Version 1.0, Effective 2026-06-26

Reeplayer, Inc. ("Reeplayer," "we," "us," or "our") is a Delaware corporation with its principal place of business at 4213 Jackson Avenue, Culver City, California 90232, USA. Our Privacy Policy promises that every vendor we use to help run Reeplayer operates under a written data processing agreement, that we maintain a published list of our sub-processors, and that we apply extra care to data relating to minors. This document is how we keep that promise. It has two parts.

Part A is the Sub-processor List: the categories of outside vendors (sub-processors) we use to provide Reeplayer, what each category does, and what categories of data it touches. Part B is the Data Processing Addendum: the commitments that bind every sub-processor in Part A, whatever the category.

This document is consistent with, and should be read together with, our Privacy Policy (in particular Section 6 on AI and machine learning and Section 8 on how we share information) and our Terms of Service. Capitalized terms we do not define here have the meaning given in the Privacy Policy and the Terms of Service. "Personal data" and "personal information" are used interchangeably and have the broad meaning the applicable privacy law gives them.

This is Version 1.0, Effective 2026-06-26. We may update it as described in Section A.3.

Part A. Sub-processor List

A.1 What a sub-processor is, and why we use them

A sub-processor is an outside company that processes personal data on our behalf to help us provide Reeplayer. We use sub-processors for things we do not run entirely ourselves, such as hosting and storing footage, delivering video, running AI and computer-vision processing, measuring usage, supporting customers, sending email, and taking payments. Using sub-processors is normal and necessary to run a modern service. It does not change our promises to you. Every sub-processor is bound by the commitments in Part B, and we remain responsible to you for the personal data we entrust to them.

The list below describes the categories of sub-processors we use, and for each category the purpose, the categories of data involved, the specific vendor, and the region where it processes data. We keep this list current, and we may add or change a category or vendor as described in Section A.3.

A.2 The categories of sub-processors we use

Category What it does (purpose) Categories of data it may process Named vendor Region Cloud hosting and storage Hosts and stores Reeplayer's systems and your footage, runs our application and database infrastructure, and keeps backups. Footage (video and audio), performance and game statistics, account and profile information, device and camera data, usage and analytics data, approximate location or region, and support communications. May include personal data of account holders, minors as filmed subjects, and bystanders. Amazon Web Services (AWS) and Google Cloud Platform United States Content delivery Delivers and streams footage, clips, and highlights to viewers reliably and quickly, including caching content closer to viewers. Footage (video and audio), clips and highlights, device and connection data, IP address, and approximate location or region. Amazon Web Services (AWS) and Google Cloud Platform United States AI and computer-vision processing Helps run and improve the AI and computer-vision features that detect plays, track the ball and action, cut clips and highlights, and compute statistics. Footage (video and audio), performance and game statistics, and derived tracking data. May include footage of minors as filmed subjects. Identity stays on jersey number, roster, and account, never on a learned face. Amazon Web Services (AWS) and Google Cloud Platform United States Analytics Measures how the app and website are used and how the service performs, so we can fix problems and improve Reeplayer. App and website usage and analytics data, device identifiers, IP address, approximate location or region, and diagnostic and crash data. PostHog and Google United States Customer support Runs our support tools so we can answer questions, resolve issues, and handle privacy and rights requests. Account and profile information, support communications, and the details a person includes when they contact us, including a parent or guardian acting for a child. Google and Intercom United States Communications and email Sends service messages, account and transactional emails, and, where permitted, marketing about Reeplayer, and handles related messaging. Account and profile information, email address, contact details, and message content and engagement data. Google United States Payment processing Processes payments for subscriptions and hardware and handles billing. Billing contact details, limited payment information (such as the last digits and type of card and confirmation of payment), and purchase records. We do not store full payment card numbers ourselves. Stripe United States

A.3 We maintain this list and give notice of new sub-processors

We maintain this Sub-processor List and keep it current. When we add a new sub-processor, or change one in a way that materially affects the personal data it processes, we update this list and give notice consistent with our Privacy Policy and any agreement we have with you. Where we provide a way to subscribe to changes to this list, you can use it to receive notice. We apply extra care to data relating to minors when we select, engage, and oversee sub-processors. Nothing in this list is a representation that we use every category at all times; we use the categories needed to provide the service.

Part B. Data Processing Addendum

This Part B sets out the commitments that bind each sub-processor in Part A. We require these commitments from every sub-processor through a written data processing agreement before that sub-processor handles personal data on our behalf. We refer to a sub-processor here as the "Processor" and to Reeplayer as the "Controller," using the meanings the applicable privacy law gives those terms. These commitments are the baseline; a given agreement may add more, but it may not fall below this baseline.

B.1 Process only on Reeplayer's instructions, and only to provide the service

The Processor processes personal data only to provide its services to Reeplayer, and only on Reeplayer's documented instructions, including with respect to transfers of personal data, unless a law the Processor is subject to requires otherwise, in which case the Processor informs Reeplayer of that legal requirement before processing, unless the law prohibits that notice on important grounds of public interest. The Processor does not process the personal data for any other purpose.

B.2 No reuse for the Processor's own purposes

The Processor does not use, retain, disclose, or otherwise process the personal data for its own purposes or for the benefit of anyone other than Reeplayer. The Processor does not sell the personal data, does not "share" it for cross-context behavioral advertising, and does not combine it with personal data the Processor receives from or on behalf of others, or collects on its own, except as permitted by the applicable privacy law to provide the service to Reeplayer. The Processor is prohibited from the activities the CCPA and CPRA prohibit for a service provider or contractor with respect to the personal data.

