Data Processing Agreement

Controller: The natural or legal person who determines the purposes and means of processing personal data.

Data Subject: An identified or identifiable natural person whose personal data is being processed.

Personal Data: Any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.

Client Data: Personal data of coaching clients that is processed through our platform.

Data Protection Laws: All applicable data protection and privacy laws, including but not limited to:

• • EU General Data Protection Regulation (GDPR)
• • Swiss Federal Act on Data Protection (FADP)
• • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
• • Brazil Lei Geral de Proteção de Dados (LGPD)
• • Singapore Personal Data Protection Act (PDPA)
• • And any other applicable privacy laws in jurisdictions where Services are used

3.1 Company as Data Controller

Company acts as the Data Controller for all personal data processed through the platform, including:

• • Client Data: All personal data of coaching clients processed through coach instances
• • Coach Data: Personal data of coaches using the platform
• • Direct User Data: Personal data of individuals using simplified features directly

As Controller, Company:

• • Determines what personal data is collected and how it is processed
• • Sets the purposes and means of all data processing activities
• • Implements technical and security measures
• • Handles all data subject rights requests
• • Maintains compliance with all applicable Data Protection Laws
• • Controls data retention, deletion, and international transfers

3.2 Coach Role and Responsibilities

Coaches are sophisticated users who customize their platform instance but do not control data processing. Coaches:

• • Configure their software instance (frameworks, questionnaires, assessments)
• • Facilitate client data collection through the customized interface
• • Act as intermediaries between Company and their clients
• • Must comply with the obligations set forth in this DPA

4.1 Types of Personal Data We Process

4.2 Processing Purposes

We process personal data for the following purposes:

• • Providing coaching software services and AI-powered insights
• • Facilitating coach-client interactions and progress tracking
• • Platform customization and personalization
• • Account management, billing, and customer support
• • Service improvement, analytics, and product development
• • Legal compliance, security, and fraud prevention
• • Communication about service updates and features

4.3 Categories of Data Subjects

• • Coaching clients using the platform through their coaches
• • Coaches and their authorized staff members
• • Individual users accessing platform features directly
• • Prospective customers and website visitors

5.1 Legal Basis Under GDPR/FADP

We process personal data based on:

• • Legitimate interests for service provision, improvement, and business operations
• • Contract performance for delivering requested services
• • Consent where specifically obtained for certain processing activities
• • Legal obligations for compliance and regulatory requirements

5.2 Other Jurisdictions

We maintain appropriate lawful basis for processing under all applicable Data Protection Laws.

6.1 Client Communication Requirements

Coaches must:

• • Inform clients that Company is the data controller for all platform data
• • Direct clients to Company's Privacy Policy for complete data processing information
• • Refer data subject requests to Company through designated channels
• • Not make representations about data processing that contradict Company's Privacy Policy

6.2 Data Collection Standards

Coaches must:

• • Only facilitate collection of data necessary for legitimate coaching purposes
• • Ensure clients understand how their data will be processed through the platform (see our Your Data Explained page for details)
• • Not attempt to extract or store client data outside the platform without proper authorization
• • Report any suspected data breaches or security incidents immediately

6.3 Platform Usage Compliance

Coaches agree to:

• • Use platform features only for their intended coaching purposes
• • Maintain confidentiality of client information accessed through the platform
• • Follow all platform terms of service and acceptable use policies
• • Not attempt to circumvent or disable platform security measures

6.4 Professional Standards

Coaches must:

• • Maintain appropriate professional standards in their coaching practice
• • Comply with any applicable professional licensing or certification requirements
• • Not use the platform for any unlawful or inappropriate purposes
• • Respect client privacy and maintain professional boundaries

7.1 Data Protection Compliance

Company commits to:

• • Implementing appropriate technical and organizational security measures
• • Processing data only for specified, legitimate purposes
• • Ensuring data accuracy and keeping personal data up to date
• • Retaining data only for as long as necessary
• • Providing transparent information about data processing
• • Facilitating data subject rights exercise

7.2 Security Measures

Company implements:

• • Encryption of data in transit and at rest
• • Role-based access controls
• • Regular security assessments and penetration testing
• • Staff training on data protection and security
• • Incident response and breach notification procedures
• • Business continuity and disaster recovery plans

7.3 Data Subject Rights Management

Company will directly handle all data subject requests including:

• • Right of access to personal data
• • Right to rectification of inaccurate data
• • Right to erasure ("right to be forgotten")
• • Right to restrict processing
• • Right to data portability
• • Right to object to processing
• • Rights related to automated decision-making

Response timeframes: Within 30 days (or as required by applicable law)

8.1 Data Processing Locations

Personal data may be processed in: Germany, United States, Singapore.

