The Article 28 terms on which FleetFixer Ltd processes personal data on behalf of club and business customers.
This data processing agreement (the DPA) is a binding exhibit to our Terms of Service. It applies wherever FleetFixer Ltd (acting as processor) processes personal data on behalf of a club or business customer (acting as controller) through the Maintenance, Learn, and Race platforms. Where this DPA and the Terms of Service conflict on the handling of personal data, this DPA prevails. Terms used here that are defined in the UK GDPR carry the meaning given in that legislation.
The controller is the club or business that has a subscription with us and that loads personal data into the platform. The controller decides why and how that personal data is processed.
The processor is FleetFixer Ltd, a private company limited by shares registered in England and Wales (company number 17254651), with its registered office at 167-169 Great Portland Street, London, England, W1W 5PF. We process personal data only to provide the platforms to the controller.
This DPA takes effect when the controller accepts the Terms of Service and continues for as long as the subscription is in place. It ends when the subscription ends, subject to the return and deletion steps in section 8.
We process personal data only on the controller's documented instructions and only for the purpose of providing and supporting the platforms. The Terms of Service, this DPA, and the configuration choices the controller makes in the product together form those documented instructions. If we believe an instruction would breach data protection law, we will tell the controller. We will also tell the controller if we are required by law to process personal data for another purpose, unless that law forbids us from doing so.
The subject matter of the processing is the operation of the FleetFixer platforms. The nature and purpose is hosting, storing, organising, and making available the controller's fleet, learning, and racing data, and providing related support. The duration matches the subscription term.
Categories of data subjects may include club and squad members, athletes, coaches, parents and guardians, and the controller's own staff and administrators.
Types of personal data may include:
We make sure that everyone we authorise to process the controller's personal data is bound by an appropriate duty of confidentiality, whether by contract of employment or by another binding obligation. We limit access to personal data to those staff who need it to provide or support the platforms, and that duty of confidentiality continues after their engagement with us ends.
Taking account of the state of the art, the costs of implementation, and the nature and risks of the processing, we maintain technical and organisational measures appropriate to protect personal data. These currently include:
We keep these measures under review and may update them as long as the level of protection does not fall. You can read more in our security statement.
The controller gives general authorisation for us to engage sub-processors to help deliver the platforms. The current list, together with what each one does, is published on our sub-processors page.
Before we add or replace a sub-processor that processes the controller's personal data, we will give at least 30 days' notice (for example, by updating that page or by email). The controller may object on reasonable data protection grounds within that period, and we will work with the controller in good faith to address the concern. We place data protection obligations on each sub-processor that are equivalent to those in this DPA, and we remain responsible to the controller for the performance of each sub-processor we engage.
Taking into account the nature of the processing, we will provide reasonable assistance to help the controller meet its own obligations under data protection law. This includes:
If a data subject contacts us directly about the controller's data, we will refer them to the controller and will not respond on the controller's behalf unless the controller asks us to.
We will notify the controller without undue delay after becoming aware of a personal data breach affecting the controller's data. Our notification will describe, as far as we can at the time, the nature of the breach, the likely consequences, the measures we have taken or propose to take, and a point of contact for more information. We will provide further detail as our investigation progresses so the controller can meet its own reporting duties to the ICO and to affected individuals. Our process is set out in our data breach notification policy.
At the end of the contract, the controller can choose to have its personal data returned or deleted. After the subscription ends, we keep the data available for a 30-day recovery window so the controller can export it or reactivate the account. Once that window closes, we delete the controller's personal data from our active systems, and it ages out of routine backups in the ordinary course.
We may keep personal data for longer only where the law requires us to retain it, and only for as long as that legal requirement lasts. While any such data is retained, this DPA continues to apply to it.
We make available to the controller the information reasonably needed to demonstrate our compliance with this DPA and with Article 28 of the UK GDPR. We will also allow for and contribute to reasonable audits, including inspections, conducted by the controller or by an auditor the controller appoints. To respect the security and confidentiality of other customers, audits are carried out on reasonable prior notice, no more than once a year unless a regulator requires otherwise or a breach has occurred, during business hours, and in a way that does not disrupt our operations. Where available, we may meet an audit request by providing existing reports or documentation.
Some of our sub-processors may process personal data outside the United Kingdom. Where they do, we rely on a lawful transfer mechanism. Where UK adequacy regulations apply to the destination country, we rely on that adequacy. Otherwise we put in place appropriate safeguards, normally the Standard Contractual Clauses together with the UK International Data Transfer Addendum, or the UK International Data Transfer Agreement, along with any supplementary measures needed to protect the data. Details of where each sub-processor operates are noted on our sub-processors page.
We may update this DPA from time to time, for example to reflect changes in the law, in our sub-processors, or in how the platforms work. When we make a material change, we will update the date at the top of this page and take reasonable steps to bring the change to the controller's attention, such as a notice in the product or an email. If a change would materially reduce the protection given to personal data, we will give the controller advance notice so it can review the change before it takes effect. Continuing to use the platforms after a change takes effect confirms acceptance of the updated DPA.
This DPA is governed by the laws of England and Wales, in line with the Terms of Service.
If you have questions about this DPA or want to discuss your processing arrangements, contact us at hello@fleetfixer.io. By post: FleetFixer Ltd, 167-169 Great Portland Street, London, England, W1W 5PF.
We are happy to talk through how we process data on your behalf.