Effective Date: June 17, 2026 · Version: 1.0
This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Hubabble Terms of Service (the "Agreement") between you (the coach, operating a coaching practice) and Hubabble. It governs how Hubabble processes personal data about your clients on your behalf.
1. The parties and the role split
In this DPA:
- "Hubabble", "we", "us", or "our" means Hubabble, LLC, a member-managed multi-member limited liability company organized under Oregon law, with its principal office at 403 Portway Avenue, Suite 300, Hood River, Oregon 97031.
- "you", "your", or the "Coach" means the individual or entity that holds a Hubabble account and uses Hubabble to run a coaching practice.
This DPA is built on one spine, used identically across all of Hubabble's legal documents:
- For data about you (the coach), your account, your billing, and visitors to Hubabble's own sites, Hubabble is the controller. That relationship is governed by Hubabble's Privacy Policy and the Agreement, not by this DPA.
- For data about your clients that you collect and process through Hubabble, you are the controller and Hubabble is the processor. This DPA governs that relationship. Your clients interact with Hubabble surfaces directly through tokenized links (for example to book a session, complete an intake form, sign a document, or pay), and they do so on your behalf, under your instructions.
This split matters because it determines who owes which duties to your clients. As the controller of your client data, you decide what to collect, why, and on what lawful basis. We process that data only to provide the service to you and only on your documented instructions.
Stripe's dual role
One subprocessor sits in two roles at once, and we state it the same way everywhere it appears. Stripe acts as a subprocessor when it processes payments on the coach's behalf, and as an independent controller for its own fraud-prevention and legal-compliance purposes. When Stripe acts as an independent controller, its own terms and privacy notice govern that processing, not this DPA. We never surface payments-provider internal jargon to you or your clients; in coach- and client-facing surfaces we say "Payments setup", "account verification", and "background tasks".
2. Definitions
Terms not defined here have the meanings given in the Agreement or in applicable Data Protection Law.
- "Applicable Data Protection Law" means all laws and regulations applicable to the processing of personal data under this DPA, including, where applicable: the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR"); the EU GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 ("UK GDPR") together with the UK Data Protection Act 2018; the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"); and equivalent data-protection laws of other jurisdictions to the extent they apply.
- "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Special Categories of Personal Data", "Personal Data Breach", and "Supervisory Authority" have the meanings given in the EU GDPR, and equivalent terms under UK GDPR and CCPA (for example "Business", "Service Provider", and "Consumer" under CCPA) carry their corresponding meanings.
- "Client Personal Data" means Personal Data about your clients (and about people connected to your clients, such as an emergency contact) that we process on your behalf under the Agreement. This is the data this DPA covers.
- "Subprocessor" means any third party we engage to process Client Personal Data on your behalf.
- "Standard Contractual Clauses" or "EU SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- "UK Transfer Mechanism" means, as applicable, the UK International Data Transfer Agreement ("UK IDTA") or the UK International Data Transfer Addendum to the EU SCCs (the "UK Addendum"), each issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.
- "Sensitive Data" means Special Categories of Personal Data under EU/UK GDPR Article 9 and any equivalent category of sensitive personal information under other Applicable Data Protection Law.
- "Subprocessor List" means the list of subprocessors Hubabble maintains and makes available to you, as referenced in Annex C.
3. Subject matter, duration, nature, and purpose of processing
This section satisfies the content requirements of EU/UK GDPR Article 28(3). The specifics are set out in Annex A and summarized here.
- Subject matter. Our processing of Client Personal Data so that you can run your coaching practice through Hubabble: scheduling and sessions, video sessions, client records (CRM), transactional and document email, payments, e-signed documents, and your coaching website.
- Duration. For the term of the Agreement, plus the limited additional periods described in Section 12 (deletion and return) and any retention required by law or by the append-only records described in Section 12.
- Nature. Collection, recording, organization, structuring, storage, retrieval, use, transmission, hosting, and (on your instruction, where supported) erasure of Client Personal Data, by automated means.
- Purpose. Solely to provide and support the service to you under the Agreement, and to comply with our own legal obligations. We do not process Client Personal Data for our own purposes, and we never sell it.
4. Categories of data subjects and personal data
Data subjects
- Your clients (current, prospective, and former), including people who book, attend, or are invited to sessions, complete intake or consent forms, sign documents, or pay you through Hubabble.
- People connected to your clients whose details a client or you provide, for example an emergency contact named on an intake form.
Categories of Client Personal Data
- Identity and contact data: name, email address, phone number, and similar contact details.
