GDPR & Data Protection Addendum
Corvus Analytics, Inc.
Effective Date: January 6, 2026
1. Purpose and Scope
This GDPR & Data Protection Addendum ("Addendum") supplements the Corvus Analytics Terms of Service and Privacy Policy when Corvus Analytics, Inc. ("Corvus") processes Personal Data subject to:
- The EU General Data Protection Regulation (EU) 2016/679 ("GDPR")
- The UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR")
- Equivalent data protection laws in the EEA, UK, and Switzerland
This Addendum governs Corvus's processing of Personal Data as a data processor on behalf of our club customers ("Customer"), who act as data controllers.
In case of conflict between this Addendum and other agreements, this Addendum prevails to the extent related to GDPR or equivalent data protection laws.
2. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject").
"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
"Controller" means the entity which determines the purposes and means of Processing Personal Data.
"Processor" means the entity which Processes Personal Data on behalf of the Controller.
"Sub-processor" means any third party engaged by Corvus to Process Personal Data on behalf of the Customer.
"Data Protection Laws" means GDPR, UK GDPR, and any applicable data protection or privacy laws.
3. Roles of the Parties
3.1 Customer as Controller
The Customer:
- Determines the purposes and means of Processing Personal Data
- Is responsible for ensuring a valid legal basis for Processing
- Is responsible for providing Data Subjects with required privacy notices
- Is responsible for obtaining any required consents (including for minors)
3.2 Corvus as Processor
Corvus:
- Processes Personal Data solely on documented instructions from Customer
- Does not determine the purposes and means of Processing Personal Data
- Will not sell Personal Data or use it for its own marketing to Data Subjects
- May use aggregated or anonymized data to improve the Service, as permitted by this Addendum and the Privacy Policy
4. Subject Matter, Duration, Nature, and Purpose of Processing
4.1 Subject Matter
Corvus Processes Personal Data related to club members and club staff in connection with the provision of:
- Member analytics and engagement insights
- Churn prediction and retention modeling
- AI-powered campaign recommendations
- Reporting and dashboarding for club performance
4.2 Duration
Corvus Processes Personal Data for the duration of the Service Agreement, plus any retention period required by law or agreed with Customer (see Sections 11 and 12).
4.3 Nature and Purpose
Processing activities include:
- Ingesting customer-provided datasets
- Storing member profile and transaction data
- Running analytics and AI models to generate insights
- Displaying dashboards and reports
- Providing customer support and troubleshooting
- Improving model performance using anonymized or aggregated outputs
5. Categories of Data and Data Subjects
5.1 Categories of Personal Data
Depending on Customer configuration, Personal Data may include:
- Member identifiers (ID, membership number)
- Names and contact details
- Demographic data (age, gender, membership type)
- Membership status, join dates, renewal dates
- Engagement data (visits, bookings, class attendance)
- Transaction data (spend amounts, categories, dates)
- Communication preferences and consent flags
Customer shall not transmit the following to Corvus:
- Full payment card numbers, CVV/CVC codes, or track data
- Government ID numbers (e.g., SSN, national ID) unless strictly necessary and documented in writing
- Special categories of data under GDPR Article 9 (e.g., health data, religious beliefs) unless specifically agreed in writing
5.2 Categories of Data Subjects
Data Subjects include:
- Club members (including prospective, active, former, and lapsed members)
- Club staff or administrators whose data is added to the system
Customer is responsible for defining and documenting the categories of Data Subjects in their own privacy notices.
6. Customer Instructions
Corvus will Process Personal Data only:
- As necessary to provide the Service described in the main agreement
- In accordance with Customer's documented instructions
- As required to comply with applicable law (in which case Corvus will inform Customer, unless legally prohibited)
Customer's initial instructions are contained in:
- The main Service Agreement
- This Addendum
- Customer's written configuration of data flows and integrations
If Corvus believes an instruction violates Data Protection Laws, Corvus will inform Customer without undue delay.
7. Confidentiality and Security
7.1 Confidentiality
Corvus shall:
- Ensure that employees, contractors, and agents with access to Personal Data are bound by confidentiality obligations
- Limit access to Personal Data to individuals with a strict need to know
7.2 Security Measures
Taking into account the state of the art, cost of implementation, and nature of Processing, Corvus shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data at rest and in transit
- Access control, authentication, and authorization
- Regular security testing and vulnerability management
- Business continuity and disaster recovery plans
- Logging and monitoring of access to Personal Data
Details of Corvus security practices are available upon request (e.g., security overview or whitepaper).
8. Sub-processors
8.1 Authorization of Sub-processors
Customer grants Corvus general authorization to engage Sub-processors for Processing Personal Data, including but not limited to:
- Cloud infrastructure providers (e.g., AWS)
- AI service providers (e.g., Anthropic)
- Analytics and monitoring tools
- Email and communication services
Corvus will:
- Use only Sub-processors bound by written agreements with data protection obligations no less protective than this Addendum
- Remain responsible for Sub-processor performance with respect to Personal Data
8.2 Notice of Sub-processor Changes
Corvus will:
- Maintain a list of current Sub-processors, available upon request
- Notify Customer (via email or website) of material Sub-processor changes
- Allow Customer to object to a new Sub-processor on reasonable grounds related to data protection
If Customer reasonably objects, the parties will discuss in good faith. If no resolution is reached, Customer may terminate the affected services without penalty.
