S
StopSport
FR

Data Processing Agreement (DPA)

Last updated : March 9, 2026

This data processing agreement (hereinafter "DPA") supplements the Terms of Use of the Stopsport Platform and applies in the context of the relationship between the club user and FV – Fitness Vendor.

1. Definitions and Roles

Data Controller

The club using the Platform acts as data controller within the meaning of the General Data Protection Regulation (GDPR). It determines the purposes and means of processing its members' personal data in the context of managing cancellation requests.

Data Processor

FV – Fitness Vendor, publisher of the Stopsport Platform, acts as a technical data processor. Stopsport processes members' personal data solely on behalf of the club and in accordance with its instructions.

2. Purposes of Processing

Personal data is processed for the following purposes:

  • Receiving and transmitting cancellation requests
  • Processing and tracking the status of requests
  • Collecting cancellation fees through the payment provider
  • Sending email notifications (confirmation, acceptance, rejection, reminders)
  • Transferring collected funds to the club
  • Generating anonymized statistics for the club's dashboard

3. Categories of Data Processed

Member Data (data subjects)

  • Last name and first name
  • Email address
  • Phone number (optional)
  • Cancellation reason
  • Questionnaire responses
  • Satisfaction score
  • Supporting document (if provided)
  • Payment data (processed by Stripe, not stored by Stopsport)

Club Manager Data

  • Email address and login credentials
  • Establishment information (SIRET number, company name, address)
  • IBAN, BIC, and bank account holder name
  • Logo and customization preferences

4. Processor Obligations

FV – Fitness Vendor undertakes to:

  • Process personal data only on documented instructions from the club
  • Not process data for purposes other than those defined in this agreement
  • Ensure the confidentiality of processed data
  • Ensure that persons authorized to process data are committed to confidentiality
  • Implement appropriate technical and organizational measures to ensure data security
  • Not disclose data to unauthorized third parties

5. Security Measures

Stopsport implements the following security measures:

  • Encryption of data in transit (HTTPS/TLS)
  • Secure authentication via Supabase Auth
  • Row Level Security (RLS) on the database, ensuring data isolation between clubs
  • No banking data stored on Stopsport's servers (delegated to Stripe)
  • Rate limiting on sensitive routes to prevent abuse
  • SSRF protection on webhook URLs
  • Signature verification on incoming webhooks (Stripe)
  • HMAC-SHA256 signature on outgoing webhooks

6. Sub-processors

FV – Fitness Vendor uses the following sub-processors for the operation of the Platform:

Sub-processorServiceLocation
Supabase Inc.Database and authenticationEuropean Union
Vercel Inc.HostingUnited States (standard contractual clauses)
Stripe Payments Europe, Ltd.Payment processingEU (Ireland)
Brevo (formerly Sendinblue)Transactional emailsFrance / EU
UpstashAbuse protection (rate limiting)European Union

The club is informed of any change in sub-processors. In the event of a legitimate objection, the club may terminate its use of the Platform.

7. Data Retention Period

  • Account data: retained as long as the account is active, then deleted within 30 days after account deletion
  • Cancellation data: 3 years after the last activity
  • Billing data: 10 years (legal obligation)
  • Technical logs: 12 months

Upon expiration of the retention periods, data is deleted or anonymized.

8. Data Deletion and Return

At the end of the contractual relationship, the club may request:

  • The return of all its data in a structured and readable format
  • The deletion of its data and that of its members

The request must be sent to contact@fitness-vendor.com. FV – Fitness Vendor undertakes to respond within 30 days.

Certain data may be retained beyond this period when required by law (particularly billing data).

9. GDPR Assistance

FV – Fitness Vendor undertakes to assist the club in meeting its obligations under the GDPR, including:

  • Responding to data subject rights requests (access, rectification, erasure, portability, objection, restriction)
  • Notifying the club in the event of a personal data breach within 72 hours of becoming aware of it
  • Providing the information necessary for conducting data protection impact assessments (DPIA) if the club requests it
  • Cooperating with the competent supervisory authorities

10. Data Breach Notification

In the event of a personal data breach, FV – Fitness Vendor undertakes to:

  • Notify the club within 72 hours of becoming aware of the breach
  • Provide all necessary information enabling the club to fulfill its own notification obligations to the supervisory authority and data subjects
  • Document the breach, its effects, and the corrective measures taken

11. Applicable Law

This agreement is governed by French law and by Regulation (EU) 2016/679 (GDPR).

12. Contact

For any questions regarding this agreement, you may contact FV – Fitness Vendor at: contact@fitness-vendor.com.