This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Controller") and FitFocus Pty Ltd ("Processor", "FitFocus") under which FitFocus provides the coaching platform (the "Service"). It sets out the parties' obligations with respect to personal data processed in connection with the Service.
1. Definitions
Capitalised terms not defined here have the meaning given in the General Data Protection Regulation (EU) 2016/679 ("GDPR") or the Australian Privacy Act 1988 (Cth), as applicable.
2. Subject matter and duration
The subject matter of the processing is the operation of the Service for the benefit of the Controller. The duration of the processing is the term of the underlying subscription plus any post-termination data export window.
3. Nature and purpose
The nature of the processing is: storage, transmission, display, indexing, analytics, and backup of coaching data entered by the Controller's authorised users or imported from integrated systems.
4. Categories of data subjects
- Coaches and other authorised Controller personnel.
- End clients of the Controller (clients of the coaching business).
- Leads captured through the Controller's forms and scheduling flows.
5. Categories of personal data
- Identity and contact data (names, emails, phone numbers, avatars).
- Account credentials and authentication metadata.
- Health-related data (measurements, training data, wearable metrics, form responses).
- Communications (messages, attachments, call notes).
- Financial and billing data relating to the Controller (cardholder data is held by Stripe).
Sensitive data may be processed where the Controller or its end clients choose to record it. The Controller is responsible for obtaining the necessary legal basis from end clients before entering such data.
6. Processor obligations
FitFocus will:
- Process personal data only on documented instructions from the Controller.
- Impose confidentiality obligations on personnel with access to personal data.
- Implement appropriate technical and organisational security measures (summarised on the Security page).
- Assist the Controller in responding to data subject requests and data protection impact assessments.
- Notify the Controller without undue delay after becoming aware of a personal data breach.
- At the Controller's choice, delete or return personal data at the end of the service, subject to legal retention obligations.
7. Sub-processors
The current list of sub-processors is published at fitfocus.io/legal/subprocessors. FitFocus will provide notice of proposed changes to the sub-processor list with a reasonable opportunity for the Controller to object on reasonable grounds.
8. International transfers
Where personal data is transferred outside the European Economic Area, the United Kingdom, or Australia, the parties rely on standard contractual clauses, the UK International Data Transfer Addendum, or other lawful mechanisms, as applicable.
9. Audit
On reasonable prior written notice and not more than once per year (except where a material breach has occurred), the Controller may audit FitFocus's compliance with this DPA. FitFocus may satisfy audit requirements by providing third-party attestations or reports where available.
10. Liability
Liability under this DPA is subject to the limits of liability in the underlying agreement.
11. Term and termination
This DPA remains in force for the duration of the underlying agreement and, where applicable, for any period during which FitFocus continues to process personal data on behalf of the Controller after termination.
12. Contact
Questions about this DPA should be directed to privacy@fitfocus.io.