Data Processing Agreement (DPA) — Art. 28 GDPR
Version 1.0 · Last updated: March 7, 2026
This Data Processing Agreement (hereinafter, “DPA” or “Agreement”) governs the processing of personal data carried out by Sphaira Tech on behalf of sports clubs and entities that subscribe to its services, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR) and applicable national data protection legislation.
This Agreement is automatically incorporated into and forms part of the Terms and Conditions of Sphaira Tech. By contracting or using Sphaira Tech’s services, the Club accepts the terms of this DPA.
1. Parties to the Agreement
1.1. Data Processor
- Name: Sphaira Tech (Alejandro Espinosa López)
- Tax ID (NIF): 48649484E
- Address: Calle Federico García Lorca 3, 30009, Murcia, Spain
- Email: info@sphairatech.com
- GDPR Role: Data Processor (Art. 28 GDPR)
1.2. Data Controller
The sports club, academy, association or any entity that contracts Sphaira Tech services (hereinafter, “the Club” or “the Controller”), identified by the details provided at the time of registration on the platform.
- GDPR Role: Data Controller (Art. 24 GDPR)
2. Subject Matter, Nature and Duration
Sphaira Tech will process personal data on behalf of the Club solely for the purpose of providing the contracted sports management services, which include:
- Management of players, teams, coaches and club staff
- Administration of sports and medical documentation
- Management of payments, subscriptions and invoicing
- Internal club communications (push notifications, messages)
- Training planning, squad selections and calendar management
- Statistics analysis and sports performance tracking
- Sports video storage and analysis
- Artificial intelligence features (tactical analysis, reports)
- Scouting and player evaluation
This Agreement remains in force for the entire period during which the Club maintains its contractual relationship with Sphaira Tech, and terminates upon the end of that relationship, subject to the data return or deletion obligations set out in clause 10.
3. Categories of Personal Data and Data Subjects
| Category of Data Subjects | Types of Data Processed |
|---|---|
| Adult players (≥18 years) | Name, surname, date of birth, email, phone, address, national ID, profile photo, sports data (position, squad number, team), performance statistics, attendance, health data (injuries, medical reviews), billing data |
| Minor players (<18 years) | Name, surname, date of birth, photo, sports data, sports health data, legal guardian data. Processed exclusively through legal guardians |
| Coaches and technical staff | Name, surname, email, phone, photo, credentials, role in club, platform activity history |
| Parents / legal guardians | Name, surname, email, phone, relationship with the minor, payment data (processed by Stripe) |
| Club administrators | Name, surname, email, phone, role, access credentials, administrative activity history |
Special categories of data (Art. 9 GDPR): Sphaira Tech may process health data (injuries, medical reviews, allergies) on behalf of the Club, only where the Club has obtained the explicit consent of the data subject or their legal guardian (Art. 9.2.a GDPR).
4. Controller's Instructions
Sphaira Tech will process personal data only on documented instructions from the Club and will not use them for its own purposes unrelated to the contracted services, unless required by law.
The Club’s instructions are expressed through:
- Platform configuration carried out by the Club administrator
- Features enabled or disabled by the Club in its administration panel
- Written communications sent to info@sphairatech.com
If Sphaira Tech considers that any instruction from the Club infringes the GDPR or other applicable law, it will notify the Club immediately.
5. Sphaira Tech's Obligations as Data Processor
Sphaira Tech undertakes to:
5.1. Confidentiality
- Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Not disclose the Club’s data to third parties without instruction or authorisation from the Controller, except where required by law.
5.2. Technical and organisational security measures
Implement appropriate security measures pursuant to Art. 32 GDPR, including those described in the Privacy Policy — Section 10:
- Encryption in transit (HTTPS/TLS) and at rest (AES-256)
- Secure authentication with bcrypt hashing and JWT tokens
- Role-based access control (RBAC)
- Payment data tokenisation (PCI-DSS Level 1 via Stripe)
- Biometric data stored exclusively on the user’s device
5.3. Assistance with data subject rights
Assist the Club, by appropriate technical and organisational measures, in fulfilling its obligation to respond to requests from data subjects exercising their rights (access, rectification, erasure, portability, restriction, objection).
When a data subject addresses a request directly to Sphaira Tech, we will forward it to the Club without undue delay.
5.4. Assistance with security obligations
Assist the Club in ensuring compliance with:
- Security of processing obligations (Art. 32 GDPR)
- Notification of personal data breaches to the supervisory authority (Art. 33 GDPR)
- Communication of personal data breaches to data subjects (Art. 34 GDPR)
- Carrying out Data Protection Impact Assessments where necessary (Art. 35 GDPR)
5.5. Personal data breach notification
Sphaira Tech will notify the Club, without undue delay and in any case within 72 hours of becoming aware, of any personal data breach affecting the Club’s data, in accordance with Art. 33 GDPR.
Notification will be sent to the email address of the Club administrator registered on the platform and will include at minimum: description of the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
5.6. Making information available and audits
Sphaira Tech will make available to the Club all information necessary to demonstrate compliance with the obligations set out in Art. 28 GDPR, and will allow and contribute to audits and inspections conducted by the Club or an auditor appointed by it.
