ApexGoApexGo
✦ StudioLoginGet Started
DRAFT — pending solicitor review. This page is a working draft. The final wording will be reviewed by a UK solicitor before public launch. Do not rely on this text as definitive legal advice.

Data Processing Agreement

Last updated: 27 May 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between you (the club, event organiser or other business using ApexGo — the "Controller") and ApexGo (the "Processor") under our Terms of Service. It governs ApexGo's processing of personal data about your supporters, members, ticket buyers and other end customers.

Where you are an ApexGo dashboard user (a club admin), ApexGo is the controller of your own personal data — that processing is described in our Privacy Policy, not this DPA.

2. Subject matter, nature, purpose and duration

Subject matter. ApexGo provides hosted ticketing, memberships, bar / point-of-sale and shop services. As part of operating those services on your behalf we process personal data your end customers submit through them.

Nature and purpose. Processing consists of: collecting end-customer data via the surfaces we provide; storing it in our database; making it available to you via the dashboard; transmitting it to the sub-processors listed in Section 5 (e.g. Stripe for payment, Resend for email) as needed to operate the service.

Duration. For as long as your ApexGo subscription remains active, plus the retention windows in Section 8.

3. Types of personal data

Depending on which ApexGo features you enable, we process the following categories of end-customer personal data on your behalf:

  • Identification: full name, email address, postal address, phone number.
  • Transactional: ticket / order history, scan-in records, membership tier and renewal dates, basket contents, abandoned-cart records.
  • Financial: card-payment tokens (raw card data is held by Stripe — see Section 5); refund history; cash-payment ledger entries from the bar / gate till.
  • Communication: emails sent to customers through our broadcast and confirmation flows, email-preference state.
  • Account credentials: hashed passwords (where the club uses member logins or shop accounts), email-verification tokens.
  • Behavioural (only when the club enables analytics): page views and event traffic on the club's ticket / shop surfaces.

4. Categories of data subjects

End customers of the Controller: supporters, ticket buyers, season-ticket holders, members, bar customers, online-shop customers and recipients of broadcast emails the Controller sends through the platform.

5. Sub-processors

ApexGo uses the following sub-processors to deliver the service. We carry out reasonable due diligence before engaging any sub-processor and bind each by contract to data-protection obligations no less protective than this DPA. By accepting this DPA you authorise the use of these sub-processors.

List last reviewed: 27 May 2026.

Sub-processorServiceData categoriesLocation & transfer mechanism
Stripe Payments Europe, Ltd.
Privacy & DPA →		Payment processing for ticket sales, shop checkout and ApexGo platform subscriptions. Hosts the card-entry iframe shown during checkout so we never touch raw card data.Cardholder name, Card / bank details (Stripe holds; we hold tokens), Email, Billing address, Transaction history, IP address (anti-fraud)Ireland (primary). Onward transfers to Stripe affiliates including the United States for processing, settlement and anti-fraud analysis.
UK IDTA + EU Standard Contractual Clauses (Stripe-published).
Resend, Inc.
Privacy & DPA →		Transactional email delivery — order confirmations, ticket emails, password resets, email-verification links, broadcast emails sent by clubs.Email address, Recipient name, Email body content, Delivery + bounce metadataUnited States (Delaware).
UK IDTA + EU Standard Contractual Clauses with the UK Addendum.
IONOS SE
Privacy & DPA →		Server hosting, network bandwidth and operating-system infrastructure for the ApexGo application and PostgreSQL database. Encrypted disks at rest.All categories — IONOS hosts the application servers and database. Data is encrypted at rest; IONOS has no key access.Germany / European Economic Area.
No international transfer required — data stays within the EEA.
Heart Internet Limited (livedns.co.uk)
Privacy & DPA →		Authoritative DNS hosting for apexgo.co.uk and customer custom-domain records managed via our dashboard.Hostnames, IP addresses (resolver-side; no end-user data)United Kingdom.
No international transfer — UK-only operation.

Changes to the sub-processor list.We may add or replace sub-processors. We will update this page at least 30 days before any material change takes effect; the "Last reviewed" date above always reflects the live state. Where you reasonably object to a new sub-processor on data-protection grounds, you may terminate the affected features and we will refund any prepaid plan fees for the unused period.

We additionally use infrastructure services (Let's Encrypt for TLS certificate issuance, Caddy for on-demand TLS at custom-domain edges, Linux operating-system components) which do not process personal data on our behalf and so are not listed as sub-processors.

6. Controller obligations

You (the Controller) agree to:

  • have a lawful basis under UK GDPR Article 6 for each processing activity you direct us to perform;
  • provide your end customers with an appropriate privacy notice (your own, or — by default — the platform-level notice we host at apexgo.co.uk/privacy);
  • respond to data-subject requests from your end customers, using the dashboard tools we provide;
  • configure the features you enable in line with your own compliance posture (e.g. do not enable Google Analytics on customer-facing pages unless you have a lawful basis under PECR);
  • provide accurate, lawful instructions to us — including where you want personal data deleted, exported or rectified.

