
Data Processing Agreement (DPA)

Last updated: February 2026

This Data Processing Agreement ("DPA") is an annex to the Terms and Conditions and Privacy Policy of BESTLEVEL LLC. It applies to all organizations — including educational institutions, high schools, sports clubs, and academies ("Institution" or "Data Controller") — that use the BestLevel platform and entrust athlete or student Personal Data to our infrastructure.

1. ROLE OF BESTLEVEL LLC — DATA PROCESSOR ONLY

Critical Distinction:

BESTLEVEL LLC operates exclusively as a Data Processor. We provide secure technical infrastructure (software, storage, and communication tools) to store and process Personal Data solely on behalf of and as instructed by the Institution (Data Controller).

BESTLEVEL LLC does not:

  • Determine the purposes or means of processing Personal Data.
  • Independently decide what data to collect or from whom.
  • Collect, request, or verify consent from athletes, parents, guardians, or any Data Subject.
  • Make eligibility, compliance, or enrollment decisions regarding athletes or students.
  • Contact parents, guardians, or athletes for consent or permission purposes on its own initiative.

All decisions regarding data collection, consent, parental permissions, regulatory compliance, and communication with Data Subjects are the sole and exclusive responsibility of the Institution.

1.1 Parties

  • Data Controller: The Institution (High School, Club, Academy, or individual Trainer) that uses BestLevel to manage its athletes/students. The Data Controller determines the purposes and means of processing.
  • Data Processor: BESTLEVEL LLC, a company registered in the State of Florida, United States. The Data Processor provides the technical platform and processes data only as instructed by the Data Controller.

1.2 Scope

This DPA governs the processing of Personal Data of athletes, students, and members ("Data Subjects") by BESTLEVEL LLC on behalf of the Institution. It applies whenever the Institution uploads, enters, or otherwise transmits Personal Data to the BestLevel platform.

1.3 Relationship to Other Agreements

This DPA supplements and is incorporated into the Terms and Conditions. In the event of any conflict between this DPA and the Terms and Conditions, this DPA shall prevail with respect to data processing matters.

2. DEFINITIONS

For the purposes of this DPA:

  • Personal Data: Any information relating to an identified or identifiable athlete/student, including but not limited to: name, date of birth, email address, physical measurements, performance data, health/injury records, and media content.
  • Processing: Any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, or deletion.
  • Sub-processor: A third-party service provider engaged by BESTLEVEL LLC to assist in the processing of Personal Data.
  • Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  • Educational Records: Records directly related to a student that are maintained by an educational agency or institution, as defined under FERPA. This definition applies only when the Institution is an educational agency or institution subject to FERPA.

3. INSTITUTION RESPONSIBILITIES (DATA CONTROLLER)

The Institution bears sole and complete responsibility for:

  1. Consent and Permissions: Obtaining all necessary consent, authorizations, and permissions from athletes, parents, legal guardians, and any other relevant parties before entering their data into the BestLevel platform.
  2. Parental Consent for Minors: Obtaining verifiable parental or guardian consent for all athletes under the age of 18 (or the applicable age of majority in the Institution's jurisdiction), including specific consent under COPPA for athletes under 13 in the United States.
  3. Regulatory Compliance: Complying with all applicable data protection laws and regulations in the Institution's jurisdiction, including but not limited to FERPA (for educational institutions), COPPA, GDPR, state privacy laws, and any sport-governing body requirements (e.g., SafeSport).
  4. Lawful Basis for Data Sharing: Ensuring it has a lawful basis (consent, legitimate interest, contractual necessity, or statutory exception) to share Personal Data with BESTLEVEL LLC before doing so.
  5. Data Accuracy: Ensuring that all Personal Data entered into the platform is accurate, up to date, and relevant to the intended purpose.
  6. Communication with Data Subjects: Serving as the primary point of contact for all athletes, parents, and guardians regarding their data rights, including access, correction, deletion, and portability requests.
  7. Notifications: Informing athletes, parents, and guardians that their data will be processed through BESTLEVEL LLC's platform and providing them with information about their rights.

BESTLEVEL LLC does not verify, audit, or monitor whether the Institution has obtained proper consent or meets its regulatory obligations. The Institution's use of the platform constitutes a representation that it has fulfilled all necessary legal requirements before entering data into the system.

4. BESTLEVEL LLC OBLIGATIONS (DATA PROCESSOR)

BESTLEVEL LLC commits to the following as Data Processor:

4.1 Processing Instructions

  • Process Personal Data only in accordance with the Institution's documented instructions, which are defined by the Institution's use of the platform's features and this DPA.
  • Not use Personal Data for any purpose other than providing the Service, including but not limited to: marketing, advertising, profiling, selling, or sharing data with unauthorized third parties.
  • Not independently access, modify, or disclose Personal Data except as necessary to provide the Service or as required by law.

