← Back to RIVL

Data Processing Agreement

Last updated: February 2026

1. Subject Matter and Purpose

RIVL provides a platform for organising training competitions and activity campaigns. When an Organiser creates a campaign or competition, participants register and submit personal data (including training and health data) through the RIVL app. RIVL processes this data solely on behalf of, and according to the documented instructions of, the Organiser.

The purpose of processing is to enable the Organiser to manage enrolments, track participant activity, display leaderboards, validate results, distribute rewards, and communicate with participants within the scope of the campaign or competition.

2. Categories of Data Subjects

• Participants (athletes) who enrol in the Organiser's campaign or competition
• Companions or validators designated by participants

3. Types of Personal Data Processed

Category	Examples
Identity data	Name, profile picture, email address
Activity data	Workout sessions, activity type, duration, distance, timestamps
Health data (Art. 9)	Heart rate measurements (only when participant has given explicit consent)
Competition data	Results, rankings, validation status, segment times
Communication data	Messages between participant and organiser within the platform
Technical data	Device identifiers, push notification tokens

Special category data: Heart rate and other health-related data are processed only when the participant has given explicit consent (GDPR Art. 9(2)(a)). The Organiser shall not request or require health data beyond what is collected through standard platform functionality.

4. Duration of Processing

Processing begins when the first participant enrols in the Organiser's campaign or competition and continues until:

1. The campaign or competition ends and all associated data retention periods have expired; or
2. The Organiser requests deletion of all campaign data; or
3. The Organiser's account is terminated.

After the campaign or competition ends, RIVL retains participant data for a maximum of 12 months to allow the Organiser to access results, generate reports, and fulfil any outstanding reward obligations. After this period, personal data is either deleted or anonymised.

Anonymised, aggregated statistics (which cannot be linked to any individual) may be retained indefinitely and are not considered personal data under GDPR Art. 4(1).

5. Obligations of the Processor

RIVL shall:

1. Process on instructions only — process personal data solely in accordance with the Organiser's documented instructions and not for any other purpose. If RIVL is required by EU or member state law to process data beyond the Organiser's instructions, RIVL shall inform the Organiser before processing (unless prohibited by law).
2. Ensure confidentiality — ensure that all persons authorised to process personal data are bound by statutory or contractual confidentiality obligations.
3. Implement security measures — implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 7 of this DPA (pursuant to GDPR Art. 32).
4. Respect sub-processor conditions — not engage another processor without the Organiser's prior general written authorisation. The Organiser grants general authorisation for the sub-processors listed in Section 8. RIVL shall inform the Organiser of any intended changes concerning the addition or replacement of sub-processors, giving the Organiser the opportunity to object.
5. Assist with data subject rights — taking into account the nature of the processing, assist the Organiser by appropriate technical and organisational measures in fulfilling the Organiser's obligation to respond to requests for exercising data subjects' rights under GDPR Chapter III (Articles 15–22).
6. Assist with compliance obligations — assist the Organiser in ensuring compliance with GDPR Articles 32–36 (security of processing, notification of personal data breaches, communication to data subjects, and data protection impact assessments), taking into account the nature of processing and information available to RIVL.
7. Delete or return data — at the choice of the Organiser, delete or return all personal data after the end of the provision of services, and delete existing copies unless EU or member state law requires storage of the personal data.
8. Demonstrate compliance — make available to the Organiser all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and allow for and contribute to audits, including inspections, conducted by the Organiser or an auditor mandated by the Organiser. RIVL shall immediately inform the Organiser if, in its opinion, an instruction infringes the GDPR or other data protection provisions.

6. Obligations of the Controller

The Organiser shall:

1. Ensure that there is a valid legal basis for the processing of participants' personal data, including obtaining any required consent (in particular for health data under Art. 9).
2. Provide participants with appropriate privacy information (transparency obligation under GDPR Art. 13–14) regarding the Organiser's use of the RIVL platform.
3. Not instruct RIVL to process personal data in a manner that would violate the GDPR or applicable data protection legislation.
4. Promptly notify RIVL of any data subject requests that require RIVL's assistance.

