AteMate by Piqniq, Inc.
Last updated: July 1, 2026.
This DPA takes effect for each Coach when that Coach accepts it, or continues to use the Coach Portal after we make it available, as described in the Acceptance section.
This Data Processing Addendum ("DPA") forms part of the agreement between Piqniq, Inc. ("Piqniq", "we", "us", or "our") and the Coach who accepts it ("Coach", "you") for the use of AteMate for Coaches (the "Coach Portal"), as governed by our Terms of Service (the "Terms"). It applies where you use the Coach Portal to process personal data about your Clients and where data protection law requires a contract between a controller and its processor.
Capitalized terms not defined here have the meaning given in the Terms.
1. How This DPA Fits Together
This DPA supplements the Terms. If there is a conflict between this DPA and the rest of the Terms about the processing of Client personal data, this DPA controls.
This DPA applies only to our processing of Client Personal Data that we carry out on your behalf as your processor. It does not change how we handle data for which we are the controller, which is described in our Privacy Policy.
By accepting the Terms, or by continuing to use the Coach Portal after this DPA takes effect, you enter into this DPA.
2. Definitions
Data Protection Law: all privacy and data protection laws that apply to the processing under this DPA, including the EU General Data Protection Regulation (GDPR), the UK GDPR and the UK Data Protection Act 2018, the Swiss Federal Act on Data Protection, and applicable U.S. state privacy laws.
Client: a User who has connected to your Coach Account and approved the connection.
Client Personal Data: personal data relating to your Clients that we process on your behalf through the Coach Portal, as described in Schedule 1.
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Special Category Data, and Process / Processing: have the meanings given in the GDPR, applied to the equivalent concepts under other Data Protection Law.
Sub-processor: a third party we engage to process Client Personal Data on our behalf.
Standard Contractual Clauses (SCCs): the standard contractual clauses approved by the European Commission in Decision (EU) 2021/914, together with the UK International Data Transfer Addendum and the Swiss adaptations, where they apply.
3. Roles of the Parties
For Client Personal Data processed through the Coach Portal:
You are the Controller. You decide why and how your Clients' data is processed for your coaching purposes.
We are the Processor. We process Client Personal Data on your behalf to provide the Coach Portal.
You remain responsible for your own compliance with Data Protection Law as a controller, including having a lawful basis to process your Clients' data and obtaining any consents that the law requires. We are responsible for our obligations as a processor, set out below.
Separately, we are an independent controller of the personal data we process for our own purposes, such as running the Service, billing, security, and analytics. That processing is governed by our Privacy Policy, not this DPA.
4. Your Instructions
We will process Client Personal Data only:
on your documented instructions, including those given through the features and settings of the Coach Portal;
as needed to provide and support the Coach Portal and the rest of the Service; and
as required by law that applies to us, in which case we will tell you of that requirement before processing, unless the law prohibits it.
The Terms, this DPA, and your use of the Coach Portal are your complete and documented instructions to us. If we believe an instruction breaks Data Protection Law, we will tell you. If we cannot provide the Coach Portal in line with your instructions, we may suspend the affected processing or, where appropriate, allow you to terminate, as set out in the Terms.
5. How Clients Connect, Consent, and Health Data
You connect with a Client by sending the Client your invite code. The Client enters the code and approves the connection, and the Client chooses what data to share with you. A Client can change what they share or disconnect at any time.
Because AteMate is a health journal, Client Personal Data often includes health information, which is Special Category Data under the GDPR and consumer health data under some U.S. state laws. As the Controller, you are responsible for having a valid lawful basis and, where required, the explicit consent needed to process your Clients' health data for your coaching purposes. We provide the connection and consent mechanics described above as a feature, but they do not replace your own obligation to obtain whatever consents or authorizations the law requires for your relationship with your Client.
No PHI and no HIPAA. As stated in the Terms, the Service is not a HIPAA compliant service and we do not offer Business Associate Agreements. You must not use the Coach Portal to create, receive, maintain, or transmit Protected Health Information as defined under HIPAA. This DPA is not, and does not serve as, a HIPAA Business Associate Agreement.
6. Confidentiality
We make sure that the people we authorize to process Client Personal Data are bound by a duty of confidentiality and only process it as needed to perform their work.
7. Security
We maintain appropriate technical and organizational measures to protect Client Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, taking into account the state of the art, the costs of implementation, and the nature, scope, and purposes of processing. Our current measures are described in Schedule 2. We may update them as the Service develops, provided the level of protection does not materially decrease.
8. Sub-processors
You give us general authorization to engage Sub-processors to help us provide the Coach Portal. Our current Sub-processors are listed in Schedule 3, and the same list is kept current in our Privacy Policy.
When we engage a Sub-processor, we impose data protection obligations on it that are no less protective than those in this DPA, and we remain responsible for the Sub-processor's performance.
We will give you notice before we add or replace a Sub-processor, by updating the list and, where we offer it, through a notification you can subscribe to. If you have a reasonable, data-protection-based objection to a new Sub-processor, tell us within 30 days of the notice. We will work with you in good faith to address it, and if we cannot, you may terminate the affected part of the Coach Portal as your sole remedy.
9. International Transfers
We are based in the United States, and our Sub-processors may process data in the United States and other countries. Where you or your Clients are in the European Economic Area, the United Kingdom, or Switzerland, and we process Client Personal Data in a country that has not been recognized as providing an adequate level of protection, the Standard Contractual Clauses apply to that transfer and are incorporated into this DPA by reference.
