Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the Customer (“Coach,” “you,” the Controller) and Designatic, LLC, doing business as CoachingHQ (“CoachingHQ,” the Processor). It governs CoachingHQ’s processing of Personal Data relating to your clients (“End Clients”) when you use the Service. If there is a conflict between this DPA and the Terms regarding data protection, this DPA controls.
Roles in plain English. Your clients’ data is yours. You decide why and how it’s used — you are the controller. CoachingHQ only processes that data to provide the Service to you, following your instructions — we are the processor. CoachingHQ’s own relationship with you as an account holder (billing, login) is covered by the Privacy Policy.
1. Definitions
Capitalized terms not defined here have the meaning in the Terms. “Personal Data,” “processing,” “controller,” “processor,” “sub-processor,” and “data subject” have the meanings given under applicable data protection laws (including the EU/UK GDPR and the California CPRA, as applicable). “End Client Data” means Personal Data about your End Clients that CoachingHQ processes on your behalf.
2. Scope & roles
For End Client Data, you are the controller (or processor acting for another controller) and CoachingHQ is the processor (or sub-processor). CoachingHQ will process End Client Data only on your documented instructions, which include the Terms, this DPA, your configuration of the Service, and your use of its features — unless required by law (in which case CoachingHQ will, where permitted, notify you).
3. Details of processing
| Subject matter | Provision of the CoachingHQ Service (dashboards, at-risk flagging, wins pages) to the Coach. |
|---|---|
| Nature & purpose | Syncing, storing, organizing, aggregating, analyzing, and displaying End Client Data to help the Coach monitor and retain clients. |
| Duration | For the term of the subscription, plus the deletion/return period in Section 11. |
| Categories of data subjects | The Coach’s End Clients (and the Coach’s own staff/coaches, where applicable). |
| Categories of Personal Data | Identifiers (name, contact details), coach assignment, and health-adjacent fitness data: body weight and body stats, nutrition/macros, step counts, workout completion, goals, habits, and engagement/messaging activity. |
| Special-category data | The data is fitness/wellness data, which may be sensitive. The Service is not intended for HIPAA-regulated PHI or for special-category data requiring heightened protections beyond those described here. To the extent any synced data constitutes a special category of personal data under GDPR Art. 9, the Coach (as controller) is responsible for establishing a lawful basis and obtaining any explicit consent required from End Clients; CoachingHQ processes such data only on the Coach’s documented instructions and under the safeguards in this DPA. |
4. Customer obligations & consent warranty
You represent and warrant that you have established a lawful basis and obtained all rights, permissions, notices, and consents required to (a) collect End Client Data, (b) provide it to CoachingHQ, and (c) have CoachingHQ process it as described in this DPA and the Terms. You are responsible for the accuracy of your processing instructions and for ensuring they comply with applicable law.
You will not instruct CoachingHQ to process End Client Data in a way that violates applicable data protection law, and you will not submit data that the Service is not designed to handle (including HIPAA PHI).
5. CoachingHQ obligations
- Instructions. Process End Client Data only on your documented instructions.
- Confidentiality. Ensure personnel authorized to process End Client Data are bound by confidentiality obligations.
- Security. Implement appropriate technical and organizational measures (Section 6).
- Assistance. Taking into account the nature of processing, reasonably assist you in responding to data-subject requests and in meeting your security, breach-notification, and (where applicable) data-protection-impact-assessment obligations.
- Cooperation. Make available information reasonably necessary to demonstrate compliance with this DPA.
6. Security measures
CoachingHQ maintains reasonable and appropriate technical and organizational measures designed to protect End Client Data, including:
- Encryption of data in transit and encryption of sensitive credentials;
- Access controls and the principle of least privilege;
- Per-tenant data isolation;
- Use of a single read-only Trainerize API key per Coach, which the Coach can revoke at any time; and
- Reliance on reputable infrastructure providers (see Section 7).
CoachingHQ’s current technical and organizational measures include: encryption of data in transit (TLS) and at rest; authentication and role-based access control via PropelAuth; least-privilege access to production systems; reliance on Cloudflare’s infrastructure security and access controls; and use of read-only Trainerize API keys scoped to each Coach. These measures will continue to mature as the program develops.
7. Sub-processors
You authorize CoachingHQ to engage the following sub-processors to process End Client Data in connection with the Service:
| Sub-processor | Function | Location |
|---|---|---|
| Cloudflare | Hosting, storage, content delivery, security | Global / United States |
| Trainerize | Source system synced via the Coach’s read-only API key | United States |
| PropelAuth | Authentication / access control | United States |
| Easy Pay Direct | Payment & invoicing (Coach billing data; generally not End Client Data) | United States |
CoachingHQ will impose data-protection obligations on its sub-processors that are no less protective than those in this DPA, and remains responsible for their performance. We will give you reasonable advance notice of any new sub-processor that will process End Client Data, and you may object on reasonable data-protection grounds; if we cannot resolve the objection, you may terminate the affected Service as your remedy. We will provide at least thirty (30) days’ notice by email before a new sub-processor begins processing End Client Data.
8. Data subject requests
If CoachingHQ receives a request from an End Client to exercise their rights, it will, where lawful, direct the request to you and not respond directly except to confirm the request relates to you. Taking into account the nature of processing, CoachingHQ will provide reasonable assistance to enable you to respond.
9. Personal data breaches
CoachingHQ will notify you without undue delay after becoming aware of a Personal Data breach affecting End Client Data, and will provide information reasonably available to it to help you meet your notification obligations. We will use reasonable efforts to provide this notice within seventy-two (72) hours of becoming aware.
10. International transfers
End Client Data may be processed in the United States and other locations where our sub-processors operate. Where required by applicable law, the parties will rely on a valid transfer mechanism (such as the Standard Contractual Clauses, which are incorporated by reference where applicable). [Attach/incorporate SCCs if you serve EU/UK customers.]
11. Return & deletion
On termination or expiry of the subscription, CoachingHQ will, at your choice, delete or return End Client Data, and delete existing copies, within a commercially reasonable period, and generally within ninety (90) days of termination, unless retention is required by law.
12. Audit
CoachingHQ will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to reasonable audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable confidentiality, scheduling, and security conditions. In practice, CoachingHQ expects to satisfy such requests by providing written security documentation and responses to reasonable security questionnaires.
13. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service.
14. Governing law
This DPA is governed by the same law and venue as the Terms of Service (State of Colorado), except where applicable data protection law requires otherwise.
15. Contact
Designatic, LLC (DBA CoachingHQ)
Registered agent: Hutchinson Black and Cook, Boulder, Colorado
Mailing address: c/o Hutchinson Black and Cook, LLC (registered agent), 921 Walnut St #200, Boulder, CO 80302
Email: hello@coachinghq.ai