Data Processing Addendum

Last updated: 10/06/2026

When a sports or service organization uses Chamelix to manage its customers, bookings, and — where applicable — medical/fitness certificates, that organization acts as the data controller and ArizenLab S.r.l.s. (which operates Chamelix) acts as a data processor on its behalf.

For this relationship, Chamelix offers a Data Processing Addendum ("DPA") to business customers. The DPA governs how Chamelix processes personal data on the organization's instructions, in line with Article 28 GDPR.

What the DPA covers

the subject matter, duration, nature, and purpose of the processing;
the categories of data subjects and personal data, including special-category health data where the organization manages fitness or medical certificates;
Chamelix's obligations as processor, including confidentiality, security measures, and assistance with data-subject requests;
the list of authorized subprocessors (see the Subprocessors page) and our commitment to give prior notice of changes;
handling of international transfers, including Standard Contractual Clauses where a subprocessor is outside the EEA;
return or deletion of personal data at the end of the service, taking into account that deleted files in cloud storage may remain recoverable for a limited period (see the Privacy Policy, "Backups and deletion recovery").

How to request the DPA

Business customers can request the current DPA, ask questions, or return a signed copy by contacting us at app@chamelix.it with the subject line "DPA request" and the legal name of the organization.

This page describes the availability of our DPA. It is not itself the agreement and does not replace the executed DPA between your organization and Chamelix.

Data Processing Addendum

Last updated: 10/06/2026

What the DPA covers

the subject matter, duration, nature, and purpose of the processing;

the categories of data subjects and personal data, including special-category health data where the organization manages fitness or medical certificates;

Chamelix's obligations as processor, including confidentiality, security measures, and assistance with data-subject requests;

the list of authorized subprocessors (see the Subprocessors page) and our commitment to give prior notice of changes;

handling of international transfers, including Standard Contractual Clauses where a subprocessor is outside the EEA;

return or deletion of personal data at the end of the service, taking into account that deleted files in cloud storage may remain recoverable for a limited period (see the Privacy Policy, "Backups and deletion recovery").

How to request the DPA

Business customers can request the current DPA, ask questions, or return a signed copy by contacting us at app@chamelix.it with the subject line "DPA request" and the legal name of the organization.

This page describes the availability of our DPA. It is not itself the agreement and does not replace the executed DPA between your organization and Chamelix.