4.2 Confidentiality

  • Ensure that all personnel authorized to process Personal Data are bound by obligations of confidentiality.
  • Limit access to Personal Data to authorized personnel on a strict need-to-know basis.

4.3 Platform Tools

BESTLEVEL LLC provides the following tools to assist the Institution in meeting its compliance obligations. The responsibility for using these tools correctly lies entirely with the Institution:

  • Parent/Guardian Email fields: The platform supports a dedicated parent/guardian email field for minor athletes. The Institution is responsible for entering this information.
  • Under-13 athlete flagging: The platform allows marking athletes as under 13 years of age, which routes account-related communications to the parent/guardian email instead of the athlete's email. The Institution is responsible for accurately flagging these athletes.
  • Data export: The Institution can export its data at any time.
  • Individual deletion: The Institution can request deletion of specific athlete data.

5. FERPA PROVISIONS (EDUCATIONAL INSTITUTIONS ONLY)

Applicability: This section applies only when the Institution is an educational agency or institution subject to the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g (e.g., public and private K-12 schools, school districts, colleges, and universities that receive federal funding). Sports clubs, private academies, and other non-educational organizations should skip this section — the remaining sections of this DPA apply to all Institutions regardless of type.

5.1 School Official Designation

When the Institution is subject to FERPA, BESTLEVEL LLC may be designated as a "school official" with a "legitimate educational interest" under 34 CFR § 99.31(a)(1)(i)(B), as it provides a service that the Institution would otherwise use its own employees to perform. Under this designation:

  • BESTLEVEL LLC is under the direct control of the Institution with respect to the use and maintenance of education records.
  • BESTLEVEL LLC is subject to the requirements of 34 CFR § 99.33(a) regarding re-disclosure of personally identifiable information from education records.
  • BESTLEVEL LLC will not re-disclose personally identifiable information from education records to any third party, except to its authorized Sub-processors (Section 8) as necessary to provide the Service, or as required by law.

5.2 Institution's FERPA Responsibilities

The Institution, as the educational agency subject to FERPA, is solely responsible for:

  • Including BESTLEVEL LLC in its annual FERPA notification to parents/eligible students as a "school official" with access to education records.
  • Determining and documenting its legitimate educational interest basis for sharing student data with BESTLEVEL LLC.
  • Designating the types of data shared as appropriate (e.g., directory information under 34 CFR § 99.37, or education records under the school official exception).
  • Obtaining any required parental consent before sharing student data with BESTLEVEL LLC where FERPA or applicable state law requires such consent.
  • Responding to parent/eligible student requests for access to, amendment of, or complaints about education records.

5.3 BESTLEVEL LLC's FERPA Commitments

BESTLEVEL LLC agrees to:

  • Process education records only as instructed by the Institution and for the purposes specified in this DPA.
  • Not use education records for any purpose other than providing the Service to the Institution.
  • Maintain the confidentiality of education records.
  • Return or destroy education records upon termination of services or upon request by the Institution, as described in Section 10.

Disclaimer: BESTLEVEL LLC's commitments under this section are contingent upon the Institution's accurate designation of BESTLEVEL LLC as a school official in its FERPA annual notification and the Institution's compliance with its own FERPA obligations. BESTLEVEL LLC shall not be liable for any FERPA violation resulting from the Institution's failure to meet its obligations under this section.

6. COPPA PROVISIONS (ALL INSTITUTIONS WITH ATHLETES UNDER 13)

Applicability: This section applies to all Institutions — educational or not — that use BestLevel to manage data of athletes under 13 years of age in the United States.

6.1 Roles Under COPPA

Under the Children's Online Privacy Protection Act (COPPA):

  • The Institution is the party that collects and provides Personal Data of children under 13 to the platform. The Institution acts as the operator's agent or, in educational contexts, relies on the school consent exception.
  • BESTLEVEL LLC is a service provider that stores and processes data on behalf of the Institution. BESTLEVEL LLC does not independently collect any Personal Data directly from children under 13.

6.2 What BESTLEVEL LLC Does NOT Do

BESTLEVEL LLC does not:

  • Directly interact with, collect information from, or communicate with children under 13 for the purpose of obtaining consent or personal information.
  • Request, collect, or verify parental consent in any form.
  • Contact parents or guardians to request permissions, authorizations, or consent.
  • Determine whether an athlete is a minor or verify age information — the Institution provides this data.
  • Independently decide to send communications to children or their parents/guardians outside of the automated notifications triggered by the Institution's use of the platform.

6.3 What BESTLEVEL LLC Does

BESTLEVEL LLC provides the technical infrastructure to:

  • Store and process data that the Institution has entered, including data of athletes under 13.
  • Route automated account-related communications (e.g., welcome emails, activation emails) to the parent/guardian email instead of the athlete's email, when the Institution has flagged the athlete as under 13 and provided a parent/guardian email.
  • Restrict platform features as necessary to ensure data of minors is handled in accordance with the Institution's instructions.

