Data Processing Agreement
1. About this agreement
This Data Processing Agreement (DPA) governs the processing of personal data carried out by 141kg Ltd as a processor on behalf of personal trainers (PTs) who use the Tenant app. It forms part of our Terms of Service and applies whenever a PT enters or stores personal data about their clients on the 141kg platform.
This DPA does not apply to processing where 141kg Ltd is itself the controller (for example, the PT's own account data, login activity, and the technical operation of the platform). That processing is governed by our Privacy Notice.
By using the Tenant app to record data about your clients, you accept this DPA. You do not need to sign a separate document. If you require a counter-signed copy for your records, email us at admin@141kg.com.
2. Definitions
The terms controller, processor, sub-processor, personal data, special category data, data subject, and personal data breach have the meanings given to them in UK GDPR.
Us / we / 141kg: 141kg Ltd, a company registered in England and Wales under company number 17241763, registered office Gables House, 62 Kenilworth Road, Leamington Spa, CV32 6JX.
You / the PT: the personal trainer who has created a Tenant app account and uses the platform to record data about their clients.
Client data: the personal data about the PT's clients that is processed by 141kg on the PT's behalf through the Tenant app and the Client app.
3. Roles
For client data:
- The PT is the controller. The PT decides what data to collect about clients, why, and on what lawful basis.
- 141kg is the processor. We process client data only on the PT's documented instructions, which are set out in this DPA and in the way the Tenant app and Client app operate.
This is a controller-to-processor relationship as defined in UK GDPR Article 28. We do not determine the purposes and means of processing client data, except to the extent necessary to provide the platform.
4. Subject matter, duration, nature and purpose of processing
Subject matter: processing of personal data about the PT's clients for the purpose of training planning, recording, and analysis.
Duration: for the life of the PT's account, plus the 30-day transition period after closure, plus any further period required by the retention schedule in our Privacy Notice.
Nature of processing: collection, storage, structuring, retrieval, use, transmission, restriction, deletion, backup, and sending engagement email to your clients on your instruction. Processing is automated, carried out using the Tenant app and the Client app, and our supporting infrastructure.
Purpose of processing: to provide the 141kg platform to the PT, enabling the PT to plan, record, and analyse the training of their clients, to show the PT when each of their clients last opened the Client app, to send an engagement email to a client when the PT instructs it, and to provide the clients with access to their own records.
5. Categories of data subjects and personal data
Data subjects: the PT's clients, who are aged 16 or over.
Personal data:
- Identification and contact data: name, email address, date of birth, sex (where provided).
- Authentication data: password hash (held by Supabase), login activity.
- Training data: workouts, exercises, sets, reps, weights, times, body areas, session dates and times, session notes, goals, leaderboard opt-in and display name, training history.
- Engagement data: the date the client last opened the Client app, whether the client has opted out of engagement email, and the record of engagement emails sent to them.
Special category data (UK GDPR Article 9):
- Body weight measurements.
- Heart rate (per session, optional).
- Rate of perceived exertion (RPE) on a 0 to 10 scale (per session, optional).
- Session calories (per session, optional, user-entered estimate).
Categories of data the platform does not process on the PT's behalf:
- Photos of any kind (the platform has no photo upload feature for client records; profile imagery is rendered from the client's initials).
- Injury, illness, medication, medical history, or any clinical record.
- PAR-Q or health screening questionnaire responses.
- Wellbeing or readiness fields entered by the user (sleep, soreness, stress, mood).
- Wearable device data.
- Nutrition or food intake data.
The free-text fields on the platform (session notes, goal descriptions) are not designed to hold any of the categories listed above. The PT warrants in section 6 that they will not enter such information in those fields.
If we identify any other category of personal data being processed through the platform that is not covered by the lists above, we will update this DPA and notify PTs in the app.
6. PT obligations (warranties)
As the controller of client data, you warrant to us that:
- You have a lawful basis under UK GDPR Article 6 for processing each client's personal data (usually your contract with the client).
- You will not invite or enter data about anyone under 16 years old. You will confirm a client's age before adding them to the platform.
- Before entering any special category data about a client, you have obtained their explicit consent under UK GDPR Article 9(2)(a) using the consent capture screen provided in the Tenant app. The consent screen requires the client to tick two boxes: one confirming agreement to recording, and one acknowledging the data is treated as special category health data and that consent can be withdrawn at any time.
