Data Processing Addendum (DPA)

Updated: Nov 24, 2025

This Data Processing Addendum (“Addendum”) forms part of the GymAscend App Service Agreement (the “Agreement”) between:

- GymAscend LTD (“Provider” or “Processor”), and
- Customer (“Customer” or “Controller”).

Each a “Party” and together the “Parties.”


1. DEFINITIONS
For purposes of this Addendum:
- “Controller” means the entity that determines the purposes and means of the processing of Personal Data (the Customer).
- “Processor” means the entity that processes Personal Data on behalf of the Controller (the Provider).
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Applicable Law” means all applicable data protection laws, including but not limited to:
  - the EU General Data Protection Regulation 2016/679 (“GDPR”);
  - the UK Data Protection Act 2018 and UK GDPR;
  - the California Consumer Privacy Act of 2018 (“CCPA”);
  - the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”);
  - the Australian Privacy Act 1988;
  - and any successor or equivalent legislation.
- “Subprocessor” means any third party engaged by Provider to process Personal Data on behalf of the Controller.

2. SUBJECT MATTER AND DURATION
2.1 This Addendum governs the processing of Personal Data by Provider on behalf of Customer in connection with the Services described in the Agreement.
2.2 Processing will continue for the Term of the Agreement and until all Personal Data has been returned or deleted in accordance with Section 10.


3. ROLES OF THE PARTIES
3.1 The Customer acts as Controller.
3.2 The Provider acts as Processor and will process Personal Data only in accordance with documented instructions from the Customer, unless otherwise required by Applicable Law.


4. NATURE AND PURPOSE OF PROCESSING
Provider will process Personal Data as necessary to deliver the Services, which may include:
- Managing gym member accounts, profiles, and progress.
- Delivering fitness, nutrition, and wellness recommendations.
- Enabling communication and community features.
- Providing analytics and reporting to the Customer.
- Hosting, storing, and backing up data.
Types of data processed may include:
- Identification data (name, email, phone number).
- Demographic data (age, gender).
- Fitness and wellness data (goals, activity, progress).
Categories of data subjects:
- Gym members (end-users).
- Customer’s staff and trainers.


5. OBLIGATIONS OF THE CUSTOMER (CONTROLLER)
The Customer shall:
5.1 Ensure it has a lawful basis for processing and sharing Personal Data with Provider.
5.2 Provide required privacy notices and obtain all necessary consents from data subjects.
5.3 Ensure data shared with Provider is accurate and up-to-date.


6. OBLIGATIONS OF THE PROVIDER (PROCESSOR)
The Provider shall:
6.1 Process Personal Data solely for the purposes of providing the Services and in accordance with Customer’s documented instructions.
6.2 Implement and maintain appropriate technical and organizational measures to protect Personal Data.
6.3 Ensure staff authorized to process data are subject to confidentiality obligations.
6.4 Notify the Customer without undue delay of any Personal Data breach, including sufficient information to enable the Customer to meet its own legal obligations.
6.5 Assist the Customer in fulfilling obligations regarding data subject rights (access, rectification, erasure, portability, objection).
6.6 Be entitled to create and retain anonymised and aggregated data derived from Personal Data and to use such data for internal business purposes, product improvement, analytics, and benchmarking. Such anonymised and aggregated data shall not identify any individual or Customer and shall no longer be considered Personal Data under this Addendum.


7. SUBPROCESSORS
Provider may use trusted third-party providers (e.g., hosting, cloud services) to deliver the Services. Provider will ensure such providers are subject to equivalent data protection obligations. A list of subprocessors is available upon request.


8. INTERNATIONAL DATA TRANSFERS
8.1 Provider may transfer Personal Data outside the EEA, UK, Canada, or Australia where necessary for service delivery.
8.2 Where such transfers occur, Provider shall ensure compliance with Applicable Law, including execution of the EU Standard Contractual Clauses or UK Addendum where required.


9. TERMINATION AND DATA RETURN
9.1 Upon termination of the Agreement, Provider shall, at the Customer’s written request, either:
- Delete all Personal Data processed on behalf of the Customer, or
- Return such Personal Data in a commonly used electronic format.
9.2 Provider may retain copies only where required by law or for backup integrity, in which case it will continue to protect such data under this Addendum.


10. LIABILITY
Each Party’s liability under this Addendum shall be subject to the limitations of liability set out in the Agreement, except where prohibited by Applicable Law.


11. PRIORITY
In the event of any conflict between this Addendum and the Agreement, this Addendum shall prevail with respect to Personal Data processing.