For coaching businesses
Data processing addendum
This addendum describes SheetFit’s processor commitments for personal data a coach controls.
Effective 11 July 2026
Scope and roles
This DPA forms part of the SheetFit terms or signed order. The customer is controller and SheetFit is processor for client data. Processing covers hosting, displaying, synchronizing, backing up, securing, supporting, exporting, and deleting client programs and workout activity for the subscription term.
Instructions and confidentiality
SheetFit processes personal data only on documented customer instructions, including configuration and ordinary product use, unless law requires otherwise. Personnel with access are subject to confidentiality obligations and access is limited by role.
Security measures
- Encryption in transit and provider-managed encryption at rest.
- Server-only Firestore data access, Firebase session verification, and session revocation.
- Encrypted Google refresh tokens, hashed high-entropy client links, and narrow Drive permissions.
- Signed, replay-safe Stripe webhooks; environment-separated secrets; bounded scheduled jobs; and account audit events.
- Self-service export, retention controls, and resumable deletion steps.
Subprocessors
Authorized subprocessors are Google Cloud/Firebase, Google Workspace APIs, Stripe, Vercel, and Resend. SheetFit remains responsible for their processor obligations and will provide reasonable notice of material additions so customers can object on substantiated data-protection grounds.
Assistance and incidents
Taking into account the nature of processing, SheetFit assists with data-subject requests, impact assessments, regulator consultations, and security obligations. We will notify affected customers without undue delay after confirming a personal-data breach and share available facts, likely impact, and remediation.
Deletion, audits, and transfers
At the end of service, the customer may export and delete data through account settings. Required billing records and an anonymous deletion receipt may remain. SheetFit will provide information reasonably necessary to demonstrate compliance and supports one reasonable audit annually under confidentiality. International transfers rely on applicable adequacy decisions or standard contractual clauses and supplementary measures.
Execute the DPA
A customer that needs a countersigned copy, subprocessors annex, or transfer addendum can contact privacy@sheetfit.app with its legal entity name and account email.