Data Processing Agreement (DPA)
Last updated: March 25, 2026
1. Introduction
This Data Processing Agreement (hereinafter, “DPA”) is an annex to the Terms and Conditions between Digital Technologies OÜ (“Pilotium”, “Data Processor”) and the client (“Client”, “Data Controller”). The purpose of this DPA is to ensure compliance with the General Data Protection Regulation (GDPR, EU Regulation 2016/679) and other applicable data protection legislation.
By using Pilotium’s services, the Client accepts the terms of this DPA.
2. Roles of the Parties
- Data Controller: The Client, who determines the purposes and means of the processing of the personal data of their leads, members and gym clients.
- Data Processor: Pilotium (Digital Technologies OÜ), which processes personal data on behalf of and under the instructions of the Client in accordance with this DPA.
Pilotium also acts as data controller of its own data (Client account data, billing data, platform usage data), the processing of which is governed by the Privacy Policy.
3. Personal Data Processed
In the course of providing the Service, Pilotium may process the following categories of personal data on behalf of the Client:
| Data category | Examples |
|---|---|
| Lead identification data | Name, telephone number, email, city |
| Interaction data | WhatsApp messages with AI agents, responses to lead capture forms, trial class bookings |
| Survey data | Responses from gym members (anonymised for audience profiles) |
| Campaign data | Advertising metrics associated with leads (impressions, clicks, conversions) |
Categories of data subjects: Leads (potential gym clients), current gym members (in the case of surveys), individuals who interact with the Client’s advertisements.
4. Purpose and Duration of Processing
Pilotium shall process personal data exclusively for the following purposes:
- Management of advertising campaigns on the Advertising Platforms (Meta, Google, TikTok, Snapchat) on behalf of the Client
- Lead qualification through artificial intelligence agents
- Management of trial class bookings
- Generation of performance reports and analytics for the Client
- Notifications to the Client regarding new leads and campaign status
Processing shall be maintained for the duration of the Client’s subscription and for 30 days following cancellation (retention period). After that period, data shall be deleted in accordance with section 9.
5. Obligations of Pilotium as Data Processor
Pilotium undertakes to:
- Process personal data solely in accordance with the Client’s documented instructions and for the purposes set out in this DPA, unless required to do so by law (in which case, Pilotium shall inform the Client in advance, except where prohibited by law)
- Ensure that all persons authorised to process the data have committed themselves to confidentiality
- Implement the technical and organisational security measures described in section 7
- Not sub-contract the processing without the Client’s prior authorisation, in accordance with section 6
- Assist the Client in fulfilling their obligations to respond to requests from data subjects to exercise their rights (access, rectification, erasure, portability, etc.)
- Assist the Client in fulfilling their obligations regarding security of processing, breach notification, data protection impact assessments and prior consultation with the supervisory authority
- At the Client’s choice, delete or return all personal data once the provision of the service has ended, in accordance with section 9
- Make available to the Client all information necessary to demonstrate compliance with the obligations set out in GDPR Art. 28
6. Sub-processors
The Client grants Pilotium a general authorisation to engage sub-processors. The current sub-processors are:
| Sub-processor | Purpose | Location |
|---|---|---|
| Meta Platforms, Inc. | Advertisement publishing and management | EU/US (DPF) |
| Google LLC | Advertisement publishing and management | EU/US (DPF) |
| TikTok Inc. | Advertisement publishing and management | US/Singapore (SCC) |
| Anthropic PBC | AI conversational agent | US (DPF) |
| Hetzner Online GmbH | Server and database hosting | EU (Germany) |
| Brevo (Sendinblue) SAS | Transactional email delivery | EU (France) |
| Resend Inc. | Transactional email delivery | US (DPF) |
Pilotium shall inform the Client of any addition or replacement of sub-processors with a minimum of 30 days’ prior notice. If the Client objects to a new sub-processor on justified data protection grounds, and the objection is not resolved within 30 days, the Client may terminate the contract without penalty.
Pilotium warrants that all sub-processors are bound by data protection obligations equivalent to those set out in this DPA.
7. Security Measures
Pilotium implements the following technical and organisational measures to protect personal data:
- Encryption: TLS 1.2+ in transit, AES-256-CBC at rest
- Access control: Role-based access (principle of least privilege), SSH key authentication, passwords hashed with bcrypt
- Network security: Firewall (UFW), intrusion protection (fail2ban), DDoS protection (Cloudflare)
- Hosting: Servers located in the EU (Hetzner Online GmbH, Germany)
- Backups: Regular backups within the EU
- Payment data: Processed by Stripe (PCI-DSS certified); card data is not stored on Pilotium’s servers
- Confidentiality: All personnel with access to personal data are subject to confidentiality obligations
- Monitoring: Continuous system monitoring and security alerts
8. Security Breaches
In the event of a security breach affecting personal data processed on behalf of the Client, Pilotium shall:
- Notify the Client without undue delay, and in any event within 48 hours of becoming aware of the breach
- Provide the Client with all available information regarding the nature of the breach, the categories of data affected, the likely consequences and the measures taken or proposed to remedy it
- Cooperate fully with the Client to fulfil the obligations of notification to the supervisory authority (Art. 33 GDPR) and to data subjects (Art. 34 GDPR)
- Document all security breaches and the remedial measures taken
9. Return and Deletion of Data
Following the cancellation of the Client’s subscription:
- The Client may request the export of their lead and campaign data during the 30 days following cancellation
- After the 30-day retention period, Pilotium shall delete all personal data processed on behalf of the Client, unless retention is required by law (in which case, the data shall be kept blocked and accessible solely for the purpose of fulfilling that legal obligation)
- Pilotium shall provide the Client with written confirmation of deletion, upon request
10. Data Subject Rights
If Pilotium receives a request from a data subject (lead or other individual whose data is processed on behalf of the Client) to exercise their rights under the GDPR (access, rectification, erasure, portability, objection, etc.):
- Pilotium shall inform the Client of such request without undue delay
- Pilotium shall not respond directly to the request, unless authorised by the Client or required by law
- Pilotium shall provide the Client with such reasonable assistance as may be necessary to respond to the request
11. International Transfers
Where the processing of personal data on behalf of the Client involves transfers outside the European Economic Area, Pilotium warrants that appropriate safeguards are in place:
- Adequacy decisions of the European Commission (Art. 45 GDPR)
- EU-U.S. Data Privacy Framework (DPF) for participating providers
- Standard Contractual Clauses (SCCs) approved by the European Commission for all other cases
12. Audit
Pilotium shall make available to the Client all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and in GDPR Art. 28. The Client (or a designated auditor, subject to confidentiality) may conduct an annual audit, with a minimum of 30 days’ prior notice, during business hours and without interfering with Pilotium’s operations.
13. Liability
Each party’s liability in connection with this DPA is governed by the limitations set out in the Terms and Conditions. Nothing in this DPA limits the liability of either party towards data subjects or before data protection authorities pursuant to the GDPR.
14. Term
This DPA enters into force upon acceptance of the Terms and Conditions and shall remain in effect for as long as Pilotium processes personal data on behalf of the Client. The obligations of confidentiality and those relating to the deletion of data shall survive the termination of this DPA.
15. Governing Law
This DPA is governed by the same law applicable to the Terms and Conditions (the laws of the Republic of Estonia for EU clients).
16. Contact
For any enquiries relating to this DPA or to the processing of personal data, please contact us at [email protected].