6.4 Institution's Sole Responsibility

The Institution is solely and entirely responsible for:

  • Obtaining verifiable parental consent before adding any athlete under 13 to the platform (whether through direct parental consent, the school consent exception under COPPA, or any other legally valid mechanism).
  • Providing accurate age information and correctly flagging athletes as under 13 in the platform.
  • Entering the parent/guardian email for all athletes under 13.
  • Responding to parental requests to review, delete, or refuse further collection of their child's data.
  • Ensuring that the data shared with BESTLEVEL LLC was collected lawfully and with proper consent.

For full details on how the platform handles children's data, see our Privacy Policy — Section 8.

7. DATA PROCESSING DETAILS

7.1 Categories of Data Subjects

  • Athletes/students enrolled in the Institution's programs
  • Parents/guardians of minor athletes (contact email only, as provided by the Institution)
  • Coaches and staff of the Institution who use the platform

7.2 Types of Personal Data Processed

| Category | Data Elements |
|---|---|
| Identity | Full name, date of birth, gender, country |
| Contact | Email address, parent/guardian email (for minors, as provided by the Institution) |
| Athletic Performance | Training progress, workout completion, exercise metrics, performance testing results |
| Physical Measurements | Height, weight (for athletic tracking) |
| Health/Injury | Injury records, availability status, recovery tracking (for coaching communication purposes only — not medical records) |
| Media Content | Photos and videos of training sessions (uploaded by the Institution or with the Institution's consent) |
| Technical | Device information, app usage data, IP address |

7.3 Purposes of Processing

BESTLEVEL LLC processes Personal Data solely for the following purposes, as instructed by the Institution:

  1. Providing the athletic training management platform and mobile application
  2. Enabling communication between coaches and athletes/parents as configured by the Institution
  3. Tracking athletic performance and training progress
  4. Managing team rosters, groups, and athlete availability
  5. Processing payments (when applicable, via Stripe)
  6. Providing technical support and maintaining service reliability
  7. Generating aggregated, de-identified analytics for platform improvement (no individual data is exposed)

7.4 Duration of Processing

Personal Data is processed for the duration of the Institution's active subscription with BESTLEVEL LLC, plus any applicable retention period as described in Section 9 of this DPA.

8. SUB-PROCESSORS

8.1 Authorized Sub-processors

BESTLEVEL LLC uses the following sub-processors to deliver its services. By accepting this DPA, the Institution grants general authorization for these sub-processors:

| Sub-processor | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Firebase (Google Cloud) | Authentication, database, push notifications | USA / Global | Link |
| Cloudflare (R2 & Workers) | File storage, CDN, serverless functions | USA / Global | Link |
| Stripe | Payment processing | USA | Link |
| Supabase | Structured data storage | USA | Link |
| Modal | Serverless GPU video processing | USA | Link |
| PostHog | Product analytics (anonymized usage data only) | USA / EU | Link |

All sub-processors are contractually bound to protect Personal Data and process it only as necessary to provide their respective services.

8.2 Sub-processor Changes

BESTLEVEL LLC will notify the Institution of any intended changes to its sub-processors (additions or replacements) at least 30 days in advance by updating this page. The Institution may object to such changes by contacting BESTLEVEL LLC within the 30-day notice period. If the objection cannot be reasonably resolved, the Institution may terminate its subscription.

9. DATA RETENTION AND DELETION

9.1 Retention During Active Subscription

While the Institution maintains an active subscription, Personal Data is retained and available through the platform. BESTLEVEL LLC does not independently decide to delete data during an active subscription.

9.2 Retention After Termination

Upon termination or expiration of the Institution's subscription:

  • 30-day grace period: The Institution has 30 days to export any data it needs.
  • Deletion: After the grace period, BESTLEVEL LLC will delete or de-identify all Personal Data associated with the Institution within 60 days, unless retention is required by applicable law.
  • Confirmation: The Institution may request written confirmation of data deletion.

9.3 Inactive Account Deletion

Accounts with no login activity for 12 consecutive months are considered inactive. BESTLEVEL LLC will:

  1. Send a notification email to the account holder 30 days before scheduled deletion.
  2. If no activity occurs during the 30-day notice period, automatically delete the account and all associated data, including all athlete/student data tied to the account.
  3. Paid accounts with an active subscription will not be considered inactive regardless of login activity.

9.4 Individual Data Deletion Requests

Requests for deletion of a specific athlete's or student's data should be directed by the Data Subject (or their parent/guardian) to the Institution (Data Controller) first. The Institution may then instruct BESTLEVEL LLC to delete the data, or the Data Subject may contact BESTLEVEL LLC at contact@thebestlevel.com as a secondary channel. Such requests will be processed within 30 days.

