Data Processing Agreement (DPA)
Last updated: April 1, 2026
This data processing agreement (hereinafter "DPA") supplements the Terms of Use of the Stopsport Platform and applies in the context of the relationship between the club user and FV – Fitness Vendor.
1. Definitions and Roles
Data Controller
The club using the Platform acts as data controller within the meaning of the General Data Protection Regulation (GDPR). It determines the purposes and means of processing its members' personal data in the context of managing cancellation requests.
Data Processor
FV – Fitness Vendor, publisher of the Stopsport Platform, acts as a technical data processor. Stopsport processes members' personal data solely on behalf of the club and in accordance with its instructions.
2. Purposes of Processing
Personal data is processed for the following purposes:
- Receiving and transmitting cancellation requests
- Processing and tracking the status of requests
- Collecting cancellation fees through the payment provider
- Sending email notifications (confirmation, acceptance, rejection, reminders, daily network change summaries)
- Transferring collected funds to the club
- Generating anonymized statistics for the club's dashboard
- Inter-club transfer: when a member requests a transfer to a club within the same network or owned by the same proprietor, their contact information (name, email, phone, new address) is shared with the destination club to facilitate their onboarding. This transfer is initiated by the member through the cancellation process. In certain networks, the transfer may be mandatory in accordance with the network's terms and conditions
- Network administration: management of common settings, invitations, audit log of changes
- Geographic display of nearby network clubs via a mapping service (Mapbox)
- Transmission of events to third-party systems via secure webhooks configured by the club or network
- Management of the 30-day grace period when deleting an establishment or network
- Support access: account data consultation for technical assistance purposes
3. Categories of Data Processed
Member Data (data subjects)
- Last name and first name
- Email address
- Phone number (optional)
- Cancellation reason
- Questionnaire responses
- Satisfaction score
- Supporting document (if provided)
- Payment data (processed by Stripe, not stored by Stopsport)
- New address (in case of relocation or professional transfer, if provided by the member)
- Geolocation data (latitude, longitude): collected via the browser with the member's consent, used solely for displaying nearby clubs via Mapbox. This data is not retained after the session
Data Shared in Inter-Club Transfers
When a member requests a transfer to a club within the same network or owned by the same proprietor, the following data is shared with the destination club: last name, first name, email address, phone number (if provided), new address, and origin club. This sharing is initiated by the member through the cancellation process and aims to facilitate their onboarding by the destination club.
Club Manager Data
- Email address and login credentials
- Establishment information (SIRET number, company name, address)
- IBAN, BIC, and bank account holder name
- Logo and customization preferences
Network Administrator Data
- Email address and login credentials
- First name and last name
Network Audit Log Data
- Identity of the author of the modification (email, name)
- Date and time of the modification
- Details of changed parameters (old and new values)
- Author's IP address
Audit data is retained for the lifetime of the network.
Data Transmitted via Webhooks
When the club or network configures a webhook, the following data may be included in outgoing requests: member's first and last name, email address, cancellation reason, request status, club identifier. The club is responsible for the processing of this data at the destination.
4. Processor Obligations
FV – Fitness Vendor undertakes to:
- Process personal data only on documented instructions from the club
- Not process data for purposes other than those defined in this agreement
- Ensure the confidentiality of processed data
- Ensure that persons authorized to process data are committed to confidentiality
- Implement appropriate technical and organizational measures to ensure data security
- Not disclose data to unauthorized third parties
5. Security Measures
Stopsport implements the following security measures:
- Encryption of data in transit (HTTPS/TLS)
- Secure authentication via Supabase Auth
- Row Level Security (RLS) on the database, ensuring data isolation between clubs
- No banking data stored on Stopsport's servers (delegated to Stripe)
- Rate limiting on sensitive routes to prevent abuse
- SSRF protection on webhook URLs
- Signature verification on incoming webhooks (Stripe)
- HMAC-SHA256 signature on outgoing webhooks
6. Sub-processors
FV – Fitness Vendor uses the following sub-processors for the operation of the Platform:
| Sub-processor | Service | Location |
|---|---|---|
| Supabase Inc. | Database and authentication | European Union |
| Vercel Inc. | Hosting | United States (standard contractual clauses) |
| Stripe Payments Europe, Ltd. | Payment processing | EU (Ireland) |
| Resend Inc. | Transactional emails | United States (EU-US Data Privacy Framework) |
| Swan | SEPA bank transfers | France / EU |
| Functional Software Inc. (Sentry) | Error monitoring | United States (standard contractual clauses) |
| Upstash | Abuse protection (rate limiting) | European Union |
| Mapbox Inc. | Mapping and geolocation | United States (standard contractual clauses, DPA: https://www.mapbox.com/legal/dpa) |
| Anthropic PBC | Performance report generation (aggregated data only) | United States (standard contractual clauses) |
| Google (Search Console API) | Organic visibility analysis | United States (standard contractual clauses) |
The club is informed of any change in sub-processors. In the event of a legitimate objection, the club may terminate its use of the Platform.
7. Data Retention Period
- Account data: retained as long as the account is active. When an establishment or network is deleted, a 30-day grace period is applied (data retained in read-only mode). At the end of this period, data is permanently deleted
- Cancellation data: 3 years after the last activity
- Billing data: 10 years (legal obligation)
- Technical logs: 12 months
- Network audit log: retained for the lifetime of the network, deleted upon final network deletion
- Geolocation data: not retained (used only during the club selection session)
Upon expiration of the retention periods, data is deleted or anonymized.
8. Data Deletion and Return
At the end of the contractual relationship, the club may request:
- The return of all its data in a structured and readable format
- The deletion of its data and that of its members
The request must be sent to contact@fitness-vendor.com. FV – Fitness Vendor undertakes to respond within 30 days.
Certain data may be retained beyond this period when required by law (particularly billing data).
9. GDPR Assistance
FV – Fitness Vendor undertakes to assist the club in meeting its obligations under the GDPR, including:
- Responding to data subject rights requests (access, rectification, erasure, portability, objection, restriction)
- Notifying the club in the event of a personal data breach within 72 hours of becoming aware of it
- Providing the information necessary for conducting data protection impact assessments (DPIA) if the club requests it
- Cooperating with the competent supervisory authorities
10. Data Breach Notification
In the event of a personal data breach, FV – Fitness Vendor undertakes to:
- Notify the club within 72 hours of becoming aware of the breach
- Provide all necessary information enabling the club to fulfill its own notification obligations to the supervisory authority and data subjects
- Document the breach, its effects, and the corrective measures taken
11. Applicable Law
This agreement is governed by French law and by Regulation (EU) 2016/679 (GDPR).
12. Contact
For any questions regarding this agreement, you may contact FV – Fitness Vendor at: contact@fitness-vendor.com.