ClimbSoft Logo
Last updated: 2026

Data Processing Agreement

(hereinafter "DPA")

ANNEX No. 1 TO THE CLIMBSOFT GENERAL TERMS AND CONDITIONS

This DPA is concluded in accordance with Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the "GDPR") between:

  • the Processor – Anna Šebestíková, a self-employed individual (sole trader) with place of business at Máchova 643/13, České Budějovice 7, 370 01 České Budějovice, Czech Republic, Business ID No. (IČO): 10855599, registered in the Trade Licensing Register (hereinafter the "Processor"), and
  • the Customer, who accepted the ClimbSoft General Terms and Conditions (hereinafter the "GTC") upon Registration and who, in relation to the data of Data Subjects, acts as controller (hereinafter the "Controller"),

(the Processor and the Controller together the "Parties").

Capitalised terms not expressly defined in this DPA have the meaning given to them in the GTC and in the ClimbSoft Privacy Policy.

1. Subject and Application of the DPA

1.1 This DPA governs the rights and obligations of the Parties in the processing of personal data that the Processor carries out on behalf of the Controller through the Service.

1.2 This DPA applies exclusively where the Customer acts, in relation to the personal data entered into the Service, as a controller within the meaning of Article 4(7) GDPR. In particular:

  • a Customer acting as a business entity that processes the personal data of Data Subjects (in particular athletes, clients, test subjects) through the Service,
  • a Consumer who, through the Service, systematically processes the personal data of other persons in a manner that goes beyond purely personal or household activity within the meaning of Article 2(2)(c) GDPR, and thereby becomes a controller of such data.

1.3 This DPA does not apply where a Consumer uses the Service exclusively to process their own personal data. In such a case, the Provider is an independent controller in relation to such data and the processing is governed by the Privacy Policy.

1.4 This DPA forms an integral part of the GTC and becomes valid and effective upon the Controller's acceptance of the GTC during Registration. By accepting the GTC, the Controller confirms that the DPA satisfies the requirement of written form within the meaning of Article 28(9) GDPR.

1.5 At the Controller's explicit request, the Processor may provide the DPA as a separate document for signature. In such a case, the separately signed DPA prevails over this Annex.

2. Specification of the Processing

2.1 The subject matter, nature, purpose, categories of data, and categories of Data Subjects are specified in Annex A to this DPA.

2.2 The Controller acknowledges that a substantial part of the processing concerns special categories of personal data under Article 9(1) GDPR, in particular health and physiological data, and where applicable biometric data processed for the purpose of uniquely identifying a natural person. The Controller declares that it has a valid legal basis under Article 9(2) GDPR for such data, in particular:

  • the explicit consent of the Data Subject under point (a), or
  • another legal basis under Article 9(2) GDPR (in particular point (h) for preventive medicine and the assessment of working capacity, or point (j) for scientific research).

2.3 The duration of the processing corresponds to the duration of the contractual relationship under the GTC and the Retention Period under Article 15 of the GTC.

3. Controller's Instructions

3.1 The Processor processes personal data solely on the basis of the documented instructions of the Controller. The following are considered documented instructions:

  • acceptance of the GTC and this DPA during Registration,
  • the settings and configurations made by the Controller in the Account,
  • the entry of data into the Service by the Controller or its Users,
  • the activation of individual Service features, including AI Features and integrations with third-party devices,
  • written instructions sent by the Controller to the e-mail address info@climbsoft.eu.

3.2 The Processor informs the Controller without undue delay if it considers that an instruction of the Controller infringes the GDPR or other data protection legislation.

3.3 The Processor is entitled to process data contrary to the Controller's instructions only to the extent required by EU law or the law of a Member State. In such a case, the Processor informs the Controller, unless such notification is prohibited.

3.4 The Processor will not use the Controller's personal data for its own purposes, in particular not for marketing, the development and training of artificial intelligence, or any purpose beyond the provision of the Service, without the Controller's explicit consent. This does not limit the Processor's right to use aggregated and anonymised data pursuant to clause 7.4 of the GTC.

4. Obligations of the Processor

4.1 The Processor undertakes to:

  • ensure that persons authorised to process personal data are bound by an obligation of confidentiality,
  • adopt and maintain technical and organisational measures pursuant to Article 32 GDPR as specified in Annex B,
  • assist the Controller in fulfilling its obligations under Articles 32 to 36 GDPR (security of processing, breach notification, impact assessment, prior consultation),
  • assist the Controller, by appropriate technical and organisational measures, in responding to requests from Data Subjects to exercise their rights,
  • forward to the Controller, without undue delay, any request from a Data Subject who has contacted the Processor directly.

4.2 The Processor provides the assistance under clause 4.1 taking into account the nature of the processing and the information available to the Processor.