10. DATA RETURN AND DESTRUCTION

10.1 Upon Termination

At the end of the service relationship, the Institution may request:

  • Data Export: A copy of all Personal Data in a commonly used, machine-readable format (CSV/JSON).
  • Data Deletion: Complete deletion of all Personal Data from BESTLEVEL LLC's active systems and sub-processors.

10.2 Certification

Upon request, BESTLEVEL LLC will provide written certification that all Personal Data has been deleted from active systems within 90 days of the request. Residual copies in encrypted backup systems may persist for up to an additional 90 days before being overwritten through standard backup rotation.

11. SECURITY MEASURES

BESTLEVEL LLC implements the following technical and organizational security measures to protect Personal Data:

11.1 Technical Measures

  • Encryption in transit: All data transmitted between clients and servers uses TLS 1.2 or higher.
  • Encryption at rest: Data stored in Firebase Firestore, Supabase, and Cloudflare R2 is encrypted at rest using AES-256 or equivalent.
  • Authentication: Firebase Authentication with secure token-based access and custom claims for role-based access control.
  • Signed URLs: Private media files (videos, images) are protected by time-limited signed URLs (1-hour expiry) that require authentication.
  • Access Controls: Role-based access ensures that coaches/trainers can only access data of athletes within their own organization.
  • Infrastructure: All services are hosted on enterprise-grade cloud infrastructure with SOC 2 and/or ISO 27001 certified providers.

11.2 Organizational Measures

  • All personnel authorized to process Personal Data are bound by confidentiality obligations.
  • Access to production systems is limited to authorized personnel on a strict need-to-know basis.
  • Regular security reviews and infrastructure monitoring are conducted.
  • Incident response procedures are documented and maintained.

12. DATA BREACH NOTIFICATION

12.1 Notification Timeline

In the event of a Data Breach affecting Personal Data processed under this DPA, BESTLEVEL LLC will:

  1. Notify the Institution within 72 hours of becoming aware of the breach.
  2. Provide all reasonably available information about the breach, including:
    • Nature and scope of the breach
    • Categories and approximate number of Data Subjects affected
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach and mitigate its effects
  3. Cooperate with the Institution in investigating and remediating the breach.

12.2 Institution's Obligations After Breach Notification

Upon receiving a breach notification, the Institution is solely responsible for:

  • Determining whether and how to notify affected Data Subjects (athletes, parents, guardians, students).
  • Notifying relevant regulatory authorities as required by applicable law (including FERPA, state breach notification laws, and any sport-governing body requirements).
  • Communicating with parents and guardians about the breach and any remediation steps.

BESTLEVEL LLC will cooperate with and assist the Institution, but does not independently notify Data Subjects about breaches — this responsibility lies with the Data Controller.

13. AUDITS AND COMPLIANCE

13.1 Audit Rights

The Institution may, upon reasonable written notice (at least 30 days), request evidence of BESTLEVEL LLC's compliance with this DPA. BESTLEVEL LLC will make available:

  • Documentation of security measures and practices
  • Information about sub-processor compliance
  • Records of any data breaches and their resolution

Audit requests shall be limited to once per calendar year and shall not unreasonably interfere with BESTLEVEL LLC's business operations.

13.2 Cooperation

BESTLEVEL LLC will reasonably cooperate with the Institution to respond to inquiries from regulatory bodies or auditors regarding the processing of Personal Data. The Institution is responsible for managing and responding to any such inquiries — BESTLEVEL LLC's role is limited to providing factual information about its data processing activities.

14. LIMITATION OF LIABILITY AND DISCLAIMERS

Important Disclaimers:

  • BESTLEVEL LLC shall not be liable for any violation of FERPA, COPPA, GDPR, or any other data protection regulation resulting from the Institution's failure to obtain proper consent, provide accurate data, correctly flag minor athletes, or otherwise fulfill its obligations as Data Controller.
  • BESTLEVEL LLC shall not be liable for any claim, damage, or penalty arising from the Institution's decision to share Personal Data with the platform without proper authorization or lawful basis.
  • BESTLEVEL LLC provides tools and infrastructure — the responsibility for using them correctly and in compliance with applicable law rests entirely with the Institution.
  • The total liability of BESTLEVEL LLC under this DPA is subject to the limitations set forth in the Terms and Conditions.

15. GOVERNING LAW

This DPA is governed by and construed in accordance with the laws of the State of Florida, United States, consistent with the Terms and Conditions.

16. CONTACT

For questions about this Data Processing Agreement or to request a customized DPA for your Institution, contact:

For Institutions:

If your school, district, or organization requires a signed, bilateral version of this DPA with institution-specific terms, please contact us at contact@thebestlevel.com and we will prepare a customized agreement for execution.