
  • Are responsible for your own compliance with the safeguarding duties placed on you by law in your member state;
  • Provide us with instructions in writing (including through the ordinary use of the Services);
  • Respond to Data Subject requests that are routed to you through us;
  • Inform us of any Data Subject complaints, supervisory authority enquiries, or regulatory actions relating to our processing on your behalf.

9. Guardian Account Routing

Where a Minor Student’s account is operated through a Guardian Account, the Guardian is the legal rights-holder for Data Subject rights under GDPR. You may route Data Subject rights requests originating from a Guardian to us for assistance, and we will assist in line with Section 6.7.

When a Minor reaches the age of majority in their member state of residence, rights transition to the now-adult Data Subject, who may exercise them directly through the Services.

10. Term and Termination

This DPA remains in force for the duration of your subscription to the Services. On termination, the obligations in Sections 6.9, 6.10, 6.11, and 7 continue to apply to the extent relevant to any ongoing retention or wind-down activity.

Either party may terminate this DPA on 30 days’ written notice where the other is in material breach of its data protection obligations under this DPA and has not remedied the breach within 30 days of written notice requiring remedy.

11. Liability

Nothing in this DPA limits or excludes either party’s liability to the extent such limitation or exclusion would be void or unenforceable under GDPR or other applicable Union or member-state law. Subject to that, the liability framework set out in your main services agreement with us applies to this DPA.

12. Governing Law and Jurisdiction

This DPA is governed by the laws of the Republic of Ireland. The courts of the Republic of Ireland have jurisdiction to determine any dispute arising under this DPA. This clause does not limit any right you may have to bring proceedings in another jurisdiction where permitted by applicable law, including proceedings before the supervisory authority in the member state where you or the affected Data Subject is established or resident.

13. Contact

For all matters relating to this DPA — Data Subject rights requests routed through you, Personal Data Breach notifications, Sub-processor objections, and any other question — please contact: hello@claritycaddie.com

ClarityCaddie Limited, Unit 5, The Mill, 10-12 Keats Lane, Earl Shilton, LE9 7DQ, United Kingdom
