Data processing agreement
Last updated: 12 July 2026
- When you (the coach) use Rosta to manage your own clients' data, you're the controller and we're the processor — this agreement sets out how we handle that on your behalf.
- We only ever process your clients' data on your instructions, to run the Service — never for our own purposes.
- The only sub-processors we use are Supabase, Netlify, Resend and Stripe — all listed below, each doing one specific job.
- We keep the data secure (encryption, access controls, hosted authentication) and will tell you promptly if anything goes wrong.
- You get your data back (or we delete it) when you close your account, in line with our Privacy policy.
- This DPA is incorporated into, and forms part of, our Terms of Service — accepting the Terms means accepting this DPA too.
1.Parties and background
This Data Processing Agreement (“DPA”) is between you, the coach using Rosta to manage your own Clients’ personal data (the “Controller”), and [YOUR FULL LEGAL NAME], trading as TRNDSTTR (a sole trader — see Terms of Service clause 2), of [ADDRESS FOR SERVICE] (“Rosta”, the “Processor”). It applies whenever Rosta processes personal data on your behalf and forms part of, and is incorporated into, our Terms of Service. Terms defined there have the same meaning here. In case of conflict on data protection matters, this DPA prevails.
2.Subject matter, duration, nature and purpose
Subject matter: Rosta’s processing of personal data that you submit about your Clients in the course of using the Service.
Duration: for as long as you hold a Rosta account, and thereafter only as needed to delete the data per clause 8.
Nature: electronic storage, hosting, transmission, backup and display of the data within the Rosta application, and sending emails you configure (such as session reminders).
Purpose: to provide you the scheduling, client-management, payment-tracking, insights and communication features of the Service, solely on your instructions.
3.Categories of data and data subjects
Data subjects: your Clients (the individuals you coach).
Categories of data: name, phone number, email address, records you create about sessions, attendance, packages/credits and payment status (e.g. paid/unpaid, amounts), and any general free-text notes you choose to enter.
Rosta has no dedicated field for health, medical or other special-category data. You must not use any general free-text field (such as client or session notes) to record such information about your Clients; doing so would be outside the scope of this DPA and at your own risk.
4.Our obligations as processor
We will:
- process personal data only on your documented instructions (including as set out in these terms), unless required to do otherwise by law;
- ensure people authorised to process the data are subject to confidentiality obligations;
- implement appropriate technical and organisational security measures (see clause 7);
- only engage sub-processors as permitted under clause 5;
- taking into account the nature of the processing, assist you with responding to data subject requests (access, correction, deletion, etc.) so far as reasonably possible;
- assist you in meeting your obligations around security, breach notification and data protection impact assessments, taking into account the information available to us;
- notify you without undue delay after becoming aware of a personal data breach affecting your Clients’ data (see clause 8); and
- at your choice, delete or return all personal data to you at the end of our relationship, and delete existing copies, per clause 9.
5.Sub-processors
You give general authorisation for us to engage the following sub-processors, each used for a specific, limited purpose:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, backend hosting | London, UK |
| Netlify | Website and application hosting (code only — no personal data at rest) | Global CDN |
| Resend | Sending transactional emails (e.g. reminders) | Ireland, EU |
| Stripe | Payment processing (acts as an independent controller for its own regulatory obligations) | International |
We impose data protection terms on each sub-processor no less protective than this DPA. If we intend to add or replace a sub-processor, we will update this page and, where the change is material, tell registered coaches directly; you may object on reasonable data-protection grounds by contacting rosta@trndsttr.co.uk.
6.International transfers
Personal data is hosted with Supabase in London (UK) and processed for email delivery by Resend in Ireland (EU) — both within the UK/EEA. Netlify serves our application code globally via its CDN but does not store personal data at rest. Where a sub-processor (such as Stripe, which operates its payment network internationally) transfers personal data outside the UK/EEA, we ensure an appropriate transfer mechanism is in place, such as the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or an applicable UK adequacy regulation.
7.Security measures
We maintain security measures appropriate to the risk, including:
- encryption of data in transit (TLS) and at rest;
- database-level access controls (row-level security) that isolate each coach’s data from every other coach;
- hosted, industry-standard authentication rather than custom-built login handling;
- secrets and administrative credentials kept server-side only, never exposed to the browser; and
- regular, automated backups.
Further detail is on our Security & GDPR page.