This Data Processing Agreement («DPA») forms an integral part of the Terms of Service. It governs MyFitnessClient's processing of the personal data that each professional manages about their clients through the Platform.
1. Parties and Scope
Whenever the professional (the «Controller») uses the Platform to process personal data of their clients, the professional is the controller and MyFitnessClient («we») acts as processor, under Article 28 of Regulation (EU) 2016/679 (GDPR).
For the data we process as controller (accounts, billing, security and the website), our Privacy Policy applies, and not this DPA.
2. Subject Matter, Duration, Nature and Purpose
Subject matter and duration: the processing of the Controller's clients' data for the duration of the contractual relationship and for as long as the account exists, without prejudice to legal retention periods. Nature and purpose: to host and process that data exclusively in order to provide the Platform's features (client management, workouts, nutrition, assessments, progress, communication and other features) and in accordance with the Controller's instructions.
3. Types of Data and Categories of Data Subjects
The processing may cover:
- Clients' identification and contact data
- Body measurements and composition, assessment results and progress photographs
- Health/anamnesis questionnaires, which may include data concerning health (special categories — Article 9 GDPR)
- Records of workouts, nutrition, habits, goals and follow-up notes
- Messages and form responses
Categories of data subjects: the Controller's clients and trainees.
4. The Controller's Instructions
We process the data only on the Controller's documented instructions. The Terms, this DPA and the Controller's use of the Platform constitute those instructions. We will inform the Controller if we consider that an instruction infringes the GDPR or other applicable data protection legislation.
5. Confidentiality
We ensure that the persons authorised to process the data are subject to a duty of confidentiality, whether of a contractual or statutory nature.
6. Security (Article 32)
We apply the appropriate technical and organisational measures described in the Security section of the Privacy Policy, taking into account the state of the art and the risks of the processing.
7. Sub-processors
The Controller gives general authorisation for engaging the sub-processors identified in the sub-processor list in the Privacy Policy, imposing on them data protection obligations equivalent to those in this DPA. Whenever we intend to add or replace a sub-processor, we will inform the Controller with reasonable advance notice; the Controller may object, on reasonable data protection grounds, within 30 days — and if the objection remains unresolved, may cease using the Service.
8. Assistance and Data Breaches
To a reasonable extent and taking into account the nature of the processing, we assist the Controller in responding to requests to exercise data subject rights (Chapter III GDPR) and in complying with the obligations of Articles 32 to 36 (security, breach notification and impact assessments).
In the event of a personal data breach affecting the Controller's data, we will notify the Controller without undue delay after becoming aware of it, with the information reasonably available so that the Controller can comply with its duties under Articles 33 and 34.
9. Deletion or Return of the Data
On termination of the Service, we delete or return the data, at the Controller's choice, save for retention required by law. The periods described in the Privacy Policy and the Terms apply — namely the retention of files for 90 days after the end of a paid subscription and the deletion or anonymisation of the account's data within a maximum of 30 days after the request.
10. Audit and Demonstration of Compliance
We make available to the Controller the information necessary to demonstrate compliance with the obligations of Article 28 and allow for and contribute to audits, including inspections, conducted by the Controller or by an auditor mandated by the Controller. Audits take place subject to reasonable prior notice, in a proportionate manner and safeguarding the confidentiality and security of other clients, primarily through documentation and responses to questionnaires.
11. International Transfers
Transfers of data outside the European Economic Area only take place with the appropriate safeguards provided for in Chapter V GDPR, as described in the Privacy Policy (adequacy decisions, including the EU-U.S. Data Privacy Framework where applicable, and/or Standard Contractual Clauses).
12. The Controller's Responsibilities
The Controller is responsible for having a valid legal basis for processing their clients' data — including explicit consent where required, in particular for health data (Article 9 GDPR) —, for providing lawful instructions and for ensuring the accuracy and lawfulness of the data it collects and entrusts to us.
13. Final Provisions
This DPA forms part of the Terms of Service; in the event of conflict regarding the processing of data under Article 28 GDPR, this DPA prevails. It is governed by Portuguese law. Terms not defined in this DPA have the meaning given to them by the GDPR.
14. Contact
For questions concerning this Agreement or the processing of data:
- Email: [email protected]