Data Processing Agreement (DPA)

Last updated: 7 June 2026

This Data Processing Agreement ("DPA") governs RNSTRM Solutions AB's processing of personal data on behalf of a coach or club when the coach and club features of Hoopio Lab are used. The DPA forms part of the Terms of Use and applies automatically when you activate a coach/club licence and process player data.

Roles: The coach/club is the controller for player data processed in the coach features. RNSTRM Solutions AB is the processor. For processing whereRNSTRM Solutions AB is controller, such as accounts and billing, our Privacy Policy applies.

Governing language: This English version is provided for convenience. If the Swedish version and this English version differ, the Swedish version applies to the extent permitted by law.

1. Background and definitions
2. Subject matter and instructions
3. Nature and scope of processing
4. Processor obligations
5. Security
6. Subprocessors
7. International transfers
8. Assistance to the controller
9. Personal data breaches
10. Deletion and return
11. Audit and review
12. Liability
13. Term and termination
14. Contact

1. Background and definitions

Terms such as controller, processor, processing, personal data breach, and data subject have the same meaning as in the GDPR. "Controller" means the coach/club and "Processor" means RNSTRM Solutions AB, Swedish company registration no. 559578-0536.

2. Subject matter and instructions

The Processor processes personal data only to provide the coach and club features in Hoopio Lab and only under the Controller's documented instructions, consisting of this DPA, the Terms of Use, and the Controller's configuration and use of the Service. The Processor will notify the Controller if an instruction appears to infringe data protection law.

3. Nature and scope of processing

Subject matter	Provision of coach/club features in Hoopio Lab
Duration	For as long as the licence is active and processing is needed
Nature and purpose	Storage, organisation, display, and follow-up of player training
Types of data	Name/display name, team membership, training history and progress, and injuries or limitations voluntarily entered by the player (health data)
Data subjects	Players in the Controller's teams, which may include minors

4. Processor obligations

Process personal data only under instructions and applicable law.
Ensure that persons authorised to process the data are bound by confidentiality.
Apply appropriate technical and organisational security measures.
Assist the Controller as described in sections 8 and 9.
Use subprocessors only under section 6.

5. Security

The Processor applies appropriate measures under Article 32 GDPR, including encryption in transit, access control, permission management, logging, and routines to test and evaluate security. Health data is handled with particular care.

6. Subprocessors

The Controller grants a general prior authorisation for the Processor to use subprocessors needed to deliver the Service. Current subprocessors are listed in the Privacy Policy. The Processor ensures that subprocessors are bound by obligations equivalent to this DPA and remains responsible for their processing.

7. International transfers

If personal data is transferred outside the EU/EEA, the Processor ensures a lawful transfer mechanism, primarily the European Commission's Standard Contractual Clauses and, where applicable, EU-US Data Privacy Framework certification, together with supplementary safeguards.

8. Assistance to the controller

Taking into account the nature of the processing, the Processor assists the Controller with data subject requests and with obligations concerning security, breach notification, DPIAs, and prior consultation. Export and deletion functionality is available in the Service.

9. Personal data breaches

The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting data processed on behalf of the Controller and will provide information reasonably needed for the Controller's notification obligations.

10. Deletion and return

When processing ends, the Processor will, at the Controller's choice, delete or return all personal data and delete existing copies unless storage is required by law. Players can also export and delete their own data in the app.

11. Audit and review

The Processor will provide information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, by the Controller or an auditor appointed by the Controller. Audits must be conducted with reasonable notice, during normal business hours, and without undue disruption.

12. Liability

Liability for damage caused by processing follows Article 82 GDPR and the liability limitations in the Terms of Use to the extent permitted by mandatory law.

13. Term and termination

This DPA applies for as long as the Processor processes personal data on behalf of the Controller. If this DPA conflicts with other terms on personal data processing, this DPA prevails.

14. Contact

Questions about this DPA or requests for a signed copy can be sent to privacy@hoopiolab.com.
RNSTRM Solutions AB, Stjärngatan 37, 195 58 Märsta, Sverige