Data Processing Agreement
Agreement under Art. 28 GDPR between Coach and Platform for the processing of trainee data.
1. Subject matter
This agreement is concluded between the Coach (controller per Art. 4 No. 7 GDPR) and the Platform (processor per Art. 4 No. 8 GDPR):
Ironstead — Owner Jakob Seiffert
Kentroper Weg 60a, 59063 Hamm, Germany
Email: datenschutz@iron-stead.com
(hereinafter "Platform")
The Platform processes personal data of trainees on behalf of the Coach (training data, RPE, notes, photo uploads, chat content). This agreement governs the obligations of both parties under Art. 28 GDPR.
2. Data processed
- Trainee master data: name, email, date of birth, gender, height, weight.
- Training data: exercises, sets, repetitions, load, RPE, rest periods, notes.
- Photo uploads (progress photos): only with the trainee's active consent.
- Chat content between coach and trainee.
3. TOMs (Technical & Organizational Measures)
Encryption at rest (AES-256) and in transit (TLS 1.3). Hosting in the EU (Coolify cluster Frankfurt, Hetzner). Access restricted to authorized personnel with documented roles. Backup strategy: daily snapshots, 30-day retention.
4. Sub-processors
- Hetzner Online GmbH — Hosting / infrastructure (DE).
- Google Cloud EMEA Ltd. — Vertex AI (region eu-west-3 Frankfurt). Only with trainee consent, with pseudonymization.
- Paddle.com Market Limited — Payment processing (IE).
- Resend Inc. — Transactional emails and contact form delivery (EU region Ireland, DPA in place).
- Functional Software, Inc. d/b/a Sentry — App crash and error diagnostics (EU data region). Pseudonymous technical telemetry only; personal data is removed on-device before transmission. DPA in place.
- Apple Inc. — Delivery of push notifications on iOS (Apple Push Notification service, APNs). A device push token and the notification content are transmitted; any transfer to the USA relies primarily on the EU-US Data Privacy Framework, complemented by the EU Standard Contractual Clauses.
- Google LLC (Firebase / FCM) — Delivery of push notifications on Android (Firebase Cloud Messaging, FCM). A device push token and the notification content are transmitted; any transfer to the USA relies primarily on the EU-US Data Privacy Framework, complemented by the EU Standard Contractual Clauses and the Google Cloud / Firebase Data Processing Addendum.
- 650 Industries, Inc. (Expo) — Push relay forwarding notifications to APNs and FCM (exp.host). A device push token and the notification content are transmitted; any transfer to the USA is safeguarded by the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) as the appropriate safeguard.
5. Platform obligations
Processing only on documented instructions from the Coach. Confidentiality of personnel. Support for right-of-access and erasure requests. Notification of data breaches within 72 hours.
6. Coach obligations
Obtaining consent from trainees (in particular for AI Critique and photo uploads). Informing trainees about the processing. Ensuring lawfulness of instructions given.
7. Deletion & Return
Upon termination, the Platform deletes all personal data within 90 days, unless a statutory retention obligation applies. A data export in JSON format can be provided on request.
Download
The legally binding PDF version is available for download here: