Data Processing Agreement

1. Subject and Duration

This Data Processing Agreement (DPA) supplements the Terms of Service between the Coach ("Controller") and Orbi ("Processor"). It governs the processing of personal data by the Processor on behalf of the Controller pursuant to Art. 28 GDPR.

2. Scope of Processing

The Processor processes: client personal data (name, email, phone), client health and fitness data (with explicit consent), booking and scheduling data, payment transaction references, and communication data between coach and client.

3. Obligations of the Processor

The Processor shall: process data only on documented instructions from the Controller, ensure persons authorized to process data are bound by confidentiality, implement appropriate technical and organizational measures (Art. 32 GDPR), and assist the Controller with data subject requests.

4. Sub-Processors

The Processor uses the following sub-processors:

• Supabase Inc. — database and authentication. Hosting region Frankfurt (eu-central-1). Contract and SCC between Orbi and Supabase Inc., USA.
• Vercel Inc. — web hosting and edge functions. Deployment region Frankfurt (fra1). SCC.
• Stripe Payments Europe, Ltd. — payment processing via Stripe Connect Express. Based in Dublin, Ireland. Processing within the EEA.
• Resend Inc. — transactional email delivery (USA). SCC.
• PostHog Inc. — product analytics (consent-based). EU hosting (eu.i.posthog.com). SCC.
• Functional Software Inc. (Sentry) — error monitoring (consent-based). EU region Frankfurt. SCC. Session replay masks all text and input fields.

All sub-processors are bound by equivalent data protection obligations. The Controller is informed with reasonable notice of any change or addition and may object.

5. Data Subject Rights

The Processor shall assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability) within the timeframes required by GDPR.

6. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach, in any case within 72 hours, so that the Controller can fulfill its own notification obligations under Art. 33 GDPR. The notification shall include the nature of the breach, categories of data affected, the estimated number of data subjects, the likely consequences, and the measures taken or planned in response.

7. Deletion and Return

Upon termination, the Processor shall delete or return all personal data to the Controller, unless retention is required by law. The Controller may request data export in JSON or CSV format before deletion.

Last updated: 2026-04-14

Questions? Contact us at legal@orbi.so