Data Processing Addendum (DPA)

Last updated: January 13, 2026

1. Introduction

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer," "Data Controller") and SHYDOG CREATIVE LTD ("MembersHub," "Processor," "we," "us") and governs the processing of personal data in accordance with:

  • The EU General Data Protection Regulation (GDPR)
  • The UK Data Protection Act 2018
  • Other applicable data protection laws

2. Definitions

Personal Data

Any information relating to an identified or identifiable natural person that is processed through the Service.

Processing

Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

Data Controller

The Customer who determines the purposes and means of processing personal data.

Data Processor

MembersHub.app, which processes personal data on behalf of the Data Controller.

Sub-processor

Any third party engaged by MembersHub to process personal data.

Data Subject

An identified or identifiable natural person whose personal data is processed.

3. Scope and Roles

3.1 Data Controller Responsibilities

As Data Controller, you:

  • Determine what personal data is collected through your club hub
  • Are responsible for obtaining consent from your members
  • Must have a lawful basis for processing personal data
  • Are responsible for responding to data subject rights requests
  • Must ensure your privacy policy complies with applicable laws

3.2 Data Processor Responsibilities

As Data Processor, MembersHub:

  • Processes personal data only on your documented instructions
  • Implements appropriate technical and organizational measures
  • Ensures confidentiality of personnel processing data
  • Assists you in responding to data subject rights requests
  • Assists with data protection impact assessments when required
  • Deletes or returns data upon termination of services

4. Data Processing Details

4.1 Subject Matter

Processing of personal data necessary to provide the MembersHub.app service, including club management, content delivery, and member communication features.

4.2 Duration

Processing will continue for the duration of your subscription, plus 30 days for data deletion procedures, unless legally required to retain data longer.

4.3 Nature and Purpose

The processing enables:

  • Club hub creation and management
  • Content hosting and delivery
  • Member access and authentication (if applicable)
  • Push notifications and communications
  • Analytics and service improvement

4.4 Categories of Data

Customer Account Data:

  • Name, email address
  • Club details and branding
  • Payment information (processed by Stripe)
  • Usage and analytics data

End User Data (Club Members):

  • Device identifiers (for PWA functionality)
  • IP addresses and location data
  • Browser information
  • Push notification tokens (if enabled)
  • Access codes (for password-protected clubs)
  • Content interaction data

4.5 Categories of Data Subjects

  • Club administrators and account holders
  • Club members and visitors
  • Technical support users

5. Data Security Measures

MembersHub implements the following security measures:

5.1 Technical Measures

  • Encryption in transit (TLS/SSL)
  • Encryption at rest for sensitive data
  • Secure authentication and session management
  • Regular security updates and patches
  • Intrusion detection and monitoring
  • Secure backup procedures

5.2 Organizational Measures

  • Access controls and authentication requirements
  • Confidentiality agreements with personnel
  • Regular security training for staff
  • Data breach response procedures
  • Regular security audits and assessments
  • Vendor security reviews

6. Sub-processors

MembersHub engages the following sub-processors to provide the Service:

Vercel Inc.

USA

Purpose: Cloud hosting and content delivery

Safeguards: Standard Contractual Clauses

Stripe, Inc.

USA/EU

Purpose: Payment processing

Safeguards: PCI-DSS compliant, Standard Contractual Clauses

Resend

USA

Purpose: Transactional email delivery

Safeguards: Standard Contractual Clauses

Amazon Web Services (AWS)

EU/USA

Purpose: Cloud storage and database hosting

Safeguards: Standard Contractual Clauses, EU data residency options

Notice of Changes: We will notify you at least 30 days before adding or changing sub-processors. You may object to new sub-processors by contacting us within 14 days of notification.

7. International Data Transfers

Personal data may be transferred to and processed in countries outside the EEA/UK. For such transfers, we ensure appropriate safeguards:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions where available
  • Additional security measures as required

8. Data Subject Rights

MembersHub will assist you in responding to data subject requests, including:

Right of Access

We will provide data exports within 30 days of request.

Right to Rectification

You can update data through your dashboard or contact us.

Right to Erasure

Data deleted within 30 days unless legally required to retain.

Right to Data Portability

We provide data in structured, machine-readable format.

Right to Restrict Processing

Processing can be restricted upon valid request.

Right to Object

You may object to certain processing activities.

9. Data Breach Notification

In the event of a personal data breach:

  • MembersHub will notify you without undue delay upon becoming aware
  • Notification will be made within 72 hours where feasible
  • We will provide all necessary information to assess the breach
  • We will assist in notifying supervisory authorities if required
  • We will document all breaches and remedial actions taken

10. Data Deletion and Return

Upon termination of your subscription:

  • You have 30 days to export your data
  • After 30 days, we will securely delete all personal data
  • Backup copies are deleted within 90 days
  • Data required for legal compliance may be retained longer
  • We will provide written certification of deletion upon request

11. Audit Rights

Upon reasonable notice, you may:

  • Request information about our data processing practices
  • Review relevant security documentation
  • Request audit reports (SOC 2, ISO certifications where available)

Physical audits may be conducted once per year with 60 days' notice and at your expense.

12. Liability and Indemnification

Each party is liable for damages caused by its own breach of this DPA. MembersHub's liability is subject to the limitations in the Terms of Service, except where prohibited by law.

13. Governing Law

This DPA is governed by the laws of England and Wales. The parties submit to the jurisdiction of the courts of England and Wales for any disputes arising from this DPA.

14. Contact for Data Protection

For data protection inquiries or to exercise your rights:

SHYDOG CREATIVE LTD

Data Protection Officer

Company No. 10913802

Registered in England & Wales

Email: hello@membershub.app

Subject: Data Protection Inquiry