ArenaIQ
Log in

ArenaIQ

Data Processing Agreement (DPA)

This DPA is an integral part of the ArenaIQ Terms of Use and applies automatically between ArenaIQ (data processor) and the customer (data controller) when the customer accepts the Terms of Use. No separate signature is required.

Last updated: July 2026 · Version 1.0

This agreement is entered into in accordance with Article 28 of the EU General Data Protection Regulation (GDPR). By registering an account or activating a subscription in ArenaIQ, the customer accepts the terms below.

1. Parties

Data controller (the Customer): the organization whose users have registered an account and/or entered into a subscription in ArenaIQ. Data processor (the Provider): ArenaIQ, which provides the service at arenaiq.se. The Customer is the data controller for personal data entered into the service (including sponsor contacts). The Provider processes such data solely on the Customer's behalf.

2. Subject matter, duration and purpose

Subject matter: The Provider's processing of personal data in order to deliver the ArenaIQ service to the Customer. Duration: For as long as the Customer's account/subscription is active, plus a wind-down period of no more than 30 days after termination (see section 10). Purpose: Storage, analysis, AI-based processing, communication and reporting around the Customer's sponsors, contracts and activities, plus operation and support of the service.

3. Nature of processing (Annex 1)

Categories of data subjects: • The Customer's internal users (the club's / organization's staff) • The Customer's sponsors and prospects (contacts at companies and organizations) Types of personal data: • Identity and contact data (name, email, phone, address, role) • Organizational data (company name, org. number, industry) • Communication and contract data (email correspondence, contract drafts, activations, notes) • Financial data linked to sponsorship deals (contract value, renewal dates) • Technical data about the Customer's users (IP, session, login timestamps) Special categories (art. 9 GDPR): Not processed. The Customer must not upload sensitive personal data to the service.

4. Obligations of the Customer (data controller)

The Customer is responsible for: • Having a legal basis under art. 6 GDPR for all processing initiated in the service. • Informing data subjects (including sponsor contacts) about the processing in accordance with art. 13-14 GDPR. • Only entering personal data that is necessary and relevant for the purpose. • Not uploading special categories of personal data or data on criminal offences. • Handling data subject requests (access, rectification, deletion) primarily on their own.

5. Obligations of the Provider (data processor)

The Provider shall: • Only process personal data on the Customer's documented instructions (the Terms of Use and this DPA constitute documented instructions). • Ensure that persons processing the data are committed to confidentiality. • Implement the technical and organizational security measures set out in Annex 2 (section 7). • Assist the Customer in responding to data subject requests (art. 12-22 GDPR) with appropriate technical and organizational measures. • Assist the Customer with security measures, breach notifications and impact assessments (art. 32-36 GDPR). • Delete or return personal data as set out in section 10 after the end of the agreement. • On request, provide the Customer with the information needed to demonstrate compliance with art. 28 GDPR.

6. Subprocessors (Annex 3)

The Customer grants the Provider general prior authorization to engage the following subprocessors: • Supabase Inc. (EU region) – database, authentication and file storage. • Stripe Payments Europe Ltd. – payments and invoicing. Standard Contractual Clauses apply for transfers to the US. • Resend Inc. – outbound email. Standard Contractual Clauses apply. • Cloudflare Inc. – CDN, DNS and security proxy for arenaiq.se. • Lovable AB (via Lovable AI Gateway) – AI model calls for assistant features. Personal data is minimized as described in section 6 of the GDPR policy (pseudonymization of sponsor contacts). • Firecrawl – web enrichment for the Customer's prospect searches. The current list is published on this page. The Provider shall notify the Customer at least 30 days before a new subprocessor is engaged or replaced. If the Customer has reasonable objections, the Customer may terminate the agreement early.

7. Security measures (Annex 2)

The Provider applies, among others, the following technical and organizational security measures (art. 32 GDPR): • Encryption in transit (TLS/HTTPS) and at rest with the underlying providers. • Isolation of customer data per organization via Row Level Security (RLS) directly in the database. • Role-based access control inside the organization (e.g. who sees invoices and subscription data). • Multi-factor authentication for administrative access to the production environment. • Logging of administrative events in the production environment. • Regular backups with defined recovery times. • Pseudonymization of sponsor contacts before data is sent to AI models. • Segregated development, test and production environments. • Contracts with subprocessors ensuring an equivalent level of protection. The Provider continuously evaluates and updates the measures.

8. International transfers

Personal data is stored primarily within the EU/EEA. Where a subprocessor's service entails a transfer to a third country (e.g. the US), the EU Commission's Standard Contractual Clauses (SCC) apply, along with any supplementary measures required under Schrems II and EDPB recommendations.

9. Personal data breaches

In the event of a personal data breach affecting the Customer's data, the Provider shall notify the Customer without undue delay after becoming aware of the incident, so the Customer can fulfill its obligation to notify the Swedish Authority for Privacy Protection (IMY) within 72 hours. The notification shall include available information about the type of breach, categories and approximate number of data subjects affected, likely consequences and measures taken or proposed.

10. Deletion and return

At the end of the agreement, the Provider shall, at the Customer's choice, either return or delete all personal data processed on the Customer's behalf, at the latest within 30 days. Underlying transaction and invoicing data may need to be kept longer to comply with Swedish bookkeeping law (up to 7 years). The Customer can at any time request an export of its data in a structured format.

11. Audits and information

The Customer has the right, once per year and with reasonable notice, to request documentation showing that the Provider fulfills its obligations under this DPA (e.g. summaries of security measures, subprocessor list, incident procedures). Physical on-site audits can be agreed separately and are performed at the Customer's expense, unless otherwise required by mandatory law.

12. Liability and disputes

Limitations of liability and dispute resolution follow what is set out in the Terms of Use. Swedish law shall apply to this DPA. Disputes shall be settled by the general courts of Sweden.

13. Changes

The Provider may update this DPA to reflect changes in the law, new subprocessors or improved procedures. Material changes are communicated via email and/or in-app notice at least 30 days before they take effect. The current version is always shown at the top of this page.

14. Do you need a signed copy?

For most customers, this DPA – in combination with accepted Terms of Use – is legally sufficient under art. 28 GDPR. If your procurement or internal policy requires a separately signed document, please contact us and we will send you a signing-ready version.