9. International Data Transfers
9.1 Transfers Outside the EEA/UK
Where Corvus or its Sub-processors transfer Personal Data outside the EEA, UK, or Switzerland, Corvus shall ensure that such transfers are made in compliance with Data Protection Laws, including by:
- Using EU Standard Contractual Clauses (SCCs) approved by the European Commission
- Implementing the UK International Data Transfer Addendum (IDTA), as applicable
- Ensuring adequate safeguards consistent with GDPR Chapter V
Customer authorizes these international transfers to the extent necessary for Service delivery.
10. Data Subject Rights Assistance
10.1 Assistance with Requests
Taking into account the nature of Processing, Corvus shall assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer's obligations to respond to Data Subject requests regarding:
- Access
- Rectification
- Erasure
- Restriction
- Portability
- Objection
10.2 Handling Data Subject Requests
If Corvus receives a request directly from a Data Subject, Corvus shall:
- Not respond directly (unless legally required)
- Promptly notify Customer of the request
- Provide reasonable assistance to Customer in responding to the request
Customer remains responsible for handling Data Subject requests and for fulfilling legal obligations under Data Protection Laws.
11. Personal Data Breach Notification
11.1 Breach Definition
"Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
11.2 Notification to Customer
In the event of a Personal Data Breach affecting Customer's Personal Data, Corvus shall:
- Notify Customer without undue delay after becoming aware of the breach
- Provide information available at the time, including:
  - Nature of the breach
  - Categories and approximate number of affected Data Subjects and records
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach
Corvus may provide information in phases as investigation proceeds.
11.3 Cooperation
Corvus will cooperate with Customer to:
- Investigate and remediate the breach
- Provide additional information as it becomes available
- Support Customer in meeting legal notification obligations to authorities and Data Subjects
Customer is responsible for regulatory and Data Subject notifications, unless otherwise agreed.
12. Data Retention and Deletion
12.1 Retention During Service
Corvus retains Personal Data for the duration of the Service Agreement, unless otherwise agreed or required by law.
12.2 Return or Deletion Upon Termination
Upon termination of the Service Agreement or upon Customer's written request, Corvus shall:
- Either return all Personal Data to Customer (in a commonly used, machine-readable format) or delete Personal Data, at Customer's choice
- Delete any remaining copies in its systems within 90 days, except where retention is required by law or for legitimate business purposes (e.g., audit logs)
Where deletion is not possible (e.g., data in backups), Corvus shall:
- Continue to protect such Personal Data in accordance with this Addendum
- Not actively Process Personal Data except for storage and security purposes
13. Audits and Compliance
13.1 Documentation
Corvus shall maintain documentation demonstrating compliance with this Addendum and Data Protection Laws, including:
- Records of processing activities (as required by GDPR Article 30)
- Security policies and procedures
- Sub-processor agreements
13.2 Audit Rights
Upon reasonable written notice and no more than once per year, Customer may:
- Request summaries of Corvus's third-party security assessments or certifications
- Request responses to security questionnaires
On-site audits may be conducted only:
- Where required by law or regulatory authority, or
- In the event of a confirmed security incident affecting Customer's Personal Data
Any audits shall:
- Be conducted during normal business hours
- Not unreasonably interfere with Corvus's operations
- Be subject to confidentiality obligations
14. Customer Obligations
Customer represents and warrants that:
- It has a lawful basis for Processing Personal Data and engaging Corvus as a Processor
- It has provided appropriate privacy notices to Data Subjects
- It has obtained any required consents (including parental consent for minors)
- It will not provide Corvus with more Personal Data than is necessary for the purposes of the Service
- It will not instruct Corvus to Process Personal Data in violation of Data Protection Laws
Customer shall be responsible for:
- Compliance with Data Protection Laws in relation to its own Processing activities
- Ensuring that its configurations and use of Corvus comply with Data Protection Laws
15. Liability and Indemnity
The limitations of liability in the main Service Agreement apply to this Addendum. Customer shall indemnify and hold Corvus harmless from claims, damages, or penalties arising from:
- Customer's failure to comply with Data Protection Laws
- Customer's unlawful instructions to Corvus
- Customer's failure to obtain necessary consents or provide required notices
16. Contact and Data Protection Officer
For questions about this Addendum or data protection at Corvus:
Data Protection Officer (DPO):
Email: [email protected]
Privacy: [email protected]
17. Changes to this Addendum
Corvus may update this Addendum to reflect changes in Data Protection Laws or its Processing practices. If changes are material, Corvus will:
- Provide at least 30 days' notice to Customer via email or the Service
- Allow Customer to raise reasonable objections or request discussion
If Customer does not agree to the updated Addendum, Customer may terminate the affected services in accordance with the Service Agreement.
Last Updated: January 6, 2026
Version: 1.0