- Scheduling and session data: bookings, session times, time zone, attendance, cancellations, reschedules, and the white-labeled video room a session uses. (We never name the underlying video provider to you or your clients.)
- CRM and relationship data: the client records, tags, and history you keep in Hubabble.
- Free-form notes: your client notes and session notes, which you may write in a rich-text editor. These can contain anything you choose to record, including Sensitive Data.
- Intake and consent responses: answers your clients give on the forms you send, which may include wellbeing or mental-health information, goals, and similar context.
- Document and e-signature data: the documents you send for signature, the signed copies, signer name, and signing metadata (for example timestamp, IP address, and user agent captured at signing).
- Payment-related data: the information needed to take payment from a client and pay it out to your coaching practice. Sensitive payment-instrument details (such as full card numbers) are handled by our payments provider, not stored by Hubabble.
- Technical data generated as clients use tokenized links, such as IP address and user agent recorded for security and audit purposes.
Sensitive Data (Special Categories)
Some of what your clients share, and some of what you record, is Sensitive Data under EU/UK GDPR Article 9. In particular: client wellbeing and mental-health information collected on intake forms; free-form client notes and session notes (which can reveal health, beliefs, or other special categories); and, in the future, session recordings and transcripts if and when Hubabble ships them.
Processing Sensitive Data requires a valid Article 9 condition. Where you rely on the data subject's explicit consent, that consent must be specific to this processing, unbundled from other terms, and withdrawable as easily as it was given. You, as controller, are responsible for obtaining and maintaining a valid Article 9 condition for the Sensitive Data you collect through Hubabble.
No children's data
Hubabble is sold to adult coaches, and clients are presumed to be adults. You must not use Hubabble to process Personal Data about anyone under 16 (the EU GDPR Article 8 floor) or under 13 (the COPPA floor in the United States). If such data is collected in error, you must tell us promptly, and we will work with you to delete it within a reasonable time. We exclude children's data by contract rather than operating a children's-data program.
5. Your instructions; our processing obligations
Processing only on your instructions
We process Client Personal Data only on your documented instructions, including for international transfers, unless a law to which we are subject requires otherwise. In that case we will tell you of that legal requirement before processing, unless the law prohibits telling you on important grounds of public interest.
Your documented instructions are: (a) the Agreement and this DPA; (b) your configuration and use of the service (for example, the forms you build, the documents you send, the notes you write, and the settings you choose); and (c) any further written instruction you give us that is consistent with the service. If we believe an instruction infringes Applicable Data Protection Law, we will tell you (we are not obliged to give you legal advice).
Our core obligations as processor
We will:
- Process Client Personal Data only as described in Section 5 and Annex A, and not for our own purposes.
- Ensure that people authorized to process Client Personal Data are bound by an appropriate duty of confidentiality (Section 6).
- Implement and maintain the technical and organizational security measures described in Annex B, taking into account the state of the art and the risks of the processing.
- Engage subprocessors only on the terms in Section 8.
- Assist you, taking into account the nature of the processing, with the data-subject-request and compliance obligations described in Sections 9 and 10, so far as the service makes that possible.
- Tell you without undue delay about a Personal Data Breach affecting Client Personal Data, as described in Section 10.
- On termination, delete or return Client Personal Data as described in Section 12, subject to the honestly disclosed limits there.
- Make available to you the information needed to demonstrate compliance with Article 28, and allow for and contribute to audits, as described in Section 11.
6. Confidentiality
We will keep Client Personal Data confidential. We will ensure that any person we authorize to process Client Personal Data (including employees, contractors, and the members of Hubabble, LLC) is subject to a binding obligation of confidentiality, whether by contract or by a statutory duty, and is made aware of the confidential nature of the data. Access to Client Personal Data is limited to those who need it to provide or support the service.
7. Security measures
We will implement appropriate technical and organizational measures to protect Client Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as required by EU/UK GDPR Article 32. Those measures are described in Annex B, which is drafted to match what Hubabble has actually shipped, not an aspirational checklist. We may update the measures over time provided the level of protection does not materially decrease.
8. Subprocessors
General authorization
You give us general written authorization to engage subprocessors to process Client Personal Data, subject to this Section. The current subprocessors are listed in Annex C, which references the Subprocessor List we maintain.
Same-obligations flow-down
Where we engage a subprocessor, we will impose on it, by a written contract, data-protection obligations that are no less protective than those in this DPA, in particular the obligation to implement appropriate technical and organizational measures. Where a subprocessor fails to meet its data-protection obligations, we remain fully liable to you for the performance of that subprocessor's obligations, to the extent set out in this DPA and the Agreement.
