1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between The Promethean, LLC ("Processor," "we," "us") and you ("Controller," "Business," "you") for the use of TheBookingApp.co ("Platform").
This DPA governs the processing of personal data that you, as a business, collect from your customers and process through our Platform.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, modification, retrieval, use, disclosure, or deletion.
- "Customer Data" means Personal Data of your customers that you process through the Platform.
- "Sub-processor" means any third party engaged by us to process Customer Data on your behalf.
- "Data Breach" means any unauthorized access, acquisition, use, or disclosure of Personal Data.
3. Roles and Responsibilities
3.1 Your Role as Data Controller
As the Controller, you:
- Determine the purposes and means of processing Customer Data
- Are responsible for the lawfulness of data collection
- Must obtain appropriate consent or legal basis for processing
- Are responsible for informing customers about data processing
- Must respond to customer data requests (access, deletion, etc.)
3.2 Our Role as Data Processor
As the Processor, we:
- Process Customer Data only on your documented instructions
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate security measures
- Assist you in responding to customer data requests
- Notify you of any Data Breaches
- Delete or return Customer Data upon termination
4. Data Processing Details
4.1 Categories of Data
Customer Data processed through the Platform may include:
- Names and contact information (email, phone)
- Appointment history and preferences
- Service notes and special requests
- Payment information (processed by Stripe)
- Communication preferences
4.2 Processing Purposes
We process Customer Data solely for:
- Providing the Platform services as described in our Terms
- Appointment scheduling and management
- Sending notifications and reminders (on your behalf)
- Processing payments (through Stripe)
- Customer relationship management
- Analytics and reporting for your business
4.3 Duration of Processing
We process Customer Data for as long as you maintain an active account with us, plus any retention period required by law or specified in our Terms of Service.
5. Security Measures
We implement the following technical and organizational security measures:
5.1 Technical Measures
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256
- Secure authentication mechanisms
- Regular security testing and vulnerability assessments
- Firewalls and intrusion detection systems
- Regular backups with encrypted storage
5.2 Organizational Measures
- Employee background checks where legally permitted
- Confidentiality agreements with all personnel
- Access controls on a need-to-know basis
- Security awareness training
- Incident response procedures
- Regular policy reviews and updates
6. Sub-processors
6.1 Authorized Sub-processors
You authorize us to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | United States |
| Vercel | Hosting and deployment | United States |
| Stripe | Payment processing | United States |
| Twilio | SMS notifications | United States |
| Resend | Email delivery | United States |
6.2 Sub-processor Changes
We will notify you of any intended changes to sub-processors. You may object to a new sub-processor within 30 days of notification. If we cannot address your objection, you may terminate the affected services.
7. Data Subject Rights
We will assist you in fulfilling your obligations to respond to requests from individuals exercising their rights under applicable data protection laws, including:
- Right of access
- Right to rectification
- Right to erasure (right to be forgotten)
- Right to restriction of processing
- Right to data portability
- Right to object
You are responsible for responding to such requests. We will provide reasonable assistance and may charge a reasonable fee for excessive or complex requests.
8. Data Breach Notification
8.1 Notification Timing
We will notify you of any Data Breach affecting Customer Data without undue delay, and in any event within 72 hours of becoming aware of the breach.
8.2 Notification Content
Our notification will include, to the extent known:
- Description of the nature of the breach
- Categories and approximate number of individuals affected
- Categories and approximate number of records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact point for more information
8.3 Your Obligations
You are responsible for notifying affected individuals and relevant supervisory authorities as required by applicable law.
9. International Data Transfers
Customer Data may be transferred to and processed in the United States. We ensure that such transfers comply with applicable data protection laws through:
- Use of sub-processors with appropriate data protection commitments
- Standard Contractual Clauses where required
- Other legally recognized transfer mechanisms
10. Audits
Upon reasonable request and subject to confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA. This may include:
- Security certifications and audit reports
- Documentation of security measures
- Questionnaire responses
On-site audits may be conducted upon reasonable notice, at your expense, no more than once per year, unless required by a supervisory authority.
11. Data Deletion and Return
Upon termination of your account:
- You may export your Customer Data through the Platform's export features
- We will delete Customer Data within 30 days, unless legally required to retain it
- Backups containing Customer Data will be deleted according to our retention schedule
- We will provide certification of deletion upon request
12. Liability
Our liability under this DPA is subject to the limitations of liability set forth in our Terms of Service. Each party is liable for its own breaches of applicable data protection laws.
13. Updates to This DPA
We may update this DPA from time to time to reflect changes in our practices or legal requirements. Material changes will be notified to you, and your continued use of the Platform constitutes acceptance of the updated DPA.
14. Contact Information
For questions about this DPA or data protection matters, contact us at:
The Promethean, LLC
Data Protection Contact
Email: dpa@thebookingapp.co
Address: Colorado, United States