- You will stop entering any category of special category data for any client who has not consented or who has withdrawn consent.
- You have made our Privacy Notice available to each client.
- You have your own privacy notice that tells your clients about your processing, including the categories of data, the lawful basis, your contact details, and the clients' rights. We provide a template you can adapt at https://legal.141kg.com/pt-privacy/. The template is a starting point, not legal advice; you are responsible for the content of the notice you actually give to your clients.
- You will not enter health information about a client into the platform's free-text fields (session notes, goal descriptions, or any other free-text input). This includes injuries, conditions, medications, medical history, mental health information, or anything that would constitute special category data under UK GDPR Article 9. The platform is not a clinical record system. If you need to record such information for your own practice, keep it in a separate system that is appropriate for clinical data.
- If you instruct us to send an engagement email to a client, you are the sender for the purposes of the Privacy and Electronic Communications Regulations 2003. You warrant that you have a lawful basis to email that client about your services, either their consent or the soft opt-in in regulation 22(3), and that they have not asked you to stop. We provide the mechanism and enforce the unsubscribe. We do not decide who receives an engagement email.
- You will respond to data subject rights requests from your clients in line with UK GDPR (see section 9 below). We will help with the technical side, but the legal response is yours.
- You will tell us promptly if you become aware that a client has withdrawn consent, has asked for their data to be deleted, has died, or has made any other request that affects how we should be processing their data.
7. Our obligations (as processor)
We will:
- Process client data only on your documented instructions, which are set out in this DPA and reflected in how the Tenant app and Client app operate. If we are required by UK or other law to process client data otherwise, we will tell you before doing so (unless the law prohibits us from telling you).
- Ensure that the people we authorise to access client data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures (see section 8).
- Only engage sub-processors in line with section 10.
- Send an engagement email to a client only when you instruct it. We will never send one on our own initiative, and never for any purpose of our own. Every engagement email carries an unsubscribe link. A client who unsubscribes is opted out across the whole platform, and no PT can clear that opt-out. We will not send an engagement email to a client you have not invited, and we limit sends to one per client in any 14-day period. The message body carries no client personal data and no client training data.
- Help you respond to data subject rights requests (see section 9).
- Help you comply with your obligations under UK GDPR Articles 32 to 36 (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of the processing and the information available to us.
- At your choice, delete or return all client data at the end of the processing relationship, except where UK or other law requires us to keep it. Our default is deletion in line with the retention schedule in our Privacy Notice.
- Make available to you all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as set out in section 12.
8. Security measures
We implement and maintain the following technical and organisational measures, in line with UK GDPR Article 32:
- Encryption in transit: all connections to the platform use HTTPS (TLS 1.2 or later).
- Encryption at rest: client data stored in our database is encrypted at rest by our database provider.
- Authentication: PT accounts are protected by mandatory multi-factor authentication using a TOTP authenticator app. Client accounts use password-only authentication.
- Access controls: database row-level security ensures that one PT's data is isolated from any other PT's data, and one client's data is isolated from any other client's data.
- Least privilege: our own access to client data is limited to what is necessary to operate the platform and respond to support requests.
- Audit logging: authentication events and key data changes are logged for security and accountability.
- Backups: client data is backed up regularly. Backups are encrypted and held in the same region as the live database. Backup retention is set out in our Privacy Notice retention schedule.
- Incident response: we operate a process for identifying, investigating, and responding to suspected personal data breaches (see section 11).
9. Data subject rights
Your clients have the rights set out in UK GDPR Articles 15 to 22 (access, rectification, erasure, restriction, portability, objection, and not being subject to automated decision-making with legal or similarly significant effects).
As the controller, you are responsible for responding to these requests. We will help you with the technical side:
- Access and portability: the Tenant app provides export tools for client data in machine-readable format. The Client app also lets a client export their own data directly. If a client asks for an export and you cannot retrieve it through the app, we will provide it on request within 14 days.
- Rectification: most data can be corrected directly in the app.
- Erasure: you can delete a client and their data from the Tenant app. If the client has self-logged data in the Client app that you cannot reach, contact us and we will delete it within 14 days.
- Restriction: on request, we will mark a client's data as restricted and stop active processing.
- Withdrawal of consent for special category data: the client can withdraw consent in the Client app, or by emailing admin@141kg.com. When they do, we notify you in the Tenant app and you must stop entering that category of data.
