IntelaMetrix Holdings, Inc.

Effective Date: January 1, 2026

IntelaMetrix Holdings, Inc. ("IntelaMetrix," "BodyMetrix," or "the Company," collectively referred to as "we," "us," or "our") ("Data Controller and Processor as applicable") and the Customer or Provider identified in the applicable Order Form ("Controller for locally stored Client Data") enter into this Data Processing Addendum ("DPA"). This DPA forms part of, and is subject to, the IntelaMetrix Master End User License Agreement (EULA).

This DPA governs the limited personal data IntelaMetrix receives through license validation network calls from Customer or Provider-operated BodyView software installations. It does not govern Client Data — body composition measurements and client records — which are stored exclusively on the Customer or Provider's local PC and are never received, accessed, or processed by IntelaMetrix.

1. Scope of Data Processing

Data IntelaMetrix processes:

Data Element Purpose Legal Basis Retention
IP address License validation, fraud prevention Legitimate interest (contract performance) 2 years from last validation
Device / machine identifier License enforcement, anti-piracy Contract performance 2 years from last validation
License key License status confirmation Contract performance Duration of subscription + 2 years
Software version Update eligibility, support triage Legitimate interest 2 years from last validation
OS version Compatibility validation Legitimate interest 2 years from last validation
Validation timestamp Audit trail, fraud detection Legitimate interest 2 years from last validation

Data IntelaMetrix does NOT process:

  • Body composition measurements or client assessment results
  • Client names, demographics, or contact information entered into BodyView
  • Session notes, usage observations, or provider annotations
  • Any data stored in the local BodyView database

2. Roles of the Parties

For License Validation Data: IntelaMetrix Holdings, Inc. acts as an independent Data Controller. IntelaMetrix determines the purposes and means of processing License Validation Data.

For Client Data: The Customer or Provider is the sole Data Controller. IntelaMetrix is neither a processor nor a sub-processor of Client Data and has no role, access, or obligation with respect to it.

3. Sub-Processors

Sub-Processor Purpose Location
Cloud computing platform License validation server infrastructure United States
eCommerce Platform Account and subscription management United States / Canada
CRM Account holder contact data only; no Client Data United States
Payment Platform Payment processing United States

IntelaMetrix will provide 30 days' prior written notice before adding or replacing a sub-processor that processes License Validation Data.

4. Data Security

IntelaMetrix Holdings, Inc. maintains a security program appropriate to the risk of processing License Validation Data, including:

  • Encryption of data in transit using TLS 1.2 or higher
  • Access controls limiting License Validation Data to personnel with a defined operational need
  • Regular security assessments of license validation infrastructure
  • Audit logging of access to License Validation Data

5. Security Incident Notification

If IntelaMetrix becomes aware of a confirmed security incident involving License Validation Data, IntelaMetrix will notify the Customer or Provider within 72 hours of confirmation, to the extent permitted by law.

6. Data Subject Rights

To the extent that License Validation Data is linked to an identifiable individual, IntelaMetrix will respond to valid data subject rights requests in accordance with applicable privacy law, including the CCPA/CPRA, GDPR, UK GDPR, Canada's PIPEDA, and Quebec Law 25 where applicable.

7. Retention & Deletion

IntelaMetrix retains License Validation Data for 2 years from the last validation event. Upon subscription termination, IntelaMetrix will delete License Validation Data within 90 days, except where retention is required by law.

8. HIPAA Scope Clarification

IntelaMetrix Holdings, Inc. is not a HIPAA Business Associate with respect to Client Data, because IntelaMetrix does not receive, access, or maintain Protected Health Information (PHI) through the Platform. The license validation call does not constitute the creation, receipt, maintenance, or transmission of PHI.

If a Customer's or Provider's specific configuration would result in IntelaMetrix receiving PHI, that Customer or Provider must notify IntelaMetrix immediately at legal@BodyMetrix.com before any such data transmission occurs.

9. Order of Precedence

This DPA is governed by the laws of the State of Delaware. In the event of a conflict between this DPA and the IntelaMetrix Master EULA, this DPA controls with respect to data processing matters.

10. Contact

IntelaMetrix Holdings, Inc. — Privacy & Legal
2010 Elkins Way, Suite 2, Brentwood, CA 94513
privacy@BodyMetrix.com
916-840-0096