Version 1.0 · Effective 4 July 2026 · Between each club using FullPanel ("the Club", data controller) and FullPanel, operated by Niall O'Neill, Ireland ("the Processor"). This agreement is incorporated into every FullPanel subscription, on every plan including Free, and applies automatically — no signature required. A signed copy is available on request via niallmoneill@gmail.com. Print or save this page for your club's records.
The Processor provides a club-management platform (squad management, safeguarding register, scheduling, communication, coaching plans, membership payments and fundraising). Processing lasts for the duration of the Club's use of the service and consists of storing, organising, displaying and transmitting the personal data the Club enters or imports, solely to provide the service.
The Processor processes personal data only on the Club's documented instructions — given through the Club's use of the service — unless required otherwise by EU or Irish law, in which case the Processor informs the Club before processing unless the law prohibits it. The Processor immediately informs the Club if, in its opinion, an instruction infringes the GDPR.
Persons authorised to process the data are bound by confidentiality. Technical and organisational measures include: EU (Ireland) data residency; encryption in transit and at rest; per-user authentication; database-enforced row-level security so each club's data is isolated and roles are restricted at the database layer (a coach can only reach their own teams; under-16s can hold no login; the Processor's own support function is structurally excluded from children's personal data); and a server-side, non-erasable audit log of administrative actions.
The Club gives general authorisation for the sub-processors below. The Processor will notify clubs of intended changes (via the service or email), giving an opportunity to object, and imposes equivalent data-protection obligations on each sub-processor.
| Sub-processor | Purpose | Location / transfer mechanism |
|---|---|---|
| Supabase | Database & storage | EU (Ireland) |
| Vercel | Hosting | EU/US — SCCs / EU-US Data Privacy Framework |
| Clerk | Authentication | US — SCCs / EU-US Data Privacy Framework |
| Stripe | Payment processing | EU/US — Stripe GDPR programme |
| Resend | Transactional email | US — SCCs |
| Anthropic | In-app assistant & AI plan drafting (prompt text only; no model training on club data) | US — SCCs |
The service gives the Club self-serve tools to meet requests: per-member subject-access export (Admin ▸ Data & GDPR), correction (Members tab), and erasure (member deletion). For anything not self-serve, the Processor assists within 10 working days of a request to niallmoneill@gmail.com.
The Processor notifies the Club without undue delay, and in any case within 72 hours of becoming aware of a personal-data breach affecting the Club's data, with the information the Club needs for its own Art. 33/34 obligations.
The Processor provides reasonable assistance with data-protection impact assessments and prior consultations relating to processing on the service, taking into account the information available to it.
On termination of the subscription the Club may export its data (CSV/JSON exports in-app). Unless EU or Irish law requires retention, the Processor deletes the Club's personal data within 30 days of a deletion request following termination, and confirms deletion on request. Payment records held by Stripe follow Stripe's statutory retention.
The Processor makes available the information reasonably necessary to demonstrate compliance with Art. 28 and, no more than once per year and on 30 days' notice, allows an audit or inspection by the Club or its mandated auditor, at the Club's cost, in a manner that does not put other clubs' data at risk.
This agreement is governed by Irish law. If it conflicts with any other terms between the Club and the Processor, this agreement prevails for data-protection matters. Liability follows the parties' underlying service terms.