Consulter cet accord en français
Data Processing Addendum
Version 1.0 · Last updated: July 3, 2026
This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the Terms of Service between Revyn Media ("Processor", "we", "us"), an Alberta, Canada business (First Edmonton Place, 10665 Jasper Avenue, Edmonton, AB T5J 3S9, Canada), and the business that uses Revyn Engine ("Controller", "you"). It governs our processing of personal data that you or your guests put into the platform ("Controller Personal Data"). Where this DPA conflicts with the Terms on the subject of data protection, this DPA controls. Capitalized terms not defined here have the meaning given in the Privacy Policy.
1. Roles and scope
For guest personal information processed through the platform, you are the controller and we are your processor. We process Controller Personal Data only to provide and support the service — online booking, check-in and waivers, session management, payments, messaging, AI agents, marketing and analytics — and only on your documented instructions, including those given through your configuration of the platform. We will tell you if we believe an instruction violates applicable data-protection law. The subject matter, duration, nature and purpose of processing, the types of personal data, and the categories of data subjects are described in the Privacy Policy and your use of the platform.
2. Our security commitments
We maintain an information security program with technical and organizational measures appropriate to the risk, including encryption in transit and at rest, access controls with multi-factor authentication for privileged access, audit logging, retention limits, and vulnerability management. These measures are summarized on our Security & Compliance page and may be updated as the service evolves, provided the level of protection is not materially reduced. Responsibilities are shared: you are responsible for managing your own staff accounts, enabling multi-factor authentication for your users, and obtaining the consents your guests' data requires.
3. Confidentiality
We keep Controller Personal Data confidential and ensure that personnel authorized to process it are bound by appropriate confidentiality obligations. We do not sell Controller Personal Data or use it for our own purposes, and we do not access it except as needed to provide, secure and support the service, or as you instruct.
4. Sub-processors
You authorize us to engage the sub-processors listed in our Privacy Policy to help provide the service. Each sub-processor is bound by data-protection terms no less protective than this DPA. We will give you advance notice before adding or replacing a sub-processor, and you may object on reasonable data-protection grounds; if we cannot reasonably accommodate your objection, you may terminate the affected service. We remain responsible for our sub-processors' performance of their data-protection obligations.
5. Assistance with data-subject rights
The platform provides export, correction and erasure tools to help you respond to your guests' data-subject requests (such as access, rectification, deletion and portability). Taking into account the nature of the processing, we will also provide reasonable assistance with data protection impact assessments and consultations with, or inquiries from, supervisory authorities, to the extent these relate to our processing of Controller Personal Data.
6. Personal-data breaches
On becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Controller Personal Data, we will notify you without undue delay, and within any timeframe required by applicable law, with the information reasonably available to us and updates on remediation. You are responsible for any notifications you are required to make to your guests or to regulators as controller.
7. International transfers
The platform runs on Cloudflare's global network, and some sub-processors are located outside your province or country (including in the United States and the European Union). Where a transfer of Controller Personal Data is subject to cross-border rules, we rely on a lawful transfer mechanism — such as adequacy, standard contractual clauses, or, for Quebec, a transfer assessment — and implement appropriate safeguards. Details of the relevant safeguards are available on request.
8. Audits and compliance documentation
On reasonable prior notice and no more than once per year (or as a regulator requires), you may request our then-current compliance documentation — such as our security-framework self-assessment, the current sub-processor list, and relevant third-party attestations — to verify our compliance with this DPA. This obligation is satisfied by providing that documentation rather than by on-site access, unless applicable law requires otherwise.
9. Return and deletion on termination
On termination of the service, you may export Controller Personal Data using the platform's export tools during the 30-day window described in the Terms. After that, we will delete or return Controller Personal Data in accordance with your instructions and our retention schedule, except where applicable law requires longer retention (for example, signed waivers or financial records) — in which case we continue to protect it and limit processing to what the law requires.
10. Data protection law and roles
Each party will comply with the data-protection laws applicable to it, including, as relevant, PIPEDA and provincial privacy laws (including Quebec's Law 25), applicable US state privacy laws, and the GDPR/UK GDPR. You are the controller and are responsible for having a lawful basis to collect and use your guests' data — including valid parent or guardian consent for minors' waivers, and any marketing consents your jurisdiction requires. We process Controller Personal Data only as a processor on your behalf.
11. Term, changes and governing law
This DPA takes effect when you accept the Terms and continues for as long as we process Controller Personal Data. We review it at least annually and may update it; material changes are notified as described in the Terms. This DPA is governed by, and disputes are resolved under, the governing-law and disputes section of the Terms of Service (Province of Alberta, courts sitting in Edmonton). Questions about this DPA can be sent to [email protected], or by writing to Revyn Media, First Edmonton Place, 10665 Jasper Avenue, Edmonton, AB T5J 3S9, Canada.