Home / Legal Documents / Trainers
Trainers

Data Processing Agreement (DPA)

Last updated: April 9, 2026

This Data Processing Agreement (the “DPA” or “Agreement”) is entered into between the trainer using the Platform (the “Data Controller” or the “Trainer”) and Arian Roque, operating under the Rutinize brand (the “Data Processor” or the “Provider”; contact: [email protected]).

This DPA forms an integral part of the Terms of Use for Trainers and applies to the extent that the Provider processes personal data of the Trainer’s clients on behalf of the Trainer.


1. Definitions


2. Acknowledgment of roles


3. Subject matter, purpose and duration of processing

3.1 Subject matter

The Provider will process Client data solely to provide the Platform services, including:

3.2 Types of data processed

The Provider does not control the categories of data the Trainer requests via dynamic forms. If the Trainer collects special categories (e.g., health data under GDPR Art. 9), the Trainer is responsible for having the appropriate legal basis.

3.3 Duration

The Provider will process Personal Data for as long as the Trainer maintains an active account and the relevant client remains associated with that account.


4. Trainer’s instructions and use limitation

The Provider will process data only in accordance with the Trainer’s documented instructions and will not use it for its own commercial purposes, profile building for third-party sale, targeted advertising or any purpose incompatible with providing the Platform.


5. Provider’s obligations

5.1 Confidentiality

The Provider will ensure that persons authorized to process the data are subject to appropriate confidentiality obligations.

5.2 Security

The Provider will implement appropriate technical and organizational measures, including:

5.3 Assistance to the Trainer

The Provider will assist the Trainer, to the extent possible, in responding to data subject rights requests and in complying with security, breach notification and impact assessment obligations.


6. Sub-processors

The Provider may engage sub-processors to provide the services. Current sub-processors:

Sub-processorFunctionLocation
Railway Corp.Hosting infrastructureUSA
Cloudflare, Inc.Domain management and networkUSA
Mailgun / SinchEmail deliveryUSA/EU
Stripe, Inc.Payment processingUSA

The Provider will impose equivalent data protection obligations on sub-processors. The Trainer accepts the use of these sub-processors upon accepting the Terms of Use. The Provider will notify the Trainer with reasonable advance notice of any changes to the sub-processor list, giving the Trainer the opportunity to object.


7. International transfers

Sub-processors are based in the USA. The Provider endeavors to ensure that transfers are carried out with adequate safeguards (EU Standard Contractual Clauses, UK ICO Addendum, or equivalent mechanisms for other jurisdictions).


8. Data breach notification

If the Provider becomes aware of a data breach affecting the Trainer’s data, it will notify the Trainer without undue delay and in any case within 72 hours of becoming aware.

The notification will include: description of the breach, categories and approximate number of affected data subjects, Provider contact details, likely consequences and measures taken or proposed.


9. Data subject rights

The Provider will technically assist the Trainer in responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection) within the timeframes set by applicable law.


10. Data Protection Impact Assessments (DPIAs)

If the Trainer considers that the processing requires a DPIA under GDPR Art. 35, the Provider will supply available Platform information relevant to that assessment.


11. Audits

The Trainer has the right to verify the Provider’s compliance with this DPA through documentation review or reasonable audits agreed in advance, with a minimum 30-day notice period except in justified emergencies.


12. Deletion or return of data

Upon termination of the service contract, the Provider will securely delete or anonymize the Trainer’s clients’ Personal Data within 30 days of the Trainer’s request or account closure. The Trainer may request a data export beforehand through the Platform’s available channels.


13. Records of processing activities

The Provider will maintain records of processing activities carried out on behalf of the Trainer as required by GDPR Art. 30(2).


14. Liability

The liability of the Parties under this DPA is governed by the Terms of Use for Trainers. Each Party is responsible for the consequences arising from its own non-compliance.


15. Governing law

This DPA is governed by the laws of Canada. For EU-based Trainers, GDPR provisions are mandatory and prevail over any conflicting provisions.


16. Acceptance

By receiving access credentials to the Platform and beginning to use it, the Trainer accepts this DPA and its obligations to the same extent as the Terms of Use for Trainers.


17. Contact

For any question relating to this DPA: [email protected]