Data Processing Addendum
IntelaMetrix Holdings, Inc.
IntelaMetrix Holdings, Inc. ("IntelaMetrix," "BodyMetrix," or "the Company," collectively referred to as "we," "us," or "our") ("Data Controller and Processor as applicable") and the Customer or Provider identified in the applicable Order Form ("Controller for locally stored Client Data") enter into this Data Processing Addendum ("DPA"). This DPA forms part of, and is subject to, the IntelaMetrix Master End User License Agreement (EULA).
This DPA governs the limited personal data IntelaMetrix receives through license validation network calls from Customer or Provider-operated BodyView software installations. It does not govern Client Data — body composition measurements and client records — which are stored exclusively on the Customer or Provider's local PC and are never received, accessed, or processed by IntelaMetrix.
1. Scope of Data Processing
Data IntelaMetrix processes:
| Data Element | Purpose | Legal Basis | Retention |
|---|---|---|---|
| IP address | License validation, fraud prevention | Legitimate interest (contract performance) | 2 years from last validation |
| Device / machine identifier | License enforcement, anti-piracy | Contract performance | 2 years from last validation |
| License key | License status confirmation | Contract performance | Duration of subscription + 2 years |
| Software version | Update eligibility, support triage | Legitimate interest | 2 years from last validation |
| OS version | Compatibility validation | Legitimate interest | 2 years from last validation |
| Validation timestamp | Audit trail, fraud detection | Legitimate interest | 2 years from last validation |
Data IntelaMetrix does NOT process:
- Body composition measurements or client assessment results
- Client names, demographics, or contact information entered into BodyView
- Session notes, usage observations, or provider annotations
- Any data stored in the local BodyView database
2. Roles of the Parties
For License Validation Data: IntelaMetrix Holdings, Inc. acts as an independent Data Controller. IntelaMetrix determines the purposes and means of processing License Validation Data.
For Client Data: The Customer or Provider is the sole Data Controller. IntelaMetrix is neither a processor nor a sub-processor of Client Data and has no role, access, or obligation with respect to it.
3. Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| Cloud computing platform | License validation server infrastructure | United States |
| eCommerce Platform | Account and subscription management | United States / Canada |
| CRM | Account holder contact data only; no Client Data | United States |
| Payment Platform | Payment processing | United States |
IntelaMetrix will provide 30 days' prior written notice before adding or replacing a sub-processor that processes License Validation Data.
4. Data Security
IntelaMetrix Holdings, Inc. maintains a security program appropriate to the risk of processing License Validation Data, including:
- Encryption of data in transit using TLS 1.2 or higher
- Access controls limiting License Validation Data to personnel with a defined operational need
- Regular security assessments of license validation infrastructure
- Audit logging of access to License Validation Data
5. Security Incident Notification
If IntelaMetrix becomes aware of a confirmed security incident involving License Validation Data, IntelaMetrix will notify the Customer or Provider within 72 hours of confirmation, to the extent permitted by law.
6. Data Subject Rights
To the extent that License Validation Data is linked to an identifiable individual, IntelaMetrix will respond to valid data subject rights requests in accordance with applicable privacy law, including the CCPA/CPRA, GDPR, UK GDPR, Canada's PIPEDA, and Quebec Law 25 where applicable.
7. Retention & Deletion
IntelaMetrix retains License Validation Data for 2 years from the last validation event. Upon subscription termination, IntelaMetrix will delete License Validation Data within 90 days, except where retention is required by law.
8. HIPAA Scope Clarification
IntelaMetrix Holdings, Inc. is not a HIPAA Business Associate with respect to Client Data, because IntelaMetrix does not receive, access, or maintain Protected Health Information (PHI) through the Platform. The license validation call does not constitute the creation, receipt, maintenance, or transmission of PHI.
If a Customer's or Provider's specific configuration would result in IntelaMetrix receiving PHI, that Customer or Provider must notify IntelaMetrix immediately at legal@BodyMetrix.com before any such data transmission occurs.
9. Order of Precedence
This DPA is governed by the laws of the State of Delaware. In the event of a conflict between this DPA and the IntelaMetrix Master EULA, this DPA controls with respect to data processing matters.
10. Contact
IntelaMetrix Holdings, Inc. — Privacy & Legal
2010 Elkins Way, Suite 2, Brentwood, CA 94513
privacy@BodyMetrix.com
916-840-0096
