Data Processing Agreement

(Annex to the Terms of Service of the TeamCash service)

Effective date: April 9, 2026

1. Parties

Controller of personal data (hereinafter the “Controller”):

The user of the TeamCash service who has created a user account and enters personal data of their team members (in particular players, coaches, and other members) into the Service. The identity of the Controller is defined by the information provided during registration in the Service.

Processor of personal data (hereinafter the “Processor”):

  • Name: Tomáš Prokop
  • Registered address: Šrámkova 3213/12, 400 11 Ústí nad Labem – Severní Terasa
  • IČO: 19173326
  • Contact email: info@tymovakasa.cz

2. Introductory Provisions

2.1 This Data Processing Agreement (hereinafter the “Agreement” or “DPA”) is concluded in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR) and forms an integral part of the Terms of Service of the TeamCash service (hereinafter the “Terms of Service”).

2.2 The Controller concludes this Agreement with the Processor simultaneously with expressing consent to the Terms of Service upon registration of a user account in the Service.

2.3 In the event of a conflict between this Agreement and the Terms of Service, this Agreement shall prevail with respect to the processing of personal data.

3. Subject Matter and Purpose of Processing

3.1 The subject matter of processing is the provision of the TeamCash service to the Controller, within which the Controller enters and manages personal data of their team members.

3.2 The purpose of processing is to enable the Controller to manage team members, their fines, contributions, payments, and the status of the team treasury through the Service.

3.3 Nature of processing: Automated processing of personal data through a cloud application, in particular storage, organisation, structuring, display, retrieval, modification, deletion, and export of data.

4. Duration of Processing

4.1 Processing takes place for the entire period during which the Controller has an active user account in the Service.

4.2 The Agreement terminates simultaneously with the termination of the Controller’s user account in the Service.

4.3 After termination of the Agreement, the Processor proceeds in accordance with Article 11 of this Agreement.

5. Types of Personal Data and Categories of Data Subjects

5.1 Categories of data subjects whose personal data may be processed within the Service:

  • Members of teams managed by the Controller (in particular players, coaches, assistants, and other members)
  • Including minors (typically in youth teams)

5.2 Types of personal data processed:

  • Identification data: first name, last name, and optionally a nickname
  • Contact data: email address, phone number (if entered)
  • Photographs (if uploaded)
  • Team membership data (role, position, date of addition)
  • Financial records: recorded fines, contributions, payments, balance
  • Activity records within the team

5.3 The Service does not process special categories of personal data under Article 9 GDPR (sensitive data concerning health, ethnic origin, political opinions, etc.). The Controller undertakes not to enter such data into the Service.

6. Obligations and Rights of the Controller

6.1 The Controller is solely responsible for:

  • The existence of a legal basis for processing the personal data of team members (in particular the consent of the data subjects, the legitimate interest of the club, a membership relationship, a contractual relationship, or the consent of legal guardians in the case of minors)
  • Fulfilling the duty to inform data subjects (Articles 13 and 14 GDPR), in particular informing team members about how their data is processed, who the controller is, and what rights they have
  • Handling data subject requests (access, rectification, erasure, restriction of processing, objection, portability) — the Processor provides assistance to the Controller pursuant to Article 9 of this Agreement
  • Decisions regarding activating or deactivating the public team overview sharing feature and the consequences of such decisions (see Privacy Policy, Article 6)
  • The accuracy and currency of the entered data
  • The lawfulness of processing within the meaning of Article 6 GDPR

6.2 The Controller issues instructions to the Processor regarding the processing of personal data through the use of the Service itself (creating, modifying, deleting records). Any instruction other than those issued in this manner shall be deemed an instruction only if it is made in writing and sent to info@tymovakasa.cz.

7. Obligations of the Processor

7.1 The Processor undertakes to:

a) Process personal data solely on the basis of documented instructions from the Controller, including transfers to third countries (which take place only through approved sub-processors listed in Article 8 and always with appropriate safeguards).

b) Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

c) Implement appropriate technical and organisational measures pursuant to Article 32 GDPR to ensure a level of security appropriate to the risk, as set out in Article 10 of this Agreement.

d) Engage sub-processors only under the conditions set out in Article 8 of this Agreement.

e) Assist the Controller in fulfilling its obligations to respond to requests for the exercise of data subjects’ rights, see Article 9.

f) Assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 GDPR (security, breach notification, impact assessment).

g) Upon termination of the provision of services, delete or return all personal data to the Controller and delete existing copies, unless Union or Member State law requires storage of the personal data concerned (see Article 11).

h) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for audits pursuant to Article 12 of this Agreement.

i) Immediately inform the Controller if, in its opinion, a given instruction infringes the GDPR or other data protection legislation.

8. Sub-processors

8.1 The Controller grants the Processor general authorisation to engage further processors (hereinafter “sub-processors”) under the conditions set out in this Agreement.

8.2 Current list of sub-processors engaged in the provision of the Service:

| Sub-processor | Purpose of processing | Location of processing | Safeguards |
|---|---|---|---|
| Supabase, Inc. | Cloud database, authentication, file storage | EU (Frankfurt, eu-central-1) | DPA, EU |
| Vercel, Inc. | Application hosting, edge functions, analytics | EU/USA | DPA + SCC |
| Resend, Inc. | Sending transactional emails | EU/USA | DPA + SCC |
| Stripe Payments Europe, Limited | Payment processing and invoicing | Ireland / EU | DPA |

8.3 The Processor undertakes to impose on sub-processors the same data protection obligations as are set out in this Agreement, by way of contracts or standard DPAs provided by the respective sub-processors.

