Data Processing Agreement
1. About this agreement
This Data Processing Agreement (the "DPA") forms part of the 141kg Terms of Service and governs how 141kg processes personal data about your clients on your behalf when you use the platform as a personal trainer (PT).
It is required by Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. The parties
Controller: you, the PT, in your capacity as the user of the Tenant app and the person responsible for the relationship with your clients.
Processor: 141kg Ltd, a company registered in England and Wales under company number [COMPANY NUMBER], with registered office at Gables House, 62 Kenilworth Road, Leamington Spa, CV32 6JX. Email: admin@141kg.com.
By creating a PT account and accepting the Terms of Service, you accept this DPA and authorise 141kg to process your clients' personal data on the terms set out here.
3. Scope of this agreement
This DPA applies only to personal data you enter into the Tenant app about your clients (for example: client names and contact details you record, training programmes you assign, body weight records you enter, notes you make about a client's progress or injuries).
It does not apply to:
- Your own PT account data. 141kg is the controller of that data and processes it under the Privacy Notice.
- Personal data your clients enter into the Client app themselves. 141kg is the controller of that data under its direct contract with the client, and processes it under the Privacy Notice.
4. Subject matter, duration, nature and purpose
| Item | Details |
|---|---|
| Subject matter | Hosting and managing client records you create in the 141kg Tenant app. |
| Duration | For as long as you maintain an active PT account, plus the retention period set out in section 11. |
| Nature and purpose of processing | Storing, organising, retrieving, displaying, transmitting, and backing up client data to enable you to deliver personal training services through the platform. |
| Types of personal data | Client name, contact details, date of birth, sex, body weight, training programmes and history (sets, reps, weights, dates), training goals, injury notes against specific body areas, recovery and progress notes. |
| Categories of data subjects | Your clients (individuals who have engaged you as a personal trainer). |
| Special category data | None expected. You must not enter health diagnoses, clinical information, or other special category data into the platform unless you have an Article 9 lawful basis to process it. |
5. Your obligations as controller
You confirm and warrant that:
- You have a lawful basis under UK GDPR Article 6 for processing each client's personal data (in most cases, your contract with them).
- You have provided your clients with a privacy notice that meets the requirements of UK GDPR Article 13, including telling them that 141kg.com is the software provider hosting their data, and making the 141kg Privacy Notice available to them.
- You will only enter personal data into the platform that you are entitled to process.
- You will respond to your clients' data subject requests (access, correction, deletion, portability, objection) in accordance with UK GDPR.
- You will keep your account credentials secure and notify 141kg promptly if you suspect they have been compromised.
6. 141kg's obligations as processor
141kg agrees, in accordance with UK GDPR Article 28(3):
6.1 Documented instructions
To process client personal data only on your documented instructions, including with regard to transfers of personal data to a third country, unless required to do otherwise by UK or EU law. Your instructions are the actions you take through the Tenant app together with this DPA and the Terms of Service. If 141kg is required by law to process the data otherwise, we will inform you of that legal requirement before processing, unless the law prohibits us from doing so.
6.2 Confidentiality
To ensure that any person authorised to process client personal data (including 141kg staff, contractors, and sub-processors) is bound by a duty of confidentiality.
6.3 Security
To take appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (HTTPS) and at rest (database-level encryption).
- Row-level security policies that restrict access to authorised users only.
- Salted password hashing handled by Supabase Auth.
- Optional multi-factor authentication available on PT accounts.
- Regular monitoring of platform access and security events.
6.4 Sub-processors
You authorise 141kg to engage the sub-processors listed in Schedule A. We will inform you of any intended changes to the sub-processor list by updating Schedule A on this page and bumping the version of this DPA. You have the right to object to the change. If we cannot accommodate your objection, you may terminate your account and we will delete the relevant data in accordance with section 11.
141kg remains liable to you for the acts and omissions of its sub-processors.
