141kg
Legal

Data Processing Agreement

Version: 2026-07-12-a

Effective from: 12 July 2026

1. About this agreement

This Data Processing Agreement (DPA) governs the processing of personal data carried out by 141kg Ltd as a processor on behalf of personal trainers (PTs) who use the Tenant app. It forms part of our Terms of Service and applies whenever a PT enters or stores personal data about their clients on the 141kg platform.

This DPA does not apply to processing where 141kg Ltd is itself the controller (for example, the PT's own account data, login activity, and the technical operation of the platform). That processing is governed by our Privacy Notice.

By using the Tenant app to record data about your clients, you accept this DPA. You do not need to sign a separate document. If you require a counter-signed copy for your records, email us at admin@141kg.com.

2. Definitions

The terms controller, processor, sub-processor, personal data, special category data, data subject, and personal data breach have the meanings given to them in UK GDPR.

Us / we / 141kg: 141kg Ltd, a company registered in England and Wales under company number 17241763, registered office Gables House, 62 Kenilworth Road, Leamington Spa, CV32 6JX.

You / the PT: the personal trainer who has created a Tenant app account and uses the platform to record data about their clients.

Client data: the personal data about the PT's clients that is processed by 141kg on the PT's behalf through the Tenant app and the Client app.

3. Roles

For client data:

This is a controller-to-processor relationship as defined in UK GDPR Article 28. We do not determine the purposes and means of processing client data, except to the extent necessary to provide the platform.

4. Subject matter, duration, nature and purpose of processing

Subject matter: processing of personal data about the PT's clients for the purpose of training planning, recording, and analysis.

Duration: for the life of the PT's account, plus the 30-day transition period after closure, plus any further period required by the retention schedule in our Privacy Notice.

Nature of processing: collection, storage, structuring, retrieval, use, transmission, restriction, deletion, backup, and sending engagement email to your clients on your instruction. Processing is automated, carried out using the Tenant app and the Client app, and our supporting infrastructure.

Purpose of processing: to provide the 141kg platform to the PT, enabling the PT to plan, record, and analyse the training of their clients, to show the PT when each of their clients last opened the Client app, to send an engagement email to a client when the PT instructs it, and to provide the clients with access to their own records.

5. Categories of data subjects and personal data

Data subjects: the PT's clients, who are aged 16 or over.

Personal data:

Special category data (UK GDPR Article 9):

Categories of data the platform does not process on the PT's behalf:

The free-text fields on the platform (session notes, goal descriptions) are not designed to hold any of the categories listed above. The PT warrants in section 6 that they will not enter such information in those fields.

If we identify any other category of personal data being processed through the platform that is not covered by the lists above, we will update this DPA and notify PTs in the app.

6. PT obligations (warranties)

As the controller of client data, you warrant to us that:

7. Our obligations (as processor)

We will:

8. Security measures

We implement and maintain the following technical and organisational measures, in line with UK GDPR Article 32:

9. Data subject rights

Your clients have the rights set out in UK GDPR Articles 15 to 22 (access, rectification, erasure, restriction, portability, objection, and not being subject to automated decision-making with legal or similarly significant effects).

As the controller, you are responsible for responding to these requests. We will help you with the technical side:

We do not respond to data subject rights requests from your clients directly, except where the client cannot reach you. In that case we will help the client and tell you about the request as soon as possible.

10. Sub-processors

You give us general authorisation to engage sub-processors to provide the platform. We use the following sub-processors:

Sub-processor Role Location of processing Transfer safeguard
Vercel Application hosting United States (with EU/UK regions used where available) UK IDTA / EU SCCs with UK Addendum
Supabase Database and authentication EU (Ireland, AWS) UK adequacy decision for EU; UK IDTA for any non-EU support access
Fastmail Corporate email (admin@141kg.com and similar) Australia UK IDTA
Resend Transactional email (invites, password resets, account notifications, engagement email sent on a PT instruction) United States UK IDTA / EU SCCs with UK Addendum

Before adding or replacing a sub-processor that processes client data, we will notify PTs in the Tenant app at least 14 days in advance. You may object on reasonable data protection grounds by emailing admin@141kg.com within that period. If we cannot find an acceptable solution, you may terminate this DPA and your account by giving notice in writing, and we will delete or return your client data in line with section 7.

We remain responsible for the acts and omissions of our sub-processors in respect of their obligations under this DPA, in the same way as for our own.

11. Personal data breach notification

If we become aware of a personal data breach affecting client data, we will:

You remain responsible for assessing whether the breach must be notified to the ICO, for making that notification, and for any notification to affected data subjects under Article 34.

12. Audits

You have the right to audit our compliance with this DPA. In practice, we expect most audit needs to be met by:

If you require an on-site or third-party audit, we will discuss reasonable arrangements with you, including timing, scope, and which areas can be inspected without compromising the security of other PTs' data. You will pay our reasonable costs of facilitating the audit unless the audit reveals a material breach of this DPA by us.

13. International transfers

Where personal data is transferred outside the UK to a country not covered by a UK adequacy decision, we rely on the UK International Data Transfer Agreement (UK IDTA) or the EU Standard Contractual Clauses with the UK Addendum, as appropriate. The sub-processors and transfer safeguards are set out in section 10.

If a future change in law affects the validity of these safeguards, we will work with you in good faith to put alternative safeguards in place before continuing the transfers.

14. Retention and deletion

Retention periods for all categories of client data are set out in the retention schedule in our Privacy Notice at https://legal.141kg.com/privacy/. That schedule is the single source of truth and overrides any retention period stated elsewhere.

On termination of your account, you have 30 days to export client data using the tools in the Tenant app or by emailing admin@141kg.com. After that period, your client data is deleted from active systems in line with the retention schedule, except where we are required to retain certain information for legal, accounting, or regulatory reasons. Data may persist in backups for up to 30 days after live deletion in line with normal backup rotation.

15. Liability

The liability provisions in our Terms of Service apply to this DPA. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under UK law.

You agree to indemnify us against any claim brought by your clients or any third party arising from your failure to comply with this DPA, including (without limitation) any failure to obtain valid Article 9(2)(a) consent, any processing of data about a person under 16, or any failure to make our Privacy Notice available to a client. This does not apply to claims caused by our own breach of this DPA.

16. Changes to this DPA

We may update this DPA from time to time. When we do, we will:

If you do not accept a material update, you may terminate this DPA and your account in line with our Terms of Service. We will delete or return your client data in line with section 7.

17. Governing law

This DPA is governed by the laws of England and Wales. Any dispute will be subject to the exclusive jurisdiction of the courts of England and Wales (the same jurisdiction that applies to PTs under our Terms of Service).

18. Contact

For anything about this DPA, email admin@141kg.com.