Organizer Data Processing Agreement

This Data Processing Agreement ("Agreement") is entered into between:

Data Controller

The Organizer is the data controller for all personal information uploaded to, collected through, or processed in connection with their meet(s) on Gym Art Meets. As data controller, the Organizer:

• Determines the purposes and means of data processing;
• Retains full responsibility for the lawfulness of collection;
• Ensures the accuracy and completeness of personal information;
• Obtains and maintains all required consents from data subjects prior to uploading information to Gym Art;
• Complies with all applicable data protection laws and regulations.

Data Processor

Gym Art acts as a data processor on behalf of the Organizer. In this capacity, Gym Art:

• Processes personal data only on documented instructions from the Organizer;
• Implements technical and organizational security measures to protect personal data;
• Engages only authorized sub-processors with equivalent data protection obligations;
• Maintains records of processing activities and cooperates with regulatory inquiries;
• Notifies the Organizer of any data breaches affecting their data within 72 hours;
• Deletes or returns all personal data upon termination of this Agreement, unless legally required to retain it.

The Organizer certifies that, prior to uploading any personal information to Gym Art Meets, they have obtained all legally required consents from the appropriate data subject or parent/legal guardian, as follows:

3.1 For Gymnasts Under 13

For gymnasts under 13 years of age, the Organizer has obtained verifiable parental or legal guardian consent in accordance with the Children's Online Privacy Protection Act (COPPA), 16 CFR Part 312, including the 2025 Final Rule Amendments effective April 22, 2026. This consent must be verifiable and document the parent or guardian's affirmative authorization before data collection occurs.

3.2 For Gymnasts Aged 13–15

For gymnasts aged 13 to 15, the Organizer has obtained parental or legal guardian consent as required by applicable data protection laws in the jurisdictions where the gymnast resides or the meet is located, including:

• Loi 25 (Quebec): https://www.legisquebec.gouv.qc.ca/en/document/cs/P-39.1
• PIPEDA (Canada): https://laws-lois.justice.gc.ca/eng/acts/P-8.6/
• PIPA (Alberta): https://kings-printer.alberta.ca/570.cfm?frm_isbn=9780779842902
• PIPA (British Columbia): https://www.bclaws.gov.bc.ca/civix/document/id/complete/statreg/03063_01
• GDPR (European Union / EEA): https://gdpr-info.eu/

3.3 For Individuals 16 and Older

For individuals age 16 and older, the Organizer has obtained the individual's own informed consent, or has established another lawful basis for processing as permitted under applicable data protection laws (e.g., contractual necessity, legitimate interests).

3.4 Scope of Consent — Core Data

All consents obtained explicitly cover the collection, processing, and storage of the following core data fields and purposes:

• Gymnast name;
• Club/organization affiliation;
• Competitive level and age category;
• Date of birth;
• Processing of this data by Gym Art as a data processor on behalf of the Organizer;
• Storage of data on Google Cloud Platform in Montréal, Canada (northamerica-northeast1 region);
• Retention periods as specified in the Gym Art Privacy Policy (Section 8);
• The data subject's rights to access, correct, delete, and port their personal information.

3.5 Scope of Consent — Additional Data Fields

For any additional personal data fields beyond core fields—such as emergency contact information, dietary requirements, medical notes, accessibility needs, or other sensitive information—the Organizer has obtained separate, explicit consent that:

• Clearly discloses the specific data category (e.g., "emergency contact name and phone number");
• Explains the purpose of collection (e.g., "to contact in case of medical emergency");
• Specifies the retention period for that category;
• Is documented and retained by the Organizer for audit purposes.

3.6 Floor Music and Media Files

For floor music files, video recordings, or other media associated with individual gymnasts, the Organizer has obtained explicit consent from the gymnast (or parent/guardian if under 18) authorizing:

• Upload to Gym Art Meets;
• Storage on Google Cloud Platform;
• Use in connection with the meet (e.g., display on scoreboard, archive);
• Default retention period of 3 years from the meet date.

The Organizer is required to set a specific retention date or deletion policy at the time of meet setup. Data subjects may request early deletion by contacting the Organizer.

The Organizer must maintain comprehensive documentation to evidence compliance with this Agreement, including:

Consent Records

• Copies of all consent forms and signed agreements (physical or digital) obtained from data subjects or parents/guardians;
• Records of the date consent was obtained and the method of obtaining it (e.g., electronic signature, print-and-sign, in-person);
• Proof that the consent form met the requirements of all applicable jurisdictions for the data subject's age and location.

Production of Records

The Organizer must be able to produce records of consent:

• Upon reasonable request by Gym Art for compliance audits or as part of responding to data subject or regulatory requests;
• To any regulatory authority (e.g., information commissioner, privacy commissioner) conducting an investigation;
• To a data subject exercising their right to access or contest the lawfulness of processing.