For those transfers, the parties agree:
Module Two (controller to processor) applies, with you as the data exporter and us as the data importer;
the optional docking clause applies;
for the purposes of the SCCs, the audit and Sub-processor provisions of this DPA apply, and our general authorization to engage Sub-processors in Section 8 satisfies the relevant option;
the governing law and the forum for disputes are those stated in the SCCs for the relevant region; and
Schedules 1, 2, and 3 of this DPA supply the information required by the annexes to the SCCs.
The UK Addendum and the Swiss adaptations apply to transfers subject to UK or Swiss law, with the relevant authorities and references read accordingly.
10. Assisting You
Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance to help you meet your own obligations, specifically:
Data subject requests. We will help you respond to requests from Clients to exercise their rights, such as access, correction, deletion, and portability. Many of these can be handled directly by the Client in the Application or by you through the Coach Portal. Where you need our help beyond those tools, contact us and we will assist. If a Client contacts us directly about data we process for you, we will, where lawful, refer the request to you or ask the Client to direct it to you.
Security, breach, and impact assessments. We will provide reasonable assistance with your data protection impact assessments and prior consultations, and with keeping Client Personal Data secure, in each case to the extent it relates to our processing and the information is available to us.
We may charge a reasonable fee for assistance that goes beyond what Data Protection Law requires of us as a processor, and we will tell you before we do.
11. Personal Data Breach
If we become aware of a Personal Data Breach affecting Client Personal Data, we will notify you without undue delay. Our notice will describe, to the extent known, the nature of the breach, its likely consequences, the measures we have taken or propose to take, and a point of contact for more information. We will provide further details as they become available. As the Controller, you are responsible for any notifications you must make to authorities or to Data Subjects.
12. Deletion and Return
On the end of the Coach Portal services, or earlier at your written request, we will delete or return Client Personal Data processed on your behalf, at your choice, and delete existing copies, unless the law requires us to keep it. Client data that a Client also holds in the Client's own account remains the Client's data and is governed by our Privacy Policy. Where we cannot immediately delete data held in backups, we isolate it from further processing until deletion is possible.
13. Audits and Information
We will make available to you the information reasonably necessary to show our compliance with this DPA, and we will allow for and contribute to audits, including inspections, conducted by you or an auditor you appoint.
To keep this practical and to protect other customers and the security of the Service:
you will give us reasonable prior notice, normally at least 30 days, unless a Data Protection Law or a regulator requires sooner;
audits take place during business hours, no more than once a year unless a regulator or a Personal Data Breach makes more frequent review necessary, and must not unreasonably disrupt our operations;
in the first instance, we may satisfy an audit request by providing current certifications, audit reports, or written responses to a security questionnaire; and
anyone conducting an audit must be bound by confidentiality.
14. Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability in the Terms. Nothing in this DPA limits liability that cannot be limited under applicable law.
15. Term and Termination
This DPA takes effect when you accept it and continues for as long as we process Client Personal Data on your behalf. Provisions that by their nature should survive termination, including those on deletion, confidentiality, and liability, survive.
16. General
Changes. We may update this DPA where needed to reflect changes in the Service, our Sub-processors, or Data Protection Law. If a change materially affects your rights, we will give reasonable notice. Continued use of the Coach Portal after a change takes effect means you accept the updated DPA.
Order of precedence. For the processing of Client Personal Data, the order of precedence is: the SCCs (where they apply), then this DPA, then the rest of the Terms.
Governing law. Except where the SCCs require otherwise for a particular transfer, this DPA is governed by the law stated in the Terms.
Schedule 1. Details of the Processing
Subject matter: our provision of the Coach Portal to you, which lets your connected Clients share journal and health data with you and lets you message them.
Duration: for as long as you use the Coach Portal and we process Client Personal Data on your behalf, as set out in Section 15.
Nature and purpose: storing, organizing, displaying, and transmitting Client Personal Data so you can view the data your Clients choose to share and support them through the Service.
Types of Personal Data: Client identity and contact data (such as name and email); journal content, which may include food, mood, hydration, movement, and sleep entries, photos, notes, and measurements such as weight, blood sugar, blood pressure, and cholesterol; insights and patterns derived from that content; and messages exchanged between you and the Client. This data often includes health information, which is Special Category Data.
Categories of Data Subjects: your Clients who connect to your Coach Account and approve the connection.
Special category data: health and wellbeing information, processed on the basis you establish as Controller.
Frequency: continuous, for the duration of each Client connection.
Schedule 2. Technical and Organizational Security Measures
We maintain measures that include:
encryption of Client Personal Data in transit and at rest;
access controls that limit access to authorized personnel on a need-to-know basis, with authentication;
hosting on reputable cloud infrastructure with physical and environmental safeguards managed by the provider;
logical separation of customer data;
secure development and change-management practices;
monitoring, logging, and measures designed to detect and respond to security events;
backup and recovery processes; and
confidentiality obligations and security awareness for personnel.
We may change these measures as the Service develops, provided the level of protection does not materially decrease.
Schedule 3. Sub-processors
The Sub-processors we currently use to provide the Service, and that may process Client Personal Data, are below. This list is kept current in our Privacy Policy.
Anthropic: AI Coach processing.
OpenAI: AI food photo recognition.
Google / Firebase: hosting, cloud storage, and infrastructure.
Stripe: Coach Portal payment processing.
Intercom: customer support and messaging.
SendGrid (Twilio): email delivery.
Mixpanel: product analytics.
Adapty: subscription and paywall management.
Airbridge: mobile measurement and attribution.
Make (make.com): workflow automation between subscription and support tools.
Cloudflare: website performance and security.
Google Analytics (GA4): website and product analytics.
Acceptance
By accepting this DPA, or by continuing to use the Coach Portal after we make this DPA available to you, you and Piqniq, Inc. agree to it. If you require a countersigned copy for your records, contact us at privacy@atemate.com and we can arrange one.
