Data Processing Agreement (DPA)

This DPA is concluded between the studio (the "controller") and Muff Consulting & Webdesign GmbH as the operator of StudioPlan (the "processor"). The controller determines the purpose and means of processing the personal data of its customers and staff; StudioPlan processes this data exclusively on behalf of and on the instructions of the controller.

The subject matter of the processing is the provision of the booking and management platform. The nature and purpose include storing, updating, transmitting, analysing and deleting data for the management of customers, bookings, classes, products, payments and staff, as well as handling support requests. The duration of the processing corresponds to the term of the main contract.

Data subjects are in particular the studio's customers, prospective customers, staff and instructors. The data processed includes in particular master data (name, address), contact details (e-mail, phone), booking and contract data, payment information and any notes recorded by the controller. The controller undertakes not to process special categories of personal data (e.g. health data) via the platform unless this is expressly provided for and permitted.

StudioPlan processes personal data exclusively within the scope of this agreement and the controller's documented instructions, unless a legal obligation requires otherwise. If an instruction appears unlawful, StudioPlan will inform the controller.

StudioPlan obliges the persons entrusted with the processing to maintain confidentiality and ensures that they process the data only in accordance with instructions.

StudioPlan takes appropriate technical and organisational measures to protect the data, in particular encrypted transmission (TLS), access controls and authentication, tenant separation of studio data, regular backups and measures to restore availability after an incident. The measures are developed further in line with the state of the art.

The controller authorises the use of sub-processors to provide the service (in particular Supabase, Stripe, Expo, Upstash, Vercel, Resend and Bexio). StudioPlan binds these to an equivalent level of data protection and informs the controller of any intended changes; the controller may object for good cause.

StudioPlan assists the controller, by appropriate technical and organisational means, in responding to requests from data subjects (access, rectification, erasure, portability, etc.) as far as possible.

StudioPlan informs the controller without undue delay after becoming aware of a personal data breach and assists the controller in fulfilling any notification obligations towards authorities and data subjects.

Where personal data is disclosed to countries without an adequate level of data protection (e.g. the USA), StudioPlan ensures appropriate protection through suitable safeguards — in particular the standard contractual clauses recognised by the FDPIC or on the basis of an adequacy decision (e.g. the Swiss–U.S. Data Privacy Framework for certified recipients). These safeguards are ensured through the data processing agreements of the providers used.

Upon request, StudioPlan provides the controller with the information necessary to demonstrate compliance with this agreement and allows for verifications within a reasonable scope.

After the end of the contract, StudioPlan deletes the personal data processed on behalf of the controller or returns it, unless a statutory retention obligation applies. Upon request, StudioPlan will first make the data available for export in a common format.

This DPA is governed by Swiss law and supplements the Terms of Service; for the rest, their provisions apply, in particular those on liability, jurisdiction and severability.