Legal

Data processing agreement

Draft for legal review. This is a substantive draft, not filler text — but it has not yet been reviewed by a solicitor, and it references an entity name and address that you still need to finalise (see clause 1). Do not publish this as your live DPA until both are done.

Last updated: 12 July 2026

In plain English
  • When you (the coach) use Rosta to manage your own clients' data, you're the controller and we're the processor — this agreement sets out how we handle that on your behalf.
  • We only ever process your clients' data on your instructions, to run the Service — never for our own purposes.
  • The only sub-processors we use are Supabase, Netlify, Resend and Stripe — all listed below, each doing one specific job.
  • We keep the data secure (encryption, access controls, hosted authentication) and will tell you promptly if anything goes wrong.
  • You get your data back (or we delete it) when you close your account, in line with our Privacy policy.
  • This DPA is incorporated into, and forms part of, our Terms of Service — accepting the Terms means accepting this DPA too.

1.Parties and background

This Data Processing Agreement (“DPA”) is between you, the coach using Rosta to manage your own Clients’ personal data (the “Controller”), and [YOUR FULL LEGAL NAME], trading as TRNDSTTR (a sole trader — see Terms of Service clause 2), of [ADDRESS FOR SERVICE] (“Rosta”, the “Processor”). It applies whenever Rosta processes personal data on your behalf and forms part of, and is incorporated into, our Terms of Service. Terms defined there have the same meaning here. In case of conflict on data protection matters, this DPA prevails.

2.Subject matter, duration, nature and purpose

Subject matter: Rosta’s processing of personal data that you submit about your Clients in the course of using the Service.

Duration: for as long as you hold a Rosta account, and thereafter only as needed to delete the data per clause 8.

Nature: electronic storage, hosting, transmission, backup and display of the data within the Rosta application, and sending emails you configure (such as session reminders).

Purpose: to provide you the scheduling, client-management, payment-tracking, insights and communication features of the Service, solely on your instructions.

3.Categories of data and data subjects

Data subjects: your Clients (the individuals you coach).

Categories of data: name, phone number, email address, records you create about sessions, attendance, packages/credits and payment status (e.g. paid/unpaid, amounts), and any general free-text notes you choose to enter.

Rosta has no dedicated field for health, medical or other special-category data. You must not use any general free-text field (such as client or session notes) to record such information about your Clients; doing so would be outside the scope of this DPA and at your own risk.

4.Our obligations as processor

We will:

  • process personal data only on your documented instructions (including as set out in these terms), unless required to do otherwise by law;
  • ensure people authorised to process the data are subject to confidentiality obligations;
  • implement appropriate technical and organisational security measures (see clause 7);
  • only engage sub-processors as permitted under clause 5;
  • taking into account the nature of the processing, assist you with responding to data subject requests (access, correction, deletion, etc.) so far as reasonably possible;
  • assist you in meeting your obligations around security, breach notification and data protection impact assessments, taking into account the information available to us;
  • notify you without undue delay after becoming aware of a personal data breach affecting your Clients’ data (see clause 8); and
  • at your choice, delete or return all personal data to you at the end of our relationship, and delete existing copies, per clause 9.

5.Sub-processors

You give general authorisation for us to engage the following sub-processors, each used for a specific, limited purpose:

Sub-processorPurposeLocation
SupabaseDatabase, authentication, backend hostingLondon, UK
NetlifyWebsite and application hosting (code only — no personal data at rest)Global CDN
ResendSending transactional emails (e.g. reminders)Ireland, EU
StripePayment processing (acts as an independent controller for its own regulatory obligations)International

We impose data protection terms on each sub-processor no less protective than this DPA. If we intend to add or replace a sub-processor, we will update this page and, where the change is material, tell registered coaches directly; you may object on reasonable data-protection grounds by contacting rosta@trndsttr.co.uk.

6.International transfers

Personal data is hosted with Supabase in London (UK) and processed for email delivery by Resend in Ireland (EU) — both within the UK/EEA. Netlify serves our application code globally via its CDN but does not store personal data at rest. Where a sub-processor (such as Stripe, which operates its payment network internationally) transfers personal data outside the UK/EEA, we ensure an appropriate transfer mechanism is in place, such as the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or an applicable UK adequacy regulation.

7.Security measures

We maintain security measures appropriate to the risk, including:

  • encryption of data in transit (TLS) and at rest;
  • database-level access controls (row-level security) that isolate each coach’s data from every other coach;
  • hosted, industry-standard authentication rather than custom-built login handling;
  • secrets and administrative credentials kept server-side only, never exposed to the browser; and
  • regular, automated backups.

Further detail is on our Security & GDPR page.

8.Personal data breaches

If we become aware of a personal data breach affecting your Clients’ data, we will notify you without undue delay, and in any event within 72 hours of becoming aware of it, with the information reasonably available to us at the time, and will cooperate with you and provide reasonable further information as it becomes available to help you meet your own notification obligations.

9.Deletion and return of data

On termination of your account, or on request, we will — at your choice — make your Clients’ personal data available for export, or delete it, in line with the retention periods in our Privacy policy (broadly: deletion from active systems within 30 days, and from encrypted backups within a further 60 days, save for limited records we must keep for legal or tax reasons).

10.Audits and assistance

We will make available to you the information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, on reasonable prior notice and subject to reasonable confidentiality protections — recognising that, as a small provider, formal on-site audits may not be practicable and we may instead provide documentation, screenshots or a call to satisfy a request.

11.Liability

Liability under this DPA is subject to the limitations and exclusions set out in clause 18 of our Terms of Service.

12.Term

This DPA takes effect when you start using the Service and continues for as long as we process personal data on your behalf under the Terms of Service, surviving termination to the extent needed to give effect to clauses 8 to 10.

13.Governing law

This DPA is governed by the law of England and Wales, consistent with clause 22 of our Terms of Service.

14.Contact

Questions about this DPA? Email rosta@trndsttr.co.uk.