Notice of changes and your right to object
We will give you at least 30 days' prior notice (through the Subprocessor List, by email, or in-product) before adding or replacing a subprocessor that processes Client Personal Data, so that you have an opportunity to object on reasonable data-protection grounds. You may object in writing within that 30-day notice period. If you object on reasonable grounds and we cannot offer a commercially reasonable alternative, your remedy is to stop using the affected feature or to terminate the Agreement as the Agreement describes. This general written authorization and objection right is the Clause 9 option elected for the EU SCCs (see Section 13).
Current subprocessors
The live and imminent subprocessors that process Client Personal Data are: Neon (the Postgres database of record); Vercel (hosting and edge delivery, and Speed Insights telemetry); our payments provider (platform billing live, and client payments imminent), in the dual role described in Section 1; our white-labeled video provider (which we never name to you or your clients); Google (per-coach Calendar API, where you connect your calendar); Resend (transactional and e-signature email; where enabled, it records delivery and engagement events such as opens and clicks); Amazon Web Services S3 in AWS region us-east-1 (US East, N. Virginia) (storage of signed PDF documents); Inngest (background jobs); and Cloudflare (DNS and inbound email). The Subprocessor List (subprocessor-list.md) is the single canonical source for this split; Annex C and this paragraph reference it and must match its live, imminent, and future breakdown.
9. Assistance with data-subject requests
Taking into account the nature of the processing, we will assist you with appropriate technical and organizational measures, so far as this is possible, to help you respond to requests from your clients to exercise their rights (for example access, rectification, erasure, restriction, portability, and objection under EU/UK GDPR, and the equivalent CCPA rights). Where the service provides self-service tooling for a given right, using it is the primary path; where it does not, we will assist on a reasonable basis.
If we receive a request directly from one of your clients, we will, unless legally required to act, refer the client to you and tell you about the request without undue delay rather than respond on your behalf.
10. Personal Data Breach
We will notify you without undue delay, and in any event within 72 hours after we become aware of a Personal Data Breach affecting Client Personal Data. Our notice will, to the extent then known and so far as the information is available to us, describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. We will provide further information in phases as it becomes available.
We will assist you, taking into account the nature of processing and the information available to us, in meeting your own breach-notification and communication obligations to Supervisory Authorities and to affected clients. You, as controller, are responsible for determining whether and how to notify a Supervisory Authority or your clients. We will not notify your clients of a breach on your behalf unless you instruct us to or the law requires us to.
This 72-hour notification process is operationalized in Hubabble's internal data-subject-request and breach runbook, which sets out detection, triage, the notification clock, and the contacts responsible for reaching the account email on file and the privacy inbox.
11. Audit
We will make available to you the information reasonably necessary to demonstrate compliance with EU/UK GDPR Article 28 and this DPA, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate.
To keep audits proportionate and protect other customers' data and our security posture: (a) you will give reasonable prior written notice; (b) audits will occur during business hours, no more than once per year unless a Supervisory Authority requires otherwise or a Personal Data Breach reasonably warrants it; (c) we may satisfy an audit request by providing our then-current security documentation and any third-party reports or certifications we hold; and (d) you will bear your own audit costs and treat all information obtained as confidential.
12. Deletion and return on termination
On expiry or termination of the Agreement, and at your choice, we will delete or return Client Personal Data, and delete existing copies, unless Applicable Data Protection Law requires us to keep it. We will do this within a reasonable period after termination.
An honest disclosure about what survives erasure. Some records are append-only by design and are kept for legal, financial, security, and evidentiary integrity. These include the audit-log events, the financial ledger, records of legal acceptances, and signed agreements. We do not edit or delete these rows. When you or a client exercises erasure, we remove or anonymize the personal identifiers we can, but anonymized or minimized references in these append-only records survive as a deliberate integrity measure. We disclose this rather than promise a clean wipe we do not perform.
13. International transfers
Client Personal Data may be processed in, or transferred to, countries outside the country where you or your clients are located, including the United States (for example, our database, hosting, document storage in AWS S3 us-east-1, and several subprocessors operate in or route through the United States).
