Business-customer data-processing terms for participant, staff, organization, and event information handled through Pickleball Parlor.
Effective: July 9, 2026
Version: 2026-07-09
This Data Processing Addendum (“DPA”) forms part of the Terms of Service or signed agreement between Shiloh Systems LLC (“Provider”) and the organization using the Services (“Customer”). It applies when Provider processes personal data on Customer’s behalf through tenant, organizer, league, tournament, venue, staff, or communication features. Capitalized terms not defined here have the meaning in the main agreement.
Customer is the controller, business, or equivalent party for Customer Personal Data; Provider is the processor, service provider, or contractor, except when Provider independently determines a purpose described in its Privacy Policy. Provider will process Customer Personal Data only to provide, secure, support, and improve the contracted Services; comply with documented instructions in the agreement and Customer’s authorized use; or comply with law. Provider will inform Customer if an instruction appears to violate applicable data-protection law unless prohibited.
Provider will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations and will maintain appropriate administrative, technical, and organizational safeguards proportionate to the risk. Safeguards include access controls, authentication, encrypted transport, tenant and role authorization, logging, secure development and dependency practices, provider oversight, backups, and incident procedures. Customer acknowledges that no system eliminates all risk.
Customer generally authorizes Provider to use subprocessors needed to deliver the Services, including cloud hosting and identity, payment, communications, monitoring, support, and fulfillment providers. Provider remains responsible for subprocessor obligations to the extent required by applicable law and will require data-protection terms appropriate to the service. Customer may request the current list and object to a new subprocessor on reasonable data-protection grounds; the parties will work in good faith on a commercially reasonable solution, which may include discontinuing the affected feature.
Taking into account the nature of processing and information available, Provider will reasonably assist Customer with verified data-subject requests, security and breach obligations, data-protection impact assessments, and regulator consultations required by applicable law. Provider may charge reasonable fees for assistance that is unusually burdensome or caused by Customer’s noncompliance, after advance notice.
Provider will notify Customer without undue delay after confirming unauthorized access to or acquisition, destruction, loss, alteration, or disclosure of Customer Personal Data in Provider’s control that qualifies as a personal-data breach under applicable law. Notice will include available information about the nature, likely consequences, affected data, measures taken, and a contact, and may be provided in phases. Notice is not an admission of fault. Customer is responsible for regulator and individual notices unless law assigns that duty to Provider.
During the term, Customer may use available export tools. After termination or a verified request, Provider will delete or return Customer Personal Data within a reasonable period unless law, security, financial-record, dispute, backup, or historical-event requirements permit or require retention. Retained data remains protected and is used only for the retention purpose.
Provider will make reasonably available information needed to demonstrate compliance. No more than once annually, unless required after a confirmed incident or by a regulator, Customer may request a remote review of relevant policies or independent reports. An on-site audit requires reasonable advance notice, confidentiality, minimal disruption, no access to another customer’s information, and reimbursement of reasonable costs.
Provider will not sell or share Customer Personal Data for cross-context behavioral advertising; retain, use, or disclose it outside the business purposes in the agreement except as permitted by law; combine it with personal data from unrelated sources except as permitted for a service provider or with valid consent; or use it for its own targeted advertising. Provider will notify Customer if it determines it can no longer meet an applicable service-provider obligation and will allow reasonable steps to stop and remediate unauthorized use.
The Services currently operate from the United States. If applicable law requires a transfer mechanism for Customer’s use, the parties will execute the then-current legally recognized standard terms or another valid mechanism before the restricted transfer. This online DPA does not by itself execute jurisdiction-specific standard contractual clauses or alter their mandatory text.
This DPA controls over the main agreement only for processing Customer Personal Data. Mandatory law controls over both. Provider may update this DPA prospectively to reflect law or service changes, but will not materially reduce data-protection commitments during a paid term without notice and a lawful basis.
Shiloh Systems LLC
4643 Beechland Rd, Elberon, VA 23846
michael@shiloh-systems.com