5. Sub-processors

5.1 The Controller grants the Processor a general authorisation to engage other processors in the processing (hereinafter "Sub-processors").

5.2 The current list of Sub-processors is available on the Website.

5.3 The Processor informs the Controller of any intended addition or replacement of a Sub-processor at least 14 days in advance by updating the list on the Website and by notice in the application.

5.4 The Controller has the right to object to a change of Sub-processor on data protection grounds within 14 days of the notice. In the event of an objection, the Parties will attempt to reach an amicable solution. If no agreement is reached, the Controller is entitled to terminate the contractual relationship without penalty as of the date of the planned engagement of the Sub-processor.

5.5 The Processor imposes on the Sub-processor the same data protection obligations as it has under this DPA, and remains fully liable to the Controller for the performance of those obligations by the Sub-processors.

6. Personal Data Breaches

6.1 The Processor notifies the Controller of a personal data breach without undue delay, and at the latest within 24 hours of becoming aware of it.

6.2 The notification contains, where possible and to the extent the Processor has the information available:

  • a description of the nature of the breach, the categories and approximate number of Data Subjects concerned,
  • the categories and approximate number of records concerned,
  • the likely consequences of the breach,
  • the measures taken or proposed to address and mitigate the breach,
  • a contact point for the responsible person or other point of contact.

6.3 Where it is not possible to provide all the information at the same time, the Processor provides it in phases without undue delay.

7. International Data Transfers

7.1 The Processor is entitled to transfer personal data outside the European Economic Area (EEA) only while maintaining the safeguards under Chapter V GDPR, in particular:

  • on the basis of a European Commission adequacy decision under Article 45 GDPR, or
  • on the basis of Standard Contractual Clauses approved by the European Commission under Article 46(2)(c) GDPR.

7.2 The activation by the Controller of an integration with a third-party device or service that involves a transfer of data outside the EEA is considered a documented instruction of the Controller for such a transfer.

7.3 The Processor provides the Controller, on request, with a copy of the specific safeguards for a given transfer.

8. Audit and Inspection

8.1 The Processor provides the Controller with the information necessary to demonstrate compliance with the obligations under Article 28 GDPR and this DPA.

8.2 The Processor primarily fulfils the obligation to provide information by providing:

  • current certificates,
  • reports from independent information security audits,
  • documentation of the technical and organisational measures under Annex B.

8.3 The Controller has the right to carry out an audit of the Processor where the information under clause 8.2 is insufficient or where there is a reasonable suspicion of a breach of this DPA. The following conditions apply to the audit:

  • the audit may be carried out at most once a year, except in the event of a security incident,
  • the audit must not lead to the disclosure of data of other Controllers or jeopardise the security of the Service for other Controllers,
  • the Controller gives at least 30 days' notice of the audit,
  • the audit must not unreasonably interfere with the Processor's operations,
  • the audit takes place during the Processor's working hours,
  • the auditor is bound by an obligation of confidentiality towards the Processor,
  • the costs of the audit are borne by the Controller, except where the audit reveals a serious breach of this DPA by the Processor.

9. Return and Deletion of Data

9.1 After the provision of the Service ends, the Controller has the right, during the Retention Period under Article 15 of the GTC, to export its data in a structured, commonly used, and machine-readable format.

9.2 After the expiry of the Retention Period, the Processor deletes or anonymises the Controller's active personal data. Data contained in backups will be deleted as part of the ordinary backup rotation cycle, but no later than 30 days after the expiry of the Retention Period.

9.3 The Processor does not retain personal data after the periods under clauses 9.1 and 9.2, unless EU or Member State law requires their further retention.

10. Liability

10.1 The Parties are liable for damage caused by a breach of obligations under the GDPR and this DPA to the extent set out in Article 82 GDPR.

10.2 The maximum liability of the Processor for damage arising from a breach of this DPA is limited in accordance with clause 12.3 of the GTC, i.e. to the amount closer to one of the following:

  • the total amount of payments received from the Controller for the Service during the last 12 months before the event giving rise to the claim for damages, or
  • EUR 5,000.

10.3 The limitation under clause 10.2 does not apply in cases where it is excluded by EU or Member State law, in particular in the case of intentional breach or gross negligence.

10.4 Fines imposed on the Controller by a supervisory authority are, for the purposes of the limitation of liability under clause 10.2, considered damage where the Processor is responsible for their imposition. This is without prejudice to the allocation of liability between controller and processor under Article 82 GDPR or to the Processor's direct obligations towards the supervisory authority.

11. Duration and Termination

11.1 This DPA is effective for the duration of the contractual relationship under the GTC and to the extent of the processing of personal data within the meaning of clause 1.2 of this DPA.

