Data Processing Agreement
Effective May 5, 2026
Parties
This Data Processing Agreement ("DPA") is entered into between ArchAI Academy LLC ("Courtly," "Processor") and the organization that has agreed to Courtly's Terms of Service (the "Club" or "Controller"). It supplements the Terms of Service and governs the processing of personal information that the Club uploads to or generates through the Courtly platform (the "Service").
Roles
For personal information that the Club's members, guests, and staff submit through the Service:
- The Club is the data controller (or "business" under CCPA/CPRA). It determines what information is collected and how it is used.
- Courtly is the data processor (or "service provider" under CCPA/CPRA). It processes information solely on the Club's documented instructions to provide the Service.
Scope of processing
Courtly processes the following categories of personal information on behalf of the Club: full names, email addresses, phone numbers, dates of birth, family relationships, membership status, payment-method tokens (held by Stripe; Courtly stores only the last 4 digits and brand), reservation history, program-registration history, skill ratings, and waiver signatures (including the signer's name, IP address, and user-agent).
The categories of data subjects include the Club's members, family members of members, guests booking through the public booking flow, and the Club's own staff.
The purposes of processing are: providing the Service to the Club, sending transactional and marketing communications the Club instructs Courtly to send, processing payments through Stripe Connect, and providing customer support to the Club.
Sub-processors
Courtly uses the following sub-processors to deliver the Service. Each is bound by data-processing terms at least as protective as this DPA:
- Vercel Inc. — hosting and edge network (US)
- Neon Inc. — Postgres database (US East)
- Clerk Inc. — authentication and identity
- Stripe Inc. — payments and Connect
- Twilio Inc. — SMS verification codes
- Resend Inc. — transactional and marketing email
- Sentry Inc. — error tracking
- Cloudflare Inc. — bot protection (Turnstile)
- Anthropic PBC / Groq Inc. — large language model inference for matchmaking tiebreaks
Courtly will provide at least 30 days' notice (by email or in-product banner) before adding or replacing a sub-processor. The Club may object in writing; if the objection cannot be resolved, the Club may terminate the affected Service for the remainder of the current term.
Security measures
Courtly maintains administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 via sub-processor infrastructure)
- Application-layer tenant isolation (each request authenticated against an organization context)
- Logical separation of customers' data within a shared database
- Stripe-managed PCI scope; Courtly never receives raw PAN
- Access controls and audit logging on Courtly's production infrastructure
- Vulnerability monitoring via Sentry and dependency scans
Data subject requests
The Club is responsible for responding to data-subject requests (access, deletion, correction, portability, opt-out of sale). Courtly will assist the Club within 10 business days when notice of a verified request is received in writing. Courtly will not respond directly to a Club's end users except as instructed by the Club or as required by law.
Incident response
Courtly will notify the Club without undue delay, and in any event within 72 hours of confirmation, upon becoming aware of a personal data breach affecting the Club's data. The notice will describe the nature of the incident, the categories of data involved, the estimated number of affected records, the steps Courtly is taking to mitigate, and a point of contact for further questions.
California (CCPA / CPRA)
For Clubs operating in California or with California members: Courtly is a "service provider" within the meaning of the California Consumer Privacy Act, as amended by the California Privacy Rights Act. Courtly will not "sell" or "share" personal information as those terms are defined, and will not retain, use, or disclose personal information outside the direct business relationship with the Club to provide the Service. To the extent the Club's members exercise opt-out rights, Courtly will honor opt-out signals it receives from the Club.
International transfers
Courtly's infrastructure is hosted in the United States. Personal information collected from non-US data subjects may be transferred to and processed in the United States. Where required, Courtly relies on appropriate transfer safeguards as set out by sub-processor agreements.
Data retention and deletion
Courtly retains personal information for the duration of the Service and for a reasonable period thereafter to allow account reactivation, dispute resolution, and legal-hold requirements (typically up to 7 years for financial records).
On termination of the Service or written request, Courtly will delete or return all Club personal information within 60 days, except for records the Club instructs Courtly to retain or records Courtly is legally required to keep.
Audit rights
On reasonable notice (at least 30 days) and during normal business hours, the Club may request copies of Courtly's then-current security documentation and answers to a reasonable written security questionnaire. On-site audits are not permitted without separate written agreement.
Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for matters that cannot be limited under applicable law.
Acceptance
By using the Service after the Effective Date above, the Club accepts this DPA. The Club may request a counter-signed copy by emailing legal@archaiacademy.com with the Club's organization name and signatory.
This DPA is a starting framework. Operators should review with counsel before relying on it. Specific industries, jurisdictions, and customer requirements may require additional terms.