Legal
Data Processing Addendum
Last updated: 21 May 2026
This Data Processing Addendum applies where CatchLab processes personal data on behalf of a club, team, federation, or other customer. The customer is the controller and CatchLab is the processor, unless the parties agree otherwise in writing.
1. Subject Matter And Duration
CatchLab processes customer personal data to provide rowing performance analytics, session storage, platform access, integrations, support, security, and related services. Processing lasts for the term of the relevant order, pilot, subscription, or written agreement, plus any retention period needed for export, deletion, legal compliance, backups, or dispute handling.
2. Processing Activities
- Creating and managing club, coach, athlete, crew, device, and license records.
- Uploading, storing, downloading, and deleting raw Peach session archives.
- Processing telemetry into session summaries, stroke data, piece analytics, GPS files, parquets, charts, and generated FIT files.
- Connecting to Intervals.icu, TrainingPeaks, or other training platforms where instructed.
- Fetching, previewing, merging, transferring, or deleting third-party activity data where a user chooses those workflows.
- Providing authentication, access control, support, troubleshooting, logging, and security monitoring.
3. Categories Of Personal Data
| Category | Data |
|---|---|
| Users and coaches | Name, email, role, club, login records, permissions, support records. |
| Athletes | Name, short name, club/team, tags, notes, invitation code, date of birth, height, weight, connected-service IDs. |
| Performance data | Raw Peach telemetry, stroke metrics, power, force, speed, GPS, session metadata, piece data, derived curves, critical-power related outputs, and generated files. |
| Optional HR data | Heart-rate streams or FIT data used for previewing, merging, or exporting where enabled by the customer, coach, or athlete. |
| Credentials and integration data | API keys, OAuth tokens, connected account IDs, activity IDs, sync status, and transfer metadata. |
4. Customer Instructions
CatchLab processes personal data only on documented customer instructions, including these terms, the order form, product configuration, user actions inside the platform, and reasonable written instructions. CatchLab may refuse instructions that would breach law or create a security risk.
5. Confidentiality And Security
CatchLab restricts access to customer data to people and systems that need it to provide and secure the service. CatchLab uses appropriate technical and organisational measures, including HTTPS, private storage, access controls, tenant separation, provider-managed encryption, application-level encryption for connected-service tokens, admin access restrictions, and operational logging.
Connected-service credentials and tokens are sensitive. Connected-service tokens are encrypted before storage. Decryption happens only inside trusted server routes when needed to provide the instructed integration workflow.
6. Subprocessors
CatchLab may use subprocessors listed at /subprocessors. CatchLab remains responsible for subprocessors it appoints to process customer personal data. CatchLab will give reasonable prior notice of material subprocessor changes, normally 30 days where practical. Customers may object to a new subprocessor on reasonable data-protection grounds. Signed customer agreements should include or reference an annex with subprocessor locations and transfer safeguards.
7. International Transfers
CatchLab aims to keep primary platform data in EU-hosted infrastructure where available. Some subprocessors or connected services may process data outside the EEA. Where required, CatchLab relies on appropriate transfer safeguards offered by those providers, such as standard contractual clauses or equivalent mechanisms.
8. Assistance
CatchLab will provide reasonable assistance with data subject requests, security incidents, DPIAs, audits, deletion, and export requests, taking into account the nature of the processing and information available to CatchLab.
9. Security Incidents
CatchLab will notify affected customers without undue delay after becoming aware of a personal-data breach affecting customer personal data, and will provide available information reasonably needed by the customer to assess and meet its own notification obligations.
10. Deletion And Return
During the subscription, customers can delete sessions and request export or deletion assistance. After termination, CatchLab will delete or return customer personal data according to the written agreement and applicable law. Operational backups are normally overwritten or deleted within 90 days, unless longer retention is required for security, legal compliance, billing, or dispute handling.