Where a transfer of Client Personal Data subject to EU GDPR or UK GDPR is made to a country without an adequacy decision, the parties agree to rely on an appropriate safeguard:
- For transfers subject to EU GDPR: the EU SCCs (Commission Implementing Decision (EU) 2021/914) are incorporated into this DPA. Module Two (controller to processor) applies to transfers from you (controller) to us (processor), and Module Three (processor to processor) applies where we onward-transfer to a subprocessor. The parties elect the Clause 7 docking clause (so further parties may accede). For the Clause 9 subprocessor option, Option 2 (general written authorization) applies, with the prior-notice and objection period set out in Section 8. For Clause 17 (governing law), the SCCs are governed by the law of the Republic of Ireland. For Clause 18(b) (choice of forum and jurisdiction), disputes are resolved before the courts of Ireland. The Annexes to the SCCs are populated by Annexes A, B, and C of this DPA, and the competent supervisory authority is identified in Annex A.
- For transfers subject to UK GDPR: the UK Transfer Mechanism applies, by means of the UK Addendum to the EU SCCs, as completed by the parties. The UK Addendum is a transfer safeguard only. It does not, on its own, satisfy the Article 28 processor-contract requirements; those are met by this DPA.
Where there is a conflict between the SCCs or UK Transfer Mechanism and the rest of this DPA on a transfer matter, the transfer mechanism prevails to the extent of the conflict.
14. Recorded assent as a precondition
This DPA, and the transfer mechanisms it incorporates, bind the parties because your assent to the Agreement (and therefore to this DPA) is captured and recorded with its version, the date and time, and the IP address and user agent of the assenting session.
15. CCPA service-provider terms
To the extent we process Client Personal Data that is "personal information" of a California "consumer" and you are a "business" under the CCPA, we act as your service provider. We will:
- Process the personal information only on your behalf and for the business purposes specified in this DPA and the Agreement, and not for any other purpose.
- Not sell or share the personal information (as those terms are defined in the CCPA).
- Not retain, use, or disclose the personal information outside the direct business relationship with you, or for any purpose other than the business purposes specified, except as permitted by the CCPA.
- Not combine the personal information with personal information we receive from other sources, except as the CCPA permits a service provider to do.
- Comply with the applicable obligations of the CCPA and provide the same level of privacy protection it requires, and notify you if we determine we can no longer meet those obligations.
You may take reasonable steps to ensure we use the personal information consistent with your CCPA obligations, and to stop and remediate unauthorized use. We certify that we understand and will comply with these restrictions.
16. Notices, governing law, and forum
Notices to us under this DPA should go to privacy@hubabble.com and to: Hubabble, LLC, 403 Portway Avenue, Suite 300, Hood River, Oregon 97031.
This DPA is governed by the laws of the State of Oregon, without regard to its conflict-of-laws rules, and the parties submit to the exclusive jurisdiction of the state and federal courts located in Hood River County, Oregon, except to the extent the incorporated transfer mechanisms require a different governing law or forum for transfer matters.
Liability under this DPA is governed by the limitation-of-liability clause in the Agreement, except that the aggregate cap is structured as a non-zero floor: it is the greater of the fees paid in the 12 months before the claim or a fixed minimum amount, so the cap is never effectively $0 for a comped or trial coach.
17. Order of precedence
If there is a conflict between this DPA and the rest of the Agreement on a data-protection matter, this DPA prevails. If there is a conflict between this DPA and the incorporated SCCs or UK Transfer Mechanism on a transfer matter, the transfer mechanism prevails. Otherwise the Agreement governs.
Annex A: Details of processing
This Annex populates both the Article 28(3) content requirements and Annex I of the EU SCCs.
Parties. Data exporter / controller: the Coach (you). Data importer / processor: Hubabble, LLC.
Categories of data subjects. Your clients (current, prospective, and former) and people connected to them (for example an emergency contact named on an intake form).
Categories of personal data. Identity and contact data; scheduling and session data (including time zone and the white-labeled video room); CRM and relationship data; free-form client and session notes; intake and consent responses; document and e-signature data (including signer name and signing metadata such as timestamp, IP address, and user agent); payment-related data (sensitive payment-instrument data handled by the payments provider, not stored by Hubabble); and technical data such as IP address and user agent from tokenized links.
Sensitive Data (Special Categories). Client wellbeing and mental-health intake information; free-form client and session notes that may reveal special-category data; and, in the future if shipped, session recordings and transcripts. Restrictions applied: limited to the data subjects and purposes above; controller responsible for the Article 9 condition; processor does not use Sensitive Data for its own purposes.
Frequency of processing. Continuous, for the term of the Agreement.
