
Data Processing Agreement

Effective Date: April 8, 2026

Table of Contents

  1. Definitions
  2. Subject Matter and Duration of Processing
  3. Nature and Purpose of Processing
  4. Types of Personal Data Processed
  5. Categories of Data Subjects
  6. Obligations of the Processor (Trainer)
  7. Obligations of the Controller (Caliplaces)
  8. Sub-Processing
  9. International Data Transfers
  10. Data Breach Notification
  11. Audit Rights and Cooperation
  12. Liability and Indemnification
  13. Term and Termination
  14. Annex A: Details of Processing
  15. Annex B: Technical and Organisational Measures

1. Definitions

As used in this Data Processing Agreement, the following terms have the meanings set forth below:

  • "Controller" means Caliplaces s.r.o., a legal entity incorporated under Czech law with registered address at Uralská 689/7, Bubeneč (Praha 6), 160 00 Praha and IČO 23311207, who determines the purposes and means of Processing.
  • "Processor" means a Trainer or Coach offering services through the Caliplaces platform, who processes Personal Data on behalf of and under the instructions of the Controller.
  • "Data Subject" means any individual to whom Personal Data relates, including users who book training or coaching sessions through the Caliplaces platform.
  • "Personal Data" means any information relating to a Data Subject that is identified or identifiable, as defined in Article 4(1) GDPR.
  • "Processing" means any operation performed on Personal Data, such as collection, recording, organization, storage, use, transmission, or deletion, as defined in Article 4(2) GDPR.
  • "Sub-processor" means any natural or legal person (other than an employee of the Processor) who processes Personal Data on behalf of the Processor.
  • "Data Subject Rights" means rights of Data Subjects under Chapter III of the GDPR, including rights of access, rectification, erasure, restriction, data portability, and objection.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data as defined in Article 33 GDPR.

2. Subject Matter and Duration of Processing

2.1 Duration

This Data Processing Agreement comes into effect on the date the Trainer accepts the Caliplaces Terms of Service and/or this Agreement (as presented through the Caliplaces platform or during onboarding), and continues for the duration of the Trainer's engagement with the Caliplaces platform and any active client relationships, unless earlier terminated in accordance with Section 13 below.

2.2 Subject Matter

This Agreement governs the Processing of Personal Data by the Processor (Trainer) on behalf of the Controller (Caliplaces) for the purposes of delivering training, coaching, and fitness services booked through the Caliplaces platform. The Processor shall Process Personal Data only to the extent necessary to provide the booked services and in accordance with the instructions of the Controller.

3. Nature and Purpose of Processing

3.1 Purpose of Processing

The purpose of Processing is to enable the Trainer to deliver fitness, coaching, or training services that have been booked and contracted for by users through the Caliplaces platform. This includes:

  • Scheduling and managing training sessions
  • Communicating with users regarding sessions, timing, and location
  • Providing personalized training advice and feedback
  • Tracking session history and client progress
  • Managing location-based session delivery
  • Recording and processing payment information for session fees (as applicable)

3.2 Nature of Processing

The nature of Processing shall be limited to collection, recording, organization, storage, adaptation, retrieval, consultation, use, transmission within the platform, and deletion of Personal Data as necessary to provide the services. The Processor shall not use Personal Data for any purpose other than performing the services unless explicitly authorized in writing by the Controller.