11.2 The provisions concerning the obligation of confidentiality, the deletion of data, and liability remain in force after the termination of this DPA.

12. Final Provisions

12.1 This DPA is governed by the GDPR and, as appropriate, by the generally binding legal regulations of the country of the Processor's place of business, unless this conflicts with the mandatory provisions of the consumer law of the country of the Controller's habitual residence, where the Controller is a Consumer.

12.2 In the event of a conflict between this DPA and the GTC, the provisions of this DPA prevail to the extent that they govern the processing of personal data in the position of Processor.

12.3 The Processor is entitled to amend this DPA unilaterally to the extent necessary to ensure compliance with the GDPR or other legal regulations. The Processor informs the Controller of any such change at least 30 days before it takes effect.

12.4 The Parties undertake to resolve disputes arising from this DPA primarily by agreement. In the event of a court dispute, the competent court is the court at the Processor's place of business (Czech Republic), unless this conflicts with the mandatory rules on jurisdiction in consumer disputes under EU law.

12.5 The following form an integral part of this DPA:

  • Annex A – Specification of the Processing,
  • Annex B – Technical and Organisational Measures.

12.6 This DPA takes effect on the date of its publication on the Website, as Annex No. 1 to the GTC.

Annex A – Specification of the Processing

Subject matter of the processing

Processing of personal data pursuant to clause 2.3 of the Privacy Policy.

Nature of the processing

  • Storage of data in a database and on servers.
  • Structuring, organisation, and visualisation of data.
  • Technical transfer of data within the system.
  • Creation and storage of backups.
  • Logging of events and activities (including technical logs that may contain identifiers of Data Subjects for operational and incident-resolution purposes).
  • Profiling and generation of analytical outputs within AI Features (Plans marked with "+").
  • Transfer of data to third parties for integrations activated by the Controller.

Purpose of the processing

Provision of the Service within the scope of the chosen Plan under the GTC, in particular the collection, analysis, and visualisation of athletes' physiological, health, and performance data.

Duration of the processing

For the duration of the contractual relationship under the GTC and during the Retention Period under Article 15 of the GTC.

Categories of Data Subjects

  • Athletes, clients, and test subjects of the Controller.
  • Members of clubs, academies, and other organisations of the Controller.
  • Users of the Controller (coaches, doctors, physiotherapists, researchers).
  • Other persons whose data the Controller enters into the Service.

Ordinary categories of personal data

  • Identification data (first name, surname, date of birth, gender).
  • Contact data (e-mail, telephone).
  • Data on membership in an organisation.
  • Comments, notes, training diaries.
  • Technical and operational data (IP addresses, logs, metadata).

Special categories under Article 9 GDPR

Health and physiological data under Article 9(1) GDPR, and biometric data only to the extent processed for the purpose of uniquely identifying a natural person:

  • Anthropometric data (height, weight, BMI, body composition).
  • Cardiovascular data (heart rate, HRV).
  • Muscle oxygenation and haemodynamic data (NIRS).
  • Force-parameter data.
  • Performance data and training records.
  • Injury and rehabilitation data.
  • Other health and physiological data according to the functionality of the Plan.

Annex B – Technical and Organisational Measures

The Processor applies appropriate technical and organisational measures within the meaning of Article 32 GDPR, having regard to the particular sensitivity of the processed data (special categories under Article 9 GDPR).

Technical measures

  • Encryption of data in transit (TLS 1.3 or higher).
  • Encryption of data at rest (AES-256).
  • Role-based access control following the principle of least privilege.
  • Multi-factor authentication (MFA) for all Users, as set out in clause 7.2 of the GTC.
  • Pseudonymisation of sensitive data where appropriate.
  • Audit logs of user activity and data access.
  • Regular automated data backups.
  • Regular security testing and system updates.
  • Protection against unauthorised access (firewall, IDS/IPS).
  • Segregation of data of different Controllers (multi-tenant isolation).
  • Procedures for restoring the availability of and access to data in the event of a physical or technical incident (disaster recovery, business continuity).

Organisational measures

  • An obligation of confidentiality for all employees and collaborators.
  • Regular training on data protection and cybersecurity.
  • Procedures for managing security incidents, including notification deadlines.
  • Procedures for managing access rights, including the revocation of access upon termination of employment.
  • Provision of assistance to the Controller in carrying out a data protection impact assessment (DPIA) under Article 35 GDPR.
  • Regular assessment of the effectiveness of the technical and organisational measures, having regard to the nature, scope, and context of the processing.
  • Procedures for handling requests from Data Subjects.

Updating of measures

The Processor regularly reviews and updates the technical and organisational measures in order to maintain an appropriate level of security in light of technological developments, threats, and the state of the art.