6.5 Assisting with data subject rights
To assist you, taking into account the nature of the processing, by appropriate technical and organisational measures, in fulfilling your obligation to respond to requests from your clients exercising their rights under UK GDPR.
6.6 Assisting with security, breach notification, and impact assessments
To assist you in ensuring compliance with your obligations under Articles 32 to 36 of UK GDPR, taking into account the nature of the processing and the information available to 141kg. In particular, 141kg will:
- Notify you without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting client data.
- Provide you with the information you need to notify the ICO and (where required) the affected data subjects.
- Provide reasonable assistance with any data protection impact assessment you carry out.
6.7 Return or deletion at end of services
At your choice, to delete or return all client personal data to you after the end of your use of the platform, and to delete existing copies unless UK or EU law requires storage of the personal data. See section 11 for the practical mechanism.
6.8 Demonstrating compliance
To make available to you all information necessary to demonstrate compliance with Article 28 obligations, and to allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you. Audits will be at your cost, conducted on reasonable notice, no more than once per year unless there is a documented concern, and subject to confidentiality.
7. International transfers
Client personal data is stored on Supabase infrastructure in the EU (eu-west-1, Ireland). Transfers between the UK and the EEA are covered by mutual adequacy decisions and require no additional safeguards.
Where any sub-processor handles data outside the UK or EEA, 141kg will rely on a UK adequacy decision or implement appropriate safeguards (for example, Standard Contractual Clauses with the UK addendum, or the UK International Data Transfer Agreement).
8. Personal data breaches
If 141kg becomes aware of a personal data breach affecting client data, we will notify you without undue delay and in any event within 72 hours. The notification will describe:
- The nature of the breach, including the categories and approximate number of data subjects and records affected.
- The likely consequences.
- The measures taken or proposed to address the breach and mitigate its effects.
- A contact point for further information.
You remain responsible for notifying the ICO (within 72 hours of becoming aware of the breach, where required) and the affected clients (where required).
9. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA excludes or limits any liability that cannot be excluded or limited under UK law.
10. Term and termination
This DPA takes effect when you accept the Terms of Service and continues for as long as 141kg processes client personal data on your behalf. It terminates automatically when you close your PT account or stop using the platform.
11. Deletion or return of data
When this DPA terminates, you have 30 days to export your client data using the tools available in the Tenant app or by emailing admin@141kg.com. After 30 days, 141kg will delete the client data from active systems within a further 30 days.
Backup copies may persist for up to 35 days after deletion from active systems, after which they are overwritten in the normal course of backup rotation.
141kg may retain anonymised data (data from which no individual client can be identified) and audit log entries (which may include references to client data) for the periods set out in the Privacy Notice, where required for legal, regulatory, or evidential purposes.
12. Changes to this DPA
141kg may update this DPA from time to time to reflect changes in law, sub-processor arrangements, or platform features. When we do, we will:
- Bump the version number at the top of this page.
- Notify active PTs by email or in-app message, with a summary of material changes.
- For material changes that affect your rights, give at least 30 days' notice before the change takes effect.
If you do not accept a material change, you may close your account before the new version takes effect.
13. Governing law and jurisdiction
This DPA is governed by the laws of England and Wales. Any dispute will be subject to the exclusive jurisdiction of the courts of England and Wales.
14. Contact
For any question about this DPA, contact us at admin@141kg.com.
Schedule A: Approved sub-processors
As at the version date above, 141kg uses the following sub-processors to deliver the platform:
| Sub-processor | Purpose and location |
|---|---|
| Supabase | Database hosting and authentication. Data stored in eu-west-1 (Ireland). Contract in place with Standard Contractual Clauses where applicable. |
| Vercel | Web application hosting (serves the Tenant and Client apps). EU regions. Contract in place. |
| Cloudflare | DNS and edge network. Global infrastructure. Contract in place. |
The list above is current as at the version date and supersedes any previous version. If 141kg engages a new sub-processor, this schedule will be updated and the version of the DPA will be bumped.