Nature and purpose. As set out in Section 3: providing scheduling, video sessions, CRM, transactional and document email, payments, e-sign, and coaching website features to you, and supporting them.
Duration / retention. For the term of the Agreement plus the limited periods in Section 12; append-only records (audit events, ledger, legal acceptances, signed agreements) are retained with anonymized references after erasure.
Subprocessors. See Annex C and the Subprocessor List; each processes for the duration and purpose stated there.
Competent supervisory authority (SCC Annex I.C). For transfers subject to EU GDPR, the competent supervisory authority is the Irish Data Protection Commission (DPC), consistent with the Clause 17/18 election of Ireland in Section 13. Where a given coach (controller) is established in another EU member state, the supervisory authority competent for that controller applies instead.
Annex B: Technical and organizational security measures
This Annex describes measures that match what Hubabble has shipped, not an aspirational list. It populates Annex II of the EU SCCs.
- Tenant isolation. Every database query for Client Personal Data is scoped to the owning account (tenant). Tenant identity is resolved once per request and passed through the application; cross-tenant access is prevented in the data-access layer outside narrowly controlled platform-admin paths.
- Encryption in transit. All connections to Hubabble surfaces are served over HTTPS/TLS. Security headers (including HSTS and a content-security policy) are applied on responses.
- Encryption at rest. Neon provides encryption at rest for the Postgres database of record, and AWS S3 provides encryption at rest for the object storage that holds signed PDFs. In addition, per-coach calendar OAuth tokens are application-encrypted with AES-256-GCM before storage.
- Tokenized client links. Client-facing flows (book, sign, pay, receipt, reschedule, magic-link) use HMAC-peppered, hashed tokens rather than raw identifiers; tokens are verified in constant time, carry per-purpose lifetimes, and tokenized routes set a no-referrer policy to avoid leaking tokens.
- Access control. Access to Client Personal Data is limited to those who need it. Administrative access and impersonation of an account are gated, and every write made during impersonation is attributed to the staff member; certain destructive actions are blocked during impersonation.
- Audit logging. Security-relevant and account actions are written to an append-only audit log, capturing actor, IP address, and user agent, correlated by a trace identifier.
- Append-only financial integrity. Financial records are written to an append-only ledger that is never updated or deleted in place.
- Webhook and idempotency safety. Inbound webhook events are processed idempotently using a race-safe insert-on-conflict pattern.
- Input handling. User-generated rich text and HTML are sanitized with a strict schema before rendering; raw injection is not permitted.
- Secrets management. Application secrets are injected at runtime from a managed secrets store and are not committed to source. (The secrets manager does not itself receive Client Personal Data.)
- Backups. The Postgres database of record is backed up on a regular schedule.
- Rate limiting. Authentication and other sensitive endpoints are rate-limited (Postgres-backed) to reduce abuse.
Annex C: Subprocessors
The authoritative, current list of subprocessors that process Client Personal Data, with their processing purpose and location, is the Subprocessor List that Hubabble maintains and makes available to you (subprocessor-list.md, see Section 8). That Subprocessor List is the single canonical source; this Annex and the inline table below reference it and must match its live, imminent, and future split. If the table below ever drifts from the Subprocessor List, the Subprocessor List controls.
As of this Version, the subprocessors are:
| Subprocessor | Purpose (coach-facing framing) | Notes |
|---|---|---|
| Neon | Postgres database of record | Stores Client Personal Data. |
| Vercel | Hosting and edge delivery; Speed Insights telemetry | Serves the application. |
| Our payments provider | Payments setup and client payments | Stripe acts as a subprocessor when it processes payments on your behalf, and as an independent controller for its own fraud-prevention and legal-compliance purposes (Section 1). Client payments imminent. We never surface its internal jargon to you or your clients. |
| daily.co (Pluot Labs, Inc.) | Video sessions and your video room | Powers your video sessions and your video room; fully white-labeled and never named to you or your clients in any product surface. |
| Google | Per-coach calendar and scheduling (Calendar API) | Only where you connect your calendar; limited to providing calendar/scheduling features. Scopes: calendar.events (sensitive), calendar.readonly (sensitive), userinfo.email, userinfo.profile. |
| Resend | Transactional and e-signature email | Our email provider can record delivery and engagement events such as opens and clicks where that is enabled. |
| Amazon Web Services (S3) | Storage of signed PDF documents | AWS region us-east-1 (US East, N. Virginia). |
| Inngest | Background tasks | Runs background jobs. |
| Cloudflare | DNS and inbound email | Network and mail routing. |