Data Processing Agreement

How Centro processes data on behalf of your club

Last updated: March 14, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service (withcentro.com/terms) between Centro ("Processor," "we," "us," or "our") and the club, organization, or individual that has created an account on the Centro platform ("Controller," "you," or "your"). This DPA governs the processing of personal data that you submit to the Centro platform on behalf of your members.

By using the Centro platform, you agree to this DPA. If you do not agree, you may not use the platform to process personal data.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable individual, including but not limited to names, email addresses, phone numbers, dates of birth, physical addresses, payment information, medical information, and emergency contact details.

"Member Data" means Personal Data about your club's members, including club owners, administrators, coaches, parents, players, and any other individuals whose data you enter into the Centro platform.

"Processing" means any operation performed on Personal Data, including collection, storage, use, retrieval, transmission, modification, and deletion.

"Data Controller" (or "Controller") means the entity that determines the purposes and means of Processing Personal Data. Under this DPA, the Controller is you — the club or organization using Centro.

"Data Processor" (or "Processor") means the entity that processes Personal Data on behalf of the Controller. Under this DPA, the Processor is Centro.

"Sub-processor" means a third-party service provider engaged by Centro to assist in Processing Personal Data.

"Data Subject" means the individual to whom Personal Data relates — your club's members, parents, players, coaches, and other personnel.

"Applicable Data Protection Law" means all laws and regulations relating to the processing of Personal Data that apply to the parties, including but not limited to the Children's Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) where applicable, and Florida state privacy laws.

2. Roles and Responsibilities

2.1 You as Data Controller

You determine what Personal Data is collected, why it is collected, and how it is used within your club's operations on the Centro platform. You are responsible for:

  • Ensuring you have a lawful basis for collecting and processing Member Data
  • Obtaining all necessary consents from Data Subjects, including parental consent for players under 13 as required by COPPA
  • Informing your members about how their data will be used, including that it will be processed by Centro
  • Ensuring the accuracy of data you enter into the platform
  • Complying with all Applicable Data Protection Laws in your jurisdiction
  • Responding to data access, correction, and deletion requests from your members
  • Determining your own data retention policies within the platform

2.2 Centro as Data Processor

Centro processes Member Data solely on your behalf and according to your instructions (as expressed through your use of the platform's features). We are responsible for:

  • Processing Member Data only for the purposes of providing the Centro platform and related services
  • Implementing appropriate technical and organizational security measures to protect Member Data
  • Not selling, renting, or sharing Member Data with third parties for their own purposes
  • Assisting you in responding to Data Subject requests where technically feasible
  • Notifying you of any data breach affecting your Member Data
  • Returning or deleting Member Data upon termination of your account, in accordance with Section 9 of this DPA
  • Ensuring our Sub-processors are bound by equivalent data protection obligations

3. Data We Process

The following categories of Personal Data may be processed through the Centro platform, depending on the features you use:

Account and Identity Data: Names, email addresses, phone numbers, profile information of club staff, coaches, parents, and players.

Player Data: Names, dates of birth, jersey numbers, positions, team assignments, skill evaluations, attendance records, and development tracking data.

Medical and Emergency Data: Medical conditions, allergies, medications, emergency contact names and phone numbers, as provided by parents or guardians during registration.

Financial Data: Invoice amounts, payment history, payment method types (note: full credit card numbers are processed by Stripe and never stored on Centro's servers), and billing addresses.

Communication Data: Messages sent between club members through the Centro messaging system.

Document Data: Files uploaded to the platform including waivers, signed documents, medical forms, and other club documents.

Registration Data: Information submitted through public registration and tryout forms.

4. Sub-processors

Centro uses the following third-party Sub-processors to provide the platform. Each Sub-processor processes data only as necessary for their specific function:

| Sub-processor | Function | Data Processed | Location |
|---|---|---|---|
| Stripe | Payment processing | Payment details, billing info, transaction records | United States |
| Clerk | Authentication and identity | Name, email, authentication credentials | United States |
| Neon | Database hosting | All platform data (encrypted at rest) | United States |
| Vercel | Application hosting and CDN | Request data, IP addresses, application data | United States (global CDN) |
| Vercel Blob | File storage | Uploaded documents and images | United States |
| Resend | Email delivery | Email addresses, email content | United States |
| Pusher | Real-time messaging | Chat messages (in transit only, not stored) | United States |
| Upstash | Rate limiting | IP addresses, request counts (ephemeral) | United States |

We will notify you before adding or replacing any Sub-processor that processes Member Data. We provide at least 30 days' notice before any Sub-processor change takes effect. If you object to a new Sub-processor, you may terminate your account.

We ensure that all Sub-processors are contractually bound to protect Personal Data to at least the same standard as this DPA.

5. Security Measures

Centro implements the following technical and organizational measures to protect Member Data:

Encryption: All data is encrypted in transit using TLS 1.2+ (HTTPS) and encrypted at rest in our database.

Authentication: Multi-factor authentication available through Clerk. All user sessions are securely managed with short-lived tokens.

