Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the club using Rowbot ("the Controller", "you", "your club") and Experiential Technologies Ltd ("the Processor", "we", "us"), a company registered in England and Wales (Company No. 12585767).

This DPA sets out how we process personal data on your behalf when you use the Rowbot platform.

1. Definitions

Terms used in this DPA have the same meaning as in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. "Platform" means the Rowbot application and related services.

2. Scope and roles

  • You (the club) are the Data Controller. You determine what member data is entered into Rowbot and for what purpose.
  • We (Experiential Technologies Ltd) are the Data Processor. We process personal data on your behalf to provide the Rowbot platform.

Note: We are an independent data controller for Rowbot account data (email, login credentials, platform profile). This DPA covers only the data we process on your behalf as a processor.

3. Data processed

Categories of data subjects

Your club's members, coaches, committee members, and other individuals whose data you enter into Rowbot.

Types of personal data

  • Names and contact details
  • Club membership information (type, status, dates)
  • Squad, group, and role assignments
  • Attendance, availability, and scheduling data
  • Lineup and crew selections
  • Equipment allocations and usage
  • Financial data (invoices, payment status)
  • Coaching notes and certifications
  • Health and activity data (where members have given explicit consent)
  • Any other data you choose to enter

Purpose of processing

  • Providing and maintaining the Rowbot platform for your club's use
  • Storing, organising, and displaying data as directed by your club's administrators
  • Sending notifications and communications on your club's behalf
  • Processing payments on your club's behalf (via third-party payment processors)
  • Providing technical support

4. Our obligations as processor

We will:

  • Process personal data only on your documented instructions, unless required by law (in which case we will inform you before processing, unless legally prohibited)
  • Ensure that anyone authorised to process the data is bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures (see Section 7)
  • Not engage sub-processors without your prior authorisation (see Section 5)
  • Assist you in responding to data subject requests (access, deletion, correction, portability, etc.)
  • Assist you in meeting your obligations regarding data security, breach notification, data protection impact assessments, and prior consultation with the ICO, where applicable
  • Delete or return all personal data on termination of the agreement, at your choice (see Section 9)
  • Make available to you information necessary to demonstrate our compliance with these obligations

5. Sub-processors

You authorise us to use the following sub-processors:

  • Amazon Web Services (AWS) — Hosting, database, frontend, file storage (UK, London)
  • Postmark — Transactional email delivery (US)
  • Stripe — Payment processing (US)
  • GoCardless — Direct debit payment processing (UK)

We will:

  • Notify you before adding or replacing a sub-processor, giving you reasonable opportunity to object
  • Ensure each sub-processor is bound by data protection obligations no less protective than those in this DPA
  • Remain fully liable for the acts and omissions of our sub-processors

Fitness platform integrations (e.g. Strava, Concept2, Apple Health) are connected by individual members under their own consent and are not sub-processors under this DPA.

6. International transfers

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the ICO
  • Transfers to countries with an adequacy decision from the UK Secretary of State
  • Other lawful transfer mechanisms under UK GDPR

7. Security measures

We implement and maintain appropriate technical and organisational measures, including:

  • Encryption of data in transit (TLS) and at rest
  • Tenant isolation (each club's data is logically separated)
  • Role-based access controls within the platform
  • Regular security reviews and updates
  • Access logging and monitoring
  • Secure development practices

We will not materially reduce the overall level of security during the term of this agreement.

8. Data breaches

If we become aware of a personal data breach affecting your data, we will:

  • Notify you without undue delay, and in any case within 72 hours of becoming aware
  • Provide sufficient information for you to meet your own breach notification obligations to the ICO and affected individuals
  • Cooperate with you and take reasonable steps to investigate and mitigate the breach

9. Term and termination

This DPA remains in effect for as long as your club uses the Rowbot platform.

On termination:

  • We will, at your choice, return or delete all personal data we process on your behalf within 30 days
  • You may request a data export before termination
  • We may retain data where required by law, but only for as long as necessary and subject to the obligations in this DPA

10. Audit

You have the right to verify our compliance with this DPA. We will:

  • Respond to reasonable written audit requests
  • Provide relevant documentation and information
  • Allow for and contribute to audits, including inspections, conducted by you or an auditor you appoint (at your cost, with reasonable notice)

Where possible, we will satisfy audit requests through documentation, certifications, or reports rather than on-site inspections.

11. Liability

Liability under this DPA is subject to the limitations set out in our Terms of Service, except where such limitations are prohibited by data protection law.

12. Governing law

This DPA is governed by the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales.

13. Contact

Experiential Technologies Ltd (Company No. 12585767)

Email: privacy@rowbot.app

To enter into this DPA with Experiential Technologies Ltd, please contact us at privacy@rowbot.app.