4. Types of Personal Data Processed

The Processor may Process the following categories of Personal Data:

  • Identification data: User name, email address, phone number
  • Booking information: Session dates, times, duration, type of service
  • Session history: Records of past and scheduled training sessions
  • Communication data: Messages exchanged between user and trainer within the platform
  • Location data: Location of training sessions (as provided by the user or agreed upon)
  • Health/fitness information: Any fitness goals, health conditions, or preferences shared by the user for session customization (if applicable)
  • Profile information: User-provided photos, bio, and trainer qualifications
  • Payment information: Limited payment details as necessary for transaction processing (handled primarily by Caliplaces; Trainer may only see transaction summaries)

5. Categories of Data Subjects

The Personal Data Processed relates to the following categories of Data Subjects:

  • End users (buyers): Individuals who book and pay for training or coaching sessions through the Caliplaces platform
  • Platform users: Registered members of the Caliplaces platform who may interact with trainers
  • Session participants: Any individuals participating in or attending training sessions arranged through the platform

6. Obligations of the Processor (Trainer)

6.1 Processing Only on Instructions

The Processor shall Process Personal Data only on documented instructions from the Controller, including regarding international transfers, unless required to do so by Union or Member State law. The Processor shall inform the Controller without undue delay if a legal request compels the Processor to Process Personal Data in a manner not compliant with this Agreement or applicable law.

6.2 Confidentiality Obligations

The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate legal obligation of confidentiality. The Processor shall not disclose, share, or otherwise make available Personal Data to any third party except:

  • To employees or agents of the Processor who need access to provide the services
  • As required by law or court order
  • With the prior written authorization of the Controller
  • To authorized Sub-processors under Section 8

6.3 Security Measures (Article 32 GDPR)

The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:

  • The pseudonymization and encryption of Personal Data
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems
  • The ability to restore the availability and access to Personal Data in a timely manner in the event of an incident
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures
  • Secure user access protocols and password management
  • Regular security updates and patches
  • Training of staff on data protection and security practices
  • Procedures for secure deletion or return of Personal Data upon termination

The Processor shall document the measures taken and provide evidence of their implementation to the Controller upon reasonable request. The specific measures are detailed in Annex B.

6.4 Sub-Processor Restrictions

The Processor shall not engage Sub-processors without prior authorization from the Controller. The Processor shall ensure that any Sub-processor is bound by the same data protection obligations as set forth in this Agreement and shall remain liable to the Controller for any failure of the Sub-processor to fulfill its data protection obligations. The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object on reasonable grounds relating to data protection.

6.5 Assisting with Data Subject Rights

The Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligation to respond to Data Subject rights requests, including:

  • Right of access (Article 15 GDPR)
  • Right to rectification (Article 16 GDPR)
  • Right to erasure (Article 17 GDPR)
  • Right to restrict processing (Article 18 GDPR)
  • Right to data portability (Article 20 GDPR)
  • Right to object (Article 21 GDPR)

The Processor shall provide reasonable cooperation and assistance to the Controller, including by providing access to requested data, certifying deletion, or otherwise facilitating the Controller's response to Data Subject requests without undue delay.

6.6 Breach Notification Obligations

The Processor shall notify the Controller without undue delay, and in any case within 72 hours of becoming aware of a Personal Data Breach. The notification shall include:

  • Description of the Breach and affected Personal Data
  • Likely consequences of the Breach
  • Measures taken or proposed to address the Breach and mitigate harm
  • The Processor's contact point for further information

The Processor shall provide any assistance reasonably necessary for the Controller to meet its own breach notification obligations to supervisory authorities and Data Subjects.

6.7 Return or Deletion of Personal Data

Upon termination or expiration of this Agreement, the Processor shall, at the Controller's choice, either:

  • Delete all Personal Data in its possession or control (except where required by law to retain); or
  • Return all Personal Data to the Controller in a commonly used, machine-readable format

The Processor shall certify completion of deletion or return within 30 days of termination, unless longer retention is legally required.

6.8 Audit and Inspection Rights

The Processor shall allow and contribute to audits and inspections by the Controller or the Controller's authorized representatives (including external auditors and compliance consultants). The Processor shall cooperate fully with supervisory authorities in exercising their powers to investigate compliance with the GDPR.

7. Obligations of the Controller (Caliplaces)

7.1 Legal Basis and Lawfulness

The Controller shall ensure that Processing is lawful and that it has a valid legal basis for the Processing of Personal Data as described in this Agreement. The Controller shall ensure compliance with all applicable data protection laws and regulations.