We do not respond to data subject rights requests from your clients directly, except where the client cannot reach you. In that case we will help the client and tell you about the request as soon as possible.
10. Sub-processors
You give us general authorisation to engage sub-processors to provide the platform. We use the following sub-processors:
| Sub-processor | Role | Location of processing | Transfer safeguard |
|---|---|---|---|
| Vercel | Application hosting | United States (with EU/UK regions used where available) | UK IDTA / EU SCCs with UK Addendum |
| Supabase | Database and authentication | EU (Ireland, AWS) | UK adequacy decision for EU; UK IDTA for any non-EU support access |
| Fastmail | Corporate email (admin@141kg.com and similar) | Australia | UK IDTA |
| Resend | Transactional email (invites, password resets, account notifications, engagement email sent on a PT instruction) | United States | UK IDTA / EU SCCs with UK Addendum |
Before adding or replacing a sub-processor that processes client data, we will notify PTs in the Tenant app at least 14 days in advance. You may object on reasonable data protection grounds by emailing admin@141kg.com within that period. If we cannot find an acceptable solution, you may terminate this DPA and your account by giving notice in writing, and we will delete or return your client data in line with section 7.
We remain responsible for the acts and omissions of our sub-processors in respect of their obligations under this DPA, in the same way as for our own.
11. Personal data breach notification
If we become aware of a personal data breach affecting client data, we will:
- Notify you without undue delay after becoming aware.
- Provide the information you need to fulfil your own notification obligations to the ICO under UK GDPR Article 33, including (so far as we know) the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed.
- Cooperate with you in investigating and mitigating the breach.
You remain responsible for assessing whether the breach must be notified to the ICO, for making that notification, and for any notification to affected data subjects under Article 34.
12. Audits
You have the right to audit our compliance with this DPA. In practice, we expect most audit needs to be met by:
- The information set out in this DPA and our Privacy Notice.
- Written responses to specific questions you send us at admin@141kg.com.
- Copies of relevant policies, sub-processor agreements, and security documentation on request, where we hold them.
If you require an on-site or third-party audit, we will discuss reasonable arrangements with you, including timing, scope, and which areas can be inspected without compromising the security of other PTs' data. You will pay our reasonable costs of facilitating the audit unless the audit reveals a material breach of this DPA by us.
13. International transfers
Where personal data is transferred outside the UK to a country not covered by a UK adequacy decision, we rely on the UK International Data Transfer Agreement (UK IDTA) or the EU Standard Contractual Clauses with the UK Addendum, as appropriate. The sub-processors and transfer safeguards are set out in section 10.
If a future change in law affects the validity of these safeguards, we will work with you in good faith to put alternative safeguards in place before continuing the transfers.
14. Retention and deletion
Retention periods for all categories of client data are set out in the retention schedule in our Privacy Notice at https://legal.141kg.com/privacy/. That schedule is the single source of truth and overrides any retention period stated elsewhere.
On termination of your account, you have 30 days to export client data using the tools in the Tenant app or by emailing admin@141kg.com. After that period, your client data is deleted from active systems in line with the retention schedule, except where we are required to retain certain information for legal, accounting, or regulatory reasons. Data may persist in backups for up to 30 days after live deletion in line with normal backup rotation.
15. Liability
The liability provisions in our Terms of Service apply to this DPA. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under UK law.
You agree to indemnify us against any claim brought by your clients or any third party arising from your failure to comply with this DPA, including (without limitation) any failure to obtain valid Article 9(2)(a) consent, any processing of data about a person under 16, or any failure to make our Privacy Notice available to a client. This does not apply to claims caused by our own breach of this DPA.
16. Changes to this DPA
We may update this DPA from time to time. When we do, we will:
- Bump the version number at the top of this document.
- Show you the updated DPA in the Tenant app the next time you log in.
- Where the change is material, ask you to acknowledge it before continuing.
If you do not accept a material update, you may terminate this DPA and your account in line with our Terms of Service. We will delete or return your client data in line with section 7.
17. Governing law
This DPA is governed by the laws of England and Wales. Any dispute will be subject to the exclusive jurisdiction of the courts of England and Wales (the same jurisdiction that applies to PTs under our Terms of Service).
18. Contact
For anything about this DPA, email admin@141kg.com.