Data Processing Addendum

Last updated: June 1, 2026

This Data Processing Addendum ("DPA") is part of our Terms of Service. It explains, in plain terms, how Setpaid handles personal information about your clients on your behalf. If you're an individual trainer in the US, much of this may not apply to you — but if you or your clients are in the EU or UK, this is the part data-protection law cares about.

Who's responsible for what

For your clients' personal information ("Client Data"), you are in charge of deciding what's collected and why (the "controller"), and we handle it for you, following your instructions (the "processor"). We only use Client Data to run the app for you and to do what these terms describe.

What we process

  • What it's for: running the app — managing clients, sessions, and invoices.
  • Whose data: your clients, and anyone who pays on their behalf.
  • What kind: contact details, session records, and invoice and payment status. We do not store your clients' card numbers — card payments go through Stripe under your own Stripe account.

What we promise

  • Use Client Data only to run the app and only as you instruct.
  • Keep the people who work on it bound to confidentiality.
  • Protect it with sensible security — keeping each account's data separate, encrypting sensitive credentials, and limiting access.
  • Help you respond to your clients' privacy requests and to your own security and breach-reporting duties.
  • Tell you without undue delay if we learn of a security breach affecting Client Data.
  • Let you ask us to delete or return Client Data (see below).

Companies that help us (sub-processors)

You agree we can use trusted companies to help run the app. Today these are:

  • Hetzner (cloud hosting) — runs the servers and database.
  • Stripe — charges your Setpaid subscription. (Separately, your own connected Stripe account handles your clients' payments; that's your Stripe relationship, and we don't control those funds.)
  • SendGrid — sends the app's emails.
  • Google — only if you connect Google Calendar, and only for the calendar features.

If we add or change a sub-processor, we'll update this list and give you a reasonable way to object.

Sending data across borders

We're based in the United States. If Client Data about people in the EU or UK is sent to us, we'll rely on a lawful transfer method for that — such as the EU Standard Contractual Clauses or the UK's equivalent. If you need a signed copy of those clauses, contact us.

Keeping or deleting data

You can export your data and close your account anytime from your account settings. When you close your account, we delete or de-identify Client Data, except anything we must keep by law.

Need a formal agreement?

If your business needs a signed DPA with full Standard Contractual Clauses and a detailed list of security measures, contact us and we'll work it out:

[email protected]