7.2 Clear Instructions

The Controller shall provide the Processor with clear, documented instructions regarding the Processing of Personal Data. Any changes to instructions shall be communicated to the Processor in writing. The Processor may decline to process data if instructions are unlawful or conflict with applicable law.

7.3 Data Quality

The Controller shall ensure that Personal Data provided to the Processor is accurate, complete, and collected lawfully. The Controller shall ensure it has obtained necessary consents from Data Subjects and that it has provided required privacy information to Data Subjects.

7.4 Assistance with Security

The Controller shall reasonably cooperate with the Processor in implementing appropriate security measures and shall inform the Processor promptly of any security incidents or concerns the Controller becomes aware of.

8. Sub-Processing

8.1 Authorization for Sub-processors

The Processor may not engage Sub-processors without prior written authorization from the Controller. Initially, the Processor shall not engage Sub-processors except through the Caliplaces platform itself (which may use third-party service providers as described in its Privacy Policy). Any other Sub-processor requires prior written consent from the Controller.

8.2 Sub-processor Terms

The Processor shall ensure that each Sub-processor is bound by data protection obligations that are materially equivalent to those set out in this Agreement. The Processor shall remain liable to the Controller for any failure of a Sub-processor to fulfill its data protection obligations.

8.3 Information About Sub-processors

The Processor shall provide the Controller with a list of any authorized Sub-processors and shall inform the Controller of any intended changes (addition or replacement of Sub-processors), giving the Controller the opportunity to object to such changes on reasonable grounds relating to data protection.

9. International Data Transfers

9.1 Scope of Transfers

To the extent the Processor transfers Personal Data to countries outside the European Union, European Economic Area, or other jurisdictions deemed adequate by the European Commission, the Processor shall ensure that such transfers are subject to appropriate safeguards as required by Article 46 GDPR.

9.2 Standard Contractual Clauses (SCCs)

Where necessary, the Processor shall execute the European Commission's Standard Contractual Clauses or other legally approved transfer mechanisms to ensure adequate protection of Personal Data transferred outside the EEA. The Processor shall inform the Controller immediately of any changes in the legal framework governing international transfers that may require modification of these safeguards.

9.3 Limitation on Transfers

The Processor shall not transfer Personal Data outside the EEA except:

  • With the prior written authorization of the Controller
  • To the extent expressly authorized by this Agreement
  • As required by law, with prompt notice to the Controller

Currently, the Caliplaces platform operates primarily within the EU. Any transfers are subject to appropriate safeguards and the Controller's explicit authorization.

10. Data Breach Notification

10.1 72-Hour Notification Requirement

The Processor shall notify the Controller without undue delay, and in any case within 72 hours of becoming aware of a Personal Data Breach affecting Personal Data in its Processing. Notification shall be sent by email or through the Caliplaces platform messaging system to the contact email address provided in the Processor's Caliplaces account.

10.2 Content of Breach Notification

The notification shall include at minimum:

  • A description of the Breach
  • The categories and approximate number of Data Subjects affected
  • The categories and approximate volume of Personal Data involved
  • The likely consequences of the Breach
  • Measures taken or proposed to address the Breach and mitigate harm
  • The Processor's contact point for further information

10.3 Continued Cooperation

The Processor shall cooperate fully with the Controller in investigating the Breach and shall provide such information and assistance as the Controller reasonably requests, including cooperation with supervisory authorities and support for Data Subject notifications if required.

11. Audit Rights and Cooperation

11.1 Right to Audit

The Controller shall have the right to audit the Processor's compliance with this Agreement, including through:

  • Review of security practices and documentation
  • Inspection of premises where Processing occurs (at reasonable times and with reasonable notice)
  • Review of Processor policies and procedures related to Personal Data
  • Assessment of Sub-processors and their compliance

11.2 Cooperation with Authorities

The Processor shall cooperate with the Controller and with supervisory authorities (such as the Czech Office for Personal Data Protection/ÚOOÚ) in fulfilling their oversight duties. The Processor shall respond to reasonable requests from the Controller or supervisory authorities regarding compliance.

