Data Processing Agreement
Version 1.0 · Last updated 14 July 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Fueld AI Ltd ("Fueld", "Processor", "we", "us") and the practitioner, coach, clinic or organisation that uses the Fueld professional portal ("Controller", "you", "your Organisation").
It applies where Fueld processes personal data of your clients (or prospective clients) on your behalf through the portal — for example, where a client shares health, nutrition, activity, sleep or related categories with your Organisation and your staff view or coach on that data.
This DPA is intended to meet Article 28 of the UK GDPR and equivalent obligations under the Data Protection Act 2018. It is governed by the laws of England and Wales.
By creating a professional portal account, inviting clients, or otherwise accessing client data through the portal, you agree to this DPA. It should be read with our Terms of Service and Privacy Policy.
1. Definitions
In this DPA, the following terms have the meanings given in the UK GDPR (or, where not defined there, the meanings below):
- UK GDPR means Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended.
- Client Data means personal data relating to a data subject who is your client (or prospective client), including special-category health data, that is made available to your Organisation through the Fueld professional portal as a result of that data subject's sharing choices.
- Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Data.
- Services means the Fueld professional portal and related hosting, storage, retrieval and support features that enable your Organisation to access Client Data shared with you.
- Sub-processor means any third party engaged by Fueld to process Client Data on Fueld's behalf in connection with the Services.
2. Roles of the parties
For Client Data processed under this DPA:
- You (the Organisation) are the controller. You determine the purposes and means of processing Client Data for your professional, clinical or coaching relationship with the client (for example, reviewing shared categories, coaching, care planning, and record-keeping for your practice).
- Fueld is the processor in respect of that processing: we host, store, display and otherwise process Client Data on your documented instructions as necessary to provide the Services.
Independent-controller carve-out
3. Subject matter, duration, nature and purpose
- Subject matter
- Provision of the Fueld professional portal Services, including hosting and making Client Data available to authorised users of your Organisation.
- Duration
- For the term of your portal subscription or organisation account, and thereafter until Client Data is deleted or returned in accordance with this DPA and our retention practices.
- Nature of processing
- Collection (via client sharing), storage, retrieval, organisation, structuring, display, transmission to authorised Organisation users, backup, and deletion or anonymisation.
- Purpose
- To enable your Organisation to access and use Client Data that clients have chosen to share with you, so that you can provide professional services to those clients.
- Documented instructions
- Your instructions are: (a) to process Client Data as necessary to provide the Services in accordance with the portal configuration and sharing permissions set by the client and by your Organisation; (b) any reasonable written instructions you give us that are consistent with this DPA and applicable law; and (c) processing required by UK or EU law to which Fueld is subject (in which case we will inform you unless legally prohibited).
4. Categories of data subjects and personal data
Data subjects: clients and prospective clients of your Organisation who use the Fueld consumer app (or related Fueld services) and who share one or more data categories with your Organisation.
Personal data (depending on what the client shares):
- Identity and contact data (for example name, email, user identifiers)
- Profile and demographic data relevant to coaching (for example age band, sex, goals)
- Nutrition and meal data (including photos and AI-derived estimates where applicable)
- Activity, sleep, recovery and wearable-derived metrics
- Other lifestyle or wellbeing categories the client elects to share
- Communications or notes visible in the portal in connection with the coaching relationship
Much of this is special-category health data under UK GDPR Article 9. You are responsible for ensuring you have a lawful basis (and, where required, an Article 9 condition) for your processing as controller. Fueld relies on the client's relationship with Fueld for Fueld's own controller processing, and on your instructions for processor processing under this DPA.
5. Your obligations as controller
You warrant and undertake that you will:
- process Client Data only for legitimate professional purposes related to your relationship with the client, and in accordance with data protection law;
- ensure you have a lawful basis (and any required Article 9 condition) for accessing and using Client Data;
- obtain and maintain any client consents, notices or professional permissions required for your practice (Fueld does not replace your clinical or professional consent obligations);
- limit access within your Organisation to staff who need it, and ensure those staff are bound by confidentiality;
- not instruct Fueld to process Client Data in a way that would breach data protection law; and
- promptly inform Fueld if you become aware that an instruction infringes UK GDPR or other applicable data protection law.
6. Fueld's obligations as processor
Fueld shall, in relation to Client Data processed under this DPA:
- Instructions. Process Client Data only on documented instructions from you (including with regard to transfers), unless required to do otherwise by UK or EU law.
- Confidentiality. Ensure that persons authorised to process Client Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking account of Article 32 UK GDPR (see Schedule 2).
- Sub-processors. Not engage another processor without prior general written authorisation (see Clause 7 and Schedule 1).