Audit requests must be submitted with reasonable prior notice (minimum 30 calendar days) and in writing to info@sphairatech.com. Costs associated with on-site audits shall be borne by the Club.
6. Club's Obligations as Data Controller
The Club, as Data Controller, undertakes to:
- Have obtained informed consent from data subjects (or their legal guardians in the case of minors) before entering their data into the Sphaira Tech platform.
- Have informed data subjects about the processing of their data, including the identity and details of Sphaira Tech as data processor.
- Ensure that the instructions given to Sphaira Tech for data processing comply with the GDPR and other applicable law.
- Not enter into the platform any personal data that is not strictly necessary for the club’s sports management.
- Ensure that only authorised club personnel access the platform and the data of data subjects.
- Keep data subjects’ information up to date and properly handle any requests to exercise rights received directly.
- Notify Sphaira Tech immediately if it becomes aware of any incident that may affect data security.
7. Sub-processors
The Club authorises Sphaira Tech to engage the following sub-processors for the provision of services. Sphaira Tech guarantees that these sub-processors provide sufficient guarantees of GDPR compliance and that contracts with them include the same data protection obligations:
| Sub-processor | Country / HQ | Purpose | Transfer safeguard |
|---|---|---|---|
| Stripe, Inc. | USA | Payment processing and subscription billing | EU-U.S. Data Privacy Framework (DPF) |
| Firebase / Google LLC | USA | Push notification delivery | EU-U.S. Data Privacy Framework (DPF) |
| OpenAI, Inc. | USA | AI for tactical analysis and reports (pseudonymised data) | EU-U.S. Data Privacy Framework (DPF) + own DPA |
| Backblaze, Inc. | EU (eu-central) | Sports video storage | Data hosted in the EU |
| Google LLC (Gmail SMTP) | USA | Transactional email delivery | EU-U.S. Data Privacy Framework (DPF) |
| Resend, Inc. | USA | Transactional email delivery | EU-U.S. Data Privacy Framework (DPF) |
| Activa Network | France (EU) | Main database hosting | Data hosted in the EU (no international transfer) |
Sphaira Tech will notify the Club at least 30 days in advance of any planned changes to sub-processors. The Club may object to such changes by written notice to info@sphairatech.com within 15 days of notification.
8. International Data Transfers
International data transfers carried out by Sphaira Tech or its sub-processors are based on:
- EU-U.S. Data Privacy Framework (DPF): recognised as adequate by the European Commission. Stripe, Google, OpenAI and Resend are certified under this framework.
- Standard Contractual Clauses (SCCs): approved by the European Commission (Decision 2021/914) as an additional or alternative safeguard where appropriate.
- EU-hosted data: the main database and video files are hosted on servers in the European Union.
For data sent to OpenAI, automatic prior pseudonymisation is applied: player names, coaches, teams and locations are replaced by tokens before transmission, minimising the exposure of identifiable data.
9. Data Retention Periods
Sphaira Tech will retain the Club’s personal data for the time strictly necessary for the provision of contracted services. The specific periods are those set out in the Privacy Policy — Section 9.
In no case will data be retained beyond the maximum period legally admissible for each type of data, unless the Controller gives express instructions to the contrary that are lawful.
10. Return or Deletion of Data at the End of Service
Once the contractual relationship between the Club and Sphaira Tech has ended:
- Data export (up to 90 days after cancellation): the Club may request the export of all its data in standard format (CSV, JSON or PDF) within 90 days of service cancellation, by sending a request to info@sphairatech.com.
- Definitive deletion: once the export period has elapsed (or earlier if the Club expressly requests it), Sphaira Tech will permanently and irrecoverably delete all the Club’s personal data from its systems within a maximum of 30 days.
- Deletion confirmation: Sphaira Tech will send the Club written confirmation of the complete deletion of data once carried out.
- Retention for legal obligation: data that must be retained for a legal obligation (e.g., financial data for 5 years) will not be deleted, but will be restricted and not used for any other purpose.
11. Liability
Sphaira Tech shall be liable to the Club for breach of the obligations set out in this DPA directly attributable to it, on the terms and within the limits established in the Terms and Conditions — Section 10.
The Club shall be liable to data subjects and supervisory authorities for compliance with its obligations as Data Controller, including obtaining valid consents and properly informing data subjects.
12. Governing Law and Dispute Resolution
This DPA is governed by Regulation (EU) 2016/679 (GDPR), the Spanish Organic Law 3/2018 (LOPDGDD) and other applicable Spanish and European data protection legislation.
For the resolution of any dispute arising from this Agreement, the parties submit to the jurisdiction of the Courts and Tribunals of Murcia, Spain, without prejudice to the competence of the Spanish Data Protection Agency (AEPD) as supervisory authority.
13. Contact
For any questions regarding this DPA or the processing of data in connection with Sphaira Tech’s services:
- Email: info@sphairatech.com (subject: “DPA / Data Processing Agreement”)
- Phone/WhatsApp: +34 623 91 17 72
- Postal address: Calle Federico García Lorca 3, 30009, Murcia, Spain
This Agreement was last updated on March 7, 2026 (version 1.0).