EasyYouthClub
Features Pricing About Contact
Sign In Book a Demo
Legal

Data Processing Agreement

How we handle the personal data you upload about your members, staff and parents.

Last updated: April 2026

About this DPA

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the Customer (the “Data Controller”) and Jon Hubbard t/a Technoliga (the “Data Processor”), the trading entity behind EasyYouthClub.

It applies whenever the Customer uploads personal data into the EasyYouthClub platform and is designed to satisfy the requirements of Article 28 of the UK GDPR.

Roles

  • The Customer is the Data Controller: it determines the purposes and means of processing the personal data uploaded into its Tenant Site.
  • Jon Hubbard t/a Technoliga is the Data Processor: we process Customer Data only on documented instructions from the Customer, primarily by providing the Service.
  • The Customer remains responsible for establishing the lawful basis for processing, obtaining and recording any required consents, responding to data subject rights, and complying with safeguarding and other regulatory obligations.

Categories of data

Customer Data uploaded to EasyYouthClub may include the following categories of personal data:

  • Staff: names, contact details, addresses, DBS certificate numbers and dates, qualifications, training records, employment history and payroll-related information.
  • Members (young people, often under 18): names, dates of birth, addresses, medical information, dietary requirements, photo and trip consents, attendance records and safeguarding notes.
  • Parents and guardians: names, contact details and relationship to the member.
  • Special category data (UK GDPR Article 9), where the Customer chooses to record it — for example health and medical information, ethnicity or religious beliefs.

Purposes

We process Customer Data solely to provide the EasyYouthClub Service to the Customer and to fulfil our obligations under the Terms of Service. We will not use Customer Data for our own purposes, sell it, or share it with third parties except as set out in this DPA.

Sub-processors

We engage the following categories of sub-processor to deliver the Service:

  • Cloud infrastructure / hosting provider (UK or EEA region)
  • Email delivery provider (such as Postmark or AWS SES)
  • SMS provider (such as Twilio), where the Customer enables SMS
  • Payment processor (Stripe), for billing the Customer

A current sub-processor list is available on request. We will give the Customer at least 30 days’ notice of any new or replacement sub-processor. The Customer may object on reasonable grounds; if the parties cannot agree a way forward, the Customer may terminate the affected service for convenience.

Security measures

We implement appropriate technical and organisational measures to protect Customer Data, including:

  • Encryption in transit (TLS 1.2 or higher) and encryption at rest
  • Database-per-tenant isolation — each Customer’s operational data is stored in a dedicated database, with no shared tables across tenants
  • Role-based access controls and the principle of least privilege for our staff
  • Audit logging of administrative actions
  • Regular automated backups, encrypted at rest
  • Annual security review and ongoing vulnerability monitoring

Data subject requests

If a data subject (such as a parent, member or member of staff) approaches us directly with a rights request relating to Customer Data, we will refer them to the Customer.

We will assist the Customer in responding to data subject requests within reasonable timescales, and the Service provides tools to export, correct and delete personal data so the Customer can fulfil requests itself.

Data breach notification

If we become aware of a personal data breach affecting Customer Data, we will notify the Customer without undue delay, and in any event within 72 hours of becoming aware. Our notification will include the information the Customer reasonably needs to meet its own breach reporting obligations under the UK GDPR.

International transfers

By default, Customer Data is stored on infrastructure located in the United Kingdom or the European Economic Area. Where any transfer of Customer Data outside the UK is necessary — for example to a sub-processor with support staff overseas — the transfer is protected by the UK’s International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism.

Audits

  • The Customer may request reasonable evidence of our compliance with this DPA — for example, summaries of our security policies, the most recent penetration test report, or sub-processor information.
  • For enterprise customers, on-site or remote audits are available with reasonable advance notice and at the Customer’s cost. Audits must not unreasonably interfere with our normal operations.

Termination of processing

  • On termination of the Service, the Customer may export Customer Data for a further 30 days.
  • We will delete or return all Customer Data within 30 days of the end of the subscription, unless we are required to retain it by law.
  • Customer Data may persist in encrypted backups for up to a further 90 days, after which it is permanently deleted as part of our standard backup rotation.

Liability

Liability under this DPA is governed by, and subject to, the limitations set out in the Terms of Service.

Contact

For any question relating to this DPA, or to request our current sub-processor list, email [email protected].

Postal address:

Jon Hubbard t/a Technoliga
2 Sweetbriar Road
Melksham
Wiltshire SN12 6FR
United Kingdom

Have questions about our policies?

We’re happy to walk you through anything in plain English. Get in touch and we’ll come back to you within one business day.

Contact us