Romby Coach
Privacy Terms DPA Back to Romby Coach

Romby Coach Data Processing Agreement

Last updated 7 July 2026

Draft — under legal review. This DPA describes how coaching data is handled today in plain language. It has not yet been finalised by a lawyer — treat it as accurate and in effect, not as polished final legal text.

This Data Processing Agreement ("DPA") applies to every coach using Romby Coach (dashboard.romby.co), operated by Evgeny Klimenchenko ([COMPANY NAME], [REGISTERED ADDRESS] — to be updated upon incorporation, "Romby", "we"). It supplements our Terms of Service and Privacy Policy and explains how personal data about your clients ("Client Data") is handled when you use Romby Coach to coach them.

1. Roles: who controls what

Data-protection roles here are split deliberately, and it's worth being precise about them:

  • For the underlying eater-app data (a client's account, food logs, weight, and goals), Romby is the data controller directly vis-à-vis the client — that relationship exists under our Privacy Policy whether or not the client ever connects with a coach.
  • For the incremental processing that happens because of your coaching relationship with a client — i.e. surfacing their health data on your dashboard, and anything you create yourself (your plan, private notes, push nudges, check-ins) — you, the coach, are an independent data controller. You decide what to look at, what advice to give, and what to note down; that purpose is yours, not Romby's.
  • With respect to that same coaching-relationship processing, Romby acts as your data processor (GDPR Art. 28): we provide the platform that stores, displays, and transmits Client Data on your instructions (given by using the product's features — e.g. writing a note, assigning a goal), and we process it only for that purpose.

In short: Romby remains the client's controller for their own data at all times; you become an additional, independent controller only for the coaching layer you add on top, and Romby is your processor for that layer.

2. What triggers access

You can only see a client's health data after they've explicitly accepted your invite link — never before, and never for a client who hasn't. If they revoke the link, your access to their live data is cut off immediately going forward (see §6).

3. Your obligations as coach

  • Confidentiality — keep Client Data confidential; don't disclose it to anyone outside the coaching relationship without the client's consent.
  • Purpose limitation — use Client Data only to coach that specific client. Don't repurpose it (marketing, research, training other clients, etc.) without a separate lawful basis and the client's consent.
  • No independent collection — you rely on the consent Romby obtained from the client to share their data with you; you're not authorised to collect further special-category health data about them outside the platform under this DPA.
  • No export or re-sharing — don't export, download, or copy Client Data to other tools or share it with third parties (including other coaches) except as strictly necessary to communicate directly with that client.
  • Your notes are the client's personal data — under the GDPR's access and portability rights, the notes and records you keep about a client (your plan, private notes, check-ins) are that client's personal data. They may be included in the client's data export or access request, so write them professionally.

4. Romby's obligations as your processor

  • We process Client Data on your documented instructions (i.e. via the features you use) and for the Service's operation — not for our own unrelated purposes.
  • Our staff and systems handling Client Data are bound by confidentiality and the security measures described in the Privacy Policy §10.
  • We use the sub-processors listed in the Privacy Policy §5 (hosting, backups, email, payments, the AI vision provider) and will keep that list current.
  • We'll assist you in responding to a client's data-subject rights request that reaches you directly, and in any data-protection impact assessment concerning the coaching feature.

5. Sub-processors & international transfers

Client Data is hosted and backed up in the EU as described in the Privacy Policy §§5, 9. Where any sub-processor operates outside the EU/EEA, we rely on Standard Contractual Clauses or an adequacy decision.

6. Deletion on unlink or termination

When a client revokes your link, or your coach account is terminated, your in-app access to that client's live data stops immediately. If you exported, downloaded, or separately noted down any Client Data (e.g. copied it into your own files), you must delete it within 30 days of the link ending, unless you have an independent legal obligation to retain it. Notes and plans you authored inside Romby about that client remain in Romby's systems until you delete them yourself or their deletion is requested (e.g. by the client exercising their rights under the Privacy Policy) — Romby does not yet auto-delete coach notes on unlink; time-based automatic retention for this data is a planned feature, not yet built.

7. Incident notification

We'll notify you without undue delay if we become aware of a personal-data breach affecting Client Data you have access to, so you can meet your own Art. 33/34 obligations if applicable. Likewise, you must notify us promptly at hello@romby.co if you become aware of a breach involving Client Data (for example, an exported note that's lost or compromised).

8. Liability

Liability under this DPA follows the limitations set out in our Terms of Service §10.

9. Term

This DPA applies for as long as you have an active Romby Coach account and at least one active client link, and survives with respect to the deletion obligations in §6 after either ends.

10. Governing law

This DPA is governed by [GOVERNING LAW / JURISDICTION].

11. Contact

Questions about this DPA: hello@romby.co.

Romby Coach Coach from real data, not recall. hello@romby.co For eaters → romby.co Privacy Terms DPA © 2026 Romby · romby.co