Podyx Data Processing Agreement

Version 1.0

Effective 30 June 2026

Last updated 30 June 2026

1. Background and roles

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Podyx Pte. Ltd. ("Podyx", "Processor") and the Studio that accepts the Terms ("you", "Controller"). It applies to Podyx's processing of personal data relating to your End Users that we process on your behalf in providing the Services ("End User Personal Data").

For End User Personal Data, you are the controller and Podyx is the processor. Where data protection law treats Podyx as an independent controller of certain data (for example, our own account and billing data), our Privacy Policy applies to that data, not this DPA.

If there is a conflict between this DPA and the Terms on the subject of data protection, this DPA prevails.

2. Definitions

"Data Protection Law" means all privacy and data protection laws that apply to the processing under this DPA, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and Singapore's Personal Data Protection Act (PDPA), as applicable.

"Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" have the meanings given in the GDPR. "Sub-processor" means any third party we engage to process End User Personal Data. "Standard Contractual Clauses" or "SCCs" means the clauses approved for lawful international transfers under the applicable Data Protection Law.

3. Scope and duration of processing

We process End User Personal Data only to provide the Services and only for as long as the Terms are in force, plus any retention period set out in this DPA and the Privacy Policy. The subject matter, nature, purpose, duration, categories of data, and categories of data subjects are set out in Annex 1.

4. Your responsibilities as Controller

You confirm that: you have a lawful basis to collect and process End User Personal Data and to have us process it; you have given your End Users any required notices and obtained any required consents; your instructions to us comply with Data Protection Law; and the End User Personal Data you put into the Services is accurate and lawfully obtained. You are responsible for the privacy and cookie notices on your booking page and for responding to your End Users about their data.

5. Our responsibilities as Processor

We will:

5.1 Process on instructions. Process End User Personal Data only on your documented instructions, including those given through the Services, unless required by law to do otherwise, in which case we will notify you unless the law prohibits it.

5.2 Confidentiality. Ensure that personnel authorised to process the data are bound by confidentiality obligations.

5.3 Security. Implement the technical and organisational measures set out in Annex 2, appropriate to the risk.

5.4 Assist you. Taking into account the nature of the processing, provide reasonable assistance to help you respond to Data Subject requests and meet your obligations on security, breach notification, and data protection impact assessments.

5.5 Data Subject requests. Promptly notify you if we receive a request from one of your End Users to exercise their rights, and not respond directly except to confirm the request relates to you, unless legally required or authorised by you.

5.6 Breach notification. Notify you without undue delay after becoming aware of a Personal Data Breach affecting End User Personal Data, and provide the information you reasonably need to meet your own notification obligations.

5.7 Deletion or return. On termination, delete or return End User Personal Data in line with the one hundred and eighty (180) day retention and deletion process described in the Terms and Privacy Policy, unless retention is required by law.

5.8 Records and demonstrating compliance. Make available information reasonably necessary to demonstrate compliance with this DPA.

6. Sub-processors

You give general authorisation for us to engage Sub-processors to process End User Personal Data. Our current Sub-processors are listed in Annex 3, which we may update from time to time as our Services evolve. We impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance.

7. International transfers

The Services are hosted on Amazon Web Services, and End User Personal Data is currently processed and stored in the United States, with the region subject to change as we operate the Services. Where providing the Services involves transferring End User Personal Data across borders, we use a lawful transfer mechanism, such as an adequacy decision or the relevant Standard Contractual Clauses, and apply appropriate safeguards.

8. Audits

We will make available the information needed to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, on reasonable notice, no more than once a year except where required by a regulator or following a Personal Data Breach, subject to confidentiality and to not unreasonably disrupting our operations. We may satisfy audit requests by providing third-party certifications or reports where available.

9. Liability and general

Each party's liability under this DPA is subject to the limitations of liability in the Terms. This DPA is governed by the same law and dispute resolution terms as the Terms (Singapore law, SIAC arbitration with the court carve-out). If any part of this DPA is invalid, the rest remains in effect.

Annex 1 - Details of processing

Subject matter: Provision of the Podyx booking and studio operations platform to the Controller.

Nature and purpose: Hosting, storage, and processing of End User Personal Data to enable bookings, payment routing, scheduling, communications, packages, promotions, and related studio operations features.

Duration: For the term of the Terms, plus the 180-day post-cancellation retention period, unless longer retention is legally required.

Categories of data subjects: The Controller's End Users (the Studio's customers and prospective customers) and, where applicable, the Controller's staff users.

Categories of personal data: Identification and contact data (name, email, phone); booking and session data (history, attendance, preferences); transaction and purchase metadata (amounts, payment method type, status, promo and credit usage; full card data is held by the payment processor, not Podyx); communications and notification data; and any additional information the Controller chooses to collect through configurable fields.

Special category data: Not intended. The Controller must not use the Services to process special category data except where lawful and agreed in writing.

Annex 2 - Technical and organisational security measures

• Encryption of data in transit (TLS) and encryption at rest for stored data.
• Role-based access controls and least-privilege access for staff.
• Authentication controls, including hashed credentials and secure login.
• Network and application security controls, logging, and monitoring.
• Regular backups and a documented restoration process.
• Vulnerability management and patching.
• Personnel confidentiality obligations and security awareness.
• Incident response and breach handling procedures.
• Vendor due diligence for Sub-processors.

Annex 3 - List of Sub-processors

| Sub-processor | Purpose |
| --- | --- |
| Amazon Web Services | Cloud hosting and storage |
| Stripe | Subscription billing and payment routing |
| Square | Payment routing |
| Google | Calendar sync and maps |
| Intercom | Customer support and in-product messaging |
| Resend | Transactional and notification email |
