
Data Processing Addendum
Last updated: February 9th, 2026
1. Introduction and Scope
This Data Processing Addendum ("DPA") forms part of the Terms of Use between Kizomba Foundations ("Processor", "we", "us") and the event organizer ("Controller", "you") who uses the Kizomba Foundations platform to create and manage events that collect attendee personal data.
This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to all processing of personal data that Kizomba Foundations carries out on behalf of the Controller in connection with the provision of event management services through the platform.
By creating an event on the Kizomba Foundations platform, you acknowledge that you act as the Controller of the personal data collected from your event attendees, and that Kizomba Foundations acts as a Processor of that data on your behalf. This DPA governs the terms under which such processing takes place.
2. Definitions
- Controller means the event organizer who determines the purposes and means of processing personal data collected through the platform in connection with their events.
- Processor means Kizomba Foundations, which processes personal data on behalf of the Controller in connection with the provision of the platform services.
- Data Subject means an identified or identifiable natural person whose personal data is processed under this DPA, including event attendees and registered users.
- Personal Data means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller through the platform.
- Sub-processor means any third-party entity engaged by the Processor to assist in the processing of personal data on behalf of the Controller.
- Processing means any operation or set of operations performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion.
- Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data processed under this DPA.
3. Nature and Purpose of Processing
Kizomba Foundations processes personal data on behalf of the Controller for the following purposes in connection with the platform services:
- Event Registration: Collecting and managing attendee registrations, including name, email, dance role, skill level, and pass selections.
- Payment Processing: Facilitating payment transactions for event registrations through Stripe, including processing refunds and managing financial records.
- Event Communications: Enabling the Controller to send event-related communications to attendees, including updates, schedule changes, and announcements.
- Attendee Management: Providing the Controller with tools to view, manage, and export attendee lists, track check-ins, and manage waitlists.
- Competition Management: Recording and displaying competition results, rankings, and placements for events that include competition components.
4. Types of Personal Data
The following categories of personal data may be processed by the Processor on behalf of the Controller:
- Full name
- Email address
- Phone number (when provided during registration)
- Payment transaction data (processed through Stripe; credit card numbers are not stored by Kizomba Foundations)
- Dance role (lead or follow)
- Dance skill level (beginner, intermediate, advanced)
- Event registration records (pass type, registration date, status)
- Competition participation history and results
- Waitlist records
- Coupon and discount code usage
- Event review content (when submitted by attendees)
5. Categories of Data Subjects
The personal data processed under this DPA relates to the following categories of Data Subjects:
- Event Attendees: Individuals who register for, purchase passes to, or attend events created by the Controller on the platform.
- Registered Users: Individuals who hold user accounts on the Kizomba Foundations platform and interact with the Controller's events.
6. Duration of Processing
The Processor shall process personal data on behalf of the Controller for the duration of the Controller's use of the platform services. Processing begins when an attendee registers for the Controller's event and continues until:
- The Controller terminates their use of the platform;
- The Controller requests deletion of the data; or
- The data is no longer required for the purposes described in this DPA, subject to any legal retention obligations.
7. Processor Obligations
The Processor shall:
- Lawful Processing: Process personal data only on documented instructions from the Controller, including with respect to transfers of personal data outside the European Economic Area, unless required to do so by applicable law.
- Confidentiality: Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security Measures: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest, access controls, and regular security assessments.
- Sub-processor Management: Not engage another processor without prior written authorization from the Controller. The Controller provides general authorization for the Sub-processors listed in Section 8 of this DPA. The Processor shall inform the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object.
- Data Subject Rights: Assist the Controller, by appropriate technical and organizational measures, in fulfilling the Controller's obligations to respond to Data Subject requests for access, rectification, erasure, restriction, portability, or objection.
- Breach Notification: Notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach. The notification shall include the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
- Data Protection Impact Assessments: Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities, where required.
- Deletion or Return: At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data. See Section 11 for details.
- Audit and Inspection: Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. See Section 10 for details.
