Terms governing how we process personal data on your behalf
Last updated: 23 January 2026
This Data Processing Agreement ("DPA") forms part of the General Terms and Conditions (the "Terms") between The Roll AB, trading as Flyt ("Processor", "we", "us"), and you, the customer ("Controller", "you").
This DPA sets out the terms on which we process personal data on your behalf when providing the Services and contains the mandatory provisions required by Article 28(3) of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable data protection laws.
The terms "controller", "processor", "data subject", "personal data", "personal data breach", "processing", and "special categories of personal data" have the meanings given to them in the GDPR.
"Applicable Data Protection Law" means the GDPR, any national implementing legislation, and any other applicable data protection laws and regulations.
"Services" has the meaning given in the Terms.
"Sub-processor" means any third party engaged by us to process personal data on your behalf.
You are the controller for the personal data processed through the Services. This includes personal data relating to your coaches, coachees, stakeholders, and other individuals whose data you choose to process using the platform.
We are your processor and will process personal data only in accordance with your documented instructions and the terms of this DPA, except where processing is required by law.
Categories of data subjects: Coaches (internal and external), coachees/clients, stakeholders, programme participants, and administrative users, as determined by you in your use of the Services.
Types of personal data: Contact details (name, email, phone), job title and role information, session notes and coaching records, feedback and assessments, scheduling and availability data, and any other personal data you choose to upload or input.
Special category data: Coaching engagements may involve the processing of special category data, such as information about health, personal circumstances, or other sensitive matters disclosed during coaching sessions. You are solely responsible for determining whether and how such data is processed and for ensuring an appropriate legal basis under Article 9 of the GDPR.
The scope of personal data processed is determined by you. We will process only the personal data that you and your authorised users input into the Services.
We will process personal data only on your documented instructions, unless required by applicable law. If we are required by law to process personal data, we will inform you of this requirement before processing, unless prohibited from doing so.
We will ensure that persons authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
We will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further described in Schedule B.
We will assist you, taking into account the nature of processing and information available to us, with: (a) responding to requests from data subjects exercising their rights under Applicable Data Protection Law; (b) ensuring compliance with your obligations regarding security, breach notification, impact assessments, and consultations with supervisory authorities.
We will notify you of any instructions that, in our opinion, infringe Applicable Data Protection Law.
You are responsible for ensuring that your processing of personal data through the Services complies with Applicable Data Protection Law, including: (a) determining the lawful basis for processing; (b) providing appropriate privacy notices to data subjects; (c) responding to data subject requests; (d) ensuring a legal basis for any processing of special category data.
You warrant that your instructions to us will comply with Applicable Data Protection Law and that you have the right to process all personal data provided to us.
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
We are certified under ISO 27001:2022. A copy of our certificate is available on request. The technical and organisational measures we implement are described in Schedule B.
You provide general authorisation for us to engage sub-processors to assist in providing the Services. A list of our current sub-processors is set out in Schedule A and is also available on request.
We will notify you of any intended addition or replacement of sub-processors at least 5 days before the change takes effect. You may object to the change in writing within that period on reasonable grounds relating to data protection. If you object and we cannot reasonably address your concerns, you may terminate the affected Services by notice to us.
We will enter into written agreements with sub-processors containing data protection obligations no less protective than those in this DPA. We remain fully liable for the acts and omissions of our sub-processors.
We will notify you without undue delay, and in any event within 24 hours, after becoming aware of a personal data breach affecting your data.
Our notification will include, to the extent available: (a) a description of the nature of the breach, including the categories and approximate number of data subjects and records affected; (b) the likely consequences of the breach; (c) measures taken or proposed to address the breach and mitigate its effects; (d) contact details for obtaining further information.
We will cooperate with you and provide reasonable assistance in relation to your obligations under Articles 33 and 34 of the GDPR.
Personal data is primarily processed and stored within the European Economic Area. We will not transfer personal data to a country outside the EEA unless: (a) the transfer is to a country subject to an adequacy decision by the European Commission; (b) appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission; or (c) another valid transfer mechanism under Applicable Data Protection Law applies.
Our current sub-processors and their locations are listed in Schedule A.
We will make available to you all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections.
Audit requests must be made in writing with reasonable notice (at least 14 days, except in emergencies). Audits will be conducted during normal business hours and must not unreasonably disrupt our operations.
Each party bears its own costs in connection with audits. If you request more than one audit in any 12-month period, you will bear our reasonable costs for any additional audits, unless the audit reveals a material breach of this DPA.
Upon termination or expiry of the Terms, we will, at your choice: (a) return all personal data to you in a commonly used format; or (b) securely delete all personal data.
You may request data export for up to 30 days after termination. After this period, we will delete personal data unless retention is required by applicable law.
Upon request, we will provide written confirmation of deletion.
Our liability under this DPA is subject to the limitations of liability set out in the Terms, and the aggregate liability of each party for all claims arising under or in connection with this DPA is subject to the cap specified in the Terms.
This DPA comes into effect when you accept the Terms and remains in effect for as long as we process personal data on your behalf. Obligations that by their nature should survive termination will continue in effect.
In the event of any conflict between this DPA and the Terms on matters relating to data protection, this DPA prevails.
This DPA is governed by the laws of Sweden. Any dispute arising under this DPA shall be subject to the dispute resolution provisions of the Terms.
Schedule A (Sub-processors). The following sub-processors are approved for processing personal data on behalf of the Controller:
| Name | Location (Country) | Purpose/Service |
|---|---|---|
| DigitalOcean | Netherlands/Germany (EU) | Cloud infrastructure – hosting, managed PostgreSQL, managed Redis, object storage |
| Mailgun | EU | Transactional email delivery |
| Cronofy | Germany | Calendar integration and scheduling |
| Stripe | USA/Ireland | Payment processing and subscription management |
| Sentry | USA | Error monitoring and performance tracking |
| Hotjar | Malta (EU) | Session recording and user behaviour analytics |
| Mistral AI | France | AI-powered analytics and coach matching |
| Google Analytics | USA | Web analytics and usage tracking |
Note: The current list of sub-processors is maintained on this page. You may also request it by contacting us at [email protected].
Schedule B (Technical and organisational measures). The Processor implements the following technical and organisational measures to protect personal data:
If you have any questions about this Data Processing Agreement, please contact us at [email protected].