studioflow

Data Processing Agreement

Effective Date: 9 March 2026

1. What This Agreement Covers

This Data Processing Agreement ("DPA") is between StudioFlow (the data processor) and you, the fitness instructor using StudioFlow (the data controller).

It applies to all personal data belonging to your clients that you store or process using StudioFlow — including contact details, class records, form responses, and communication history.

This DPA forms part of and is incorporated into the StudioFlow Terms of Service. By accepting the Terms of Service, you also accept this DPA. No signature is required.

2. Definitions

  • Personal data — any information relating to an identified or identifiable natural person (your clients)
  • Processing — any operation performed on personal data, including storing, sending, or deleting it
  • Data controller — you, the instructor, who determines the purposes and means of processing your clients' data
  • Data processor — StudioFlow, which processes that data only on your behalf and according to your instructions
  • Sub-processor — a third-party service that StudioFlow uses to help deliver the service (e.g. Twilio for SMS)
  • GDPR — the General Data Protection Regulation (EU) 2016/679

3. How We Process Your Clients' Data

StudioFlow will only process your clients' personal data:

  • To provide the StudioFlow service as described in the Terms of Service
  • According to your instructions as given through your use of the app
  • As required by law — in which case we will inform you unless prohibited from doing so

We will not process your clients' data for any other purpose, including our own marketing or analytics.

4. Confidentiality

StudioFlow ensures that any staff or contractors with access to your clients' personal data are bound by appropriate confidentiality obligations. Access is limited to those who need it to provide the service.

5. Security

StudioFlow implements technical and organisational measures to protect your clients' personal data against unauthorised access, accidental loss, or destruction. These include:

  • Encryption in transit (HTTPS/TLS) and at rest
  • JWT-based authentication with short-lived tokens
  • Rate limiting and account lockout protections
  • Access controls limiting who within StudioFlow can access data
  • Data stored on AWS infrastructure in the EU (eu-west-1)

In the event of a personal data breach affecting your clients' data, we will notify you without undue delay and no later than 72 hours after becoming aware of it, providing sufficient information for you to meet your own notification obligations under GDPR.

6. Sub-Processors

You authorise StudioFlow to use the following sub-processors to deliver the service. Each is engaged under a contract with appropriate data protection obligations.

  Sub-processor                   Purpose                                   Location
  AWS                             Cloud infrastructure and data storage     EU (Ireland)
  Twilio                          SMS delivery                              USA (SCCs)
  AWS SES                         Email delivery                            EU (Ireland)
  Meta (WhatsApp Business API)    WhatsApp messaging                        USA (SCCs)
  PostHog                         Analytics (instructor usage data only)    USA (SCCs)
  Crisp                           Customer support                          EU (France)

SCCs = Standard Contractual Clauses, the GDPR-approved mechanism for transferring data outside the EU. We will notify you by email or in-app notification at least 14 days before adding or replacing any sub-processor. If you object, you may terminate your account.

7. Helping You Meet Your GDPR Obligations

As your data processor, StudioFlow will assist you in meeting your obligations as a data controller, including:

  • Data subject rights: If one of your clients contacts StudioFlow directly to exercise a GDPR right (access, erasure, portability, etc.), we will forward the request to you promptly so you can respond as the data controller
  • Data breach notification: We will notify you of breaches affecting your clients' data within 72 hours (see Section 5)
  • Data Protection Impact Assessments: We will provide reasonable assistance if you need to carry out a DPIA relating to your use of StudioFlow

8. Audit Rights

You have the right to audit StudioFlow's compliance with this DPA. In practice, we will respond to reasonable written information requests to demonstrate compliance. Where an on-site audit is required, this must be agreed in advance, conducted at your cost, and subject to reasonable confidentiality obligations.

9. Data Deletion on Termination

When your StudioFlow account is deleted — whether by you or by us — we will permanently delete all personal data belonging to your clients within 30 days, unless we are required to retain specific records by law.

If you require a copy of your clients' data before deletion, request it by emailing [email address] before closing your account.

10. Your Responsibilities as Data Controller

This DPA does not reduce your own obligations under GDPR. As the data controller, you remain responsible for:

  • Having a lawful basis to collect and process your clients' data
  • Providing your clients with a privacy notice that explains how their data is used
  • Obtaining explicit consent for health or medical data collected via forms
  • Ensuring your clients have consented to receive SMS, email, and WhatsApp communications from you
  • Responding to any data subject rights requests from your clients

11. Governing Law

This DPA is governed by the laws of Ireland. Any disputes arising from it are subject to the exclusive jurisdiction of the Irish courts.

12. Contact

For any questions about this DPA or to exercise your rights under it, contact us at [email address]. We aim to respond within 48 hours.

StudioFlow — Ireland

Email: [email address]

Response time: We aim to respond within 48 hours