B.3 No training of the Processor's own models

The Processor does not use the personal data to train, develop, fine-tune, or improve its own artificial intelligence or machine-learning models, or any model offered to anyone other than Reeplayer. This limit applies to footage and to all other personal data. It restates, at the sub-processor level, the line drawn in Sections 6 and 8 of our Privacy Policy: an outside service may process the data to provide its services to Reeplayer, but it may not turn that data into its own model or product.

B.4 Confidentiality

The Processor keeps the personal data confidential and ensures that the people it authorizes to process the data are bound by an appropriate duty of confidentiality, whether by contract or by a statutory duty, and process the data only as needed to perform their work for Reeplayer.

B.5 Security: appropriate technical and organizational measures

The Processor implements and maintains appropriate technical and organizational measures to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure, taking into account the nature of the data and the risks of the processing. These measures include, as appropriate, access controls, encryption in transit, segregation of data, logging and monitoring, secure development and configuration, personnel security, and regular testing and review of the measures. The Processor applies extra care to the measures that protect data relating to minors.

B.6 Assistance with data-subject requests

The Processor assists Reeplayer, by appropriate technical and organizational measures and taking into account the nature of the processing, in responding to requests from individuals to exercise their rights under the applicable privacy law, such as the rights to access, correct, delete, restrict, port, or object. If an individual sends a rights request directly to the Processor, the Processor does not respond on its own (except to confirm the request relates to Reeplayer) and promptly forwards the request to Reeplayer.

B.7 Assistance with security, breach, and impact-assessment obligations

The Processor assists Reeplayer in meeting Reeplayer's own obligations relating to security of processing, notification of personal-data breaches to regulators and affected individuals, data protection impact assessments, and prior consultation with a supervisory authority, in each case taking into account the nature of the processing and the information available to the Processor. The Processor makes available to Reeplayer the information reasonably necessary to demonstrate compliance with these commitments and allows for and contributes to audits or inspections that Reeplayer or its authorized auditor reasonably conducts, on reasonable notice and subject to confidentiality.

B.8 Breach notification without undue delay

The Processor notifies Reeplayer without undue delay after becoming aware of a personal-data breach affecting the personal data, and in any event in time for Reeplayer to meet its own notification deadlines. The notice includes the information reasonably available to the Processor about the breach, including its nature, the categories and approximate number of individuals and records affected to the extent known, the likely consequences, and the measures taken or proposed to address it and to mitigate harm. The Processor applies extra care, and treats the matter with added urgency, where a breach could affect data relating to minors.

B.9 Deletion or return on termination

On termination or expiry of its services to Reeplayer, the Processor, at Reeplayer's choice, deletes or returns the personal data it processes on Reeplayer's behalf and deletes existing copies, unless a law the Processor is subject to requires it to keep the data, in which case the Processor keeps it only as long and only to the extent that law requires and continues to protect it under these commitments.

B.10 Engaging further sub-processors only under equivalent terms, with notice

The Processor does not engage another sub-processor to process the personal data without prior authorization from Reeplayer, which may be specific or general. Where Reeplayer gives general authorization, the Processor informs Reeplayer of any intended addition or replacement of a further sub-processor in time for Reeplayer to object. When the Processor engages a further sub-processor, it does so under a written agreement that imposes data-protection commitments at least equivalent to those in this Part B, and the Processor remains fully responsible to Reeplayer for that further sub-processor's performance.

B.11 Extra care for data relating to minors

Reeplayer films youth sports, so much of the personal data relates to children, including children who appear only as filmed subjects and never held an account. The Processor applies extra care to data relating to minors across every commitment in this Part B, including by limiting access to that data to those who need it, applying heightened security to it, treating any breach that may affect it with added urgency, and assisting Reeplayer with its obligations to children and their parents and guardians under laws such as the Children's Online Privacy Protection Act. The Processor does not use data relating to a minor for any purpose other than providing its services to Reeplayer, and the prohibition on training the Processor's own models in Section B.3 applies with particular force to data relating to minors.

B.12 International transfers

Where the personal data is transferred from the EEA, the United Kingdom, or another region whose law restricts cross-border transfers, the Processor processes it only under an appropriate transfer mechanism, such as the Standard Contractual Clauses approved by the European Commission and the UK addendum or an equivalent mechanism, together with any additional measures the law requires. This Part B is intended to support and operate alongside those mechanisms.

B.13 Order of precedence

These commitments are the baseline for every sub-processor. If a written data processing agreement with a sub-processor conflicts with this Part B, the provision that gives greater protection to the personal data, and to data relating to minors in particular, controls. Nothing in a sub-processor agreement may reduce the protections described in our Privacy Policy.

Closing note: a customer-facing DPA is a separate B2B variant

This document covers Reeplayer's sub-processors, the vendors that process personal data on Reeplayer's behalf when Reeplayer is the controller. It is a different document from a customer-facing data processing addendum, which is the agreement Reeplayer would sign when an enterprise customer, such as a school, a club, a league, or a district, is the controller and Reeplayer acts as a processor for that customer. That customer-facing DPA is a separate B2B variant, with its own controller-to-processor commitments, its own description of the processing, and its own transfer terms. We will add it when an enterprise relationship needs it. Until then, the consumer and participant relationship is governed by our Terms of Service and Privacy Policy, and this document governs our use of sub-processors.