Data Processing Addendum

Polo HQ LTD

Effective Date: March 5th 2026

Last Updated: March 5th 2026

This Data Processing Addendum forms part of the Terms of Service governing the use of the Polo HQ platform operated by Polo HQ LTD. It defines the responsibilities of Polo HQ LTD and organisations using the platform in relation to the processing of personal data.

This Addendum applies where organisations upload, store, manage, or otherwise process personal data through the Polo HQ platform.

1. Parties

This Data Processing Addendum is entered into between:

Polo HQ LTD, a company incorporated in England and Wales with company number 17059471 and registered office at 43 Diamond Ridge, Camberley, Surrey, GU15 4LB, United Kingdom (“Processor”).

and

The organisation or entity using the Polo HQ platform to manage its operational activities (“Controller”).

2. Scope of Processing

The Controller uses the Polo HQ platform to manage operational activities relating to polo organisations, including player management, scheduling, document storage, administrative records, and financial or operational information.

In doing so, the Controller may upload or store personal data relating to players, staff, contractors, members, or other individuals associated with the organisation.

The Processor provides the technical infrastructure required to host, store, and process this information within the platform.

3. Roles of the Parties

The Controller determines the purposes and means of processing personal data uploaded to the platform.

The Processor processes personal data solely for the purpose of providing and maintaining the platform services described in the Terms of Service.

The Processor does not determine how organisations use the personal data they upload and does not independently access, analyze, or use such data except where necessary to operate, maintain, or secure the platform.

4. Categories of Data Subjects

Data subjects whose personal data may be processed through the platform include:

• players
• team members
• organisation staff
• contractors
• administrators
• participants associated with polo organisations

Data relating to minors aged 13 to 17 may also be processed where organisations upload such information as part of their operational management.

5. Categories of Personal Data

Personal data processed through the platform may include:

• names
• contact information such as email addresses and phone numbers
• dates of birth
• organisational roles or participation information
• availability or scheduling information
• documents uploaded by organisations

Organizations may also upload documents that contain personal or sensitive information including identification records, contracts, visa documents, or other operational materials.

The Processor does not control the type of documents uploaded by organisations.

6. Lawful Basis for Processing

The Controller is responsible for ensuring that any personal data uploaded to the platform is processed in accordance with applicable data protection laws.

This includes ensuring that the Controller has a lawful basis for processing such data and that appropriate notices or consents have been obtained where required.

The Processor processes personal data only on documented instructions from the Controller, as reflected in the use of the platform and the Terms of Service.

7. Security Measures

Polo HQ LTD implements technical and organisational measures designed to protect personal data processed within the platform.

These measures include secure infrastructure environments, authentication controls, encrypted communication protocols, and restricted system access.

The Processor regularly maintains and monitors infrastructure security in order to protect the confidentiality, integrity, and availability of personal data stored within the platform.

8. Subprocessors

The Processor relies on certain third-party service providers to deliver infrastructure necessary to operate the platform.

These providers act as subprocessors and may process personal data solely for the purpose of providing their infrastructure services.

Current subprocessors include:

Supabase
Database infrastructure and data storage hosted on Amazon Web Services.

Vercel
Application hosting and deployment infrastructure.

Resend
Transactional email delivery services.

Stripe
Payment processing and subscription billing services.

These subprocessors operate under contractual obligations designed to ensure the protection of personal data.

The Processor may update or replace subprocessors where necessary to maintain or improve the platform infrastructure.

9. International Data Transfers

Some subprocessors used by the Processor operate infrastructure located outside the United Kingdom.

As a result, personal data may be transferred to jurisdictions including the United States.

Where such transfers occur, appropriate safeguards are implemented to ensure that personal data is protected in accordance with UK data protection laws.

These safeguards may include contractual data protection commitments and security measures implemented by the subprocessors.

10. Data Subject Rights

Individuals whose personal data is stored within the platform may have certain rights under applicable data protection laws, including rights of access, correction, deletion, or restriction of processing.

Because organisations act as Data Controllers, requests relating to personal data should generally be directed to the organisation responsible for managing that data.

The Processor will provide reasonable assistance to organisations where necessary to support the fulfillment of such requests.

11. Data Breach Notification

If the Processor becomes aware of a personal data breach affecting data stored within the platform, the Processor will notify the relevant Controller without undue delay.

The Processor will provide available information regarding the nature of the breach and cooperate with the Controller where necessary to address the incident.

12. Data Retention and Deletion

The Processor retains personal data only for the period necessary to provide the platform services.

When an organisation terminates its use of the platform, the Controller may request deletion of its data where appropriate.

The Processor may retain certain information for limited periods where necessary for security, legal compliance, or operational continuity.

13. Confidentiality

Personnel and contractors of the Processor who have access to personal data are subject to confidentiality obligations.

Access to personal data is restricted to individuals who require such access in order to operate or maintain the platform.

14. Liability

Each party remains responsible for complying with its respective obligations under applicable data protection laws.

Nothing in this Addendum limits or excludes liability where such limitation would be unlawful under applicable data protection legislation.

15. Governing Law

This Data Processing Addendum is governed by the laws of England and Wales.

Any disputes relating to this Addendum shall be subject to the jurisdiction of the courts of England and Wales.

16. Relationship with the Terms of Service

This Addendum forms part of and should be read together with the Terms of Service governing the Polo HQ platform.

In the event of any conflict between this Addendum and the Terms of Service relating to data protection matters, this Addendum shall prevail.

17. Contact Information

Questions relating to this Data Processing Addendum may be directed to:

Polo HQ LTD
43 Diamond Ridge
Camberley, Surrey
GU15 4LB
United Kingdom

Email: info@polohq.com