Privacy Policy

Effective date: 2026-04-27

Parties and scope

This DPA applies when AllFitUp processes Customer Personal Data on behalf of a Customer in connection with the Services. The Customer is the controller or business responsible party. AllFitUp is the processor, service provider, or equivalent role, except where AllFitUp independently processes data for its own account, billing, security, analytics, legal, or business purposes.

Definitions

  • “Customer Personal Data” means personal data submitted to the Services by or on behalf of Customer, including Client data, team member data, check-ins, messages, progress photos, forms, and coaching records.
  • “Data Protection Laws” means privacy, data protection, and security laws applicable to the processing, including GDPR, UK GDPR, Korean PIPA, CCPA/CPRA, and similar laws where applicable.
  • “Sub-processor” means a third-party processor engaged by AllFitUp to process Customer Personal Data.

Customer instructions

AllFitUp will process Customer Personal Data only according to Customer’s documented instructions, including these Terms, product settings, support requests, and lawful directions, unless required by law. If AllFitUp believes an instruction violates Data Protection Laws, it may suspend the instruction and notify Customer where appropriate.

Customer responsibilities

  • Customer must have a lawful basis for collecting, using, sharing, and processing Customer Personal Data.
  • Customer must provide required privacy notices and obtain consents, including explicit consent for sensitive or health-related data where required.
  • Customer must ensure that data entered into AllFitUp is accurate, necessary, proportionate, and lawful.
  • Customer must configure permissions, team access, client invitations, exports, and integrations responsibly.
  • Customer must not use the Services for unlawful or high-risk medical processing outside the intended scope of the platform.

AllFitUp obligations

  • Process Customer Personal Data according to this DPA and Customer instructions.
  • Maintain appropriate technical and organizational measures designed to protect Customer Personal Data.
  • Ensure personnel with access to Customer Personal Data are bound by confidentiality obligations.
  • Assist Customer reasonably with data subject requests, security incidents, data protection impact assessments, and regulatory inquiries where required and reasonably possible.
  • Delete or return Customer Personal Data after termination according to the Data Deletion Policy, subject to legal retention, backups, security, and dispute requirements.

Security measures

AllFitUp’s security measures may include access controls, encryption in transit, authentication controls, logging, monitoring, backups, least-privilege access, vendor review, secure development practices, vulnerability management, and incident response processes. Specific measures may evolve over time as the Services mature.

Sub-processors

Customer authorizes AllFitUp to engage Sub-processors to provide hosting, storage, analytics, payments, support, email, security, AI infrastructure, and other services. AllFitUp will impose data protection obligations on Sub-processors that are materially protective of Customer Personal Data. AllFitUp will provide a list of Sub-processors upon request. Where required, AllFitUp will give notice of material Sub-processor changes and allow objections based on reasonable data protection grounds.

International transfers

Where Customer Personal Data is transferred internationally and transfer safeguards are required, the parties will use appropriate mechanisms such as adequacy decisions, standard contractual clauses, UK addendum, Korean transfer consent mechanisms, or other lawful safeguards. Customer authorizes AllFitUp to make such transfers as needed to provide the Services.

Security incidents

AllFitUp will notify Customer without undue delay after becoming aware of a confirmed personal data breach involving Customer Personal Data, as required by applicable law. The notice may include available information about the nature of the incident, affected data, likely consequences, mitigation steps, and recommended actions. Customer is responsible for notifying Clients, regulators, or other parties where required, unless law places that obligation on AllFitUp.

Data subject requests

If AllFitUp receives a request from a Client concerning Customer Personal Data, AllFitUp may direct the requester to the Customer unless required by law to respond. AllFitUp will provide reasonable assistance for access, correction, deletion, export, objection, restriction, or consent withdrawal requests where required and technically feasible.

Audits

Upon reasonable written request, AllFitUp will provide information necessary to demonstrate compliance with this DPA, such as security summaries, policies, certifications if any, or responses to reasonable questionnaires. On-site audits require prior written agreement, reasonable scope, confidentiality protections, and reimbursement of costs unless required by law.

Return and deletion

Upon termination, AllFitUp will delete or return Customer Personal Data according to the Data Deletion Policy, unless retention is required for legal, tax, security, backup, dispute, abuse prevention, or compliance reasons. Backup deletion may occur according to standard backup rotation schedules.

Liability

Liability under this DPA is subject to the limitations and exclusions in the Terms of Service unless prohibited by applicable law.
