
Data Processing Agreement

Between FitCard (Processor) and Trainers (Controllers) · Schedule A to Terms of Service

Effective Date: March 2025

Preamble

This DPA is entered into between Get Your Business Booming LLC ("FitCard" or "Processor") and each Trainer who has accepted FitCard's Terms of Service ("Trainer" or "Controller"). This DPA supplements the Terms of Service and forms Schedule A. On data protection matters, this DPA prevails in case of conflict.

The Trainer is the data controller and FitCard is the data processor for Client data processed via the Platform. FitCard is separately a data controller for its own purposes as described in the Privacy Policy.

1. Definitions

Controller: The Trainer who determines purposes and means of processing Client data.

Processor: FitCard, acting on the Controller's instructions.

Data Subject: The Trainer's Clients whose data is processed.

Sub-Processor: Third parties engaged by FitCard to process data on behalf of the Controller.

2. Processing Details

FitCard processes Personal Data solely to provide the Platform under the Terms of Service. Processing commences at account creation and continues until termination plus any retention period required by law.

Data processed: Name, email, phone, booking history, session records, payment references, device identifiers, and (with consent) body metrics, progress photos, and training notes.

3. Processor Obligations

FitCard will: process only on documented Controller instructions; ensure personnel confidentiality; implement technical and organisational measures (Schedule 2); impose equivalent obligations on Sub-Processors; notify of new Sub-Processors with 14 days' notice and objection rights; assist with Data Subject requests; delete or return data on termination; and notify Security Incidents within 72 hours.

4. Controller Obligations

The Controller confirms it: has a valid legal basis for processing; has provided Data Subjects with privacy notices; has obtained explicit consent for health-adjacent data; will inform FitCard if instructions would cause a breach; and will respond to DSARs in accordance with law.

5. Security Incidents

FitCard will notify the Controller without undue delay and within 72 hours of becoming aware of a Security Incident. The Controller is responsible for assessing whether notification to authorities or Data Subjects is required under Articles 33–34 GDPR.

6. International Transfers

Where FitCard transfers data outside the EEA or UK, appropriate safeguards (SCCs, UK IDTA) are in place. EU Trainer accounts are hosted on Supabase eu-central-1 (Frankfurt) by default.

7. Liability

Liability under this DPA is subject to the Terms of Service limitations, except: obligations to Data Subjects under applicable law; and liability for fines imposed by supervisory authorities arising from a party's breach.

For full Sub-Processor list and technical security measures, see the Privacy Policy. By accepting the Terms of Service, you enter into this DPA as Controller.