SwimKit← Back to homepage

Data Processing Agreement

Art. 28 GDPR

Entered into between:

  • (A) Data Controller (Instructor/School) - User of the Service,
  • and
  • (B) Data Processor: Edward Baltaza (sole proprietorship), NIP 8212577665, ul. Lindleya 16, 02-013 Warsaw, email: edward@swimkit.io.

Section 1. Subject matter and duration

  1. The Controller entrusts the Processor with personal data to the extent necessary for the provision of SwimKit services.
  2. This Agreement remains in effect for the duration of service provision (Account activity) and for the period necessary for settlement/data deletion in accordance with the Privacy Policy.

Section 2. Purpose and nature of processing

  1. The purpose of processing is to enable the Controller to use the Service features (scheduling, client database, notes, payments, reports).
  2. Nature: recording, organizing, storing, making available within the Account, deleting, creating backups.

Section 3. Types of data and categories of data subjects

  1. Categories of data subjects: clients/participants (including children), parents/guardians, employees/associates of the Controller (if entered).
  2. Categories of data (ordinary): identification and contact data, lesson schedule data, lesson notes, billing/packages.
  3. Special category data: generally not recommended; if the Controller chooses to enter sensitive data, they do so at their own responsibility and only when they have a legal basis and ensure data minimization.

Section 4. Obligations of the Processor

  1. Processing only on documented instructions of the Controller (use of the Service constitutes an instruction).
  2. Ensuring confidentiality (authorizations, confidentiality obligations).
  3. Implementing security measures appropriate to the risk (including access control, transmission encryption).
  4. Assisting the Controller in fulfilling data subject rights (to a reasonable technical extent).
  5. Notifying the Controller of breaches without undue delay after becoming aware of an incident.

Section 5. Sub-processing (sub-processors)

  1. The Controller gives general consent to the use of sub-processors necessary for the operation of the Service: Supabase, Google (optional), Polar.
  2. The Processor ensures that sub-processors provide appropriate data protection measures.

Section 6. Termination of services

Upon termination of the agreement, the Processor shall delete or anonymize the Controller's data within the timeframes and on the terms described in the Privacy Policy, unless the law requires longer retention of certain data (e.g., billing records).

Section 7. Final provisions

  1. This Agreement is in documentary form and is concluded by acceptance within the Service.
  2. Matters not regulated herein shall be governed by the GDPR and Polish law.

For questions, please contact: edward@swimkit.io