Consent Form Templates

A compliant consent form template that meets the requirements of all applicable jurisdictions (Loi 25, PIPEDA, PIPA AB, PIPA BC, COPPA, GDPR) is available at:

Parent/Guardian Consent Form Template

Organizers may use this template or develop their own form, provided it includes all required elements and disclosures.

Consent Withdrawal and Revocation

The Organizer must notify Gym Art immediately of any consent withdrawal by a data subject. Upon notification, Gym Art will delete or cease processing that individual's data in accordance with Section 6.

Organizer Responsibilities

The Organizer must ensure that their own systems, practices, and facilities maintain reasonable security standards appropriate to the sensitivity of personal data, including:

• Using secure, unique passwords to access their Gym Art Meets account;
• Never sharing login credentials with unauthorized personnel;
• Restricting access to personal data to authorized team members only;
• Using secure networks and devices to access the platform;
• Implementing reasonable physical, technical, and organizational safeguards for any personal data stored locally.

Gym Art Security Measures

Gym Art implements industry-standard technical and organizational security measures to protect personal data, including encryption in transit, secure access controls, and regular security assessments. Full details are provided in the Gym Art Privacy Policy.

Breach Notification

The Organizer must promptly report any suspected or confirmed data breach, unauthorized access, or security incident affecting Gym Art Meets or the personal data stored within it to:

privacy@gymart.org

A breach should be reported as soon as discovered, even if details are still being investigated.

Organizer-Set Retention Periods

At the time of meet creation and setup, the Organizer must configure retention date(s) for all personal data in accordance with applicable law and the Gym Art Privacy Policy. Default retention is:

• Meet records: 3 years from the meet date;
• Floor music and media: 3 years from the meet date;
• Participant lists and registration data: 3 years from the meet date.

Automatic Deletion

Upon expiry of the retention period set by the Organizer, Gym Art automatically deletes the associated personal data from all systems, including backups, unless Gym Art is legally obligated to retain it longer (e.g., for tax or legal proceedings).

Early Deletion Requests

The Organizer may request early deletion of meet data at any time by contacting:

privacy@gymart.org

Gym Art will process early deletion requests within 10 business days, unless extended retention is required by law.

Termination of Agreement

Upon termination of this Agreement or the Organizer's Gym Art account:

• Gym Art will delete all personal data associated with the Organizer's meets within 30 days, unless a longer retention period is legally required;
• The Organizer may request a data export prior to deletion;
• Deletion includes all backups, archives, and disaster recovery systems.

Sub-Processor Authorization

Gym Art may engage third-party sub-processors to assist in providing the Gym Art Meets service, subject to the following conditions:

• Each sub-processor must be bound by a written data processing contract that imposes substantially equivalent data protection obligations;
• Gym Art remains liable to the Organizer for any sub-processor's failure to fulfill its data protection obligations;
• The Organizer is informed of any change to the list of sub-processors.

Current Sub-Processors

As of the effective date of this Agreement, the primary sub-processor is:

• Google Cloud Platform (GCP): Personal data is stored on Google Cloud servers located in Montréal, Canada (northamerica-northeast1 region). All data remains encrypted at rest and in transit. Google Cloud maintains SOC 2, ISO 27001, and other compliance certifications.

Sub-Processor Changes

Gym Art may engage additional or replacement sub-processors in the future. A current, complete list is maintained in the Gym Art Privacy Policy (Section 7). The Organizer is notified of material changes at least 30 days in advance, with the opportunity to terminate their use of Gym Art Meets if they object to a new sub-processor.

Rights of Data Subjects

Data subjects have the following rights with respect to their personal information processed through Gym Art Meets, as established by applicable data protection laws (GDPR, Loi 25, PIPEDA, PIPA AB, PIPA BC):

• Right of Access: Request a copy of their personal data;
• Right of Correction/Rectification: Request correction of inaccurate data;
• Right to Deletion/Erasure: Request deletion of their data (subject to legal retention requirements);
• Right to Data Portability: Request their data in a portable, machine-readable format;
• Right to Object: Object to certain processing activities;
• Right to Withdraw Consent: Withdraw consent to processing at any time.

Exercising Rights

Data subjects may exercise these rights by:

• Contacting the Organizer directly (as they are the data controller);
• Submitting a request through the Gym Art Meets platform (if available);
• Contacting Gym Art at privacy@gymart.org, and Gym Art will notify the Organizer and assist in fulfilling the request.

Response Timeline

The Organizer, with support from Gym Art, must respond to data subject rights requests within 30 days of receipt, or within a shorter timeline if required by applicable law (e.g., 15 days under GDPR for access requests). Extensions of up to 60 additional days may be granted for complex or voluminous requests.

Gym Art Cooperation

Gym Art will reasonably assist the Organizer in fulfilling data subject rights requests, including providing tools to export, correct, or delete data where technically feasible.

Gym Art Notification Obligations

In the event of a confirmed or reasonably suspected personal data breach affecting the Organizer's data, Gym Art will:

• Notify the Organizer within 72 hours of discovering the breach;
• Provide details of the breach, including: the nature of the data affected, the number of data subjects potentially impacted, the suspected cause, and mitigation steps taken;
• Provide information the Organizer needs to assess risk and meet its own breach notification obligations to affected data subjects and regulators.

