Data Processing Addendum (DPA)

Last updated: 27/10/2025

This DPA forms part of the agreement between Customer (Controller) and Pitch Time (Processor) when Pitch Time processes Personal Data on Customer's behalf.

Processor: Pitch Time (ABN: TBC), TBC (Victoria, Australia)

Contact: use our contact page

1. Subject matter & duration

Processing Personal Data to deliver the Service as described in the primary agreement, for the subscription term and any data return period.

2. Nature & purpose

Hosting, storage, transmission, display, analytics (as configured), and support.

3. Types of data & data subjects

Data subjects: coaches, club administrators, players (including minors) and guardians where entered by Customer.

Data types: names, contact info, team/player/match data, identifiers, usage logs; no special categories unless provided by Customer.

4. Roles & instructions

Customer is the Controller; Pitch Time is the Processor. We process Personal Data only on documented instructions, including the primary agreement and this DPA.

5. Confidentiality

Personnel with access to Personal Data are bound by confidentiality obligations.

6. Security measures

We implement appropriate technical and organisational measures (TOMs) described at https://pitchtime.app/security and in Annex 2. Measures may be updated to maintain or improve protection.

7. Sub-processors

Customer authorises the sub-processors listed at https://pitchtime.app/subprocessors. We will impose data-protection terms no less protective than this DPA and notify material changes (Customer may object on reasonable grounds).

8. International transfers

For transfers outside jurisdictions with adequacy, the parties incorporate the EU Standard Contractual Clauses (SCCs) and, where applicable, the UK Addendum. We will implement supplementary measures as needed.

9. Data subject requests

Taking into account the nature of processing, we will assist Customer with appropriate measures to respond to access, deletion, and other requests.

10. Personal data breaches

We will notify Customer without undue delay after becoming aware of a Personal Data Breach and provide information/cooperation reasonably required.

11. Audit & compliance

Upon written request, we will make available information necessary to demonstrate compliance and allow audits by Customer or an independent auditor mandated by Customer, subject to reasonable notice, confidentiality, and frequency limits.

12. Return & deletion

Upon termination/expiry, upon Customer's written instruction, we will delete or return Personal Data, unless retention is required by law. Aggregated/anonymised data may be retained.

13. Liability & precedence

Liability is governed by the primary agreement. If there is a conflict between this DPA and the primary agreement, this DPA prevails for data-protection matters.

14. Governing law

This DPA is governed by the laws of Victoria, Australia, subject to incorporated SCCs (and the UK Addendum) for international transfers.

Annex 1 — Processing details

Controller

Customer

Processor

Pitch Time (ABN: TBC), TBC (Victoria, Australia)

Purpose

Provide the Pitch Time Service

Data subjects

Coaches, admins, players, guardians

Categories

Names, contact info, team/player/match data, identifiers, usage logs

Retention

As configured by Customer and required for the Service

Annex 2 — Security measures (summary)

Encryption in transit (TLS 1.2+) and at rest
Role-based access controls; MFA/SSO for staff tools
Network/app firewalls; logical segregation
Backups and disaster-recovery procedures
Vulnerability management and patching
Secure development practices and code review
Incident response plan and logging/monitoring

Questions about our DPA? Contact us