Data Processing Agreement – Bookairy
This Data Processing Agreement ("DPA") forms part of the agreement between Bookairy and the Customer. Bookairy is operated by Ghekko Development, Willem Buytewechstraat 187 C, 3024 XH Rotterdam, the Netherlands, Dutch Chamber of Commerce number 70485437, establishment number 000028452003, VAT number NL858338543B01.
1. Roles and instructions
- The Customer is the controller for personal data entered into or processed through the Customer's Bookairy workspace.
- Bookairy is the processor where it processes personal data on behalf of the Customer.
- Bookairy processes personal data only on documented instructions from the Customer, including the agreement, this DPA, product configuration and lawful support requests.
- The Customer remains responsible for the lawfulness of the processing, the accuracy of data, information notices, consent where required and sector-specific obligations.
- If Bookairy believes an instruction infringes the GDPR or other applicable data protection law, Bookairy will inform the Customer unless prohibited by law.
2. Subject matter, duration and purpose
The subject matter of the processing is the provision, maintenance, security and support of the Bookairy booking, scheduling and business platform. The processing lasts for the term of the agreement and any reasonable export, backup, deletion or legal retention period after termination.
The purpose is to provide online bookings, calendars, customer management, staff management, services, events, products, POS, invoices, deposits, payment status, notifications, reporting, forms, multilingual booking flows, support, security, troubleshooting and related SaaS functionality.
3. Categories of personal data
- Names, addresses, email addresses, phone numbers and other contact details.
- Account, company, staff, role and permission data.
- Booking, calendar, appointment, waiting list, cancellation, no-show and service history data.
- Customer notes, preferences, form answers, uploaded files and communication content.
- Payment status, transaction references, invoice data, deposit data and refund or chargeback information.
- Device, installation, browser, app version, IP address, log, usage and security data.
- Depending on the Customer's configuration: health, treatment, wellness, intake or other sensitive data entered by the Customer or End Customers.
4. Categories of data subjects
- The Customer's clients, customers, patients, guests, participants or other end users.
- The Customer's staff, contractors, administrators and users.
- Contacts, support contacts and users of public booking pages.
5. Security measures
Bookairy implements appropriate technical and organizational measures, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks. Measures may include:
- HTTPS/TLS encryption for data in transit.
- Role-based access controls and authentication controls.
- Restricted internal access to production data.
- Logging, monitoring and abuse prevention.
- Secure cloud infrastructure and Firestore, storage or comparable security rules.
- Logical separation of company data by company or tenant identifiers.
- Cloudflare or comparable network protection, firewall, bot protection and DDoS mitigation.
- Backups, recovery or export mechanisms where available.
- Periodic application and infrastructure updates.
- Confidentiality obligations for persons authorized to process personal data.
6. Confidentiality
Bookairy ensures that persons authorized to process personal data are bound by confidentiality or are under an appropriate statutory obligation of confidentiality. Access is limited to what is necessary for operation, support, security and maintenance.
7. Subprocessors
The Customer gives Bookairy general authorization to use subprocessors. Bookairy will impose data protection obligations on subprocessors that are materially comparable to this DPA where required by the GDPR.
| Subprocessor | Purpose |
|---|---|
| Google Cloud / Firebase | Hosting, database, authentication, cloud functions, storage and platform infrastructure. |
| Cloudflare | DNS, CDN, security, DDoS protection, firewall functionality, bot protection, Turnstile, network protection and traffic filtering. |
| MailerSend | Transactional email and email notifications. |
| Mollie | Online payments, deposits, payment status, refunds and payment processing. |
| DeepL | Automatic translations of Customer-entered content when translation features are enabled. |
| Apple | App Store distribution, platform services and push notification infrastructure where applicable. |
| Google Play / Google | App distribution, platform services and push notification infrastructure where applicable. |
| Support, hosting, monitoring or communication tools | Support, operational communication, monitoring, diagnostics and customer service where used. |
Bookairy may update subprocessors when needed for the delivery, security or improvement of the Services. The Customer may object on reasonable data protection grounds within five (5) Business Days after notice of a material subprocessor change.
8. International transfers
Personal data may be transferred outside the European Economic Area only where permitted under the GDPR. Where required, Bookairy will use appropriate safeguards such as Standard Contractual Clauses, adequacy decisions, transfer impact assessments and supplementary measures.
9. Assistance to the Customer
Taking into account the nature of the processing and the information available to Bookairy, Bookairy will reasonably assist the Customer with data subject requests, security obligations, data protection impact assessments, prior consultation, breach investigations and information needed to demonstrate compliance. Bookairy may charge reasonable costs for assistance that goes beyond standard platform functionality or normal support.
10. Data breaches
Bookairy will notify the Customer without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the Customer. Where available, Bookairy will provide information about the nature of the breach, affected categories, likely consequences and measures taken or proposed. The Customer remains responsible for any notifications to supervisory authorities or data subjects.
11. Audits and compliance information
Bookairy will make available information reasonably necessary to demonstrate compliance with this DPA. Audits require prior written notice, may occur no more than once per calendar year unless a serious incident requires otherwise, must be performed during business hours by an independent expert bound by confidentiality and must not unreasonably disrupt Bookairy's operations.
12. Return and deletion
After termination, Bookairy will delete or make available for export personal data processed on behalf of the Customer, unless legal retention obligations require continued storage. Backups may remain temporarily until overwritten or deleted according to the regular backup cycle.
13. Liability and precedence
The liability limitations in the Terms and Conditions apply to this DPA unless mandatory law provides otherwise. If this DPA conflicts with the Terms and Conditions on personal data processing, this DPA prevails with respect to that conflict.