Back

Data Processing Agreement (DPA)

FAQTermsPrivacy PolicyAI/Data TransparencyData Processing Agreement

1. Definitions

“UK GDPR”, “Data Controller”, “Data Processor”, “Joint Controller”, “Personal Data”, and “Processing” have the meanings assigned under UK GDPR and the Data Protection Act 2018.

“Player Data” means personal data relating to athletes or players uploaded by an Organisation or its staff, including minors.

“AI Coach Platform” means the digital platform provided by VIA Academy for storing methodologies, training content, IDPs, and AI-generated prompts.

2. Subject matter, duration & purpose of processing

2.1 VIA Academy will process personal data only for delivering the Course and enabling use of the AI Coach Platform.

2.2 Processing continues for the duration of the Course and for the period outlined in the Privacy Policy.

2.3 Purposes include:

  • Providing digital services
  • Storing training methodologies
  • Generating developmental insights
  • Supporting mentorship
  • Administering club visits
  • Ensuring safeguarding
  • Maintaining platform security

3. Nature & types of data processed

VIA Academy may process the following on behalf of the Controller:

3.1 Participant Data

  • Names
  • Contact details
  • Course progress
  • Attendance
  • Assignments and uploads
  • Mentorship notes

3.2 Player Data (if uploaded by coaches)

  • Names or initials
  • Age/playing group
  • Photos (optional)
  • IDPs and developmental notes
  • Performance information
  • Session planning requirements

3.3 Special Category Data

VIA Academy does not require or request sensitive data (health, ethnicity, biometrics) and Controllers must not upload such data unless absolutely necessary and covered by explicit consent.

4. Legal basis for AI processing

Processing is based on:

  • 4.1 Contractual necessity – required to deliver the Platform.
  • 4.2 Legitimate interests – improving the quality and relevance of prompts.
  • 4.3 Consent – required for minors’ data or optional features.
  • 4.4 No unnecessary or excessive personal data will be uploaded.
  • 4.5 It will communicate data protection responsibilities to all Participants.

5. Processing Obligations

VIA Academy shall:

  • 5.1 Process data only on documented instructions from the Controller.
  • 5.2 Implement appropriate technical and organisational security measures.
  • 5.3 Ensure staff are subject to confidentiality obligations.
  • 5.4 Assist with Controller obligations (subject access, erasure, portability).
  • 5.5 Notify the Controller of data breaches without undue delay.
  • 5.6 Maintain audit logs and access controls.
  • 5.7 Not subcontract processing without ensuring subcontractor compliance.

6. Sub-Processors

6.1 VIA Academy uses sub-processors for:

  • Cloud hosting
  • AI model hosting
  • Email platforms
  • Analytics tools
  • Payment gateways

6.2 All sub-processors are subject to UK GDPR–compliant contractual obligations.

6.3 VIA Academy will provide a list upon request.

7. International Transfers

Transfers outside the UK use:

  • UK International Data Transfer Agreement (IDTA); or
  • ICO-approved Standard Contractual Clauses (SCCs)

8. Data Subject Rights

VIA Academy will support the Controller in responding to rights requests including:

  • Access
  • Rectification
  • Erasure
  • Restriction
  • Portability
  • Objection

9. Security Measures

Measures include:

  • Encryption in transit & at rest
  • Role-based access
  • Firewalls and anti-malware
  • Staff training in safeguarding & data protection

10. Data Breachers

10.1 VIA Academy will notify the Controller without undue delay upon becoming aware of a breach.

10.2 The Controller is responsible for notifying the ICO and affected individuals unless otherwise agreed.

11. Data Retention & Deletion

Upon termination of the Course or expiry of the AI Coach Platform licence:

  • Participant data is retained per the Privacy Policy
  • AI Coach Platform content is deleted or anonymised at the end of 2025/26 season
  • Player Data uploaded by coaches may be deleted upon Controller request

Backups may persist for legally required periods.

12. Audit Rights

Controllers may request evidence of VIA's security and compliance controls.

Physical audits require 30 days’ notice and may incur charges.

13. Liability

Liability is subject to the Main Agreement’s limitation clauses.

14. Term & Termination

This Agreement begins when the Controller first provides data and continues until:

  • Course completion, and
  • All data is deleted or returned

15. Governing Law

England & Wales law applies.Disputes follow the Main Agreement.

ContactFAQTermsPrivacyData TransparencyDPA
© Copyright 2024 KaiZhan. All rights reserved.