1. Scope and Purpose

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer") and the platform operator ("Processor") and governs the processing of personal data on behalf of the Customer in connection with the use of the platform. This DPA applies where the Customer acts as a data controller and the Processor processes personal data on its behalf.

2. Definitions

Terms used in this DPA shall have the meanings given under applicable data protection law, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR where applicable.

Personal Data: any information relating to an identified or identifiable natural person processed under this agreement.
Processing: any operation performed on personal data, including storage, retrieval, use, and deletion.
Sub-processor: any third party engaged by the Processor to carry out processing activities on behalf of the Customer.

3. Categories of Personal Data Processed

The Processor may process the following categories of personal data on behalf of the Customer:

Customer end-user names, email addresses, and phone numbers
Billing and payment information (payment tokens only; raw card data is handled by payment processors)
Order history, booking records, and transaction metadata
IP addresses and device identifiers collected via session management
Marketing consent preferences and consent timestamps

4. Purpose and Legal Basis of Processing

The Processor processes personal data solely to provide the platform services described in the Terms of Service. Processing is carried out on the basis of the Customer's instructions and, where applicable, the legitimate interests of operating a secure, functional platform. The Processor will not process personal data for any purpose beyond what is necessary to deliver the agreed service.

5. Sub-processors

The Processor engages the following sub-processors who may access personal data:

Stripe, Inc. — payment processing and billing (United States)
Razorpay Software Pvt. Ltd. — payment processing (India, for applicable regions)
Amazon Web Services / Hetzner / equivalent cloud provider — infrastructure and hosting
Redis Labs / equivalent — session and cache storage

The Processor will notify the Customer of any material changes to sub-processors and provide a reasonable opportunity to object before the change takes effect.

6. Security Measures

The Processor implements the following technical and organisational measures to protect personal data:

Encryption of data in transit using TLS 1.2 or higher
Encryption of sensitive credentials at rest using AES-256
CSRF protection on all state-changing requests
Rate limiting on all public-facing API endpoints
Role-based access control limiting staff access to personal data
Comprehensive audit logging of all data access and modification events
Regular dependency updates and security patching

7. Data Subject Rights Assistance

The Processor provides self-service tools enabling the Customer to fulfil data subject rights requests without Processor involvement in most cases, including: data export (JSON format), consent withdrawal, marketing opt-out, and account deletion. Where a request cannot be fulfilled through self-service tools, the Processor will assist the Customer within a reasonable timeframe, typically 5 business days.

8. Breach Notification

In the event of a personal data breach affecting Customer data, the Processor will notify the Customer without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with Article 33 of the GDPR. Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

9. International Data Transfers

Where personal data is transferred outside the European Economic Area or the United Kingdom, the Processor ensures that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) with sub-processors or reliance on adequacy decisions issued by the relevant supervisory authority.

10. Data Retention and Deletion

Upon termination of the Customer's account or upon written request, the Processor will delete or anonymise all personal data within 30 days, except where retention is required by law. Audit logs may be retained for up to 6 years for compliance purposes and will be treated as confidential.

11. Audit Rights

The Customer may request, no more than once per year and with 30 days' written notice, a summary audit report or completed security questionnaire confirming the Processor's compliance with this DPA. Physical audits are subject to mutual agreement and reasonable cost sharing.

12. Contact

Questions or requests relating to this DPA should be directed to our data protection contact via the Support page. Enterprise customers requiring a countersigned DPA should request one through the same channel.