Data Processing Agreement
This Data Processing Agreement (the "DPA") forms part of, and is subject to, the agreement under which the Customer subscribes to the Klubio platform (the "Principal Agreement"). It governs the Processing of Personal Data by the Processor on behalf of the Controller and is entered into to comply with Article 28 of Regulation (EU) 2016/679 (the "GDPR").
The Parties
Processor: Qbit Software OÜ, an Estonian private limited company, registry code 17099698, registered at Heki tee 3, 74001 Harjumaa, Estonia, which operates the "Klubio" platform (the "Processor" or "Klubio"). "Klubio" is a trademark of Klubio LLC, a limited liability company organised in Wyoming, USA, used by the Processor under licence. Klubio LLC does not process personal data on behalf of the Controller and is not a party to this DPA.
Controller: the club, association or organisation that has entered into the Principal Agreement and uses the Klubio platform to manage its members and operations (the "Controller" or "Customer"). The Controller's identity and contact details are those provided during onboarding and recorded in the Processor's records.
The Controller and the Processor are each a "Party" and together the "Parties".
Background and roles
The Controller (typically a sports club or non-profit association, including Estonian MTÜs) determines the purposes and means of Processing the Personal Data of its members, athletes, guardians, staff and applicants. The Processor provides the Klubio software-as-a-service platform, through which such Personal Data is Processed. With respect to that member data, the Controller acts as data controller and the Processor acts as data processor.
This DPA does not apply to Personal Data for which the Processor is itself the controller (for example, the Customer's own account, billing and platform-usage data), which is governed by the Klubio Privacy Policy.
1. Definitions
Capitalised terms not defined in this DPA have the meaning given to them in the GDPR. "Personal Data", "Processing", "Data Subject", "Special Category Data", "Supervisory Authority" and "Personal Data Breach" have the meanings given in the GDPR. "Sub-processor" means any third party engaged by the Processor to Process Personal Data on the Controller's behalf. "Applicable Data Protection Law" means the GDPR and any Estonian or EU/EEA law supplementing it, including the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).
2. Subject matter, duration, nature and purpose
The subject matter, duration, nature and purpose of the Processing, the types of Personal Data and the categories of Data Subjects are described in Annex B. The Processing will continue for the duration of the Principal Agreement, subject to Section 10 (return and deletion).
3. Obligations of the Processor
The Processor shall:
Process only on documented instructions. Process Personal Data only on the Controller's documented instructions — including as to international transfers — unless required to do otherwise by EU or Member State law, in which case the Processor shall inform the Controller of that legal requirement before Processing, unless the law prohibits such information on important grounds of public interest. The Principal Agreement, this DPA and the Controller's use of the platform's configuration options constitute the Controller's documented instructions.
Notify unlawful instructions. Immediately inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.
Ensure confidentiality. Ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Implement security measures. Implement and maintain the technical and organisational measures set out in Annex C, in accordance with Article 32 GDPR.
Engage Sub-processors only under Section 5. Engage Sub-processors only in accordance with the conditions set out in Section 5.
Assist with Data Subject rights. Taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests to exercise Data Subject rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection).
Assist with compliance obligations. Assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments and prior consultation), taking into account the nature of Processing and the information available to the Processor.
Support audits. Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, in accordance with Section 8.
Delete or return data. At the end of the provision of services, delete or return all Personal Data in accordance with Section 10.
4. Obligations of the Controller
The Controller shall:
Comply with its own obligations as a controller under Applicable Data Protection Law, including establishing a lawful basis for the Processing and, where required, obtaining valid consent (including parental consent for children below the applicable digital-consent age — 13 in Estonia).
Provide its Data Subjects with all required transparency information (privacy notices) regarding the Processing carried out through the platform.
Issue only lawful instructions and be solely responsible for the accuracy, quality and legality of the Personal Data and the means by which it acquired it.
Be responsible for the data it chooses to enter into the platform, including Special Category Data (such as health and injury data) and children's data, and for restricting access within its own organisation through the platform's role and permission settings.
5. Sub-processors
The Controller grants the Processor general written authorisation to engage Sub-processors. A current list of Sub-processors is maintained at the Klubio Sub-processors page and forms Annex D to this DPA.
The Processor shall: (a) impose on each Sub-processor, by written contract, data-protection obligations no less protective than those in this DPA; (b) remain fully liable to the Controller for the performance of each Sub-processor's obligations; and (c) inform the Controller of any intended addition or replacement of a Sub-processor, giving the Controller the opportunity to object on reasonable data-protection grounds within 14 days of being informed. If the Controller objects and the Parties cannot resolve the objection, the Controller may terminate the affected services.
6. International transfers
The Processor stores and Processes Personal Data within the European Economic Area (EEA) wherever reasonably practicable. Where Processing by a Sub-processor involves a transfer of Personal Data to a country outside the EEA without an adequacy decision, the Processor shall ensure that an appropriate transfer mechanism under Chapter V GDPR is in place — in particular the European Commission's Standard Contractual Clauses (2021/914) together with any supplementary measures required. Annex D identifies, for each Sub-processor, its location and the applicable transfer safeguard.
7. Personal Data Breaches
The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Controller's Personal Data. The notification shall, to the extent available, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed. The Processor shall cooperate with the Controller and take reasonable steps to mitigate and remediate the breach. The Controller is responsible for any notification to the Supervisory Authority and to affected Data Subjects under Articles 33 and 34 GDPR.
