Data Processing Agreement

The data processing obligations of Veast coaches when handling member personal data through the Platform. Governs how member data may be processed, shared, and deleted.

Last updated: May 2026
Effective date: September 18, 2026
For coaches and data sub-processors only — this agreement applies to verified coaches accepted onto the Veast Platform.
This DPA forms part of and supplements the Veast Coach Agreement. In the event of a conflict between this DPA and the Coach Agreement, this DPA controls with respect to data processing matters.

1. Definitions

Term: Definition
Personal Data: Any information relating to an identified or identifiable natural person, as defined under applicable data protection law including GDPR and PIPEDA.
Member Data: Personal Data of Platform members to whom you provide coaching services, made accessible to you through the Veast Platform.
Processing: Any operation performed on Personal Data, including collection, use, disclosure, storage, and deletion.
GDPR: EU General Data Protection Regulation 2016/679.
PIPEDA: Canada's Personal Information Protection and Electronic Documents Act.
Sub-processor: A third party engaged by the Coach to process Member Data on the Coach's behalf.
Breach: Any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Scope and Purpose

2.1 Scope

This DPA applies to all processing of Member Data by the Coach through the Veast Platform, including:

  • Viewing member profiles, questionnaire responses, and health disclosures
  • Reviewing and confirming AI-generated fitness routines
  • Communicating with Premium members via the private coach chat
  • Accessing member progress data, Veast Score, and workout logs within the Coach Dashboard
  • Creating and assigning custom routines scoped to the Coach's specialty planes

2.2 Purpose

The Coach may process Member Data only for the following purposes:

  • Providing personalized coaching, fitness guidance, and routine creation for assigned clients
  • Reviewing and confirming AI-generated routines within the Coach's declared specialty planes
  • Scheduling and conducting coaching sessions (video, chat, or group Q&A)
  • Monitoring client progress and adjusting programs accordingly
  • Communicating with clients within the Veast Platform's designated communication channels

The Coach must not process Member Data for any other purpose, including marketing to members outside the Platform, building independent client databases, or sharing with third parties for any reason other than as permitted under Section 5.

3. Coach Obligations

3.1 Lawful Processing

Process Member Data only in accordance with Veast's documented instructions, applicable data protection law, and this DPA. If the Coach believes an instruction infringes applicable law, the Coach must promptly notify Veast in writing.

3.2 Confidentiality

Ensure that all persons authorized to process Member Data are bound by confidentiality obligations at least as protective as those in this DPA, and that access is limited to those who need it to fulfill coaching duties.

3.3 Security

Implement appropriate technical and organizational measures to protect Member Data, including:

  • Securing devices used to access the Platform with strong passwords and screen locks
  • Not accessing the Platform over unsecured public Wi-Fi without a VPN
  • Not downloading, copying, or extracting Member Data to personal devices or external systems
  • Immediately notifying Veast of any suspected or confirmed Breach (see Section 7)

3.4 No Unauthorized Disclosure

Not disclose Member Data to any third party (including family members, colleagues, or business partners) without prior written consent from the member and notification to Veast.

3.5 Specialty Scope

Process Member Data only within the scope of the Coach's declared specialty planes. For member needs outside that scope, use the in-Platform referral suggestion tool rather than processing or advising on those areas.

3.6 Responding to Member Requests

Cooperate promptly with Veast to facilitate member rights requests (access, portability, erasure, rectification) within 48 hours of receiving notice from Veast.

4. Veast Obligations

Veast agrees to:

  • Provide the Coach with access to Member Data necessary and sufficient to fulfill coaching duties, and no more
  • Maintain appropriate security of the Platform infrastructure (encryption in transit and at rest, RLS enforcement, security monitoring)
  • Notify the Coach within reasonable time of changes to processing instructions that materially affect the Coach's obligations
  • Respond to Coach questions about data protection obligations and this DPA
  • Provide Veast's Privacy Policy and Terms of Service as the primary data protection framework communicated to members

5. Sub-Processing

5.1 Restriction

The Coach must not engage any Sub-processor to process Member Data without prior written consent from Veast.

5.2 Permitted Sub-processors

Video conferencing platforms used exclusively for 1:1 Premium sessions are pre-approved, where: the Coach has disclosed their chosen tool to Veast and the member prior to the first session, and the tool is used only for real-time session delivery (no persistent Member Data storage).

5.3 Sub-processor Obligations

Where a Sub-processor is approved, the Coach must ensure the Sub-processor is bound by data protection obligations equivalent to those in this DPA, and the Coach remains fully liable to Veast for the Sub-processor's compliance.

6. Data Subject Rights

When a member exercises their rights under GDPR (access, portability, erasure, rectification, restriction, objection) or CCPA/PIPEDA:

  • Veast will notify the Coach within 48 hours if the rights request requires any action from the Coach (e.g., deletion of locally retained notes)
  • The Coach must cooperate to complete the request within the statutory deadline (30 days for GDPR requests)
  • The Coach must not retain any copies of Member Data after a valid erasure request is processed by Veast, except where the Coach has an independent legal obligation to retain specific records

7. Breach Notification

7.1 Coach's Obligation

In the event that the Coach becomes aware of a confirmed or suspected Breach involving Member Data, the Coach must notify Veast at veganbeast@veast.life within 24 hours of becoming aware. The notification must include:

  • The nature of the Breach and categories of data affected
  • The approximate number of members affected (if known)
  • Likely consequences of the Breach
  • Measures taken or proposed to address the Breach

7.2 Veast's Obligation

Upon receiving notice of a Breach, Veast will investigate and contain the Breach, notify affected members and relevant supervisory authorities within 72 hours where required under GDPR Article 33 and applicable Canadian law, and coordinate with the Coach on remediation.

7.3 No Independent Notification

The Coach must not independently notify members or regulatory authorities about a Breach involving the Veast Platform without Veast's prior written consent, unless required to do so by law.

8. Audit and Compliance

Veast reserves the right, upon reasonable written notice (minimum 10 business days), to:

  • Request documentation of the Coach's data protection practices
  • Conduct or commission an audit of the Coach's processing activities related to Member Data, at Veast's cost

The Coach will reasonably cooperate with any such audit and provide access to relevant information.

9. Data Deletion on Contract End

Upon termination of the Coach Agreement or this DPA for any reason:

  • The Coach must immediately cease processing Member Data
  • Within 30 days of termination, the Coach must delete or return all Member Data in their possession (including any notes, exported data, or copies) and certify in writing to Veast that deletion is complete
  • The Coach may retain only such records as required by applicable law, and only for the duration required by law, after which they must also be deleted
  • Veast will revoke the Coach's Platform access on the termination date

10. Liability

Each party is liable for compliance with its own obligations under this DPA. If the Coach's breach of this DPA results in a GDPR fine, PIPEDA penalty, or civil claim against Veast, the Coach agrees to indemnify Veast for the damages, fines, and reasonable legal costs arising from that breach.

11. Governing Law

This DPA is governed by the laws of the Province of British Columbia, Canada. Disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of British Columbia.

12. Updates to This DPA

Veast may update this DPA in response to changes in applicable law or Platform operations. Material changes will be communicated to Coaches at least 14 days before the effective date. Continued use of the Platform as a Coach after the effective date constitutes acceptance of the revised DPA.

13. Contact

Veast X LTD — Data Protection Contact
Email: veganbeast@veast.life
Subject line: "DPA Inquiry"