Skip to content
Pitch Perfect

Data processing agreement

Last updated: 4 June 2026

This Data Processing Agreement (DPA) is between a club, as data controller, and Pitch Perfect, as data processor, under UK GDPR. It forms part of the agreement between the club and Pitch Perfect.

1. Parties and roles

This DPA is between the club identified in the relevant order or account (the Controller) and Nation FC Ltd, trading as Pitch Perfect (the Processor). The Controller determines the purposes and means of processing; the Processor processes personal data only on the Controller's documented instructions.

2. Subject matter, duration, nature and purpose

The Processor processes personal data to provide the Pitch Perfect platform: transcribing feedback, drafting reports, supporting coach review and approval, detecting safeguarding and sensitive content, and delivering approved reports. Processing continues for the duration of the agreement between the parties.

3. Categories of data and data subjects

Data subjects include children (players), their parents and guardians, and club staff.

Personal data includes names, dates of birth, contact details, audio recordings, transcripts, development reports, and delivery and access records. It may incidentally include special-category data, which the Processor is designed to detect, route to the Controller's Designated Safeguarding Officer, and exclude from parent-facing output.

4. Processor obligations

The Processor will:

  • Process personal data only on the Controller's documented instructions, including for international transfers, unless required by law.
  • Ensure people authorised to process the data are bound by confidentiality.
  • Implement appropriate technical and organisational security measures.
  • Engage sub-processors only under written terms offering equivalent protection, and inform the Controller of changes.
  • Assist the Controller in responding to data subject rights requests.
  • Assist with security, breach notification and data protection impact assessments.
  • Notify the Controller without undue delay on becoming aware of a personal data breach.
  • At the Controller's choice, delete or return personal data at the end of the service, except where retention is required by law.
  • Make available the information needed to demonstrate compliance and allow for audits.

5. Sub-processors

The Controller authorises the Processor to use the following sub-processors: Supabase and Vercel (hosting and storage), OpenAI and, where configured, Anthropic (speech to text and report drafting), Resend (email), Twilio (SMS and WhatsApp), Sentry (error monitoring) and Stripe (payments). Data sent to speech-to-text and language model providers is not used to train their models.

6. International transfers

Where a sub-processor processes personal data outside the United Kingdom, the parties rely on appropriate safeguards, such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.

7. Liability and precedence

Liability under this DPA is subject to the limitations agreed in the main agreement between the parties. If there is a conflict between this DPA and the main agreement on data protection matters, this DPA prevails.

8. Acceptance

This DPA is accepted by the Controller on creating an account or signing the order, and by the Processor on providing the service.