Access Controls: Role-based access control (RBAC) limits data access within each club. Coaches see only their teams' data. Parents see only their children's data. Multi-tenant architecture ensures complete data isolation between clubs.

Payment Security: Payment processing is handled by Stripe, which is PCI-DSS Level 1 certified. Centro never stores, processes, or transmits full credit card numbers.

Infrastructure: The platform is hosted on Vercel's infrastructure with automatic security updates, DDoS protection, and geographic redundancy.

Monitoring: Server-side logging and error tracking for security events. Rate limiting on all public endpoints and API routes.

Audit Logging: All significant actions (data creation, modification, deletion, access, exports) are logged with timestamps and user identification.

6. Data Breach Notification

In the event of a security breach that results in unauthorized access to, or loss or disclosure of, Member Data:

We will notify you without undue delay and in any event within 72 hours of becoming aware of the breach.

Our notification will include: the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures we are taking to address the breach and mitigate its effects.

We will cooperate with you in notifying affected Data Subjects and relevant authorities as required by Applicable Data Protection Law.

You are responsible for determining whether and how to notify your own members, in accordance with your legal obligations.

7. Data Subject Rights

If a member of your club (a Data Subject) contacts Centro directly with a request to access, correct, delete, or port their data, we will:

  • Direct the Data Subject to contact your club, as the Data Controller, to handle the request.
  • Notify you of the request within 5 business days.
  • Assist you in fulfilling the request through the platform's existing features (such as data export, member deletion, and profile editing) or through reasonable technical assistance.

You are responsible for responding to Data Subject requests within the timeframes required by Applicable Data Protection Law.

8. Children's Data and COPPA Compliance

Centro is designed for youth sports organizations and processes data about minors (players under 18, including children under 13).

Controller's Responsibility

You, as the club, are the operator under COPPA with respect to the collection of children's Personal Data. You are responsible for obtaining verifiable parental consent before entering a child's information into the Centro platform. Centro's public registration forms include parental consent mechanisms, but you are responsible for ensuring these are properly used.

Centro's Commitments

We do not collect Personal Data directly from children. All player data is entered by parents, coaches, or club administrators. We do not use children's data for marketing or advertising purposes. We do not disclose children's data to third parties except as described in this DPA (Sub-processors). We support parental review, correction, and deletion of children's data through the platform's features.

If we become aware that a child's data has been entered into the platform without proper parental consent, we will work with you to either obtain consent or delete the data.

9. Data Retention and Deletion

While your account is active: Member Data is retained as long as you maintain it on the platform. You can delete individual member records, messages, documents, and other data at any time through the platform's administrative features.

Upon account termination: We will make your data available for export for 90 days following account closure. After 90 days, all Member Data associated with your club will be permanently and irreversibly deleted from our systems, including backups (within 30 additional days for backup rotation).

Financial records: Payment records and transaction data may be retained for up to 7 years as required by tax and financial regulations, even after account deletion.

Aggregated data: We may retain anonymized, aggregated data that cannot identify individual Data Subjects for the purpose of improving the platform. This data is not Personal Data.

10. International Data Transfers

Centro is operated from the United States. All Sub-processors listed in Section 4 are based in or primarily process data in the United States. If you or your members are located outside the United States, Personal Data will be transferred to the United States for processing.

For transfers subject to the GDPR, we rely on Standard Contractual Clauses or other lawful transfer mechanisms as appropriate.

11. Audits and Compliance

Upon reasonable request and subject to confidentiality obligations, we will provide you with information necessary to demonstrate our compliance with this DPA. This may include:

  • Summaries of our security measures and practices
  • Copies of relevant third-party security certifications or audit reports (where available from our Sub-processors)
  • Responses to reasonable written questionnaires about our data protection practices

We are not required to provide access to our source code, proprietary systems, or other clubs' data.

12. Limitation of Liability

Centro's total liability under this DPA is subject to the limitation of liability provisions in our Terms of Service. We are not liable for data protection failures caused by:

  • Your failure to obtain necessary consents from Data Subjects
  • Your entry of inaccurate or unauthorized data into the platform
  • Your failure to comply with Applicable Data Protection Laws
  • Actions of your club's authorized users (owners, admins, coaches) within the platform
  • Third-party services you integrate with separately from Centro

13. Term and Termination

This DPA remains in effect for as long as you have an active Centro account. It automatically terminates when your account is closed, subject to the data retention obligations in Section 9.

Sections that should survive termination: Sections 6 (Data Breach Notification), 9 (Data Retention and Deletion), 11 (Audits), and 12 (Limitation of Liability).

14. Changes to This DPA

We may update this DPA from time to time. Material changes will be communicated via email at least 30 days before they take effect. Your continued use of the platform after the effective date constitutes acceptance of the updated DPA. If you do not agree, you may close your account.

15. Contact Us

For questions about this DPA or our data processing practices:

Centro
Email: support@withcentro.com
Miami, Florida, United States

For data protection inquiries specifically, you may also contact: privacy@withcentro.com