8.2 International Transfer Safeguards

Where data is transferred internationally, Company ensures:

• • Transfers comply with applicable Data Protection Laws
• • Appropriate safeguards are implemented (Standard Contractual Clauses, adequacy decisions, etc.)
• • Data subject rights remain fully protected
• • Onward transfer restrictions are respected

8.3 Subprocessors

Company may engage third-party service providers to assist with data processing:

• • Current subprocessors are listed at: Subprocessors
• • All subprocessors are contractually bound to equivalent data protection standards
• • Objections to new subprocessors can be raised through our support channels

9.1 Retention Periods

• • Active coaching relationships: Data retained while coaching relationship is active
• • Account closure: Data deleted immediately after account closure request
• • Legal requirements: Data may be retained longer where required by law
• • Anonymized analytics: Aggregated, anonymized data may be retained indefinitely

9.2 Data Deletion Process

• • Coaches may request client data deletion through platform controls
• • Clients may request deletion directly through our privacy contact
• • Deletion completed within 30 days of verified request
• • Legal holds may delay deletion where required by law

10.1 Incident Response

In case of a personal data breach, Company will:

• • Contain and investigate the breach immediately
• • Assess risks to data subjects
• • Notify supervisory authorities within 72 hours where required
• • Notify affected individuals when high risk is identified
• • Provide regular updates on investigation progress

10.2 Coach Notification

Company will notify coaches of breaches affecting their clients:

• • Within 72 hours of breach discovery
• • Including available details about the incident
• • With guidance on any required coach actions
• • With updates as investigation progresses

11.1 Compliance Monitoring

Company maintains:

• • Records of all processing activities
• • Documentation of security measures
• • Regular compliance assessments
• • Incident response logs

12.1 Company Liability

As the data controller, Company accepts primary liability for:

• • Data protection law compliance
• • Security of personal data
• • Data subject rights fulfillment
• • Breach notification requirements

12.2 Coach Responsibilities

Coaches remain liable for:

• • Compliance with this DPA and platform terms
• • Professional obligations to their clients
• • Accurate representation of Company's data practices
• • Proper use of platform features

12.3 Limitation of Liability

Nothing in this DPA limits Company's liability for:

• • Data protection violations caused by Company's actions
• • Security breaches due to Company's negligence
• • Failure to fulfill data controller obligations

13.1 DPA Updates

This DPA may be updated to reflect:

• • Changes in applicable Data Protection Laws
• • Updates to our data processing practices
• • Regulatory guidance or requirements
• • Business model changes

13.2 Notification Process

Material changes will be communicated:

• • 30 days in advance where possible
• • Through platform notifications and email
• • With updated effective dates clearly marked
• • Continued use constitutes acceptance of changes

14.1 Effect of Termination

Upon termination of coach account:

• • Client data will be deleted according to our retention policy
• • Coach may request immediate deletion of all associated client data
• • Data export options available before account closure
• • This DPA remains effective until all data is deleted

14.2 Survival of Terms

The following sections survive termination:

• • Data deletion obligations
• • Liability provisions
• • Confidentiality requirements
• • Dispute resolution procedures

16.1 Governing Law

This DPA is governed by the laws of Delaware, United States, without regard to conflict of law principles. However, all data protection obligations contained herein shall be interpreted and applied in accordance with:

• • Swiss Federal Act on Data Protection (FADP) for data subjects located in Switzerland
• • EU General Data Protection Regulation (GDPR) for data subjects located in the European Union
• • Other applicable data protection laws based on the data subject's location

16.2 Dispute Resolution

16.3 Severability

Invalid provisions do not affect the validity of the remainder of this DPA.

16.4 Entire Agreement

This DPA, together with our Terms of Service and Privacy Policy, constitutes the complete agreement regarding data processing.