7. Security Measures

RIVL implements the following technical and organisational measures to protect personal data (GDPR Art. 32):

Technical measures

• Encrypted data in transit (TLS 1.2+/HTTPS on all endpoints)
• Encrypted data at rest (AES-256 via Supabase/AWS infrastructure)
• Row-Level Security (RLS) in the database — each user can only access data they are authorised to see based on their role (participant, organiser, validator)
• Authentication via Supabase Auth with support for Vipps, email/password, and biometric verification
• Automated backups with point-in-time recovery
• Push notification tokens stored per-user and accessible only by the token owner

Organisational measures

• Principle of least privilege — access to production data is restricted to essential personnel only
• Two-factor authentication on all infrastructure accounts
• Regular review of access rights and security configurations
• Incident response procedures in place (see Section 9)

8. Sub-processors

The Organiser grants general authorisation for the following sub-processors. RIVL shall ensure that each sub-processor is bound by data protection obligations no less protective than those in this DPA.

Sub-processor	Purpose	Location
Supabase, Inc.	Database hosting, authentication, storage, and serverless functions	AWS EU-West-1 (Ireland)
Amazon Web Services (AWS)	Cloud infrastructure underlying Supabase	EU-West-1 (Ireland)
Expo / EAS (Expo Application Services)	Push notification delivery	United States (with EU SCCs)

RIVL shall notify the Organiser at least 30 days in advance of any intended changes to the list of sub-processors. The Organiser may object to such changes within the notice period. If the Organiser objects and no reasonable alternative is available, either party may terminate this DPA upon written notice.

9. Data Breach Notification

In the event of a personal data breach (as defined in GDPR Art. 4(12)), RIVL shall:

1. Notify the Organiser without undue delay and in any event within 48 hours after becoming aware of the breach.
2. Provide the Organiser with sufficient information to enable the Organiser to fulfil its obligations under GDPR Articles 33 and 34, including:
   • The nature of the breach, including (where possible) the categories and approximate number of data subjects and records concerned
   • The likely consequences of the breach
   • The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
3. Cooperate with the Organiser and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

The Organiser remains responsible for notifying the supervisory authority (Datatilsynet) and affected data subjects where required under GDPR Articles 33–34. RIVL shall assist the Organiser in fulfilling these obligations.

10. International Transfers

All personal data is stored within the EU/EEA (AWS EU-West-1, Ireland). Where a sub-processor is located outside the EU/EEA (e.g., Expo/EAS in the United States), RIVL ensures that appropriate safeguards are in place, such as:

• EU Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914
• Verification that the sub-processor maintains adequate security measures

11. Data Deletion and Return

Upon termination of this DPA or upon the Organiser's request, RIVL shall:

1. Delete all personal data processed on behalf of the Organiser within 30 days, unless EU or member state law requires further retention (e.g., accounting obligations under the Norwegian Bookkeeping Act).
2. Upon request, provide the Organiser with a copy of all personal data in a structured, commonly used, and machine-readable format (e.g., CSV or JSON) before deletion.
3. Confirm deletion in writing upon the Organiser's request.

Anonymised data that cannot be linked to any individual is not subject to deletion requirements and may be retained for statistical purposes.

12. Audits and Inspections

The Organiser (or an independent auditor appointed by the Organiser) has the right to conduct audits to verify RIVL's compliance with this DPA. Audits shall be:

• Conducted with reasonable prior notice (at least 30 days)
• Carried out during normal business hours
• Limited to information relevant to this DPA
• Subject to reasonable confidentiality obligations

RIVL may satisfy audit requests by providing relevant certifications, audit reports, or other documentation demonstrating compliance, where available. If a physical or remote inspection is required beyond documentation review, the Organiser shall bear the reasonable costs of such inspection.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the RIVL Terms of Service (where applicable). Nothing in this DPA limits either party's liability for breaches of GDPR obligations that cannot be limited by contract under applicable law.

14. Term and Termination

This DPA enters into force when the Organiser accepts it (by checking the DPA checkbox when creating a campaign or competition) and remains in effect for as long as RIVL processes personal data on behalf of the Organiser.

Either party may terminate this DPA:

• By the Organiser deleting or archiving all campaigns and competitions
• By the Organiser closing their RIVL account
• By either party giving 30 days' written notice

Sections 5.7 (deletion/return), 9 (breach notification), 11 (data deletion), and 12 (audits) survive termination of this DPA.

15. Governing Law and Jurisdiction

This DPA is governed by and construed in accordance with the laws of Norway. Any dispute arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of Bergen, Norway.

16. Amendments

RIVL may update this DPA from time to time to reflect changes in legislation, sub-processors, or security practices. Material changes will be communicated to the Organiser via email or in-app notification with at least 30 days' notice. Continued use of the platform after the notice period constitutes acceptance of the updated DPA.

17. Contact

For questions about this Data Processing Agreement:
contact@getrivl.app

Norwegian Data Protection Authority (supervisory authority):
Datatilsynet — datatilsynet.no