8.4 Changes to the list of sub-processors: The Processor reserves the right to change the list of sub-processors. The Processor shall inform the Controller of the addition or replacement of a sub-processor at least 30 days in advance by updating this Agreement and/or by email to the address provided at registration. The Controller has the right to terminate the contractual relationship by deleting their user account before the change takes effect if they object to the new sub-processor. If the Controller has an active (prepaid) PRO plan at that time, they are entitled to a pro-rata refund of the subscription for unused months, by analogy with Article 9.4 of the Terms of Service.

8.5 Where a sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that sub-processor’s obligations.

9. Assistance to the Controller with Data Subject Requests

9.1 The Processor shall assist the Controller, by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller’s obligation to respond to requests for the exercise of data subjects’ rights (access, rectification, erasure, restriction, objection, portability).

9.2 The Service enables the Controller to independently exercise most data subject rights directly through the user interface (editing data, deleting records, exporting data).

9.3 If the Controller requires additional assistance from the Processor (e.g. export of specific data in a structured format), it may request this by email at info@tymovakasa.cz. The Processor shall respond without undue delay, within 14 days at the latest.

9.4 If a data subject contacts the Processor directly with a request relating to data processed on behalf of the Controller, the Processor shall refer them to the relevant Controller and inform the Controller of the request.

10. Security of Processing

10.1 Having regard to the nature, scope, context, and purposes of processing and to the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Processor has implemented the following technical and organisational measures:

  • Encryption of data in transit (HTTPS/TLS on all communication channels)
  • Encrypted password storage using a secure hash (bcrypt)
  • Row Level Security (RLS) at the database level, ensuring that each Controller has access only to their own team’s data
  • User authentication and authorisation via Supabase Auth
  • Regular data backups with recovery capability
  • Security updates for technologies and libraries in use
  • Logging and monitoring of system access
  • Restricted access to the production database, limited to essential personnel and under strictly controlled conditions

10.2 The Processor regularly reviews the adequacy of these measures and updates them as necessary in light of technological developments and emerging threats.

11. Procedure upon Termination of the Agreement

11.1 Upon termination of this Agreement (typically by deletion of the Controller’s user account), the Processor shall:

a) Delete all personal data processed under this Agreement. Upon requesting account deletion, a 7-day grace period begins during which the Controller may restore the account by logging in again. After this period expires, personal data is permanently deleted.

b) Exception for accounting and tax documents: Tax documents (invoices) related to payments for the PRO plan are retained by the Processor as the Service operator under statutory obligations for a period of 10 years in accordance with Act No. 563/1991 Coll., on Accounting. These documents are retained on the basis of the Processor’s own legal obligation, not on the basis of this Agreement.

c) Exception for team financial history: Where financial records were part of a team that continues to be operated by another controller (e.g. when one admin leaves and the team continues under a different admin), the records are preserved in the application. The reference to the deleted administrator in historical financial records is removed (set to an empty value). Upon permanent deletion of a player by the team administrator, historical financial records are preserved with the original name in order to maintain the integrity of the team’s accounting history. Conversely, where the team is no longer operated, the records are deleted together with the other data.

d) Backups: Backups containing data may exist for the period strictly necessary to ensure system recoverability (typically 7 days), after which they are overwritten.

11.2 Upon the Controller’s request, the Processor shall provide a data export in a structured, commonly used, and machine-readable format before deleting the data.

12. Audit and Inspection

12.1 The Processor shall enable the Controller to demonstrate compliance with the obligations set out in Article 28 GDPR and in this Agreement by providing relevant information upon request.

12.2 Given the nature of the Service (a cloud application with a large number of users), a physical on-site audit is practically not feasible. The parties have therefore agreed that compliance shall be demonstrated in the following ways:

a) By providing documentation of technical and organisational measures (Article 10)

b) By providing copies of DPAs with sub-processors upon request

c) By responding to specific written questions from the Controller regarding processing

12.3 The Processor shall respond to requests for information without undue delay, within 30 days at the latest.

12.4 Costs associated with audit requests beyond the scope of ordinary responses (e.g. repeated extensive requests) may be charged by the Processor to the Controller at a reasonable rate.

13. Notification of Security Breaches

13.1 The Processor shall notify the Controller of any personal data breach affecting data processed on behalf of the Controller without undue delay and, where feasible, within 48 hours of becoming aware of it.

13.2 The notification shall include:

  • A description of the nature of the breach
  • The categories and approximate number of data subjects and records concerned
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its possible adverse effects

13.3 The Controller is then responsible for fulfilling its own obligation to notify the supervisory authority of the breach (Article 33 GDPR) and, where applicable, to communicate the breach to the affected data subjects (Article 34 GDPR), if required.

14. Final Provisions

14.1 This Agreement is governed by the law of the Czech Republic, in particular the GDPR and Act No. 110/2019 Coll.

14.2 The Processor may amend this Agreement under the same conditions as it may amend the Terms of Service (Article 9 of the Terms of Service). The Controller shall be informed of any amendments by email at least 30 days in advance.

14.3 This Agreement enters into force on 9 April 2026.

14.4 By consenting to the Terms of Service upon registration of a user account, the Controller simultaneously accepts this Agreement in its entirety.


Ústí nad Labem, April 9, 2026