Data Processing Agreement (DPA)

Last updated: May 27, 2026

This Data Processing Agreement (hereinafter "DPA") is entered into between:

  • The Data Controller: the sports club or fitness facility using the AdCoach AI Platform (hereinafter "the Client");
  • The Data Processor: Fitness Vendor SAS, RCS Cherbourg 921 713 418, 41 Les Bertrands, 50470 Tollevast, France (hereinafter "the Publisher").

This DPA forms an integral part of the AdCoach AI Terms of Service and Sale (ToS) and applies to all processing of personal data performed by the Publisher on behalf of the Client in the context of Platform use.

1. Definitions

For the purposes of this DPA, the following terms have the meaning given to them by the GDPR (Regulation (EU) 2016/679):

  • "GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data;
  • "Data Controller": the Client, who determines the purposes and means of processing;
  • "Data Processor": the Publisher, who processes personal data on behalf of the Data Controller;
  • "Sub-processor": any subcontractor engaged by the Publisher to process data under this DPA;
  • "Personal Data": any information relating to an identified or identifiable natural person;
  • "Data Breach": any security incident resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data;
  • "Documented Instructions": the Controller's instructions to the Publisher delivered through Platform features (OAuth connection, sync, CRM import, account deletion).

2. Subject Matter and Scope of Processing

The Publisher processes the following personal data on behalf of the Client (Scopes A and C of the ToS), within the limits defined by this DPA:

Scope A - Meta Advertising Data

  • Categories of data: advertising account data, campaigns, ad sets, ads, performance insights (impressions, clicks, spend, ROAS), Meta leads (name, email, phone number of the club's prospects)
  • Data subjects: prospects and clients of the club who have interacted with the Client's Meta advertising
  • Purpose: display and analysis of the Client's advertising performance in the AdCoach AI Platform

Scope C - CRM Import

  • Categories of data: contacts imported by the Client (names, emails, phone numbers, subscription data)
  • Data subjects: current and former club members
  • Purpose: customer lifetime value (LTV) analysis, prospect tracking, real ROAS calculation

Scope Not Covered by This DPA

The Publisher acts as a data controller (not a processor) for: Client authentication data, technical security logs, billing data. These processing activities are covered by the Privacy Policy.

3. Categories of Data and Data Subjects

  Data category                                   Data subjects                                Sensitivity
  Meta advertising data (campaigns, insights)     Meta users targeted by Client advertising    Standard
  Meta leads (name, email, phone of prospects)    Prospects who submitted a Lead Ads form      Standard
  Imported CRM data (client contacts)             Current and former club members              Standard

No special category data within the meaning of Article 9 of the GDPR (health data, biometric data, etc.) is processed under this DPA, unless agreed in writing by the Parties in advance.

4. Documented Instructions

The Publisher processes data only on documented instructions from the Client, materialized by actions taken through the Platform:

  • Connecting the Meta account (OAuth): instruction to access advertising data
  • Initiating a synchronization: instruction to collect the latest insights
  • Importing a CRM file: instruction to process contact data
  • Deleting the account: instruction to erase all data

If an instruction is contrary to the GDPR or applicable regulations, the Publisher will immediately notify the Client by email.

The Publisher does not process data for purposes other than those defined above, except for aggregated and irreversibly anonymized data, which may be used for service improvement and sector benchmark production.

5. Confidentiality

The Publisher ensures that persons authorized to process personal data under this DPA are subject to an appropriate confidentiality obligation, whether contractual or statutory.

The Publisher limits access to personal data to only those staff members who need it for the performance of their duties. All access to production data is logged in the Platform's technical logs.

6. Security (Article 32 GDPR)

The Publisher implements the following technical and organizational measures to ensure a level of security appropriate to the risk:

Technical Measures

  • Encryption at rest: Meta OAuth tokens encrypted in Supabase Vault (AES-256); data at rest encrypted by AWS (Supabase infrastructure, eu-west-3 Paris)
  • Encryption in transit: TLS 1.3 on all communications (Platform, APIs, subprocessors)
  • Data isolation: Postgres Row-Level Security (RLS) - policy USING (user_id = auth.uid()), which restricts every query to the rows of the authenticated Client (logical tenant isolation enforced by the database; it is not cryptographic separation)
  • Authentication: passwordless magic link (PKCE flow), single-use tokens, automatic session expiration
  • HMAC signatures: all communications between AdCoach AI and the centralized backend service (integrations.fitness-vendor.com) are signed with HMAC-SHA256 and carry an anti-replay nonce, cached in Upstash Redis for 6 minutes so that a captured request cannot be resubmitted within that window
  • Logging: access and error logs retained 12 months, Sentry monitoring with automatic PII scrubbing
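How a signed-request scheme of the kind listed above is checked on the receiving side, as an added illustration that is not the Publisher's code: it assumes a canonical string built from method, path, timestamp, nonce and SHA-256 body hash, header names X-Timestamp / X-Nonce / X-Signature, and an in-memory dict standing in for the Upstash Redis nonce cache. All of those are assumptions about the Platform's wire format, not facts from this DPA; what the example shows is the ordering of checks (window, then signature, then nonce) and why the nonce TTL must outlive the replay window.

```python
import hashlib
import hmac
import secrets
import time

# Replay window taken from the DPA's "6 minutes"; everything else is assumed.
REPLAY_WINDOW_SECONDS = 6 * 60


class NonceCache:
    """In-memory stand-in for the Upstash Redis nonce cache (assumption).
    Mimics SET NX with a TTL: a nonce is accepted once until it expires."""

    def __init__(self):
        self._expiry = {}

    def add_if_new(self, nonce, now, ttl):
        # Drop expired entries, then insert only if the nonce is unseen.
        self._expiry = {n: exp for n, exp in self._expiry.items() if exp > now}
        if nonce in self._expiry:
            return False
        self._expiry[nonce] = now + ttl
        return True


def canonical_string(method, path, timestamp, nonce, body):
    # Binding method, path, time, nonce and body hash means none can be
    # swapped without invalidating the signature.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(secret, method, path, body, now=None, nonce=None):
    """Client side: produce the three assumed headers for an outbound call."""
    ts = int(now if now is not None else time.time())
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(secret, canonical_string(method, path, ts, nonce, body), hashlib.sha256)
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


def verify_request(secret, method, path, body, headers, cache, now=None):
    """Server side: returns (accepted, reason)."""
    now = int(now if now is not None else time.time())
    try:
        ts = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        sig = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed headers"
    # 1. Cheap freshness check first; clock skew in either direction is tolerated.
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"
    # 2. Constant-time MAC comparison over the canonical string.
    expected = hmac.new(secret, canonical_string(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # 3. Nonce is recorded only after the MAC passes, so an unauthenticated
    #    sender cannot pre-burn nonces and block legitimate requests.
    #    TTL is twice the window: a timestamp may be up to one window in the
    #    future and then remain acceptable for another full window.
    if not cache.add_if_new(nonce, now, 2 * REPLAY_WINDOW_SECONDS):
        return False, "replayed nonce"
    return True, "ok"


def demo():
    """Constructed scenario: one valid call, then a replay, a tampered body and a stale request."""
    secret = b"shared-secret-for-illustration-only"  # assumption
    cache = NonceCache()
    body = b'{"action": "sync", "club_id": 42}'  # constructed sample body
    headers = sign_request(secret, "POST", "/v1/sync", body, now=1_700_000_000)
    return [
        verify_request(secret, "POST", "/v1/sync", body, headers, cache, now=1_700_000_010),
        verify_request(secret, "POST", "/v1/sync", body, headers, cache, now=1_700_000_020),
        verify_request(secret, "POST", "/v1/sync", body + b" ", headers, NonceCache(), now=1_700_000_020),
        verify_request(secret, "POST", "/v1/sync", body, headers, NonceCache(), now=1_700_000_361),
    ]


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The order of the three checks matters: validating the window before the MAC keeps the cache from filling with garbage, and inserting the nonce only after the MAC passes keeps an attacker without the secret from denying service by guessing nonces.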

Organizational Measures

  • Production data access limited to authorized technical personnel
  • Defined and documented incident response process
  • Secret management policy: regular rotation of API keys and application secrets
  • EU hosting for personal data (AWS eu-west-3 Paris)

7. Sub-processors

The Publisher is authorized by the Client to engage the sub-processors listed on the Subprocessors page of the Platform.

The Publisher undertakes to:

  • Impose on its sub-processors data protection obligations equivalent to those of this DPA;
  • Notify the Client by email at least 30 days before adding any new sub-processor likely to process the Client's data;
  • Include in this notification: the new sub-processor's identity, location, service rendered, and applicable transfer guarantees for transfers outside the EU.

The Client has a right to object within the 30-day period. The objection must be reasoned and sent by email to contact@fitness-vendor.com. If a legitimate objection cannot be resolved, the Client may terminate the ToS without fees.

In the event of an addition without prior notification resulting from an operational emergency, the Publisher informs the Client as soon as possible.

8. Data Subject Rights

The Publisher assists the Client in meeting its obligation to respond to data subject rights requests (access, rectification, erasure, portability, objection, restriction), within the deadlines provided by the GDPR.

When a data subject addresses a request directly to the Publisher, the Publisher forwards it to the Client without undue delay.

The Publisher makes available to the Client the technical tools for exercising these rights:

  • CSV/JSON data export from Settings - My Data (portability)
  • Account deletion from Settings - My Data (erasure)
  • Direct contact: contact@fitness-vendor.com (response time: 30 days)

9. Data at End of Contract

Upon the effective date of Client account termination:

  1. Export available for 30 days: the Client has 30 days to export all their data in CSV/JSON format from the Platform, in accordance with Regulation (EU) 2023/2854 (Data Act);
  2. Automatic deletion at Day +30: upon expiration of the 30-day period, the Publisher proceeds with the permanent and irreversible deletion of all Client data (Meta advertising data, AI conversations, imported CRM data, prospect data) from all its processing systems, including those of its sub-processors;
  3. Legal exceptions: technical security logs are retained 12 months; billing data is retained 10 years pursuant to legal accounting obligations. This data is not covered by this DPA (the Publisher processes it on its own account, see Section 2).

Upon written request from the Client, the Publisher issues a deletion certificate within 15 business days.

10. Data Breach (Articles 33-34 GDPR)

In the event of a personal data breach affecting data processed on behalf of the Client, the Publisher will:

  1. Notify the Client without undue delay and in any event no later than 72 hours after becoming aware of the breach;
  2. Provide the Client with the information necessary to notify the CNIL (the French supervisory authority): nature of the breach, approximate categories and volumes of data and data subjects, likely consequences, and measures taken or planned;
  3. Document the breach in an internal register (facts, effects, corrective measures) made available to the Client on request;
  4. Take appropriate corrective measures without delay to remedy the breach and limit its consequences.

Notifications to the Publisher, including a breach the Client detects on its own side, are sent by email to contact@fitness-vendor.com with the subject "URGENT DATA BREACH".

11. Audits and Documentation

The Publisher makes available to the Client, upon written request, the information necessary to demonstrate compliance with the obligations of this DPA, including:

  • The current list of sub-processors
  • The main technical and organizational security measures
  • Sub-processor compliance attestations (DPAs, certifications)

In the event of a direct audit request, the Parties agree on a reasonable notice period (minimum 30 days), a scope limited to the Client's data, and practical modalities to be jointly defined. Audit costs are at the Client's expense.

12. Transfers Outside the EU

Any transfer of personal data to a third country (outside the European Economic Area) is governed by appropriate safeguards, in accordance with Chapter V of the GDPR:

  • Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision (EU) 2021/914 for transfers to Anthropic (USA), Vercel (USA), Resend (USA), Sentry (USA), Upstash (USA)
  • EU-US Data Privacy Framework (adequacy decision 2023) for transfers to DPF-certified providers
  • EU data for Supabase (AWS eu-west-3 Paris) and Stripe (Dublin, Ireland)

The full list and legal frameworks are available on the Subprocessors page.

Annex - Technical and Organizational Security Measures

  Measure                    Description                                      Standard
  OAuth token encryption     Supabase Vault (AES-256)                         GDPR Art. 32
  Encryption in transit      TLS 1.3                                          GDPR Art. 32
  Data isolation             Postgres RLS (user_id = auth.uid())              GDPR Art. 32
  Strong authentication      Magic link + PKCE + automatic expiration         GDPR Art. 32
  Outbound HMAC signatures   HMAC-SHA256 + anti-replay nonce (6 min)          GDPR Art. 32
  Error monitoring           Sentry EU + automatic PII scrubbing              GDPR Art. 32
  EU hosting                 AWS eu-west-3 Paris                              GDPR Art. 46
  Access logging             Logs 12 months - restricted access               GDPR Art. 32
  Secret management          Regular rotation + secure storage                GDPR Art. 32

DPA Contact

For any request relating to this DPA: contact@fitness-vendor.com

Subject: "AdCoach AI DPA - [your request]"

Response time: 7 business days.