CoachTone

Data Processing Addendum

Effective date: 3 May 2026

This Data Processing Addendum ("DPA") forms part of the agreement between CoachTone ("Processor", "we", "us") and the user of the Service ("Controller", "you"). It governs the processing of personal data carried out by CoachTone on your behalf when you use the Service.

This DPA is incorporated by reference into our Terms of Service. Capitalised terms not defined here have the meaning given in the Terms of Service or the EU General Data Protection Regulation 2016/679 ("GDPR").

1. Definitions

  • "Controller", "Processor", "Personal Data", "Processing", "Data Subject", "Sub-Processor", and "Personal Data Breach" have the meanings given in Article 4 of the GDPR.
  • "Client Data" means Personal Data relating to your fitness or coaching clients that you submit to the Service.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission under Implementing Decision (EU) 2021/914 of 4 June 2021.

2. Roles of the Parties

The parties acknowledge and agree that, with regard to the Processing of Client Data:

  • You are the Controller;
  • CoachTone is the Processor; and
  • CoachTone engages Sub-Processors as set out in Annex 2 to perform certain Processing activities on our behalf.

With regard to your own account data (your name, email address, billing details, and similar information you provide directly), CoachTone is a Controller. The handling of that data is governed by our Privacy Policy, not by this DPA.

3. Subject Matter, Duration, Nature, and Purpose of Processing

3.1 Subject matter

The Processing of Client Data necessary for CoachTone to provide the Service to you in accordance with the Terms of Service.

3.2 Duration

For as long as you maintain an active account with CoachTone, plus any retention period required to fulfil our obligations under the Terms of Service or applicable law.

3.3 Nature and purpose

CoachTone processes Client Data to: receive check-in content; analyse it using an AI pipeline (running on Anthropic's API); generate adherence scorecards, awareness flags, coaching strategy recommendations, and reply drafts; store the analysis and reply for your future reference; and apply your individual coaching voice to personalise outputs.

3.4 Categories of Data Subjects

Your fitness or coaching clients whose data you submit to the Service.

3.5 Categories of Personal Data

Identification data (typically first name only), goal statements, free-text check-in content, training and nutrition adherence data, body metrics (e.g. weight), and information you choose to record about a client's injuries, training phase, dietary approach, and personal context. These categories may include special category data within the meaning of Article 9 GDPR (data concerning health).

4. CoachTone's Obligations as Processor

CoachTone shall:

  • (a) Documented instructions. Process Client Data only on your documented instructions, including with regard to transfers of Client Data to a third country, unless required to do so by EU or Member State law to which we are subject. The Terms of Service and your normal use of the Service constitute your documented instructions to us.
  • (b) Confidentiality. Ensure that personnel authorised to process Client Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • (c) Security. Implement and maintain the technical and organisational measures described in Annex 1 to ensure a level of security appropriate to the risk.
  • (d) Sub-processors. Engage Sub-Processors only in accordance with Section 5.
  • (e) Data subject requests. Assist you, taking into account the nature of the Processing, by appropriate technical and organisational measures, in fulfilling your obligation to respond to requests from Data Subjects to exercise their rights under Chapter III of the GDPR.
  • (f) Assistance. Assist you in ensuring compliance with your obligations under Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of the Processing and the information available to us.
  • (g) Return or deletion. At your choice, delete or return all Client Data to you after the end of the provision of the Service relating to Processing, and delete existing copies, unless EU or Member State law requires storage of the Client Data.
  • (h) Audit information. Make available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.

5. Sub-Processors

You hereby grant CoachTone general written authorisation to engage the Sub-Processors listed in Annex 2 for the purpose of providing the Service.

CoachTone shall:

  • Enter into a written agreement with each Sub-Processor imposing data protection terms substantially equivalent to those imposed on CoachTone under this DPA;
  • Remain fully liable to you for the acts and omissions of any Sub-Processor as if they were our own;
  • Inform you of any intended changes concerning the addition or replacement of Sub-Processors at least 30 days in advance, by updating the list at Annex 2 and notifying you by email or in-app notice;
  • Where you reasonably object to a new Sub-Processor on data-protection grounds within 14 days of our notice, work with you in good faith to find a workable resolution. If no resolution can be reached, you may terminate the affected portion of the Service without penalty.

6. International Transfers

Some Sub-Processors are based outside the European Economic Area (EEA). Where CoachTone transfers Client Data outside the EEA to a country that does not benefit from a European Commission adequacy decision, the transfer is governed by the Standard Contractual Clauses, which are incorporated into our agreements with each non-EEA Sub-Processor.

For Sub-Processors located in the United States, CoachTone has conducted a Transfer Impact Assessment for each provider and applies appropriate supplementary measures as recommended by the European Data Protection Board, including the use of zero-retention API processing where available, encryption in transit (TLS 1.2 or higher), encryption at rest, and contractual prohibitions on the use of Client Data for model training.

