Data Processing Agreement (DPA)

Data Processing Agreement in compliance with GDPR

Last updated: October 12, 2024

This Data Processing Agreement ("DPA") is entered into between the User ("Data Controller" or "Client") and Fitcore ("Data Processor" or "Processor"), in compliance with the General Data Protection Regulation (GDPR - Regulation EU 2016/679).

1. Definitions

The terms used in this DPA have the meaning assigned by the GDPR, including but not limited to:

  • Personal Data: any information relating to an identified or identifiable natural person;
  • Processing: any operation or set of operations performed on personal data;
  • Data Controller: the entity that determines the purposes and means of processing personal data;
  • Data Processor: the entity that processes personal data on behalf of the Data Controller;
  • Data Subject: the natural person to whom the personal data relates.

2. Subject Matter and Duration

This DPA governs the processing of personal data carried out by Fitcore, as Data Processor, on behalf of and under the instructions of the Client, in the context of providing the Fitcore platform services.

This DPA enters into force on the date of acceptance of the Terms and Conditions and remains valid throughout the entire term of the service provision contract.

3. Nature and Purpose of Processing

Nature of processing: Storage, organization, consultation, use, communication, conservation, and erasure of personal data.

Purpose of processing: Provision of gym management, client management, training plans, nutritional plans, physical assessments, and other functionalities made available by the Fitcore platform.

Type of personal data: Identification data, contact data, anthropometric data, health data (when applicable), physical activity data, nutritional data, and other data entered by the Client.

Categories of data subjects: End clients of the Data Controller (athletes, gym members, personal trainer clients, etc.) and staff authorized by the Client.

4. Obligations of the Data Processor (Fitcore)

Fitcore undertakes to:

  1. Process personal data only in accordance with the documented instructions of the Client, including with regard to transfers of personal data to third countries or international organizations;
  2. Ensure that persons authorized to process personal data have committed themselves to confidentiality;
  3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
    • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
    • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.
  4. Assist the Client, by appropriate technical and organizational measures, in fulfilling the obligation to respond to requests for exercising data subject rights;
  5. Assist the Client in ensuring compliance with security obligations, data breach notifications, impact assessments, and prior consultation;
  6. Delete or return all personal data to the Client after the end of the provision of services, and delete existing copies, unless Union or national law requires the storage of data;
  7. Make available to the Client all information necessary to demonstrate compliance with obligations under the GDPR and allow audits.

5. Obligations of the Data Controller (Client)

The Client undertakes to:

  1. Ensure that they have a valid legal basis for the processing of personal data entered into the Fitcore platform;
  2. Provide data subjects with all legally required information, including the identity of the Data Controller and the Data Processor;
  3. Obtain necessary consents when legally applicable;
  4. Ensure that processing instructions given to Fitcore comply with GDPR and other applicable legislation;
  5. Properly manage access, permissions, and internal policies for platform use;
  6. Respond to data subject requests regarding the exercise of their rights;
  7. Notify Fitcore, without undue delay, of any personal data breach of which they become aware.

6. Sub-processing

The Client authorizes Fitcore to engage other sub-processors for the processing of personal data, provided that:

  1. Fitcore informs the Client of any intended changes concerning the addition or replacement of sub-processors;
  2. The Client has the opportunity to object to such changes;
  3. The sub-processor is bound by obligations equivalent to those set out in this DPA;
  4. Fitcore remains fully liable to the Client for the performance of the sub-processor's obligations.

The list of current sub-processors is available upon request at [email protected] and includes cloud hosting providers, payment processing services, and other essential technical infrastructure providers.

7. International Data Transfers

Fitcore undertakes not to transfer personal data to third countries or international organizations outside the European Economic Area (EEA), unless:

  1. The Client gives instructions to that effect;
  2. There is an adequacy decision from the European Commission;
  3. Appropriate safeguards are implemented (standard contractual clauses, binding corporate rules, etc.);
  4. A specific derogation provided for in the GDPR applies.

8. Personal Data Breaches

In the event of a personal data breach, Fitcore undertakes to:

  1. Notify the Client without undue delay after becoming aware of the breach;
  2. Provide sufficient information to enable the Client to fulfil its obligations to notify supervisory authorities and data subjects;
  3. Implement appropriate measures to remedy the breach and mitigate its adverse effects;
  4. Document all personal data breaches, including the facts, effects, and corrective measures taken.

9. Data Subject Rights

Fitcore will assist the Client in responding to data subject requests regarding the exercise of their rights, including:

  • Right of access;
  • Right to rectification;
  • Right to erasure ("right to be forgotten");
  • Right to restriction of processing;
  • Right to data portability;
  • Right to object;
  • Right not to be subject to automated decision-making.

Data subjects should direct their requests directly to the Client (Data Controller). Should Fitcore receive requests directly, it will forward them to the Client without undue delay.

10. Audit and Compliance

The Client has the right to conduct audits, including inspections, to verify Fitcore's compliance with the obligations set out in this DPA. Audits shall be:

  1. Conducted with reasonable prior notice (minimum 30 days);
  2. Carried out in a manner that does not unduly disrupt Fitcore's activities;
  3. Subject to confidentiality obligations;
  4. Limited to once per year, except in case of data breach or requirement from a competent authority.

11. Liability and Indemnification

Each party shall be liable for damages caused by breach of its obligations under this DPA, under the terms provided for in the GDPR and other applicable legislation.

The Client releases Fitcore from liability for any unlawful processing resulting from instructions given by the Client or from actions and omissions of the Client or its staff.

12. Termination

Upon termination of the service provision contract, Fitcore shall:

  1. Delete all personal data, including copies, within a maximum period of 30 days;
  2. May retain the data only if required by law, informing the Client of such obligation.

The Client may, before termination, request the return of data in a structured, commonly used, and machine-readable format.

13. Applicable Law and Dispute Resolution

This DPA is governed by the laws of the European Union and the Portuguese Republic.

Any dispute arising from or related to this DPA shall be submitted to the jurisdiction of the Portuguese courts.

14. Contacts

For questions related to this DPA or the processing of personal data, Clients may contact:

Fitcore
Email: [email protected]

This document constitutes an integral part of the Terms and Conditions and the Privacy Policy of Fitcore.
