Data Processing Addendum

Quick Plays processes personal data to provide the basketball coaching platform described in our Terms — diagramming plays, managing rosters, planning practices, sharing content within and between teams. Processing lasts as long as the underlying agreement and ends on account termination.

• Coach data: email, display name, sign-in metadata, content authored.
• Roster data: player names, jersey numbers, positions, status, optional contact email, optional season statistics.
• Activity data: events emitted by the app to power dashboards (play created, play saved, etc.) — see the events taxonomy in our Privacy Policy.

We never process payment data; there is no paid plan today. We never process special-category data (health, biometric, etc.).

The Controller (your organization) determines what data is entered and for what purpose. Quick Plays acts only on documented instructions — typically the configuration set in the admin surface (account settings, sharing toggles, invite flows). We do not use Controller data for our own purposes, do not sell it, and do not use it to train AI models.

We use a small number of sub-processors to operate the service — all in the United States. The current list lives at /legal/subprocessors. Changes are published there with a last-updated date; material additions get a heads-up via the in-app notification bell before they take effect. Object to a new sub-processor within 30 days of notice by emailing the contact below.

See Privacy Policy → Security for the technical and organisational measures. Notably: HTTPS in transit, Postgres row-level security at rest, server-side moderation of public content, append-only audit logs (rolling out in our org tier), no plaintext passwords (passwordless OTP only), and Supabase’s SOC 2 Type II posture on the underlying database.

Quick Plays surfaces self-service data export and deletion in Settings — see Privacy Policy → Your rights. For requests originating from a data subject that cannot complete self-service (locked out of OTP, etc.) we work through the Controller’s admin contact. SLA: 30 days for access / rectification / deletion requests; faster for verified-urgent cases.

All Controller data is stored in Supabase’s us-west-2 region (Oregon, USA). The application bundle is served via Cloudflare’s global edge network from origin in the US. Quick Plays does not transfer Controller data outside the US.

We will notify the Controller without undue delay (typically within 72 hours of confirmed identification) of any personal-data incident affecting Controller data, with the facts known at the time, scope of affected records, remediation steps, and a point of contact for follow-up.

On termination of the underlying agreement, Quick Plays returns or deletes Controller data within 30 days. Backup snapshots may contain residual copies for up to 30 additional days before rolling off.

To request a counter-signed copy of this DPA, email [email protected] with your organization name, governing-law jurisdiction, and a point of contact. Turnaround: a few business days. If you need custom contract paper (e.g. an institutional MSA + your own DPA attachment), reach out and we’ll work through it.