This Data Processing Agreement ("DPA") forms part of the SubPro Terms of Service between Let's BJJ Inc. ("SubPro", "Processor") and the Platform User ("Academy Owner", "Controller") who has agreed to the Terms of Service.
The Academy Owner is the Data Controller. SubPro is the Data Processor. SubPro processes End User Data solely to provide the Service as described in the Terms of Service.
Students, subscribers, and other end users of the Academy Owner's video subscription service.
| Category | Data |
|---|---|
| Identity | Name, email address, account credentials (hashed) |
| Financial | Subscription status, purchase history (card data processed by Stripe, not stored by SubPro) |
| Usage | Watch progress, notes, playlists, favourites, login activity |
| Technical | IP address, browser type, device information |
SubPro shall process Personal Data only in accordance with the Controller's documented instructions, which are defined by the functionality of the Service. SubPro shall not process Personal Data for any other purpose unless required by applicable law, in which case SubPro will inform the Controller (unless prohibited by law).
SubPro ensures that all personnel authorised to process Personal Data are bound by obligations of confidentiality.
SubPro implements appropriate technical and organisational measures to protect Personal Data, including:
The Controller authorises SubPro to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Infrastructure, CDN, database (D1), file storage (R2), DNS | Global (US HQ) |
| Stripe, Inc. | Payment processing, subscription management | US |
| Mux, Inc. | Video hosting, encoding, delivery | US |
| Resend, Inc. | Transactional email delivery | US |
SubPro will notify the Controller at least 30 days before adding or replacing a Sub-processor. If the Controller objects, they may terminate the Service. SubPro ensures all Sub-processors are bound by data protection obligations no less protective than those in this DPA.
Sub-processor deletion instructions: Upon account deletion, SubPro will instruct each Sub-processor to delete viewer-level personal data as follows: Cloudflare D1/R2 (immediate deletion from active systems, backup rotation within 90 days); Mux (deletion of viewer-level analytics within 30 days via Mux API); Stripe (deletion subject to Stripe's own data retention policies for regulatory compliance); Resend (transactional email logs retained per Resend's retention policy, typically 30 days).
Personal Data may be transferred to:
Copies of relevant SCCs are available upon request to privacy@sub-pro.net.
SubPro will assist the Controller in responding to requests from Data Subjects to exercise their rights (access, rectification, erasure, portability, restriction, objection) by providing the following self-service tools:
For requests that cannot be handled via self-service, SubPro will provide reasonable assistance to the Controller within 15 business days.
SubPro will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification will include:
SubPro will make available to the Controller all information necessary to demonstrate compliance with this DPA. SubPro will allow and contribute to audits and inspections conducted by the Controller or an independent auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.
Upon termination of the Service, the Controller may request an export of all End User Data within 30 days. After the 30-day period, SubPro will delete all Personal Data from its systems, except where retention is required by applicable law. Backup copies will be rotated out within 90 days of deletion.
For certain categories of data, SubPro acts as an independent Data Controller (not a Processor), including:
Where SubPro independently determines the purposes of processing for platform operations or security monitoring, GDPR Article 28 (Processor obligations) does not apply to such processing. SubPro's processing of this data is governed by the Platform Privacy Policy.
This DPA remains in effect for the duration of SubPro's processing of Personal Data on behalf of the Controller. It automatically terminates when the Controller's SubPro account is closed and all Personal Data has been deleted in accordance with Section 11.
Data Processor: Let's BJJ Inc. (株式会社Let'sBJJ)
〒160-0023 東京都新宿区西新宿3丁目3番13号 西新宿水間ビル2F
Email: privacy@sub-pro.net