7. Processor obligations

ApexGo agrees to:

  • process personal data only on documented instructions from you (the Terms of Service, this DPA, and dashboard configuration form the documented instructions);
  • ensure personnel authorised to access personal data are bound by a confidentiality obligation;
  • implement appropriate technical and organisational measures (Section 9) to keep personal data secure;
  • not engage a sub-processor without complying with Section 5;
  • assist you with responding to data-subject rights requests by providing the tools and information reasonably required;
  • assist you with your obligations under UK GDPR Articles 32-36 (security, breach, DPIA, prior consultation) taking into account the nature of the processing;
  • delete or return personal data on termination as set out in Section 10.

8. International transfers

Where personal data is transferred outside the UK to a country without a UK adequacy decision, the transfer is protected by one of the lawful mechanisms recognised by the Information Commissioner's Office — typically the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses. The specific mechanism for each sub-processor is set out in the table above.

9. Security measures (Article 32)

Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, we implement the following technical and organisational measures:

  • Encryption in transit: TLS 1.2+ for all client-server traffic; HTTPS-only on every public surface; HSTS where supported.
  • Encryption at rest: database disks encrypted at the host level; backups stored encrypted off-site.
  • Access control: role-based access (Owner / Admin / Staff with menu-level permissions); database access restricted to a single application-role credential; per-developer SSH keys for server access; no shared passwords.
  • Tenant isolation: a custom Prisma extension and static-analysis lint (lib/prisma-extension-safety-net, scripts/lint-tenant-isolation.ts) enforce that every query against a multi-tenant model carries an explicit organisation scope; cross-organisation reads are flagged at code review and marked SAFE: cross-tenant intentional at the source line.
  • Auditing: append-only audit rows for plan changes, ownership transfers, data-subject-rights requests, and Stripe webhook deliveries.
  • Secrets management: deployment-time environment variables; no secrets in version control.
  • Backups: automated daily PostgreSQL dumps; pre-migration dumps before any schema change; 30-day retention.
  • Testing: tenant-leak test fixtures and CI runs that exercise cross-organisation isolation on every code change.

10. Personal data breach notification

We will notify you of any personal data breach affecting your end customers without undue delay and in any case within 72 hours of becoming aware of it. Our notification will include, to the extent known at the time:

  • the nature of the breach, including the categories and approximate number of data subjects and records concerned;
  • the likely consequences;
  • the measures we have taken or propose to take to address the breach and mitigate its possible adverse effects;
  • the name and contact details of our point of contact for follow-up.

Where we cannot provide all of the above within 72 hours, we will provide the information in phases as it becomes available, without further undue delay.

11. Audit rights

On reasonable written notice and no more than once per calendar year (unless required more frequently by a regulator or to investigate a personal data breach), we will make available to you the information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.

Audits must take place during normal working hours, must respect the confidentiality and security of other clubs' data, and the requesting party bears its own costs.

12. Data-subject rights assistance

We provide the following tools to help you fulfil end-customer rights requests:

  • per-customer search + export from the dashboard;
  • per-customer record edit (rectification) from the dashboard;
  • per-customer deletion / anonymisation from the dashboard (transactional records are anonymised rather than hard-deleted in line with UK accounting law);
  • email broadcast opt-out is honoured automatically via per-recipient preferences.

Where a customer contacts ApexGo directly, we will redirect them to you (the Controller) and notify you of the request within five working days.

13. Deletion and return of personal data on termination

On termination of your ApexGo subscription:

  • for 30 days from the termination date, you can request a complete export of all personal data we hold on your behalf, in a structured machine-readable format;
  • at the end of that 30-day window, we will delete or anonymise the personal data, except for records we are required by UK law to retain (e.g. financial transaction records retained for tax purposes for up to 6 years), which will be securely held with all identifying fields anonymised;
  • backups containing personal data will age out of our backup retention window (30 days) and will not be selectively edited; we will not restore from a backup containing your data after the deletion date.

14. Liability and indemnity

Liability under this DPA is governed by the limitations and exclusions set out in the Terms of Service. This DPA does not increase the aggregate cap.

15. Governing law and changes

This DPA is governed by the laws of England and Wales. We may update this DPA from time to time. Material changes will be notified via the dashboard and by email to the registered owner of each organisation at least 30 days before they take effect.

16. Contact

DPA matters: privacy@apexgo.co.uk. Security incidents: security@apexgo.co.uk. Full company registration details and registered office address will appear here following the solicitor review referenced at the top of this page.