Data Processing Agreement
Last updated: 11 March 2026
This Agreement is concluded pursuant to GDPR Article 28 between the Club (data controller) and ClubSystem (data processor) at the time of account registration. A Polish version is available at /pl/umowa-powierzenia/.
Article 1. Subject Matter
This Agreement governs the terms under which the Club (hereinafter: "Controller") entrusts personal data processing to ClubSystem (hereinafter: "Processor") in connection with the provision of the ClubSystem SaaS service — a table (billiard / sports) booking management system, as described in the Terms of Service.
This Agreement enters into force upon conclusion of the Service agreement (i.e., completion of registration and acceptance of the Terms of Service).
Processor: Bartosz Olchówka, ul. Reja 55/54, 50-343 Wrocław, Poland, VAT ID: PL8451894280. Contact: contact@clubsystem.app.
Article 2. Scope and Purpose of Processing
Purpose of processing: Provision of the Service — enabling management of table reservations, handling customer registration and verification, storing booking history, and sending SMS and email messages to the Controller's customers.
Categories of personal data processed on behalf of the Controller:
- phone numbers of the Controller's customers,
- first and last names of the Controller's customers (if provided),
- email addresses of the Controller's customers (if provided),
- booking history (date, time, table, duration),
- temporary SMS verification codes.
Registration data of the club owner/administrator used to create a ClubSystem account (name, email address, phone number) is processed by ClubSystem in the capacity of an independent data controller under the Terms of Service and falls outside the scope of this Agreement.
Categories of data subjects: end customers of the Controller (persons making table reservations) and employees and administrators of the Controller (club staff).
Duration of processing: for the duration of the Service agreement, and after its termination — for 30 days to allow data export, followed by secure deletion (Art. 9).
Article 3. Obligations of the Processor
The Processor undertakes to:
- Process personal data only on documented instructions of the Controller, unless required to do so by Union or Member State law.
- Ensure confidentiality — persons authorised to process the data shall be bound by confidentiality obligations.
- Implement appropriate technical and organisational measures (Article 32 GDPR): encryption in transit and at rest, access control, regular backups, security monitoring.
- Manage sub-processors in accordance with Article 5.
- Assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability, objection).
- Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation).
- Make available all information necessary to demonstrate compliance and allow for audits (Article 8).
- Immediately inform the Controller if any instruction given infringes GDPR in the Processor's opinion.
Article 4. Obligations of the Controller
The Controller undertakes to:
- Use the Service in accordance with the Terms of Service and ClubSystem's Privacy Policy.
- Collect personal data from customers in accordance with applicable law, in particular on the basis of an appropriate legal ground under Article 6 GDPR.
- Fulfil data subject rights requests via the Service's interface or by contacting the Processor.
- Inform its customers (in its own privacy policy) of the use of ClubSystem as a data processor.
Article 5. Sub-processors
The Controller grants the Processor general authorisation to engage the sub-processors listed below. The Processor shall notify the Controller of any intended addition or replacement of a sub-processor at least 14 days in advance.
Where a sub-processor fails to fulfil its data protection obligations, the Processor remains fully liable to the Controller for the performance of that sub-processor's obligations (Article 28(4) GDPR).
Currently approved sub-processors:
| Sub-processor | Country | Purpose | Transfer basis |
|---|---|---|---|
| Hetzner Online GmbH | Germany (EU) | Server and database hosting | Not required (EEA) |
| P4 Sp. z o.o. (SMSAPI.pl) | Poland (EU) | SMS delivery | Not required (EEA) |
| Resend, Inc. | USA | Transactional email | DPF / SCC (Art. 46 GDPR) |
| Functional Software, Inc. (Sentry) | USA | Error monitoring (no PII) | DPF / SCC (Art. 46 GDPR) |
| Netlify, Inc. | USA | Frontend hosting, CDN | DPF / SCC (Art. 46 GDPR) |
For US-based sub-processors, transfers are carried out on the basis of the EU–US Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs).
Article 6. Personal Data Breaches
The Processor shall notify the Controller without undue delay — and in any event no later than 48 hours after becoming aware — of any personal data breach (Article 4(12) GDPR). This window is intentionally shorter than the 72-hour period afforded to controllers, so as to preserve the Controller's ability to meet its own reporting obligation.
The notification shall include at minimum:
- a description of the nature of the breach,
- the categories and approximate number of data subjects and records concerned,
- the likely consequences of the breach,
- measures taken or proposed to address the breach.
Security disclosures and breach reports directed to the Processor should be sent to: contact@clubsystem.app.
The Controller is solely responsible for assessing whether the breach must be reported to the supervisory authority and/or communicated to affected data subjects.
Article 7. Data Subject Rights
The Processor shall promptly forward to the Controller any requests from data subjects made directly to the Processor, and shall not respond to such requests independently without the Controller's authorisation.
The Processor shall provide tools within the Service interface that allow the Controller to fulfil data subject rights, including data export and deletion.
Article 8. Audits and Inspections
The Controller has the right to carry out audits and inspections to verify compliance with this Agreement, no more than once per year and with at least 14 days' prior notice. The cost of the audit is borne by the Controller, unless the audit reveals non-compliance by the Processor.
Article 9. Return or Deletion of Data upon Termination
Upon termination of the Service agreement, the Controller has 30 days to choose between downloading all data (CSV/JSON export via the administration panel) and requesting immediate secure deletion. If no written instruction is received within this period, the Processor shall proceed with deletion.
After the 30-day period, the Processor shall irrevocably delete all data belonging to the Controller and its customers — including copies held by sub-processors — unless retention is required by applicable law. The Processor shall confirm deletion in writing within 14 days upon request.
Article 10. Liability
The Processor shall be liable for damage caused by processing only where it has not complied with obligations under GDPR or this Agreement, or where it has acted outside or contrary to the Controller's documented instructions.
Liability for indirect or consequential losses (including loss of profits) is excluded between the parties, except in cases of wilful misconduct or gross negligence. The Processor's total aggregate liability is limited to the net fees paid by the Controller in the 12 months preceding the damaging event.
These limitations do not apply to liability under GDPR Article 82 towards data subjects, or to liability that cannot be excluded under mandatory applicable law.
Article 11. Final Provisions
This Agreement is governed by Polish law. Matters not regulated herein shall be governed by the Polish Civil Code and applicable data protection legislation, including GDPR and the Polish Act on the Protection of Personal Data of 10 May 2018. Any disputes shall be subject to the jurisdiction of the courts of Wrocław, Poland.
Amendments require written or electronic form, except for updates to the sub-processor list (Art. 5), which the Processor may make unilaterally with the required notice period.