- Data subject rights. Taking into account the nature of the processing, assist you by appropriate technical and organisational measures, insofar as possible, for the fulfilment of your obligation to respond to requests for exercising data subject rights.
- Assistance. Assist you in ensuring compliance with Articles 32 to 36 UK GDPR (security, breach notification, data protection impact assessments and prior consultation), taking into account the nature of processing and information available to Fueld.
- Deletion or return. At your choice, delete or return all Client Data after the end of the provision of Services relating to processing, and delete existing copies, unless UK or EU law requires storage.
- Information and audits. Make available to you all information necessary to demonstrate compliance with Article 28 UK GDPR and this DPA, and allow for and contribute to audits (including inspections) conducted by you or an auditor mandated by you, subject to Clause 10.
7. Sub-processors
You give Fueld a general prior authorisation to engage Sub-processors for Client Data processing, provided that:
- Fueld maintains an up-to-date list of Sub-processors relevant to the Services (Schedule 1);
- Fueld imposes on each Sub-processor data-protection obligations equivalent to those in this DPA (Article 28(4) UK GDPR flow-down);
- Fueld remains fully liable to you for the performance of each Sub-processor's obligations; and
- Fueld will give you notice of intended changes to Sub-processors (addition or replacement) by updating Schedule 1 on this page and, where practicable, providing reasonable advance notice (for example via email or an in-portal notice). You may object on reasonable data-protection grounds within 14 days; if you object and the parties cannot agree a resolution, you may terminate the affected Services.
Sub-processors used solely for Fueld's independent controller purposes (and not for processing Client Data on your behalf) are not Sub-processors under this DPA; they are described in our Privacy Policy.
8. International transfers
Client Data (including special-category health data) processed under this DPA is hosted and processed in the United Kingdom and the European Economic Area, as set out in Schedule 1. Fueld's primary infrastructure for the Services runs on Google Cloud / Firebase in European regions.
MailerSend is used only for transactional email and receives name and email address — never Client health data. MailerSend's data centre is in the EU; its services may involve processing or transfer to other regions (including the United States) by its affiliates or sub-processors under European Commission Standard Contractual Clauses, as described in Schedule 1.
Stripe is used for portal subscription billing for your Organisation. Stripe does not support EU-only hosting or processing: payment-related personal data is transferred to Stripe, LLC in the United States and may be processed by Stripe's global sub-processors (including for card-network authorisation and fraud prevention). Stripe protects those transfers under the EU–U.S. Data Privacy Framework and Standard Contractual Clauses, as described in Schedule 1. Fueld does not send Client health data to Stripe.
If Client Data is transferred outside the UK or EEA to a country without an adequacy decision, Fueld shall ensure appropriate safeguards are in place — typically the UK International Data Transfer Agreement (IDTA) and/or the EU Standard Contractual Clauses (SCCs), or another lawful transfer mechanism — so that Client Data remains protected to a standard essentially equivalent to UK / EU law. Any such change would be reflected in an update to Schedule 1.
Contact data_protection@fueld.ai for further information about hosting locations or transfer mechanisms.
9. Personal data breaches
Fueld shall notify you without undue delay after becoming aware of a Personal Data Breach affecting Client Data processed under this DPA. Notification will include, to the extent then known:
- the nature of the breach;
- the categories and approximate number of data subjects and personal data records concerned;
- the likely consequences; and
- the measures taken or proposed to address the breach and mitigate its effects.
Fueld will cooperate reasonably with you so that you can meet your own notification obligations to the ICO and to data subjects where required. Notification under this clause is not an admission of fault or liability.
10. Audits and information
Audit rights are intended to verify Fueld's compliance with this DPA. Before conducting an on-site or invasive audit, you agree to:
- first review information Fueld makes available (security summaries, certifications, questionnaire responses);
- give reasonable prior written notice (not less than 30 days, except where a competent authority requires sooner);
- conduct audits during normal business hours, no more than once in any 12-month period (unless a Personal Data Breach or regulatory investigation reasonably requires more frequent review);
- ensure auditors are bound by confidentiality; and
- avoid disrupting Fueld's operations or accessing data of other customers.
11. Return and deletion of Client Data
On termination of your Organisation's portal access, or upon written request when Client Data is no longer required for the Services:
- you may request export of Client Data then available to your Organisation through the Services, where a self-serve or assisted export exists; and
- Fueld will delete or anonymise Client Data from active systems within a reasonable period, subject to backup retention cycles and any legal retention requirement.
Deletion of a client's Fueld consumer account is controlled by the data subject and Fueld's Privacy Policy. Where a client withdraws sharing with your Organisation, Fueld will stop making that shared Client Data available to you; underlying data may remain in the consumer app under Fueld's independent controller role.
