Data Processing Agreement
Between: The Club using the Grupetti platform (hereinafter: "Controller" or "Club")
And: Grupetti, the sole proprietorship registered at the Dutch Chamber of Commerce under number [KVK NUMBER], located at [ADDRESS] (hereinafter: "Processor" or "Grupetti")
Effective date: The date on which the Club creates an account on the Platform and accepts the Terms of Service.
This is a courtesy translation. The Dutch version is the legally binding version.
1. Background and purpose
1.1 The Club uses the Grupetti platform for managing rides, members, routes, sponsors, and events. In this context, Grupetti processes personal data of club members on behalf of the Club.
1.2 This Data Processing Agreement governs the obligations of the parties regarding the protection of personal data, in accordance with Article 28 of the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.
1.3 This agreement is an integral part of Grupetti's Terms of Service and prevails in case of conflict regarding data processing matters.
2. Definitions
Terms in this agreement have the same meaning as in the GDPR and Grupetti's Terms of Service, unless otherwise stated.
3. Subject matter and duration
3.1 Subject matter: The processing of personal data of club members, event participants, and sponsors for the purpose of providing the Grupetti platform.
3.2 Nature of processing: Storage, organization, structuring, consultation, use, disclosure by transmission, combination, restriction, and erasure of personal data.
3.3 Purposes of processing:
- Ride management (sign-ups, attendance, speed groups, waitlists)
- Member management (directory, roles, privacy settings)
- Route management (GPX files, map rendering)
- Sponsor management (contact details, deliverables, reporting)
- Event management (ticket sales, participant registration)
- Notifications (push, email, in-app)
- Content generation (ride cards, sponsor cards, social media content)
- Payment processing (via Stripe Connect as sub-processor)
- Strava integration (activity sync, group ride detection, description enrichment)
3.4 Categories of data subjects:
- Members of the Club
- Participants in events organized by the Club
- Sponsors of the Club (contact persons)
3.5 Types of personal data:
- Identification data: name, email address, profile photo
- Contact data: phone number, emergency contact name and phone number
- Membership data: role, status, date of joining
- Ride data: sign-ups, attendance, speed group
- Activity data: Strava activities (distance, elevation, speed, route, timestamp) — only if connected by the member
- Visual data: photos uploaded for rides with captions
- Financial data: transaction data (amounts, dates, statuses) — processed via Stripe; bank details are not stored by Grupetti
- Sponsor data: name, contact details, value, durations
3.6 Duration: This agreement remains in effect as long as the Club uses the Grupetti platform. Upon termination, data is deleted per article 10.
4. Obligations of the Processor
Grupetti shall:
4.1 Process personal data only on the basis of written instructions from the Club, unless Grupetti is required to process under Union or Member State law. In that case, Grupetti shall inform the Club prior to processing, unless that law prohibits such notification on important grounds of public interest. Instructions are documented in this agreement and the Terms of Service.
4.2 Ensure that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Take all appropriate technical and organizational measures to ensure a level of security appropriate to the risk in accordance with Article 32 GDPR, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Row Level Security (RLS) at the database level — members can only see data of clubs they are members of
- JWT-based authentication with a validity period of 1 hour
- Hashed password storage (bcrypt)
- Encrypted storage of OAuth tokens
- Pseudonymization where technically possible
- Regular security updates and vulnerability scans
- Restriction of access to the production environment
4.4 Sub-processors: Grupetti shall not engage sub-processors without prior written consent of the Club. The Club hereby grants general written consent for the following sub-processors:
| Sub-processor | Service | Location | Transfer mechanism |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, storage, Edge Functions | EU (Frankfurt) | No transfer outside EU |
| Stripe Technology Europe, Ltd. | Payment processing | EU (Ireland) / US | EU-US DPF + SCCs |
| Vercel, Inc. | Hosting, analytics | EU / US | SCCs |
| Resend, Inc. | Email delivery | US | SCCs |
| Expo | Push notifications | US | SCCs |
Grupetti shall inform the Club at least 30 days in advance of intended addition or replacement of sub-processors, via email to the Club Admin or a notification in the dashboard. The Club may file a reasoned objection within 14 days of notification. In case of irreconcilable objection, the Club may terminate the agreement subject to a reasonable notice period.
Grupetti shall impose on sub-processors the same data protection obligations as set out in this agreement, in particular by means of an agreement that meets the requirements of Article 28(4) GDPR. Grupetti remains fully liable to the Club for the performance of the sub-processor's obligations.
