CatalysFit

Data Processing Agreement (DPA)

Last updated: June 2026

This Data Processing Agreement ("DPA") is entered into between the Personal Trainer ("Controller") and CatalysAI ("Processor"), in compliance with Article 28 of the GDPR and the Brazilian General Data Protection Law (LGPD — Law No. 13,709/2018). This DPA supplements the CatalysAI Terms of Use and Privacy Policy.

1. Parties

• Controller: The Personal Trainer who uses the CatalysAI platform to manage their students. The Controller determines the purposes and means of processing their students' personal data.
• Processor: CatalysAI, a company based in Brazil, which processes personal data on behalf of the Controller to provide the Service.

2. Subject Matter & Duration

This DPA governs the processing of personal data of the Controller's students by CatalysAI for the duration of the service agreement. The duration of processing corresponds to the period during which the Controller maintains an active account on the CatalysAI platform. After account termination, data will be handled as described in Section 12 (Termination) of this DPA.

3. Nature & Purpose

CatalysAI processes personal data for the following purposes:
• AI-powered personal training management
• Generation of personalized workout plans using AI
• Student progress tracking
• Communication between trainer and students (check-ins, notifications)
• Generation of performance reports and analyses
• Payment processing and financial management

4. Types of Personal Data

The following types of personal data are processed:
• Identification data: name, email
• Health data: weight, injuries, pain, sleep quality, body measurements, progress photos, body composition
• Training data: exercises performed, weights, sets, repetitions, session history
• Check-in data: sleep, energy, mood, pain, adherence, feedback
• Financial data: payment history, subscription status
• Technical data: IP address, access logs

5. Categories of Data Subjects

The data subjects are the students/clients of the Personal Trainer (Controller) whose data is registered on the CatalysAI platform.

6. Processor Obligations

CatalysAI, as Processor, undertakes to:
• Process personal data only on the basis of documented instructions from the Controller, unless required by law
• Ensure that all persons authorized to process personal data are committed to confidentiality or are under an appropriate statutory obligation of secrecy
• Implement appropriate technical and organizational security measures (as described in Section 7)
• Not engage any sub-processor without prior authorization from the Controller (see list at /subprocessors)
• Assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, portability)
• Assist the Controller in ensuring compliance with obligations regarding security, breach notification, impact assessments, and prior consultations
• Delete or return all personal data upon contract termination, as described in Section 12
• Make available to the Controller all information necessary to demonstrate compliance with this DPA

7. Security Measures

CatalysAI implements the following technical and organizational measures:
• Encryption in transit: TLS 1.2+ for all communications
• Encryption at rest: AES-256 for stored data
• Password hashing: bcrypt with salt for all passwords
• Row Level Security (RLS): database-level row security policies ensuring each trainer can only access their own data
• Role-based access control (RBAC)
• Regular automatic backups
• Security monitoring and audit logs
• Periodic review of access and permissions

8. Sub-processors

The complete and up-to-date list of sub-processors is available at: https://catalysfit.com/subprocessors

The Controller authorizes the use of the sub-processors listed on that page. CatalysAI will notify the Controller 30 days in advance before adding new sub-processors. The Controller may object within 15 days.

9. International Transfers

Personal data may be transferred to the United States through the following providers:
• Supabase (AWS) — database and authentication
• OpenRouter / MiniMax — AI workout generation (only anonymized training parameters, no PII)
• Stripe — payment processing
• Vercel — hosting and CDN
• Resend — transactional email delivery

These transfers are protected by:
• European Commission Standard Contractual Clauses (SCCs)
• Provider certifications (SOC 2, ISO 27001)
• Compliance with Art. 33 of the LGPD and Chapter V of the GDPR

10. Data Breach Notification

In the event of a personal data breach:
• CatalysAI (Processor) will notify the Controller without undue delay, and no later than 48 hours after becoming aware of the breach
• The notification will include: nature of the breach, categories of data affected, measures taken, and recommendations
• The Controller is responsible for notifying the competent supervisory authority:
  — GDPR: within 72 hours (Art. 33)
  — LGPD/ANPD: within 3 business days
• CatalysAI will assist the Controller in investigating and mitigating the breach

11. Audit Rights

The Controller may request evidence of compliance with this DPA, including:
• Reports on implemented security measures
• Sub-processor certifications and compliance documentation
• Data processing records
• Evidence of retention and deletion policies

Audit requests must be made in writing to support@catalysai.app, with a reasonable 30-day advance notice.

12. Termination

Upon termination of the service agreement:
• CatalysAI will delete all of the Controller's personal data within 30 days, unless retention is required by law
• Financial data may be retained for up to 5 years for legal and tax compliance
• Backups will be deleted within the rotation cycle (maximum 90 days)
• The Controller may request data export prior to deletion
• CatalysAI will provide written confirmation of data deletion

13. Governing Law

This DPA is governed by:
• The Brazilian General Data Protection Law (LGPD — Law No. 13,709/2018) for Controllers based in Brazil
• The EU General Data Protection Regulation (GDPR — Regulation EU 2016/679) for Controllers based in the European Union
• The more protective law shall apply where there is a conflict between jurisdictions

14. Contact

For questions regarding this DPA:
📧 Email: support@catalysai.app
🌐 Website: catalysai.app

CatalysFit — catalysfit.com

© 2026 CatalysAI. All rights reserved.