11.3 Cost Allocation

The Controller shall bear the costs of its own audits. Where the Controller requests additional or specialized audits beyond industry-standard practices, the reasonable costs may be borne by the Controller. Audits triggered by a Breach or suspected non-compliance may be at the Processor's expense if non-compliance is found.

12. Liability and Indemnification

12.1 Processor Liability

The Processor shall be liable to the Controller for damages caused by Processing of Personal Data in violation of this Agreement or applicable GDPR obligations, to the extent the Processor is responsible for the violation. The Processor's liability shall be limited as follows:

  • For direct damages: up to 100,000 EUR or the value of services provided by the Processor in the 12 months preceding the claim, whichever is higher
  • For indirect or consequential damages: the Processor shall not be liable unless a higher limit is mandated by applicable law

12.2 Exemptions from Liability

The Processor shall not be liable for damages resulting from:

  • Instructions from the Controller that conflict with applicable law
  • Processing conducted in compliance with documented instructions from the Controller
  • Breaches caused by the Controller's failure to implement security measures on its systems
  • Breaches resulting from events beyond the Processor's reasonable control (force majeure)

12.3 Indemnification

The Processor shall indemnify, defend, and hold harmless the Controller from third-party claims, damages, and costs (including reasonable attorney fees) arising from the Processor's violation of this Agreement or applicable data protection laws, except where the violation results from the Controller's instructions or failure to implement security measures.

13. Term and Termination

13.1 Duration

This Data Processing Agreement begins when the Processor accepts the Caliplaces Terms of Service or this Agreement and continues for the duration of the Processor's engagement with the Caliplaces platform, unless earlier terminated.

13.2 Termination by Controller

The Controller (Caliplaces) may terminate this Agreement and the Processor's access to the platform for:

  • Material breach of this Agreement or the Trainer Terms of Service
  • Persistent non-compliance with data protection obligations
  • Termination of the Processor's account with Caliplaces
  • At-will termination with 30 days' notice

13.3 Termination by Processor

The Processor may terminate engagement with the Caliplaces platform in accordance with the Trainer Terms of Service, provided that the Processor continues to comply with this Agreement regarding any data retained.

13.4 Effect of Termination

Upon termination of this Agreement:

  • The Processor shall immediately cease Processing Personal Data except as required by law
  • The Processor shall delete or return Personal Data within 30 days, unless legally required to retain it
  • The Processor shall certify deletion or return in writing
  • The Processor's confidentiality and security obligations shall survive termination
  • Sections addressing liability and indemnification shall survive termination

13.5 Survival of Obligations

Sections 6.2 (Confidentiality), 6.3 (Security Measures), 6.7 (Return or Deletion), 12 (Liability), and this Section 13.5 shall survive termination of this Agreement indefinitely or for such period as required by applicable law.

14. Annex A: Details of Processing

Subject Matter of Processing

Delivery of fitness training, coaching, and related services booked through the Caliplaces platform.

Duration of Processing

For the duration of the Processor's engagement with Caliplaces and for such period as retention is necessary to fulfill legal obligations or user requests. Personal Data shall generally be deleted or anonymized within 12 months after termination of the Processor's account, unless longer retention is required by law or requested by the Controller.

Nature and Purpose of Processing

Processing of Personal Data to manage session bookings, deliver services, communicate with clients, maintain session history, manage location information, and provide customer support.

