Data Processing Agreement (DPA)
This agreement (pursuant to Art. 28 GDPR) governs the processing of your athletes' personal data carried out by Athleex on your behalf as Processor, while you — as a Personal Trainer registered on Athleex — act as the Controller. By accepting our Terms of Service you are also accepting this DPA.
Version 1.0 — effective 4 May 2026
Parties
You — Personal Trainer registered on the Athleex service ("Controller")
Athleex — Italy-based entity. VAT to be assigned. Contact: info@athleex.com ("Processor")
1. Definitions
The terms "personal data", "processing", "controller", "processor", "sub-processor", "data subject", "breach" and "supervisory authority" have the meanings given to them in Articles 4 and 28 of Regulation (EU) 2016/679 (GDPR). "Service" means the Athleex SaaS platform available at athleex.com.
2. Subject matter, duration and roles
The Processor processes the Controller's athletes' personal data solely for the purpose of providing the Service. This DPA has the same duration as the main agreement (Terms of Service) and terminates concurrently. The Controller remains solely responsible for the lawfulness of the relationship with its athletes, for collecting consent under Art. 9 (health data) and providing the Art. 13/14 GDPR notice.
3. Nature, purpose, types of data
Nature: storage, organisation, consultation, modification, communication (only to the Controller and the relevant athletes), erasure.
Purpose: management of the PT-athlete relationship — training programs, nutrition plans, biometrics, progress photos, invoicing.
Categories of data subjects: athletes of the Controller and the Controller's contacts.
Categories of data: identifiers (name, email, phone), profile data (date of birth, city), health data (Art. 9 GDPR — weight, measurements, photos, workouts) processed only with explicit consent of the data subject, payment data (Stripe token), chat content.
4. Obligations of the Processor (Athleex)
Athleex undertakes to:
- process personal data only on documented instructions from the Controller (registration, use of the Service, and acceptance of the Terms constitute documented instructions);
- ensure that persons authorised to process the data have committed themselves to confidentiality;
- implement technical and organisational measures pursuant to Art. 32 GDPR (see §7);
- assist the Controller with appropriate technical measures to fulfil data subject rights (Arts. 15-22 GDPR);
- assist the Controller in complying with the obligations under Arts. 32-36 GDPR;
- at the Controller's choice, delete or return personal data at the end of the relationship (see §12);
- make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and allow audits (see §11).
5. Obligations of the Controller (Personal Trainer)
The Controller undertakes to:
- obtain valid consent from athletes for processing of health data (Art. 9 GDPR);
- provide athletes with the privacy notice required by Arts. 13/14 GDPR — Athleex publishes its own notice accessible to athletes in six languages;
- not submit to Athleex special categories of data other than those contemplated by the Service;
- verify the actual age of athletes and obtain parental consent where applicable (Art. 8 GDPR);
- ensure that its access credentials are protected and immediately report any compromise to info@athleex.com.
6. General authorisation for sub-processors
The Controller grants Athleex general authorisation to engage sub-processors. The current list is published at athleex.com/legal/sub-processors and includes, among others: Hetzner Online GmbH (DE), Stripe Payments Europe Ltd. (IE/US), Resend Inc. (US), Meta Platforms Ireland Ltd. (IE/US), Apple Inc. (US, push), Google Ireland Ltd. (IE/US, maps/geocoding/analytics).
Athleex notifies the Controller by email of the addition or replacement of a sub-processor at least 30 days before activation. The Controller may object on documented data-protection grounds. Absent a timely objection, the sub-processor is deemed accepted.
Athleex contractually imposes on each sub-processor the same data-protection obligations as those set out in this DPA, in line with Art. 28(4) GDPR.
7. Technical and organisational measures (Art. 32 GDPR)
- Encryption in transit (TLS 1.2+) and at rest (Hetzner encrypted volumes; application-layer encryption for Art. 9 data).
- bcrypt password hashing; signed JWT session tokens.
- Application-layer access control (Prisma row-scoping by trainerId/athleteId).
- Daily encrypted backups, 30-day retention.
- Technical logging with automatic PII redaction; 90-day retention.
- Immutable consent audit trail (table ConsentLog, Art. 7(1) GDPR).
- Breach-notification procedure (see §10) — internal runbook BREACH-RESPONSE.md.
- Periodic backup-restore drills; secret rotation every 90 days.
- MFA TOTP/passkey roadmap (Q3 2026).
8. International transfers
Special-category data (Art. 9 — biometric, health) is never transferred outside the EEA. It remains on Hetzner systems in Germany.
For other personal data, transfers to US sub-processors are based on:
- EU-US Data Privacy Framework (Commission adequacy decision, 10 Jul 2023), where the sub-processor is certified; and/or
- Standard Contractual Clauses (Commission Decision 2021/914) together with supplementary measures documented in our SCC-TIA-2026.md.
9. Data subject rights
Athleex assists the Controller with appropriate technical and organisational measures to handle requests from data subjects under Arts. 15-22 GDPR. Athleex makes available directly to the athlete:
- data export in PDF and JSON (Arts. 15 and 20);
- account deletion (Art. 17) with deletion of data within 30 days of the request, except where retention is required by law (e.g. invoicing data: 10 years);
- revocation of specific consents (Art. 9, profiling Art. 22, marketing).
10. Personal data breach notification
In the event of a personal data breach in the Athleex environment (including a breach by a sub-processor), the Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware, providing the information required by Art. 33(3) GDPR (nature, categories and approximate number of data subjects and records, likely consequences, measures taken or proposed). Notification is sent to the Controller's email registered on the Service.
11. Audits and inspections
The Processor will make available to the Controller, on reasoned written request, the information necessary to demonstrate compliance with this DPA, including its security policies and any sub-processor audit reports. If further investigation is necessary, the Controller may request — with reasonable notice and at its own expense — an audit performed by an independent third party bound by confidentiality, save for technical reasons preventing the audit (in which case the parties will agree on alternative measures).
12. Termination and return of data
At the end of the relationship the Processor will, at the Controller's choice communicated within 30 days of termination, delete or return in a structured commonly-used format (JSON) all personal data subject to the processing. Absent such choice within 30 days, the data is deleted. Athleex may retain encrypted backups for the time strictly necessary for rotation (30 days) before final deletion.
13. Limitation of liability
The Processor's liability under this DPA is subject to the limitations set out in the Terms of Service of the main agreement, except where such limitation is excluded by applicable law (in particular for liability under Art. 82 GDPR).
14. Governing law and venue
This DPA is governed by Italian law and, where applicable, by the GDPR. Any dispute is subject to the exclusive jurisdiction of the courts of Bergamo, Italy, without prejudice to the data subject's mandatory rights to pursue their own forum or to lodge a complaint with the supervisory authority (Italian Garante Privacy, Spanish AEPD, French CNIL, German BfDI).
15. Contact
For any communication relating to this DPA write to our self-appointed DPO: info@athleex.com. Expected response time: 5 business days (within 30 days for data subject requests under Art. 12 GDPR).