Data Processing Addendum
Effective Date: March 20, 2026 • Last Updated: March 2026
This Data Processing Addendum ("DPA") supplements the BallBot Terms of Service and describes how BallBot processes personal data on behalf of Coaches.
1. Roles
- Data Controller: The Coach. You decide what Client data to collect, why to collect it, and how to use it within BallBot.
- Data Processor: BallBot. We store, process, and transmit Client data on your behalf according to your instructions (as expressed through your use of BallBot features and configurations).
2. Scope of Processing
BallBot processes Client data for the following purposes, as directed by the Coach:
- Storing and displaying client records (names, contact info, activity, skill level, notes).
- Sending and receiving messages on the Coach's behalf (email via Resend, WhatsApp via Twilio).
- Syncing data to the Coach's Google Calendar and Google Contacts.
- Generating AI-powered content (draft messages, lesson plans, email parsing, template personalization) via Google Gemini.
- Processing payments (via Stripe, where the Coach has enabled payment features).
- Providing read-only Client portal access (schedule, classes, messages).
3. Data Categories Processed
| Category | Examples | Sensitivity |
| --- | --- | --- |
| Identity data | Full name, preferred name | Standard |
| Contact data | Email, phone, WhatsApp number, address | Encrypted (AES-256-GCM) |
| Activity data | Sport/activity, skill level, session history, attendance | Standard |
| Communication data | Messages, email content, form submissions | Standard |
| Financial data | Payment history, balances (card data handled by Stripe) | No card data stored by BallBot |
4. Sub-Processors
BallBot uses the following sub-processors to deliver the Service:
| Sub-Processor | Purpose | Location |
| --- | --- | --- |
| Supabase (AWS) | Database, authentication, file storage | United States |
| Vercel | Application hosting | United States |
| Google (Gemini API) | AI processing | United States |
| Google (Gmail, Calendar, Contacts APIs) | Email, calendar, contacts integration | United States |
| Stripe | Payment processing | United States |
| Twilio | WhatsApp messaging | United States |
| Resend | Email delivery | United States |
We will notify you before adding or replacing a sub-processor that handles Client data. If you object to a new sub-processor, you may terminate your subscription.
5. Security Measures
BallBot implements the following technical and organizational measures to protect Client data:
- Encryption at rest (Supabase/AWS default encryption) and in transit (TLS/HTTPS).
- Application-level encryption of sensitive fields (AES-256-GCM).
- Multi-tenant isolation via Row Level Security (RLS) on all database tables.
- API key authentication with 90-day expiration and scope controls.
- Webhook signature verification for inbound data from Stripe and Twilio.
- Per-endpoint rate limiting to prevent abuse.
- Security headers (CSP, HSTS, X-Frame-Options) on all responses.
- Audit logging of all significant data processing activities.
6. Data Deletion
Upon termination of the Coach's account, BallBot will delete all Client data within 30 days. The Coach may request earlier deletion by contacting hello@ballbot.coach. Deletion is permanent and cannot be reversed after the 30-day retention period.
7. Data Breach Notification
In the event of a personal data breach affecting Client data, BallBot will:
- Notify the affected Coach(es) by email within 72 hours of becoming aware of the breach.
- Provide a description of the nature of the breach, the categories of data affected, and the measures taken to address it.
- Cooperate with the Coach in fulfilling any notification obligations the Coach may have to their Clients or regulatory authorities.
8. Coach Rights
As the Data Controller, you have the right to:
- Access all Client data stored in BallBot via the dashboard, API, MCP, or CLI.
- Export your data at any time by contacting hello@ballbot.coach.
- Request deletion of specific Client records or your entire account.
- Instruct BallBot on how to process data (by configuring features, automation modes, and AI settings).
- Disable AI processing if you do not wish Client data to be sent to Google Gemini.
9. Cooperation
BallBot will assist the Coach in responding to requests from the Coach's Clients to access, correct, or delete their personal data, to the extent technically feasible.