Data Processing Agreement (DPA)
Last updated: April 9, 2026
This Data Processing Agreement (the “DPA” or “Agreement”) is entered into between the trainer using the Platform (the “Data Controller” or the “Trainer”) and Arian Roque, operating under the Rutinize brand (the “Data Processor” or the “Provider”; contact: [email protected]).
This DPA forms an integral part of the Terms of Use for Trainers and applies to the extent that the Provider processes personal data of the Trainer’s clients on behalf of the Trainer.
1. Definitions
- Personal Data: any information about an identified or identifiable natural person entered into the Platform.
- Processing: any operation performed on Personal Data.
- Data Controller: the Trainer, who determines the purposes and means of processing their clients’ data.
- Data Processor: the Provider (Rutinize), who processes data on behalf of the Trainer.
- Sub-processor: any third party engaged by the Provider for specific processing activities.
- Data Subject: the natural person to whom Personal Data relates (primarily the Trainer’s clients).
- Data Breach: a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- Applicable Regulations: GDPR, UK GDPR, LGPD (Brazil), PIPEDA/Quebec Law 25 (Canada), CCPA/CPRA (California), and any other applicable data protection law.
2. Acknowledgment of roles
- The Trainer acts as Data Controller for their clients’ Personal Data: they determine what data to request, for what purpose and for how long.
- The Provider acts as Data Processor for that same data, solely to the extent necessary to provide the Platform.
- The Provider acts as an independent Data Controller with respect to the Trainer’s own data (account, access, billing), governed by the Privacy Policy for Trainers.
3. Subject matter, purpose and duration of processing
3.1 Subject matter
The Provider will process Client data solely to provide the Platform services, including:
- Storage and management of client profiles.
- Storage of dynamic form responses.
- Management of training histories, plans, routines, metrics and progressions.
- Processing of country data for tax purposes (if the Trainer enables that feature).
- Content personalization by language and time zone.
- Detection and resolution of technical errors.
3.2 Types of data processed
- Basic identification: name, email address.
- Location and preferences: country, language, time zone.
- Form responses: content depends on what the Trainer configures; may include health data, injury history, goals, body measurements or other information.
- Training data: routines, loads, sets, reps, frequency, progressions, performance metrics.
- Tax data: client’s country when the Trainer enables the tax management feature.
The Provider does not control the categories of data the Trainer requests via dynamic forms. If the Trainer collects special categories (e.g., health data under GDPR Art. 9), the Trainer is responsible for having the appropriate legal basis.
3.3 Duration
The Provider will process Personal Data for as long as the Trainer maintains an active account and the relevant client remains associated with that account.
4. Trainer’s instructions and use limitation
The Provider will process data only in accordance with the Trainer’s documented instructions and will not use it for its own commercial purposes, profile building for third-party sale, targeted advertising or any purpose incompatible with providing the Platform.
5. Provider’s obligations
5.1 Confidentiality
The Provider will ensure that persons authorized to process the data are subject to appropriate confidentiality obligations.
5.2 Security
The Provider will implement appropriate technical and organizational measures, including:
- Encryption in transit (HTTPS/TLS) and, where technically feasible, at rest.
- Role-based access controls.
- Secure authentication mechanisms.
- Incident detection, investigation and notification procedures.
- Regular backups.
5.3 Assistance to the Trainer
The Provider will assist the Trainer, to the extent possible, in responding to data subject rights requests and in complying with security, breach notification and impact assessment obligations.
6. Sub-processors
The Provider may engage sub-processors to provide the services. Current sub-processors:
| Sub-processor | Function | Location |
|---|---|---|
| Railway Corp. | Hosting infrastructure | USA |
| Cloudflare, Inc. | Domain management and network | USA |
| Mailgun / Sinch | Email delivery | USA/EU |
| Stripe, Inc. | Payment processing | USA |
The Provider will impose equivalent data protection obligations on sub-processors. The Trainer accepts the use of these sub-processors upon accepting the Terms of Use. The Provider will notify the Trainer with reasonable advance notice of any changes to the sub-processor list, giving the Trainer the opportunity to object.
7. International transfers
Sub-processors are based in the USA. The Provider endeavors to ensure that transfers are carried out with adequate safeguards (EU Standard Contractual Clauses, UK ICO Addendum, or equivalent mechanisms for other jurisdictions).
8. Data breach notification
If the Provider becomes aware of a data breach affecting the Trainer’s data, it will notify the Trainer without undue delay and in any case within 72 hours of becoming aware.
The notification will include: description of the breach, categories and approximate number of affected data subjects, Provider contact details, likely consequences and measures taken or proposed.
9. Data subject rights
The Provider will technically assist the Trainer in responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection) within the timeframes set by applicable law.
10. Data Protection Impact Assessments (DPIAs)
If the Trainer considers that the processing requires a DPIA under GDPR Art. 35, the Provider will supply available Platform information relevant to that assessment.
11. Audits
The Trainer has the right to verify the Provider’s compliance with this DPA through documentation review or reasonable audits agreed in advance, with a minimum 30-day notice period except in justified emergencies.
12. Deletion or return of data
Upon termination of the service contract, the Provider will securely delete or anonymize the Trainer’s clients’ Personal Data within 30 days of the Trainer’s request or account closure. The Trainer may request a data export beforehand through the Platform’s available channels.
13. Records of processing activities
The Provider will maintain records of processing activities carried out on behalf of the Trainer as required by GDPR Art. 30(2).
14. Liability
The liability of the Parties under this DPA is governed by the Terms of Use for Trainers. Each Party is responsible for the consequences arising from its own non-compliance.
15. Governing law
This DPA is governed by the laws of Canada. For EU-based Trainers, GDPR provisions are mandatory and prevail over any conflicting provisions.
16. Acceptance
By receiving access credentials to the Platform and beginning to use it, the Trainer accepts this DPA and its obligations to the same extent as the Terms of Use for Trainers.
17. Contact
For any question relating to this DPA: [email protected]