Reformer Pilates Booking

Data Processing Agreement

Effective 1 June 2026

This Data Processing Agreement (“DPA”) forms part of the Reformer Pilates Booking Terms of Service. It governs how RPB processes personal data on behalf of the Studio (the data controller) in compliance with the EU General Data Protection Regulation (GDPR) and Spanish data protection law.

1. Roles

The Studio is the data controller for personal data of its clients (names, emails, phones, addresses, health/safety notes, booking history, payment history).

RPB is the data processor, processing this data solely on the Studio's instructions and for the purposes set out in the Terms of Service.

2. Categories of data processed

Identification (name, email, phone), location (city, postal code, country), demographic (birthday), booking and class attendance, payment and refund records, marketing-consent flags and timestamps, communications log (subjects + status of emails/SMS we send), referral relationships, health-and-safety notes provided by the Studio about the client.

3. Sub-processors

RPB engages the following sub-processors, all of which provide GDPR-compliant data processing terms:

  • Supabase — Postgres database hosting (EU region).
  • Vercel — application hosting and edge functions.
  • Stripe — payment processing.
  • Resend — transactional email delivery.

We notify Studios 30 days in advance if we add or replace a sub-processor with material data access.

4. Security measures

Data is encrypted in transit (TLS) and at rest. Access to production data is restricted to authorised RPB personnel and requires multi-factor authentication. We maintain audit logs of administrative access. Database backups run continuously with point-in-time recovery up to 14 days.

5. Data subject rights

The Studio remains responsible for handling data subject requests (access, rectification, erasure, portability, restriction of processing). RPB provides admin tooling to fulfil these requests (customer data export, customer deletion) and will assist within a reasonable time on requests that require backend access.

6. Data breach notification

RPB notifies the affected Studio within 72 hours of becoming aware of a personal data breach, providing the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address it.

7. Data retention and deletion

On termination of the Terms of Service, the Studio's client data is exported to the Studio and deleted from active systems within 90 days. Backup retention is up to 12 months. Booking and payment records may be retained longer where required by applicable tax law (typically 6 years in Spain).

8. International transfers

RPB processes data within the European Economic Area where possible. Where transfers outside the EEA occur (e.g. to a sub-processor's incident-response team), Standard Contractual Clauses apply.

9. Term and audit

This DPA remains in force for as long as RPB processes personal data on behalf of the Studio. The Studio may, on reasonable notice, audit RPB's compliance with this DPA either directly or via an agreed third-party auditor.