4.5 Assistance with data subject rights: Grupetti shall assist the Club in fulfilling its obligations to respond to requests from data subjects to exercise their rights (Articles 15 to 22 GDPR), by means of:
- Self-service functionality in the Platform (profile editing, account deletion)
- Forwarding requests received directly by Grupetti to the relevant Club
- Technical support for complex requests (e.g., data export in JSON format for portability)
4.6 Assistance with security and notification obligations: Grupetti shall assist the Club in fulfilling its obligations regarding:
- Security of processing (Art. 32 GDPR)
- Notification of personal data breaches to the supervisory authority (Art. 33 GDPR) and to data subjects (Art. 34 GDPR)
- Data protection impact assessments (Art. 35 GDPR), where applicable
- Prior consultation with the supervisory authority (Art. 36 GDPR)
4.7 After termination: After termination of processing services, Grupetti shall delete all personal data of club members within 30 days and confirm this deletion in writing to the Club, unless storage is required under Union or Member State law.
4.8 Audit and accountability: Grupetti shall make available all information necessary to demonstrate compliance with the obligations under Article 28 GDPR, and shall allow for and contribute to audits and inspections. In this regard:
- Grupetti shall provide upon request an up-to-date overview of security measures and sub-processors
- Audits shall be carried out at the Club's expense, with at least 30 days advance notice
- Audits shall take place during regular business hours and may not unreasonably disrupt service delivery
- The Club may appoint an independent third party as auditor, provided they are bound by confidentiality
- Grupetti may limit audits to once per calendar year, unless a specific security incident warrants an additional audit
5. Obligations of the Controller
The Club shall:
5.1 Ensure that the processing of personal data via the Platform has a lawful basis under Article 6 GDPR.
5.2 Inform its members about the processing of their personal data, referring to Grupetti's Privacy Policy.
5.3 Ensure that data provided to the Platform is accurate, up to date, and relevant.
5.4 Not process special categories of personal data (Article 9 GDPR) or criminal data (Article 10 GDPR) via the Platform, unless explicitly agreed.
5.5 Inform Grupetti without delay upon receiving a request from a data subject relating to data processed via the Platform.
6. Data breaches
6.1 Grupetti shall inform the Club without undue delay, and no later than 48 hours after discovery, of a personal data breach affecting the personal data processed by Grupetti on behalf of the Club.
6.2 The notification shall include at least:
- The nature of the breach, including where possible the categories and estimated number of data subjects and personal data records affected
- The name and contact details of the contact point at Grupetti
- The likely consequences of the breach
- The measures Grupetti has taken or proposes to take to address the breach, including measures to mitigate its possible adverse effects
6.3 The Club is responsible for notifying the Data Protection Authority (within 72 hours, Art. 33 GDPR) and data subjects (Art. 34 GDPR), to the extent required by law. Grupetti shall provide all reasonably necessary information to enable the Club to make these notifications.
7. International transfers
7.1 Personal data may only be transferred to countries outside the EU/EEA if appropriate safeguards are in place in accordance with Chapter V GDPR, namely:
- An adequacy decision by the European Commission (Art. 45 GDPR)
- Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR)
- The EU-US Data Privacy Framework (for certified American organizations)
7.2 The sub-processors listed in article 4.4 outside the EU/EEA are bound by the transfer mechanisms specified therein.
7.3 If a transfer mechanism is invalidated by a court or supervisory authority, the parties shall consult to implement an alternative safeguard or cease the transfer.
8. Confidentiality
8.1 Grupetti shall treat all personal data processed under this agreement as confidential.
8.2 This confidentiality obligation survives termination of this agreement, for as long as the data is in Grupetti's possession.
9. Liability
9.1 Each party is liable for damage caused by processing that infringes the GDPR, in accordance with Article 82 GDPR.
9.2 Grupetti is liable for damage caused by processing that does not comply with the obligations specifically directed to Grupetti as processor, or that is outside or contrary to the lawful instructions of the Club.
10. Termination and deletion
10.1 Upon termination of the Club's use of the Platform, all personal data of club members shall be permanently deleted within 30 days.
10.2 Grupetti shall retain no copies of the deleted data, unless storage is required under Union or Member State law.
10.3 Grupetti shall confirm the deletion in writing by email to the Club Admin.
11. Applicable law
11.1 This Data Processing Agreement is governed by Dutch law.
11.2 Disputes shall be submitted to the competent court in the district of Limburg, without prejudice to the right of data subjects to bring proceedings before the court of their place of residence (Art. 79(2) GDPR).
By creating a Club on the Grupetti platform and accepting the Terms of Service, the Club accepts this Data Processing Agreement.