Legal

Data Processing Agreement

Version 1.0 · Effective 4 July 2026 · Between each club using FullPanel ("the Club", data controller) and FullPanel, operated by Niall O'Neill, Ireland ("the Processor"). This agreement is incorporated into every FullPanel subscription, on every plan including Free, and applies automatically — no signature required. A signed copy is available on request via support@fullpanel.net. Print or save this page for your club's records.

1. Subject matter, duration, nature and purpose

The Processor provides a club-management platform (squad management, safeguarding register, scheduling, communication, coaching plans, membership payments and fundraising). Processing lasts for the duration of the Club's use of the service and consists of storing, organising, displaying and transmitting the personal data the Club enters or imports, solely to provide the service.

2. Categories of data subjects and personal data

3. Controller instructions

The Processor processes personal data only on the Club's documented instructions — given through the Club's use of the service — unless required otherwise by EU or Irish law, in which case the Processor informs the Club before processing unless the law prohibits it. The Processor immediately informs the Club if, in its opinion, an instruction infringes the GDPR.

4. Confidentiality and security (Art. 32)

Persons authorised to process the data are bound by confidentiality. Technical and organisational measures include: EU (Ireland) data residency; encryption in transit and at rest; per-user authentication; database-enforced row-level security so each club's data is isolated and roles are restricted at the database layer (a coach can only reach their own teams; under-16s can hold no login; the Processor's own support function is structurally excluded from children's personal data); and a server-side, non-erasable audit log of administrative actions.

5. Sub-processors

The Club gives general authorisation for the sub-processors below. The Processor will notify clubs of intended changes (via the service or email), giving an opportunity to object, and imposes equivalent data-protection obligations on each sub-processor.

Sub-processorPurposeLocation / transfer mechanism
SupabaseDatabase & storageEU (Ireland)
VercelHostingEU/US — SCCs / EU-US Data Privacy Framework
ClerkAuthenticationUS — SCCs / EU-US Data Privacy Framework
StripePayment processingEU/US — Stripe GDPR programme
ResendTransactional emailUS — SCCs
AnthropicIn-app assistant & AI plan drafting (prompt text only; no model training on club data)US — SCCs

6. Assistance with data-subject rights

The service gives the Club self-serve tools to meet requests: per-member subject-access export (Admin ▸ Data & GDPR), correction (Members tab), and erasure (member deletion). For anything not self-serve, the Processor assists within 10 working days of a request to support@fullpanel.net.

7. Personal-data breaches

The Processor notifies the Club without undue delay, and in any case within 72 hours of becoming aware of a personal-data breach affecting the Club's data, with the information the Club needs for its own Art. 33/34 obligations.

8. Assistance with DPIAs

The Processor provides reasonable assistance with data-protection impact assessments and prior consultations relating to processing on the service, taking into account the information available to it.

9. Return and deletion

On termination of the subscription the Club may export its data (CSV/JSON exports in-app). Unless EU or Irish law requires retention, the Processor deletes the Club's personal data within 30 days of a deletion request following termination, and confirms deletion on request. Payment records held by Stripe follow Stripe's statutory retention.

10. Audit

The Processor makes available the information reasonably necessary to demonstrate compliance with Art. 28 and, no more than once per year and on 30 days' notice, allows an audit or inspection by the Club or its mandated auditor, at the Club's cost, in a manner that does not put other clubs' data at risk.

11. General

This agreement is governed by Irish law. If it conflicts with any other terms between the Club and the Processor, this agreement prevails for data-protection matters. Liability follows the parties' underlying service terms.