Data Processing Agreement (DPA)

This Data Processing Agreement (the “DPA”) forms an integral part of the Public Offer and/or agreement governing the use of the Move-o service.

The DPA governs the processing of personal data carried out by LuckySoft OÜ acting as a Data Processor on behalf of business customers using the Move-o service.

1. Definitions and roles

Data Controller means a legal entity or individual entrepreneur using Move-o that determines the purposes and means of the processing of personal data.

Data Processor means LuckySoft OÜ, which processes personal data solely on behalf of and under the instructions of the Data Controller.

Personal Data means any information relating to an identified or identifiable natural person as defined under the GDPR.

2. Subject matter of processing

The Data Processor shall process Personal Data exclusively for the purpose of providing, operating, and supporting the Move-o service, in accordance with the documented instructions of the Data Controller.

Personal Data shall be processed only for the duration of the contractual relationship between the parties.

3. Categories of data and data subjects

The following categories of Personal Data may be processed when using the service:

• client and student data of the Data Controller;
• parent or legal guardian contact details;
• attendance, scheduling, and membership information;
• payment and billing data (excluding full card details);
• business account user credentials.

Data subjects include clients, students, parents, employees, and other individuals whose data is entered into the service by the Data Controller.

4. Obligations of the Data Controller

The Data Controller shall:

• ensure a lawful basis for the collection and processing of Personal Data;
• obtain all required consents, including parental consent where applicable;
• provide appropriate privacy notices to data subjects;
• issue lawful and documented instructions to the Data Processor.

5. Obligations of the Data Processor

The Data Processor shall:

• process Personal Data only on documented instructions from the Data Controller;
• not use Personal Data for its own purposes;
• ensure confidentiality of Personal Data;
• implement appropriate technical and organizational security measures;
• ensure that personnel authorized to process Personal Data are bound by confidentiality.

6. Sub-processors

The Data Controller grants the Data Processor a general authorization to engage sub-processors necessary for the provision of the service, including hosting, infrastructure, and payment providers.

All sub-processors shall be subject to contractual obligations ensuring a level of data protection no less stringent than that set out in this DPA.

7. Security of processing

The Data Processor implements appropriate technical and organizational measures to protect Personal Data, including access controls, encryption, monitoring, and infrastructure security.

8. Data subject rights

The Data Processor shall provide reasonable assistance to the Data Controller in responding to requests from data subjects exercising their rights under the GDPR.

All data subject requests shall be handled through the Data Controller.

9. Personal data breaches

In the event of a Personal Data Breach, the Data Processor shall notify the Data Controller without undue delay after becoming aware of the breach.

10. Return and deletion of data

Upon termination of the use of the service or upon request of the Data Controller, Personal Data shall be deleted or returned, unless retention is required by applicable law.

11. Term

This DPA shall remain in effect for the duration of the processing of Personal Data by the Data Processor on behalf of the Data Controller.

12. Contact information

Data Processor: LuckySoft OÜ

Address: Harju maakond, Tallinn, Kesklinna linnaosa, Vesivärava tn 50-301, 10152

GDPR contact email: support@move-o.com