Data Processing Agreement

1. Definitions

• Controller: the Studio — the natural or legal person who determines the purposes and means of processing student personal data.
• Processor: Ananda Studio Management — processes personal data on behalf of the Controller.
• Data Subject: the individual student whose personal data is being processed.
• Personal Data: any information relating to an identified or identifiable natural person.
• Processing: any operation performed on personal data, including collection, storage, retrieval, use, and deletion.
• Sub-processor: any third party engaged by Ananda to process personal data on behalf of the Controller.
• GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council.

2. Subject Matter and Duration

This DPA governs the processing of personal data by Ananda in the course of providing the Ananda studio management platform (the "Service") to the Studio. It begins when the Studio accepts these terms and remains in effect for the duration of the Studio's active subscription to the Service.

Upon termination of the Service agreement, Ananda will cease processing and delete or return all personal data as described in Section 8 below.

3. Nature and Purpose of Processing

Ananda processes personal data solely for the purpose of providing the Service to the Studio. Processing activities include:

• Storing and managing student account data (name, email, contact details)
• Recording class bookings, attendance, and cancellations
• Processing payments and maintaining payment history
• Delivering booking confirmations and class reminders via email
• Hosting online classes via Zoom integration (where enabled)
• Providing students access to on-demand video content (where enabled)
• Generating reports and analytics for the Studio

Ananda will not process personal data for any purpose other than fulfilling its obligations under the Service agreement, except as required by EU or Member State law.

4. Types of Personal Data Processed

• Identity data: first name, last name, date of birth
• Contact data: email address, phone number, postal address
• Health and practice data: skill level, health notes (if provided by the student)
• Emergency contact information
• Financial data: payment method details (tokenised, stored by Stripe/PayPal), transaction history
• Booking and attendance records
• Technical data: IP address (security logs, 90 days), session tokens
• Communications: transactional email logs (2 years)

5. Categories of Data Subjects

Students, prospective students, and any other individuals who register an account within the Studio's Ananda tenant.

6. Obligations of Ananda (Processor)

Ananda shall:

1. Process on documented instructions only. Process personal data only on documented instructions from the Controller (the Studio), except where required by EU or Member State law, in which case Ananda shall inform the Controller unless that law prohibits such information.
2. Ensure confidentiality. Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. Implement appropriate security measures (Art. 32). Implement technical and organisational measures appropriate to the risk, including encryption in transit (TLS) and at rest, bcrypt password hashing, access controls, and regular security reviews.
4. Manage sub-processors (Art. 28(2)). Not engage another processor without prior general or specific written authorisation of the Controller. Where general authorisation is given, Ananda shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object. The current list of sub-processors is published at ananda.app/sub-processors .
5. Assist with data subject requests. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligation to respond to requests for exercising data subjects' rights (access, rectification, erasure, portability, objection).
6. Assist with security obligations. Assist the Controller in ensuring compliance with obligations pursuant to Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, prior consultation).
7. Notify of personal data breaches. Notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data subjects, providing sufficient information to allow the Controller to meet its own notification obligations.
8. Delete or return data on termination. At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage of the personal data.
9. Provide audit assistance. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller.

7. Obligations of the Studio (Controller)

The Studio shall:

• Ensure it has a valid legal basis under GDPR Art. 6 (and Art. 9 where applicable) for processing each category of personal data before instructing Ananda to process it.
• Maintain its own privacy policy informing students of how their data is used by the Studio.
• Promptly forward any data subject requests received from students to Ananda where Ananda's assistance is required.
• Comply with applicable data protection law in all respects of its use of the Service.

8. Sub-processors

The Studio grants Ananda general authorisation to engage the sub-processors listed at ananda.app/sub-processors . Ananda will notify Studios at least 14 days in advance of any changes to the sub-processor list via email. Studios that object to a change may terminate the Service in accordance with the terms of their subscription.

Ananda imposes data protection obligations on all sub-processors equivalent to those set out in this DPA, by means of a contract or other legal act under EU law.

9. International Data Transfers

Ananda's infrastructure is hosted on servers located within the European Union (Hetzner, Germany/Finland). Where sub-processors are located outside the EEA (including Stripe, Zoom, Cloudflare, and Mailgun in the United States), Ananda ensures that adequate safeguards are in place through:

• Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Decision 2021/914/EU)
• Where applicable, adequacy decisions by the European Commission

Details of the safeguards in place for each sub-processor are listed at ananda.app/sub-processors .

10. Data Retention and Deletion

Ananda retains personal data in accordance with its Data Retention Policy . Upon termination of the Service: student personal data that is not subject to mandatory retention periods (e.g., payment records under Italian tax law) will be deleted within 90 days.

11. Liability

Each party shall be liable for damages caused to data subjects in accordance with Article 82 GDPR. Where both parties are responsible for damage caused by processing, each shall be held liable for the entire damage in order to ensure effective compensation of the data subject, with the right of contribution between the parties in proportion to their responsibility.

Ananda's liability to the Studio under this DPA is subject to the limitations set out in the main Terms of Service.

12. Governing Law and Jurisdiction

This DPA is governed by Italian law and the laws of the European Union. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of Italy, without prejudice to the rights of data subjects to lodge a complaint with a supervisory authority (in Italy: the Garante per la protezione dei dati personali — www.garanteprivacy.it).

13. Contact

For questions about this DPA or to exercise your rights under it, contact us at support@ananda.app .