Organizer Breach Notification Obligations

The Organizer is responsible for notifying affected data subjects and regulatory authorities of breaches as required by applicable law:

• GDPR requires notification without undue delay and within 72 hours to the competent authority;
• PIPEDA, Loi 25, and provincial privacy laws may have different timelines and thresholds.

Gym Art will cooperate and provide necessary information to assist the Organizer in meeting these obligations.

Investigation and Remediation

Both parties will cooperate in investigating the breach, determining its scope, and implementing remediation measures to prevent recurrence. Gym Art will provide regular updates on investigation progress.

Organizer Indemnification

The Organizer indemnifies, defends, and holds harmless Gym Art and its officers, directors, employees, and agents from any claims, damages, liabilities, and costs (including reasonable attorneys' fees) arising from:

• The Organizer's failure to obtain proper, lawful consent from data subjects or parents/guardians prior to uploading personal data;
• The Organizer's breach of this Agreement, including failure to maintain documentation or comply with data protection laws;
• The Organizer's processing of personal data beyond the scope authorized by this Agreement;
• The Organizer's use of Gym Art Meets in violation of applicable law or the platform's terms of service.

Gym Art Indemnification

Gym Art indemnifies, defends, and holds harmless the Organizer from any claims, damages, liabilities, and costs arising from:

• Gym Art's failure to process personal data in accordance with the Organizer's documented instructions and this Agreement;
• Gym Art's unauthorized processing, disclosure, or loss of personal data due to breach of Gym Art's own security obligations;
• Gym Art's failure to cooperate with data subject rights requests, breach notifications, or regulatory inquiries;
• Gym Art's use of a sub-processor that fails to maintain equivalent data protection obligations.

Limitation

These indemnification obligations are subject to the parties' duty to mitigate damages and do not apply to the extent a claim arises from the other party's gross negligence or willful misconduct.

Effective Date and Scope

This Agreement becomes effective upon the Organizer's acceptance through the Gym Art Meets platform. Acceptance is required:

• Before creating the first competition meet on Gym Art Meets;
• Before each new meet is created (the Organizer will be prompted to accept or re-accept the current version);
• Before uploading any personal data to the platform.

Retroactive Application to Prior Events

By accepting this Agreement, the Organizer acknowledges and agrees that the terms, obligations, and representations set forth herein apply retroactively to all prior competition meets the Organizer has hosted or managed using the Gym Art Meets platform, regardless of when those events took place.

Specifically, the Organizer confirms that:

• For all prior events hosted on Gym Art Meets, the Organizer obtained all necessary consents and legal authority to collect, upload, and process the personal information of gymnasts and other data subjects in accordance with the requirements described in this Agreement;
• The Organizer has maintained (and continues to maintain) records of the consents obtained for prior events, and can provide evidence of such consent upon request by Gym Art or a regulatory authority;
• The Organizer accepts full responsibility as the data controller for all personal data uploaded to the Gym Art platform in connection with prior events, including gymnast information, medical documentation, floor music files, competition scores, and any additional data fields;
• The Organizer's indemnification obligations under this Agreement extend to claims arising from or related to prior events;
• Any personal data from prior events that remains on the Gym Art platform is subject to the retention and deletion provisions of this Agreement.

Continued use of the Gym Art Meets platform constitutes acceptance of this retroactive application. If the Organizer does not agree to these retroactive terms, the Organizer must notify Gym Art in writing at privacy@gymart.org within 30 days of acceptance. Gym Art will then work with the Organizer to delete all data from prior events and, if no resolution is reached, the Organizer's access to the platform will be suspended.

Updates to This Agreement

Gym Art may update this Agreement from time to time to reflect changes in law, technology, or business practices. Gym Art will provide reasonable notice (at least 30 days) of material changes. Continued use of Gym Art Meets after the notice period constitutes acceptance of the updated Agreement.

Termination

Either party may terminate this Agreement with 30 days' written notice to the other party. Upon termination:

• The Organizer's access to Gym Art Meets and all data will be suspended;
• Gym Art will delete all personal data associated with the Organizer within 30 days, unless legally required to retain it;
• The Organizer's obligations under Sections 2–10 remain in effect with respect to any data retention or ongoing regulatory obligations.

This Agreement is governed by and construed in accordance with the laws of the Province of Quebec, Canada, without regard to its conflict of laws principles. Any disputes arising from this Agreement are subject to the exclusive jurisdiction of the courts of the Province of Quebec.

The Organizer consents to the jurisdiction and venue of these courts and waives any objection to the inconvenience of such forum.

For questions, requests, or concerns regarding this Data Processing Agreement, the Organizer's obligations, or data processing practices, please contact Gym Art:

Gym Art will respond to inquiries and requests within 10 business days. For urgent data security matters, please contact privacy@gymart.org and reference "URGENT" in the subject line.