Data Processing Addendum

1. Overview

Park Sync, LLC, a Delaware limited liability company qualified to do business in California ("Park Sync"), acts as a service provider / data processor on behalf of the park operator (the data controller). We process reservations, waivers, profile information, and payment metadata solely for the purpose of running the park's booking platform. We do not sell personal data and we do not use park patron data for any purpose other than operating the Service on the park's instructions.

2. Data We Process

On behalf of each park operator, Park Sync processes the following categories of personal data:

• Player profile: email address, optional name, and optional phone number.
• Reservation metadata: court or field identifier, start and end times, prices, and booking status.
• Waiver acceptance metadata: name, email, signed-at timestamp, IP address, and user agent captured at the moment the waiver is accepted.
• Payment metadata: Stripe PaymentIntent identifier, amount, currency, and status. Park Sync never stores card numbers, CVVs, or other raw payment credentials.

3. Subprocessors

Park Sync engages a short list of vetted vendors to deliver the Service. See the current list at /legal/dpa/subprocessors. We provide at least 30 days' prior written notice before adding or replacing a subprocessor (60 days for Enterprise and Municipal customers on request). Park operators may subscribe to subprocessor-change notices at legal@parksync.net.

AI-assisted administrator features (support-ticket drafts, daily digests, runbook Q&A) route through Vercel AI Gateway to an LLM provider (currently Anthropic) under a zero-data-retention attestation. AI inference is never invoked on player-visible flows. See the subprocessor register for the current provider(s).

4. Data Subject Rights

Park Sync will assist controllers in responding to data subject requests — access, correction, deletion, and portability — within the timelines required by applicable law: up to 45 days under the CCPA/CPRA, extendable once by an additional 45 days with notice to the data subject, and within 30 days (one month) under the GDPR or UK GDPR, extendable by two further months where necessary per Article 12(3). Patrons can reach us directly at privacy@parksync.net to initiate a request.

5. Security

• Encryption: all data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
• Row-level security: every Supabase table has row-level security enabled so park operators only see their own park's data.
• Penetration testing: an independent third-party penetration test will be completed within twelve months of the DPA effective date and annually thereafter; engagement summaries available on request under confidentiality.

6. Data Retention

Retention by data category:

Controllers may request earlier deletion at any time, subject to applicable legal holds. Data in encrypted backups is purged on the rolling schedule above and is not restored except in response to a disaster-recovery event.

7. Request a Signed DPA

Park operators, resellers, and enterprise customers can request a countersigned copy of the full Data Processing Addendum by emailing legal@parksync.net. Please include your park or organization name and the jurisdictions where you operate.