Last updated: 2026-05-24
Our subprocessors
CoDi Tennis uses the third-party services listed below to operate the platform. Each one processes some part of your personal data on our behalf, under a written contract that requires the service to handle your data per our instructions and per applicable privacy law.
This page is updated whenever we add, remove, or materially change a subprocessor. Subscribe to the privacy@coaching.direct notify list if you want advance notice of changes (typical lead time: 30 days).
- Your data goes to a handful of named companies: Stripe (payments), Supabase (database, hosted in Sydney), Vercel (web hosting), Resend (transactional email), Anthropic (future AI features, no live data yet), Sintra (admin marketing tools).
- Each one has a contract with us requiring them to handle your data per our instructions + per the relevant privacy law.
- We’ll tell you 30 days before adding a new one if you subscribe to our notify list.
How to read this list
- Role = what they do for us.
- Data categories = the kinds of personal data they touch.
- Hosting location = where the data physically lives (primary region; cross-region replication may apply for high-availability).
- Safeguard = the contractual mechanism we rely on for cross-border transfers (EU Standard Contractual Clauses, the EU-US Data Privacy Framework, vendor self-certification, etc.).
- Last reviewed = when CoDi Tennis last audited the subprocessor’s security posture + contract terms.
Active subprocessors
Vercel
- Role
  - Application hosting + edge CDN for the CoDi Tennis web app.
- Data categories
  - Request metadata (IP, user-agent, timing) for edge routing. No personal-data persistence on Vercel — the app is stateless at this tier.
- Hosting location
  - Primary: Global edge with US-based control plane. Compute regions configurable per route.
- Safeguard
  - Vercel Inc. (US) — EU-US Data Privacy Framework certified. DPA in force.
- Last reviewed
  - 2026-05-24
Supabase
- Role
  - Primary application database (PostgreSQL) + authentication + file storage.
- Data categories
  - All user-account, booking, payment-reference, coach-cert, junior-progress, and audit-log data. The canonical store.
- Hosting location
  - Primary: ap-southeast-2 (Sydney, Australia). Backups replicated to a second AU region.
- Safeguard
  - Supabase Inc. (US) — EU Standard Contractual Clauses (Module 2 controller→processor) in force. DPA at supabase.com/dpa.
- Last reviewed
  - 2026-05-24
Stripe
- Role
  - Payment processing, Stripe Connect for coach payouts, Stripe Tax for GST/VAT calculation, Stripe Identity (when used).
- Data categories
  - Cardholder data (Stripe-hosted forms — never touches our servers, PCI SAQ-A), payer name + email + billing address, payout-bank details for coaches, transaction history.
- Hosting location
  - Primary: US + Ireland (Stripe processes globally with regional routing). AU local-currency settlement via Stripe Australia.
- Safeguard
  - Stripe Payments Australia Pty Ltd (ABN 30 600 250 121) + Stripe Inc. (US) — EU-US Data Privacy Framework certified. DPA at stripe.com/legal/dpa. PCI DSS Level 1.
- Last reviewed
  - 2026-05-24
Resend
- Role
  - Transactional email delivery (booking confirmations, password resets, WWCC alerts, EOI welcome).
- Data categories
  - Recipient email address, email subject + body content (which may contain names + booking metadata). Stored for 30 days for delivery troubleshooting + bounce-handling.
- Hosting location
  - Primary: US (us-east-1). EU data residency option available — not currently enabled (under review).
- Safeguard
  - Resend Inc. (US) — DPA in force. EU-US DPF status: not yet certified at time of last review.
- Last reviewed
  - 2026-05-24
Anthropic
- Role
  - AI inference for future form-analysis + drill-recommendation features (not yet live in production; pre-disclosed here for transparency).
- Data categories
  - Pose-skeleton coordinate data + stroke type + drill metadata. NOT video itself, NOT child names, NOT identifying information. See /legal/privacy §12 for the per-request data minimisation.
- Hosting location
  - Primary: US.
- Safeguard
  - Anthropic PBC (US) — DPA pending engagement (no production data flows today). EU Standard Contractual Clauses to be adopted before any EU-resident user’s pose data is processed.
- Last reviewed
  - 2026-05-24 (status: pending — not yet processing)
Sintra
- Role
  - Marketing automation + AI-assisted content drafting (admin-side only; no end-user data flows through Sintra).
- Data categories
  - Marketing-copy drafts, public brand assets, admin user identity for tool access. NO end-user personal data.
- Hosting location
  - Primary: US.
- Safeguard
  - Sintra AI Inc. (US) — admin tooling only; not a subprocessor of end-user personal data per Article 28 definition. Listed here for transparency.
- Last reviewed
  - 2026-05-24
Backy Check (procurement in progress)
- Role
  - State-by-state WWCC + criminal-history verification for coaches (not yet contracted; in procurement at time of last review per RD #145).
- Data categories
  - Coach name + DOB + state + WWCC card number. Used to query state registers + return current status.
- Hosting location
  - Primary: Australia.
- Safeguard
  - Pending contract signing. DPA + SCC review by user-engaged legal counsel before any production data flows.
- Last reviewed
  - 2026-05-24 (status: pre-contract — no data flowing yet)
Infrastructure-only, non-subprocessor
The following services support CoDi Tennis operations but do not process personal data on our behalf, so they are not subprocessors in the GDPR Article 28 sense:
- GitHub — source-code hosting. Contains no production personal data (config and code only).
- Cloudflare — DNS resolution only. We do not run Cloudflare Workers or use Cloudflare R2 for user data.
- Microsoft OneDrive — admin documentation (this repository’s working files). No production end-user data.
- Sentry (planned) — error monitoring. When live, will be configured with strict PII scrubbing (no request bodies, no cookies, IP address masking). Will be moved to the “Active subprocessors” list above when it goes live.
Decommissioned subprocessors
We retain a record of subprocessors we have stopped using, so the full data-lineage history is auditable.
- None at this time. When a subprocessor is decommissioned, it will be listed here with the date of removal and the destination of any migrated data.
Notice of changes
Material additions or replacements get 30 days’ advance notice via this page (with the “Last updated” date at the top revised) + an email to the privacy notify list. To object to a proposed change, reply to that email. If your objection cannot be reasonably accommodated, we will work with you to find an alternative or provide an exit path.
Questions
Email privacy@coaching.direct with any question about a subprocessor, a request for a copy of a specific DPA, or a complaint about how a subprocessor handled your data. We aim to acknowledge within 3 business days.