Data Processing Agreement (Addendum to the Terms of Service)
Last updated: May 14, 2026
This Data Processing Agreement (the "DPA") forms an integral part of the Terms of Service (the "Agreement") between the Customer (the "Controller") and the Provider — Individual entrepreneur (ФОП) [[Last Name First Name Patronymic]], Tax ID (РНОКПП) [[XXXXXXXXXX]] (the "Processor", "TraineryApp").
This DPA reflects the parties' agreement on the processing of personal data relating to data subjects in the European Union and the European Economic Area, and applies whenever TraineryApp processes personal data on behalf of the Customer. Where EU GDPR Art. 28 requires a contract between controller and processor, this DPA satisfies that requirement.
1. Definitions
Terms not defined herein bear the meaning given in the GDPR (Regulation (EU) 2016/679) or the Agreement. In particular:
- "Personal Data" — any information relating to an identified or identifiable natural person, processed by TraineryApp on the Customer's behalf via the Service.
- "Processing" — any operation performed on Personal Data within the meaning of GDPR Art. 4(2).
- "Sub-processor" — a third party engaged by TraineryApp to process Personal Data.
- "Data Subject" — the natural person to whom Personal Data relates (typically a member, trainer or staff person of the Customer's organization).
2. Subject Matter, Duration, Nature and Purpose
- Subject matter: processing of Personal Data necessary to provide the TraineryApp Service.
- Duration: for the term of the Agreement, plus any post-termination retention period set out in the Privacy Policy.
- Nature and purpose: hosting, structuring, retrieving, displaying, transmitting and deleting Personal Data to enable bookings, scheduling, member management, notifications and analytics.
- Categories of Data Subjects: Customer's members, trainers, administrative staff, prospective members.
- Categories of Personal Data: identifiers (name, email, phone), profile data, booking and attendance records, pass / membership records, communications metadata, technical/log data.
- Special categories of data: the Customer agrees not to upload special-category data (GDPR Art. 9, including health data) absent prior written agreement.
3. Roles of the Parties
The Customer is the Controller of Personal Data of its members, trainers and staff. TraineryApp is the Processor, processing such Personal Data only on the Customer's documented instructions, including with regard to transfers, except as required by Union or Member State law.
4. Processor Obligations
TraineryApp shall:
- process Personal Data only on documented instructions from the Customer (the Agreement, the Service configuration, and direct written instructions);
- ensure that personnel authorized to process Personal Data are bound by confidentiality;
- implement appropriate technical and organizational measures (Section 7) to ensure a level of security appropriate to the risk;
- respect the conditions for engaging Sub-processors set out in Section 6;
- assist the Customer, taking into account the nature of the processing, in fulfilling its obligation to respond to Data Subject requests (Section 5);
- assist the Customer in ensuring compliance with GDPR Arts. 32–36 (security, breach notification, DPIAs);
- at the Customer's choice, delete or return all Personal Data after the end of provision of services, unless retention is required by Union or Member State law;
- make available to the Customer all information necessary to demonstrate compliance with GDPR Art. 28 and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer (Section 9).
5. Data Subject Requests
TraineryApp shall promptly notify the Customer of any Data Subject request received directly. TraineryApp shall not respond to such requests itself except on the Customer's instructions or as required by law. TraineryApp provides functionality within the Service for the Customer to fulfill access, rectification, erasure, restriction, portability and objection requests; where additional assistance is needed, TraineryApp will provide it taking into account the nature of processing.
6. Sub-processors
The Customer provides general written authorization for TraineryApp to engage Sub-processors. The current list of Sub-processors is published in the Privacy Policy, Section 6.
TraineryApp shall:
- impose, by way of contract, data protection obligations on Sub-processors that are no less protective than those in this DPA;
- remain fully liable to the Customer for the performance of each Sub-processor's obligations;
- provide at least 30 days' prior notice (via email or in-app announcement) of intended changes to Sub-processors. The Customer may object on reasonable data-protection grounds; failing resolution, the Customer may terminate the Agreement.
7. Security Measures (GDPR Art. 32)
TraineryApp implements and maintains appropriate technical and organizational measures, including:
- encryption of data in transit (TLS 1.2+);
- encryption at rest where supported by the underlying storage;
- password hashing using modern algorithms (Argon2 / bcrypt);
- physical isolation of databases between Customer organizations (database-per-tenant architecture);
- role-based access control with the principle of least privilege;
- centralized logging and monitoring of security events;
- regular backups, with backup encryption and tested restore procedures;
- periodic review of access rights of personnel;
- incident response plan with defined escalation roles;
- vendor due diligence prior to onboarding Sub-processors.
8. Personal Data Breach
TraineryApp shall notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting the Customer's data. The notification will describe, to the extent known: the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the breach. TraineryApp cooperates with the Customer in meeting the Customer's notification obligations under GDPR Arts. 33–34.
9. Audits
TraineryApp shall make available to the Customer, on request and no more than once per calendar year (except after a confirmed incident), information necessary to demonstrate compliance with this DPA, in the form of:
- responses to a written security questionnaire;
- copies of relevant third-party audit reports or certifications, where available;
- summary of technical and organizational measures.
On-site audits may be conducted by the Customer (or an independent auditor mandated by the Customer and bound by confidentiality) on at least 30 days' written notice, during business hours, in a manner that does not unreasonably disrupt operations. Costs of an on-site audit are borne by the Customer unless the audit reveals a material non-compliance.
10. International Transfers
TraineryApp's primary processing occurs in the EU (Hetzner, Germany). Where Personal Data is transferred to a Sub-processor in a third country lacking an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) — Module Two (Controller to Processor) between the Customer and TraineryApp, and Module Three (Processor to Sub-processor) between TraineryApp and the relevant Sub-processor. Both parties hereby agree to be bound by such SCCs as if signed.
11. Return or Deletion of Personal Data
On termination of the Agreement, TraineryApp deletes Personal Data from production systems within 30 days, with backups purged within an additional 30 days. The Customer may, before termination, export Personal Data through the Service. Where continued retention is required by applicable law, TraineryApp retains only the data required, and only for the period required, and protects it as set out in this DPA.
12. Liability
Liability under this DPA is governed by the limitations and exclusions set out in Section 7 of the Agreement, without prejudice to mandatory provisions of GDPR Art. 82 regarding compensation of Data Subjects.
13. Order of Precedence
In case of conflict between this DPA, the Agreement and the SCCs (where applicable), the SCCs prevail, then this DPA, then the Agreement.
14. Acceptance
This DPA is automatically incorporated by reference into the Agreement upon the Customer's acceptance of the Terms of Service. Customers requiring a counter-signed copy may request one from privacy@trainery.app.