Legal — Professionals
Data Processing Agreement
DPA — Article 28 of Regulation (EU) 2016/679 (GDPR)
This Data Processing Agreement ("DPA") is entered into between FitResa (Susanoo SAS), as data processor, and any Professional subscribed to the FitResa platform, as data controller. It is accepted electronically upon Professional account creation and forms an addendum to FitResa's Terms of Service and Terms of Sale. It is mandatory under Article 28 of the General Data Protection Regulation (GDPR — Regulation EU 2016/679).
Parties
The Processor
Susanoo SAS, registered at 7 RUE DU GENERAL LECLERC, 94350 VILLIERS-SUR-MARNE, SIRET 882 462 849 000 10, represented by Hervé BOYER. Hereinafter "FitResa".
The Controller
Any natural or legal person who has created a Professional account on the FitResa platform and accepted these terms. Hereinafter "the Professional".
Article 1 — Subject matter and duration
This DPA sets out the rights and obligations of FitResa as a processor of personal data that the Professional, as data controller, entrusts to it in connection with the use of the FitResa platform.
FitResa processes this data on behalf of the Professional to provide the SaaS services described in the ToS and GTS (schedule management, bookings, client database, communications).
This DPA takes effect on the date of acceptance by the Professional and remains in force for the duration of the subscription. It terminates automatically upon cancellation or expiry of the subscription.
Article 2 — Nature, purpose and characteristics of processing
| Characteristic | Description |
|---|---|
| Subject matter | Provision of FitResa SaaS services: schedule management, bookings, client relationship and communications |
| Nature of operations | Collection, recording, organisation, structuring, storage, consultation, communication, erasure |
| Purposes | Enable the Professional to manage their sports/wellness business and client relationships via the FitResa platform |
| Duration | Duration of the Professional's subscription + 30 days for data export after termination |
| Territory | European Union |
Article 3 — Personal data processed
| Data category | Examples | Data subjects |
|---|---|---|
| Identity data | Name, first name, email, phone | Professional's End Users (clients) |
| Booking data | Date, time, service type, status, history | Professional's End Users |
| Health data (optional) | Injuries, contraindications, medical information entered in client profiles | Professional's End Users |
| Payment data | Stripe transaction reference (not card data) | Professional's End Users |
| Communication data | History of emails/SMS sent via the platform | Professional's End Users |
Article 4 — Sub-processors
The Professional authorises FitResa to engage the following sub-processors. FitResa undertakes to notify the Professional by email of any addition or replacement of a sub-processor with 30 days' notice, during which the Professional may object.
| Sub-processor | Role | Country | GDPR guarantees |
|---|---|---|---|
| Stripe | Payments (subscriptions) | USA | SCCs + DPA |
| Resend | Transactional emails | EU | DPA |
| SMSFactor / SMS Partner | SMS sending | France (EU) | DPA |
| Anthropic (Claude API) | AI features | USA | DPA + SCCs |
| Ionos SE | VPS hosting | EU | DPA |
Article 5 — FitResa's obligations (Processor)
FitResa undertakes to:
- Process personal data only on documented instructions from the Professional, unless required otherwise by law — the ToS and this DPA constitute the documented instructions.
- Ensure that persons authorised to process the data are subject to appropriate confidentiality obligations.
- Implement appropriate technical and organisational security measures as required by Article 32 GDPR (TLS/AES-256 encryption, access control, logging, backups).
- Comply with the conditions for engaging sub-processors (see Article 4).
- Assist the Professional, to the extent possible, in fulfilling its obligation to respond to data subject rights requests.
- Assist the Professional in meeting its obligations regarding security, data breaches, DPIAs and prior consultation.
- Notify the Professional without undue delay (and within 72 hours at most) upon becoming aware of a personal data breach affecting their data.
- Delete or return all personal data to the Professional at the end of the contract, at the Professional's choice, and delete existing copies unless legally required to retain them.
- Make available all information necessary to demonstrate compliance with this DPA, and allow for audits.
Article 6 — Professional's obligations (Controller)
The Professional undertakes to:
- Collect their clients' personal data in compliance with the GDPR (legal basis, information notices, retention periods).
- Only instruct FitResa to carry out lawful processing under the GDPR.
- Inform their clients (End Users) that FitResa is used as a processor, including in their own privacy policy.
- Obtain explicit consent from their clients for any processing of sensitive data (including health data entered in client profiles).
- Respond to data subject rights requests forwarded by FitResa.
- Immediately notify FitResa of any instruction that appears to violate the GDPR or other applicable regulation.
Article 7 — Transfers outside the European Union
FitResa may engage sub-processors established outside the European Union (notably Stripe and Anthropic, based in the United States). These transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission or an equivalent mechanism. FitResa undertakes to keep the sub-processor list up to date and to inform the Professional of any changes (see Article 4).
Article 8 — Data security
FitResa implements the following security measures:
• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Secure authentication via magic link (no plaintext password stored)
• Role-based access control (RBAC) — each Professional only accesses their own data
• Access logging and sensitive operation auditing
• Regular and tested backups
• Monitoring and alerts for abnormal activity
FitResa commits to maintaining these measures and adapting them to evolving risks and technologies.
Article 9 — Personal data breaches
In the event of a personal data breach within the meaning of Article 4(12) GDPR (destruction, loss, alteration, unauthorised disclosure or access), FitResa undertakes to:
1. Notify the Professional without undue delay and within 72 hours of becoming aware of the breach.
2. Provide a description of the nature of the breach, the categories of data and individuals affected, and the measures taken or planned.
3. Assist the Professional in meeting its notification obligations to the CNIL and affected individuals where necessary.
Article 10 — Data return and deletion
Upon expiry or termination of the subscription, FitResa undertakes to:
• Allow the Professional to export their data (client database, booking history) in a structured format for 30 days following the end of the subscription.
• Permanently delete all personal data of the Professional's clients after this period, unless legally required to retain them.
• Confirm deletion by email upon the Professional's request.
Article 11 — Audits and documentation
The Professional may at any time request that FitResa provide the information necessary to demonstrate compliance with this DPA. FitResa will provide available information (internal policies, certifications, audit results) within a reasonable timeframe.
On-site audits are possible upon written reasoned request, with 30 days' notice and subject to agreement on practical terms. Audit costs are borne by the Professional unless non-compliance is found.
Article 12 — Governing law and final provisions
This DPA is governed by French law and Regulation (EU) 2016/679 (GDPR). In case of conflict between the DPA and the ToS/GTS, the DPA prevails for all matters relating to personal data protection.
This DPA may be modified by FitResa to reflect legal or regulatory changes. Any material change will be notified to the Professional with 30 days' notice.
The Processor
Susanoo SAS
7 RUE DU GENERAL LECLERC, 94350 VILLIERS-SUR-MARNE
SIRET 882 462 849 000 10
The Controller
The subscribed Professional — identified by their FitResa account
Electronically accepted at registration