8. Audit
The Processor shall make available to the Controller, on reasonable request and no more than once per year (unless required by a Supervisory Authority or following a Personal Data Breach), the information and documentation reasonably necessary to demonstrate compliance with this DPA — which may take the form of up-to-date certifications, third-party audit reports or a written description of the technical and organisational measures. On-site inspections shall be conducted on reasonable prior notice, during business hours, in a manner that does not disrupt the Processor's operations or compromise the confidentiality of other customers' data.
9. Liability
Each Party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement. Nothing in this DPA limits any liability that cannot be limited under Applicable Data Protection Law.
10. Term, return and deletion
This DPA takes effect on the effective date of the Principal Agreement and continues for as long as the Processor Processes Personal Data on the Controller's behalf. On termination or expiry of the Principal Agreement, the Processor shall, at the Controller's choice, delete or return all Personal Data Processed on the Controller's behalf and delete existing copies, within 30 days, unless EU or Member State law requires storage of the Personal Data. In particular, accounting records (including issued invoices) are retained for the statutory period required by the Estonian Accounting Act (currently 7 years), after which they are deleted. Personal Data held in routine backups is deleted in accordance with the Processor's backup-rotation cycle.
11. Governing law and jurisdiction
This DPA is governed by the laws of the Republic of Estonia and, where applicable, the EU. The competent Supervisory Authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon). Disputes are subject to the jurisdiction agreed in the Principal Agreement.
Annex A — Parties and contacts
Processor: Qbit Software OÜ, registry code 17099698, Heki tee 3, 74001 Harjumaa, Estonia. Data-protection contact: info@klubio.eu.
Controller: the Customer identified in the Principal Agreement; contact details as provided during onboarding.
Annex B — Description of the Processing
Subject matter: provision of the Klubio club-management platform to the Controller.
Duration: the term of the Principal Agreement, plus any statutory retention period.
Nature and purpose of Processing: hosting, storage, organisation, retrieval, display and transmission of Personal Data for the purposes of club and membership administration, training and attendance management, communications and notifications, billing and invoicing, contract and consent management, and — where the Controller enables it — athlete medical/injury management.
Categories of Data Subjects:
Club members and athletes, including children;
Parents, guardians and emergency/pickup contacts;
Coaches, administrators and other club staff;
Applicants and prospective members.
Categories of Personal Data:
Identity and contact data: name, email, phone, date of birth, national identification number, address;
Membership and participation data: group/team membership, attendance, training records, RSVPs;
Guardian and relationship data: guardian names and contacts, relationship, pickup and notification permissions;
Financial and billing data: invoices, payments, billing overrides;
Contract and consent data: agreements signed, signatory name and email, IP address and timestamp of signature;
Communications data: emails sent/received via the platform, in-app notifications, notification preferences;
Special Category Data (Article 9 GDPR), where the Controller enables and uses the medical features: health data including allergies, medical comments, medical check-up dates, injuries and diagnoses, anatomical injury localisation (body map), return-to-play/availability status, medical test results, and injury-related file attachments.
Special Category Data note: the Controller is responsible for establishing a valid Article 9 condition (typically explicit consent, or another applicable condition) before entering health data, and for restricting access to authorised staff via the platform's permission controls. The Processor applies field-level encryption to designated health fields as described in Annex C.
Frequency of Processing: continuous, for the duration of the Principal Agreement.
Annex C — Technical and organisational measures (Article 32)
Note: this Annex summarises the measures and should be kept in sync with the internal "Technical and Organisational Measures (TOMs)" record. Confirm each item reflects current production reality before publishing.
Encryption in transit: all platform traffic is served over HTTPS/TLS.
Encryption at rest: the database and object storage are encrypted at rest by the hosting provider. In addition, designated Special Category fields (e.g. allergies, medical comments, injury diagnoses and notes) and stored accounting credentials are encrypted at the application layer using AES-256-GCM.
Access control: role-based access control scopes data by club and by role/permission; members, coaches and administrators see only the data their permissions allow. Medical data is restricted to authorised roles.
Tenant isolation: data is logically segregated per club (tenant) at the application layer.
Storage of files: document and medical attachments are stored in a private object-storage bucket, not publicly accessible.
Authentication: credential-based authentication with secure password handling; session expiry and cleanup.
Pseudonymisation/minimisation: access to special-category data is minimised to authorised personnel; the platform supports account deactivation and deletion workflows.
Resilience and backup: managed database backups are taken regularly by the hosting provider (DigitalOcean), with point-in-time recovery, and retained for approximately 7 days.
Logging: changes to certain sensitive records (e.g. medical status) are logged with the acting user and timestamp.
Annex D — Authorised Sub-processors
The current list of Sub-processors, including each Sub-processor's purpose, location and transfer safeguard, is maintained at the Klubio Sub-processors page and is incorporated into this DPA by reference. As at 13 June 2026 it comprises (at least): the transactional email provider (Postmark / Wildbit), the hosting and object-storage provider DigitalOcean, Amsterdam, the payment processor Maksekeskus AS, and — only where the Controller enables an accounting integration — the relevant Estonian accounting provider (Merit Aktiva or Excellent Books).