7. Personal Data Breach Notification

CoachTone shall notify you of any Personal Data Breach affecting Client Data without undue delay and, where feasible, within 48 hours of becoming aware of it. The notification will include, to the extent then known:

  • The nature of the breach, categories and approximate number of Data Subjects affected, and categories and approximate number of Client Data records concerned;
  • The likely consequences of the breach;
  • The measures we have taken or propose to take to address the breach and mitigate its effects.

Notification will be made to the email address associated with your CoachTone account. You acknowledge that, as Controller, you are responsible for any onward notifications to your supervisory authority and to your clients as required by Articles 33 and 34 of the GDPR.

8. Data Subject Rights

Where CoachTone receives a request directly from one of your clients seeking to exercise their data-protection rights, we will, to the extent legally permitted, redirect the request to you without acting on it. You remain responsible for responding to your clients' requests.

We provide the following self-service tools to assist you in responding:

  • Access & portability: a one-click export of all Client Data you have submitted, available from the Billing page;
  • Rectification: in-app editing of every client and check-in record;
  • Erasure: in-app deletion of individual clients (which cascades to their check-in history) and one-click deletion of your entire account.

9. Audits and Inspections

We will make available to you, on reasonable written request and no more than once per twelve-month period, the information necessary to demonstrate our compliance with this DPA. This information may include third-party audit reports, security certifications, completed self-assessment questionnaires, or written responses to specific questions.

On-site audits will be considered only where: (a) you provide evidence that documentation alone is insufficient to satisfy a regulator's reasonable enquiry; (b) reasonable advance written notice is given; and (c) the audit is conducted under terms (including confidentiality, scope, and cost-sharing) reasonably acceptable to both parties.

10. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or any other theory of liability, is subject to the limitation of liability provisions of the Terms of Service. The aggregate cap on CoachTone's liability under the Terms of Service applies in aggregate to all claims under both the Terms of Service and this DPA.

11. Term and Termination

This DPA takes effect on the date you accept the Terms of Service and continues for the duration of your account. On termination of your account, the deletion or return obligations in Section 4(g) apply.

Sections 7 (Breach Notification, in respect of breaches occurring before termination), 9 (Audits, for 12 months after termination), and 10 (Liability) survive termination.

12. Conflicts and Order of Precedence

In the event of any conflict between this DPA, the Terms of Service, and any Standard Contractual Clauses entered into between the parties, the order of precedence is: (1) the Standard Contractual Clauses, (2) this DPA, (3) the Terms of Service.

Annex 1 — Technical and Organisational Security Measures

CoachTone implements and maintains the following measures to protect Client Data:

Encryption

  • All Client Data in transit is encrypted using TLS 1.2 or higher.
  • All Client Data at rest is encrypted at the storage layer.

Access control

  • Application-level isolation: every database query is scoped to the authenticated coach's user identifier; cross-coach data access is impossible at the application layer.
  • Production database access is restricted to a small set of personnel and requires multi-factor authentication.
  • Authentication is provided by Clerk; passwords are never stored on CoachTone servers.

Network and application security

  • HTTP Strict Transport Security (HSTS), Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers applied to all responses.
  • Server-side input validation and parameter binding on every request.
  • Rate limiting on sensitive endpoints to deter abuse.
  • Application errors are reported to a monitoring system configured to redact request bodies and disable collection of IP addresses, cookies, and HTTP headers; check-in content is never sent.

Supply-chain security

  • Each Sub-Processor is selected on the basis of a written DPA and applicable transfer mechanism.
  • API requests to AI Sub-Processors carry zero-retention flags where available.

Operational security

  • Production deployment is automated and version-controlled.
  • Backups of personal data are encrypted and retained in line with the retention schedule in our Privacy Policy.
  • An incident-response procedure is in place covering detection, containment, notification, and post-incident review.

Annex 2 — List of Sub-Processors

The following Sub-Processors are engaged by CoachTone to process Client Data on our behalf as of the effective date of this DPA:

Clerk Inc.

Location: United States

Purpose: User authentication and session management.

Transfer mechanism: Standard Contractual Clauses.

Anthropic, PBC

Location: United States

Purpose: AI language-model processing of check-in content via API. Zero-retention processing where available.

Transfer mechanism: Standard Contractual Clauses.

Vercel Inc.

Location: United States (global edge CDN)

Purpose: Application hosting and serverless function execution.

Transfer mechanism: Standard Contractual Clauses.

Neon Inc.

Location: EU region where available

Purpose: Managed PostgreSQL database storing your account data, client records, check-ins, and analyses.

Transfer mechanism: DPA in place; SCCs where applicable.

Stripe Payments Europe Ltd

Location: Ireland (EU)

Purpose: Payment processing and subscription management. No Client Data is shared with Stripe.

Transfer mechanism: EU entity; no third-country transfer.

Functional Software Inc. (Sentry)

Location: Germany (EU — de.sentry.io)

Purpose: Application error monitoring. Receives technical error metadata and your user ID; never receives check-in content, client names, or voice samples.

Transfer mechanism: EU region; no third-country transfer.

We will update this list and notify you in advance of any changes in accordance with Section 5.

Contact

For all matters relating to this DPA:

CoachTone — Legal
Ireland
Legal: legal@coachtone.net
Privacy: privacy@coachtone.net
