Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the agreement between BookByOnline and a Merchant and governs our processing of personal data on the Merchant's behalf. Where there is a conflict on data-protection matters, this DPA prevails.
Roles: controller and processor
For customer and booking data a Merchant processes through the Platform, the Merchant is the controller and BookByOnline is the processor. We process such personal data only on the Merchant's documented instructions, which include use of the Platform's features and this DPA, and as required by law.
Scope & duration of processing
We process personal data for the duration of the agreement to provide the booking, CRM, loyalty, campaign, payment-configuration, analytics and AI features the Merchant enables. Categories of data subjects include the Merchant's customers, staff and contacts; categories of data include identifiers, contact details, booking and payment records, and communications.
Subprocessors
The Merchant authorises BookByOnline to engage subprocessors to provide the service (see our Subprocessors page). We impose data-protection obligations on subprocessors no less protective than this DPA and remain responsible for their performance. We will give notice of intended changes and allow reasonable objection.
Security measures
We implement appropriate technical and organisational measures, including encryption in transit and at rest, tenant isolation with row-level security, access controls and least-privilege, logging and monitoring, and secure development practices, taking into account the state of the art and the risks of processing.
Cross-border transfers
Where processing occurs outside the Merchant's region, we rely on appropriate transfer mechanisms, including the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, together with supplementary measures where needed.
Data subject requests
Taking into account the nature of processing, we provide reasonable assistance (including through Platform functionality) to help the Merchant respond to data-subject requests to access, correct, delete, restrict, object to or port their data. If we receive a request directly, we will refer the individual to the relevant Merchant unless legally required to act.
Personal data breach notification
We will notify the Merchant without undue delay after becoming aware of a personal data breach affecting their data, and provide information reasonably available to help the Merchant meet its own notification obligations.
Audit rights
We make available information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Merchant or an appointed auditor on reasonable notice, subject to confidentiality and to not compromising other customers' security.
Return & deletion of data
On termination, and at the Merchant's choice, we delete or return personal data and delete existing copies, except to the extent retention is required by law. Standard export tools are available for a limited post-termination period.
Standard Contractual Clauses
Where required for international transfers, the applicable modules of the EU Standard Contractual Clauses and the UK Addendum are incorporated by reference into this DPA and completed by the parties' details and the descriptions of processing set out here.