8. Sub-processors
The Controller provides general authorization for the Processor to engage the following Sub-processors. Each Sub-processor processes personal data only to the extent necessary for the specific purpose described:
| Sub-processor | Purpose | Data Location |
|---|---|---|
| Google / Firebase | Cloud hosting, Firestore database, Firebase Authentication, Firebase Storage, Firebase Analytics, Cloud Functions | United States |
| Stripe | Payment processing, event organizer payouts via Stripe Connect, fraud prevention | United States |
| Algolia | Search indexing and search functionality for users and events | United States |
| Brevo | Transactional email delivery (booking confirmations, event notifications) and live chat customer support | European Union |
| PostHog | Product analytics, usage tracking, and feature flag management | United States / European Union |
The Processor shall notify the Controller of any intended additions or replacements of Sub-processors by updating this DPA. The Controller may object to a new Sub-processor by contacting the Processor at contact@kizombafoundations.com within 30 days of being notified.
9. International Data Transfers
The Processor and its Sub-processors may transfer and process personal data outside the European Economic Area ("EEA"), primarily in the United States. For such transfers, the Processor relies on the following safeguards:
- EU-U.S. Data Privacy Framework: Where applicable, Sub-processors that have certified under the EU-U.S. Data Privacy Framework (e.g., Google, Stripe) provide an adequate level of protection for transatlantic data transfers.
- Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply, the Processor ensures that appropriate Standard Contractual Clauses approved by the European Commission are in place with Sub-processors to provide adequate safeguards for the transfer of personal data.
- Supplementary Measures: The Processor implements supplementary technical and organizational measures, including encryption of data in transit and at rest, to ensure the effective protection of transferred personal data.
If you have questions about the specific safeguards applied to your data transfers, please contact us at contact@kizombafoundations.com.
10. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 GDPR.
Audits shall be subject to the following conditions:
- The Controller shall provide at least 30 days' written notice before conducting an audit.
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
- The Controller shall bear the costs of any audit unless the audit reveals material non-compliance.
- The Processor may satisfy audit requests by providing relevant certifications, audit reports, or other evidence of compliance, where available and reasonably sufficient.
- Audit findings and all information obtained during the audit shall be treated as confidential by the Controller.
11. Data Deletion and Return
Upon termination of the Controller's use of the platform services, or upon the Controller's written request, the Processor shall:
- Data Return: Provide the Controller with a copy of all personal data processed on the Controller's behalf in a commonly used, machine-readable format, upon request.
- Data Deletion: Delete all personal data processed on the Controller's behalf within 30 days of the termination or request, unless applicable law requires continued storage.
- Sub-processor Deletion: Instruct all Sub-processors to delete the relevant personal data within the same timeframe.
- Confirmation: Provide written confirmation of the deletion upon the Controller's request.
The following data may be retained after deletion as required by law or legitimate business purposes:
- Financial transaction records required for tax, accounting, or regulatory compliance
- Data related to pending disputes, chargebacks, or legal proceedings
- Anonymized or aggregated data that no longer constitutes personal data
12. Data Breach Notification
In the event of a Data Breach affecting personal data processed under this DPA, the Processor shall:
- Timely Notification: Notify the Controller without undue delay and in any event within 48 hours of becoming aware of the breach, via the Controller's registered email address.
- Breach Details: Provide the Controller with sufficient information to enable the Controller to meet its obligations to notify the relevant supervisory authority and affected Data Subjects, including:
  - The nature of the breach, including the categories and approximate number of Data Subjects affected
  - The categories and approximate number of personal data records concerned
  - The likely consequences of the breach
  - The measures taken or proposed to address the breach and mitigate its effects
- Cooperation: Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
- Documentation: Document the breach, including the facts, its effects, and the remedial actions taken, in accordance with Article 33(5) GDPR.
13. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Use. Nothing in this DPA shall limit either party's liability for breaches of its obligations under applicable data protection law where such limitation would not be permitted by law.
14. General Provisions
- Governing Law: This DPA shall be governed by and construed in accordance with the laws applicable to the Terms of Use, without prejudice to the mandatory provisions of GDPR.
- Amendments: This DPA may be updated by the Processor from time to time. The Processor shall notify the Controller of material changes. Continued use of the platform following such notification constitutes acceptance of the updated DPA.
- Conflict: In the event of a conflict between this DPA and the Terms of Use, this DPA shall prevail with respect to the processing of personal data.
- Severability: If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
15. Contact
For any questions, requests, or notifications regarding this Data Processing Addendum, please contact us at contact@kizombafoundations.com.