12. Liability and indemnity
Each party remains responsible for its own compliance with data protection law in its respective role. Subject to the liability provisions in the Terms of Service (which apply to this DPA except where they conflict with mandatory data-protection law):
- Fueld is liable to you for damage caused by processing where Fueld has not complied with UK GDPR obligations specifically directed to processors, or has acted outside or contrary to your lawful instructions;
- you are liable for damage caused by processing where you have not complied with your controller obligations; and
- you shall indemnify Fueld against claims arising from your unlawful instructions or your misuse of Client Data, except to the extent caused by Fueld's breach of this DPA.
13. Term and changes
This DPA takes effect when you first accept it (including by creating or continuing to use a portal Organisation account) and continues until Fueld ceases processing Client Data on your behalf.
We may update this DPA from time to time to reflect changes in law, Sub-processors, or the Services. Material changes will be notified by updating the "Last updated" date on this page and, where appropriate, by email or in-portal notice. Continued use of the Services after the effective date of changes constitutes acceptance, except where applicable law requires a different process.
14. Governing law and jurisdiction
This DPA and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) are governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction, without prejudice to any mandatory rights you may have under applicable law.
15. Contact
For data-protection notices, Sub-processor objections, breach notifications to Fueld, or questions about this DPA:
- Email: data_protection@fueld.ai (data protection) · legal@fueld.ai (legal)
- Fueld AI Ltd, 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Supervisory authority (UK): Information Commissioner's Office — ico.org.uk/concerns.
Schedule 1 — Authorised Sub-processors
Sub-processors that may process personal data in connection with the professional portal Services. Locations indicate where processing may occur.
| Provider | Purpose | Location |
|---|---|---|
| Google / Firebase (Google Cloud) | Hosting, database, authentication, file storage, Cloud Functions and related infrastructure for the portal and shared Client Data | UK / EEA |
| PostHog (EU cloud) | Product analytics and diagnostics for portal usage (technical/usage events; not used to train third-party models on Client Data) | EEA |
| MailerSend | Transactional email for Organisation accounts and portal operations (e.g. welcome and account notices). Processes name and email address only — never Client health data or other special-category Client Data | EU (see note below) |
| Stripe | Portal subscription billing for your Organisation (billing and payment data about you/your Organisation — never Client health data or other special-category Client Data) | UK / EEA / USA (see note below) |
MailerSend. MailerSend's data centre is located in the EU and MailerSend states that it is GDPR compliant. Customer data (limited, for Fueld's use, to name and email address) may still be processed or transferred to other regions, including the United States, where MailerSend's affiliates or sub-processors operate. Where data is transferred outside the EU, MailerSend protects it using Standard Contractual Clauses (SCCs) approved by the European Commission. Fueld does not send Client health data, meal data, wearable data, or other special-category Client Data to MailerSend.
Stripe. Stripe cannot be restricted to EU-only processing. Even where Fueld contracts with Stripe's European entity, payment-related personal data is transferred to Stripe, LLC in the United States and may be processed by Stripe's global sub-processors (including card networks and fraud prevention such as Stripe Radar). Stripe protects international transfers under the EU–U.S. Data Privacy Framework (an adequacy decision for certified organisations) and Standard Contractual Clauses as a further safeguard. Card details are handled under Stripe's PCI DSS Level 1 controls and are not stored on Fueld's servers. Fueld does not send Client health data to Stripe.
A fuller list of processors used by Fueld as controller for the consumer app and Fueld's own purposes appears in the Privacy Policy. Wearable providers (e.g. Apple Health, Oura, Whoop, Garmin) are data sources under the client's control, not Sub-processors of Fueld under this DPA.
Schedule 2 — Security measures (summary)
Fueld maintains technical and organisational measures appropriate to the risk of processing special-category health data, including (as applicable):
- encryption in transit (TLS) and encryption at rest for primary datastores;
- access controls, authentication, and role-based permissions for Organisation staff and Fueld operations;
- segregation of environments and least-privilege access to production systems;
- logging, monitoring and alerting for security-relevant events;
- staff confidentiality obligations and restricted operational access to Client Data;
- backup and recovery processes for service continuity;
- vendor due diligence and contractual flow-down to Sub-processors; and
- processes for Personal Data Breach detection, escalation and notification.
Further detail may be provided on request to data_protection@fueld.ai for legitimate security-review purposes.
Related documents
- Privacy Policy — Fueld as controller for consumer and platform processing
- Terms of Service — commercial terms for the Service and professional portal
- Cookie Policy — cookies and similar technologies
Canonical URL: https://fueld.ai/data-processing-agreement. Reference this URL in security questionnaires, practitioner onboarding, and internal compliance documentation.