FlowFitness Data Processing Agreement

Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) is an integral part of the agreement executed between the parties (“Agreement”) for the purpose of using the Services, as defined under the Agreement. Capitalized terms used herein but not defined herein shall have the meanings ascribed to them in the Agreement.

This DPA sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data (including, without limitations, by sharing Personal Data with the other party) during the course of the Agreement and thereafter.

1. Definitions

1.2.

“Affiliates” means any entity which is controlled by, controls, or is in common control with one of the parties.

1.3.

“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. seq. as may be amended, and all regulations promulgated thereunder.

1.4.

The terms “Controller,” “Processor,” “Data Subject,” “Processing” (and “Process”), “Personal Data Breach,” and “Special Categories of Personal Data” shall have the meanings ascribed to them under EU Data Protection Law. The terms “Business,” “Business Purpose,” “Consumer,” “Service Provider,” “Sale,” and “Sell” shall have the meanings ascribed to them in the CCPA and CPRA.

1.5.

“Data Protection Laws” means all applicable privacy and data protection laws and regulations, including GDPR, UK GDPR, CCPA, CPRA, and other applicable laws.

1.6.

“EEA” means the European Economic Area.

1.7.

“EU Data Protection Law” means:

(i) Regulation (EU) 2016/679 (GDPR);

(ii) Regulation 2018/1725;

(iii) Directive 2002/58/EC (e-Privacy Directive), as amended;

(iv) National laws implementing or replacing the foregoing;

(v) Any legislation updating the foregoing;

(vi) Any binding guidance issued by a relevant Supervisory Authority.

1.8.

“Personal Data” or “Personal Information” means any information relating to an identified or identifiable individual.

1.9.

“Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

1.10.

“Standard Contractual Clauses” means the European Commission Decision 2021/914 of 4 June 2021.

1.11.

“Swiss Data Protection Laws” or “FADP” means the Swiss Federal Data Protection Act and related ordinances.

1.12.

“Swiss SCC” means the applicable standard data protection clauses recognized by the Swiss Federal Data Protection and Information Commissioner.

1.13.

“Shared Data” means Personal Data shared between the parties for purposes of the Services.

1.14.

“UK GDPR” means the Data Protection Act 2018 and the GDPR as incorporated into UK law.

1.15.

“UK SCC” means standard data protection clauses permitted under Article 46 of the UK GDPR.

2. Roles and Obligations

2.1.

The parties acknowledge that both FlowFitness and the Merchant act as independent Controllers regarding the Processing of Shared Data. The parties shall not act as joint Controllers. Each party is responsible for complying with applicable Data Protection Laws.

2.2.

Each party may Process Shared Data for purposes of providing or receiving the Services.

2.3.

If Shared Data includes Special Categories of Data, each party shall implement appropriate safeguards.

2.4.

Each party shall maintain a publicly accessible privacy policy compliant with applicable Data Protection Laws.

2.5.

For purposes of the CCPA (where applicable), both the Merchant and FlowFitness are Businesses and shall independently comply with their obligations.

3. Data Subject Rights & Cooperation

3.1.

If either party receives a Data Subject request concerning Shared Data processed by the other party, the receiving party shall direct the request to the appropriate party.

3.2.

The parties shall provide commercially reasonable cooperation in responding to Data Subject requests or Supervisory Authority inquiries.

3.3.

Each party shall take reasonable steps to ensure Personal Data is accurate and up to date.

4. Security Measures & Incidents

4.1.

Each party shall implement industry-standard technical and organizational safeguards to protect Shared Data.

4.2.

In the event of a Security Incident involving Shared Data, the Merchant or FlowFitness (as applicable) shall notify the other party without undue delay and no later than 48 hours after becoming aware.

4.3.

Each party shall take steps required by Data Protection Laws to mitigate and prevent further incidents.

4.4.

The parties shall cooperate in good faith to investigate and remediate any Security Incident.

5. Data Transfers

5.1.

Where GDPR, UK GDPR, or Swiss FADP apply, transfers outside the EEA, UK, or Switzerland shall occur only where lawful safeguards exist.

5.2.

Where Standard Contractual Clauses are relied upon:

  • Transfers from the EEA are subject to ANNEX I–III

  • Transfers from the UK are subject to ANNEX IV

  • Transfers from Switzerland are subject to ANNEX V

6. Termination

6.1.

This DPA becomes effective on the effective date of the Agreement and terminates automatically upon termination of the Agreement.

Annex I

Details of Personal Data (Controller to Controller)

A. List of Parties

Data Exporter(s)

Name: NovaRidge Commerce LLC – FlowFitness

611 South DuPont Highway Suite 102, Dover, 19901, DE

Contact: DPO – support@myflowfitness.com

Activities: Services under the Agreement

Role: Controller

Data Importer(s)

Name: Merchant

Address: As detailed in the Merchant Agreement

Role: Controller

B. Description of Processing and Transfer

Categories of Data Subjects

Merchant’s Customers (as defined in the Agreement)

Categories of Personal Data

  • Full name

  • Email address

  • Billing address

  • Phone number

  • Date and place of birth (if applicable)

  • Payment and transaction information

  • Credit bureau information

  • Banking information (if applicable)

  • Transaction history

Sensitive Data: N/A

Frequency: One-off

Purpose: Providing Services and processing transactions

Retention: As required to provide Services or comply with law

C. Competent Supervisory Authority

Based on the Merchant’s establishment in the EEA.

Your blueprint for 1% human performance

Train with personalized plans, smart habit tracking, recovery insights, and daily accountability that adapts to your schedule.

Your blueprint for 1% human performance

Train with personalized plans, smart habit tracking, recovery insights, and daily accountability that adapts to your schedule.

Your blueprint for 1% human performance

Train with personalized plans, smart habit tracking, recovery insights, and daily accountability that adapts to your schedule.