Types of Personal Data

  • Identification: name, email, phone number
  • Booking details: session type, date, time, duration, location
  • Session history and progress tracking
  • Communication records
  • Location data for sessions
  • Health/fitness information (if voluntarily provided by users)
  • Profile information

Categories of Data Subjects

  • Users who book training or coaching sessions
  • Registered members of the Caliplaces platform
  • Session participants

Categories of Recipients

  • Caliplaces platform employees and support staff
  • Sub-processors authorized by the Controller
  • Legal and compliance personnel as required
  • Supervisory authorities as required by law

Retention Period

Personal Data shall be retained for the duration of the client relationship and such reasonable period thereafter as is necessary to fulfill legal obligations, respond to claims, or as requested by Data Subjects. Unless otherwise specified, Personal Data shall not be retained for more than 12 months after termination of the Processor's account unless required by law or court order.

15. Annex B: Technical and Organisational Measures

Overview

The Processor shall implement and maintain the following technical and organisational measures to protect Personal Data in accordance with Article 32 GDPR:

Technical Measures

  • Encryption: Encryption of Personal Data in transit (TLS/SSL) and at rest where technologically feasible
  • Access controls: Strong password requirements, multi-factor authentication for platform access, role-based access controls limiting data access to authorized personnel
  • Secure storage: Storage of Personal Data on secure, password-protected devices and systems
  • Network security: Use of firewalls and security measures to protect against unauthorized access
  • Regular updates: Timely installation of security patches and system updates on all devices used to process Personal Data
  • Incident response: Procedures for detecting, logging, and responding to security incidents
  • Backup and recovery: Regular backups and disaster recovery procedures to restore access to Personal Data in case of incidents
  • Secure deletion: Use of secure deletion methods (e.g., overwriting, shredding) when permanently removing Personal Data

Organisational Measures

  • Personnel training: Training for Processor employees on data protection obligations, confidentiality, and security practices, provided at least annually
  • Confidentiality agreements: Confidentiality obligations for all persons with access to Personal Data
  • Access restrictions: Limiting access to Personal Data to employees and agents who need access to provide the services
  • Data protection policies: Clear written policies and procedures for handling Personal Data, including requirements to comply with this Agreement and applicable law
  • Incident procedures: Documented procedures for responding to suspected data breaches, including notification protocols and investigative processes
  • Third-party management: Due diligence and contractual safeguards for any Sub-processors
  • Monitoring and auditing: Periodic review of security measures and compliance with data protection obligations
  • Data subject access: Procedures for facilitating Data Subject rights requests, including access, rectification, deletion, and portability
  • Documentation: Maintenance of records demonstrating implementation of these measures and willingness to make such records available to the Controller upon reasonable request

Risk Assessment

The Processor shall conduct a periodic risk assessment (at least annually or when circumstances change) to identify potential risks to the security and integrity of Personal Data. The Processor shall adjust measures based on identified risks and shall share the results of significant risk assessments with the Controller upon reasonable request.

Compliance and Certification

The Processor shall maintain records documenting implementation of these measures. Where applicable and available, the Processor shall maintain relevant certifications (such as ISO 27001) or shall provide evidence of compliance through audits, assessments, or security reports upon request.

General Provisions

Entire Agreement

This Data Processing Agreement, together with the Caliplaces Trainer Terms of Service and Privacy Policy, constitutes the entire agreement regarding the Processing of Personal Data and supersedes all prior negotiations and understandings.

Amendments

Caliplaces reserves the right to amend this Agreement to comply with applicable law or to improve data protection practices. Significant amendments shall be communicated to Trainers at least 30 days in advance. Continued use of the platform constitutes acceptance of amendments.

Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the Czech Republic and the GDPR. For questions regarding compliance, the supervisory authority is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů – ÚOOÚ).

Contact Information

For questions, concerns, or breach notifications related to this Data Processing Agreement, please contact:

  • Email: legal@caliplaces.com
  • Data Protection Officer: dpo@caliplaces.com
  • Address: Caliplaces s.r.o., Uralská 689/7, Bubeneč (Praha 6), 160 00 Praha

© Caliplaces s.r.o., 2026. All rights reserved.
