Ironstead
Anmelden30 Tage gratis testen
DPA template · As of May 8, 2026 ·

Data Processing Agreement

Agreement under Art. 28 GDPR between Coach and Platform for the processing of trainee data.

This page is only available in German in its legally binding version. The English text is a courtesy translation.

1. Subject matter

This agreement is concluded between the Coach (controller per Art. 4 No. 7 GDPR) and the Platform (processor per Art. 4 No. 8 GDPR):

Ironstead — Owner Jakob Seiffert
Kentroper Weg 60a, 59063 Hamm, Germany
Email: datenschutz@iron-stead.com
(hereinafter "Platform")

The Platform processes personal data of trainees on behalf of the Coach (training data, RPE, notes, photo uploads, chat content). This agreement governs the obligations of both parties under Art. 28 GDPR.

2. Data processed

  • Trainee master data: name, email, date of birth, gender, height, weight.
  • Training data: exercises, sets, repetitions, load, RPE, rest periods, notes.
  • Photo uploads (progress photos): only with the trainee's active consent.
  • Chat content between coach and trainee.

3. TOMs (Technical & Organizational Measures)

Encryption at rest (AES-256) and in transit (TLS 1.3). Hosting in the EU (Coolify cluster Frankfurt, Hetzner). Access restricted to authorized personnel with documented roles. Backup strategy: daily snapshots, 30-day retention.

4. Sub-processors

  • Hetzner Online GmbHHosting / infrastructure (DE).
  • Google Cloud EMEA Ltd.Vertex AI (region eu-west-3 Frankfurt). Only with trainee consent, with pseudonymization.
  • Paddle.com Market LimitedPayment processing (IE).
  • Resend Inc.Transactional emails and contact form delivery (EU region Ireland, DPA in place).

5. Platform obligations

Processing only on documented instructions from the Coach. Confidentiality of personnel. Support for right-of-access and erasure requests. Notification of data breaches within 72 hours.

6. Coach obligations

Obtaining consent from trainees (in particular for AI Critique and photo uploads). Informing trainees about the processing. Ensuring lawfulness of instructions given.

7. Deletion & Return

Upon termination, the Platform deletes all personal data within 90 days, unless a statutory retention obligation applies. A data export in JSON format can be provided on request.

Download

The legally binding PDF version is available for download here:

Coming soon
Ironstead - AVV