Data Processing Agreement
Last updated: 29 April 2026
This Data Processing Agreement ("DPA") supplements our Terms of Service for studio owners and enterprise customers who need formal data processing terms for compliance with Indian and international data protection laws.
If your studio handles member data subject to specific regulatory requirements (DPDPA 2023, GDPR for EU members, etc.), this DPA describes how Dizios processes data on your behalf.
For most small and medium studios, the Terms of Service and Privacy Policy provide sufficient coverage. This DPA is automatically applicable when you use Dizios; you do not need to sign anything separately.
1. Parties and Roles
Studio Owner ("Controller"): You, the operator of a fitness studio using Dizios, are the data controller for your members' and trainers' personal data.
Dizios ("Processor"): Vikrama Innovations Pvt Ltd, operator of Dizios, processes personal data on your behalf as a data processor.
This means: you decide what member data is collected and how it is used. We process that data according to your instructions and these terms.
2. Subject Matter and Duration
Subject matter: Processing of personal data of your studio's members and trainers as part of using the Dizios platform.
Duration: Throughout the period of your active Dizios subscription, plus a reasonable wind-down period after termination as described in our Privacy Policy.
Categories of data subjects:
- Members of your studio
- Trainers operating under your studio
- Studio staff with Dizios access
Categories of personal data:
- Identification data (name, contact details)
- Demographic data (age, gender)
- Health-related data (goals, conditions, body metrics — only if you choose to collect it)
- Operational data (attendance, payments, sessions)
- Behavioral data (app usage, engagement)
- Performance data (workout history, progress)
3. Our Obligations as Processor
We commit to:
Processing only on your instructions. We process data only for the purposes of providing Dizios to you and as described in our Privacy Policy. We do not process member or trainer data for other purposes without your authorization.
Confidentiality. Our team members who access your data are bound by confidentiality obligations.
Security. We implement appropriate technical and organizational security measures including encryption, access controls, and regular security reviews.
Sub-processors. We use third-party service providers (sub-processors) to deliver Dizios. These currently include hosting providers (Vercel, Hostinger), payment processors (Razorpay), communication services (Meta WhatsApp Business), and analytics tools. Each sub-processor is contractually required to protect data to standards equivalent to ours. We provide a current list of sub-processors on request.
Data subject rights. When your members or trainers exercise their data rights (access, correction, deletion), we will assist you in fulfilling those requests.
Breach notification. If we discover a personal data breach affecting your data, we will notify you without undue delay and provide the information you need to comply with your own breach notification obligations.
Audit cooperation. On reasonable request, we will provide information necessary to demonstrate our compliance with this DPA.
Data return and deletion. On termination of your Dizios subscription, we will return your data in a portable format and delete remaining copies within 90 days, except where retention is required by law (for example, financial records under Indian tax law).
4. Your Obligations as Controller
You commit to:
Lawful basis. Ensure you have a lawful basis (typically consent or legitimate interest) for collecting and using member and trainer data on Dizios.
Privacy notices. Provide your members and trainers with appropriate privacy notices describing how their data is used, including reference to Dizios as a processor.
Data quality. Take reasonable steps to ensure data submitted to Dizios is accurate and current.
Member consent for sensitive data. Obtain explicit consent before adding sensitive personal data (such as health conditions) to Dizios.
Compliance. Comply with applicable data protection laws as the data controller.
5. International Data Transfers
Dizios operates from India. Some of our sub-processors may store or process data outside India.
For Indian data subjects: Such transfers comply with the requirements of the Digital Personal Data Protection Act, 2023, including necessary government notifications where applicable.
For EU data subjects: Where applicable, we use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection.
If you have specific data residency requirements, contact us to discuss whether we can accommodate them.
6. Sub-processors
Current list of sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel | Web hosting | USA |
| Hostinger | Email hosting | EU/India |
| Razorpay | Payment processing | India |
| Meta (WhatsApp Business API) | Communication | India/USA |
| Anthropic | AI model API | USA |
| Sentry | Error monitoring | USA |
We may update this list as we add or change service providers. Material changes will be communicated through our website or in-app notification at least 30 days in advance, giving you an opportunity to object. If you object, we will work with you to find a resolution.
7. Data Subject Requests
When members or trainers exercise their rights under applicable data protection law (access, correction, deletion, portability):
You handle initial response. As the data controller, you are responsible for receiving and responding to data subject requests.
We assist. We will provide tools and information to help you fulfill these requests, including:
- Self-service options where feasible (e.g., export of member data)
- Direct technical support for complex requests
- Documentation of data we hold
Response timelines. We aim to provide assistance within 7 business days of your request, allowing you to meet your statutory response deadlines.
8. Liability and Indemnity
Each party's liability under this DPA aligns with the liability provisions in the Dizios Terms of Service.
To the extent that one party's breach of this DPA causes the other party to incur regulatory fines or penalties, the responsible party will indemnify the affected party for those amounts, subject to the overall liability cap in the Terms of Service.
9. Term and Termination
This DPA is effective for the duration of your Dizios subscription. Termination of your Dizios subscription terminates this DPA, except for provisions that survive (data return, deletion, confidentiality).
10. Changes to This DPA
We may update this DPA to reflect changes in law, our services, or industry standards. Material changes will be notified to you with reasonable advance notice. Continued use of Dizios after the effective date constitutes acceptance.
11. Order of Precedence
If there is a conflict between this DPA and our Terms of Service or Privacy Policy, the order of precedence for data processing matters is:
- This DPA
- Privacy Policy
- Terms of Service
12. Contact
Data protection questions:
Email: hello@dizios.com
Subject line: Data Protection Inquiry
For formal regulatory communications, please indicate the nature of the request clearly.
Disclaimer
This DPA addresses standard data processing relationships. If your specific compliance requirements need additional terms (custom audit rights, specific data residency, regulatory-specific commitments), please contact us to discuss enterprise arrangements.
This DPA is governed by Indian law and the courts of Gurgaon, Haryana, India.