Data Processing Agreement
Last updated: March 24, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Bookably App Inc. ("Processor") and the customer ("Controller") for the provision of the Bookably platform and services. This DPA applies where Bookably processes personal data on behalf of the Controller in connection with the Service.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws (including GDPR, CCPA/CPRA, and UK GDPR).
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Data Subject" means the identified or identifiable person to whom Personal Data relates.
- "Sub-processor" means any third party engaged by Bookably to process Personal Data on behalf of the Controller.
2. Scope and Purpose of Processing
Bookably processes Personal Data solely to provide the Service as described in the Terms of Service, including:
- Analyzing booking data to generate demand predictions and pricing recommendations
- Creating and delivering automated incentive offers to end clients
- Synchronizing data with connected third-party platforms
- Generating analytics and reporting for the Controller
3. Categories of Data and Data Subjects
| Data Category | Data Subjects | Examples |
|---|---|---|
| Booking data | End clients of the Controller | Appointment times, service types, client identifiers (hashed), booking status |
| Contact data | End clients of the Controller | Email addresses, phone numbers (for incentive delivery) |
| Account data | Controller's staff and administrators | Names, email addresses, role assignments |
| Provider data | Service providers / practitioners | Names, schedules, service assignments |
4. Controller Obligations
The Controller shall:
- Ensure it has a lawful basis for processing Personal Data and for instructing Bookably to process data on its behalf
- Provide clear and transparent privacy notices to Data Subjects regarding the use of Bookably
- Obtain any necessary consents from Data Subjects where required by applicable law
- Ensure the accuracy and completeness of Personal Data provided to Bookably
5. Processor Obligations
Bookably shall:
- Process Personal Data only on documented instructions from the Controller, unless required by law
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures to ensure data security (see Section 7)
- Assist the Controller in fulfilling its obligations to respond to Data Subject rights requests
- Delete or return all Personal Data upon termination of the agreement, at the Controller's election, within 30 days
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
6. Sub-processors
Bookably engages the following categories of sub-processors. The Controller authorizes the use of sub-processors subject to the conditions in this section.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Database hosting and authentication | United States |
| Vercel | Application hosting and edge delivery | United States / Global edge |
Bookably will notify the Controller at least 30 days before engaging a new sub-processor. If the Controller objects, Bookably will work in good faith to address the concern or provide an alternative. All sub-processors are bound by data processing agreements with protections no less stringent than this DPA.
7. Security Measures
Bookably implements the following technical and organizational measures:
- Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest
- Access controls: Role-based access, multi-factor authentication for administrative access
- Monitoring: Continuous logging and anomaly detection
- Incident response: Documented procedures for identifying, containing, and resolving security incidents
- Backups: Automated daily backups with point-in-time recovery
- Employee training: Regular security and privacy training for all personnel
8. Data Breach Notification
In the event of a personal data breach, Bookably will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:
- A description of the nature of the breach
- The categories and approximate number of Data Subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
9. International Data Transfers
Where Personal Data is transferred outside the EEA or UK, Bookably ensures appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Module 2: Controller to Processor)
- Transfer Impact Assessments where required
- Supplementary measures as necessary based on the laws of the receiving country
10. Data Subject Rights
Bookably will assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) by providing appropriate technical measures and information. Bookably will redirect any Data Subject requests it receives directly to the Controller, unless otherwise instructed.
11. Audits
Bookably will make available to the Controller, upon reasonable request and with reasonable notice, the information necessary to demonstrate compliance with this DPA. The Controller may conduct audits (or engage a qualified third-party auditor) no more than once per year, at the Controller's expense, provided such audit does not unreasonably interfere with Bookably's operations.
12. Term and Termination
This DPA remains in effect for the duration of the agreement between the parties. Upon termination, Bookably will, at the Controller's choice, delete or return all Personal Data within 30 days, and certify in writing that it has done so. Obligations that by their nature should survive termination (including confidentiality and security) will continue.
13. Governing Law
This DPA is governed by the same law that governs the underlying agreement between the parties. For EEA Data Subjects, the provisions of the GDPR take precedence where there is a conflict.
Contact
For questions about data processing, contact us at support@feltsense.com.
Bookably App Inc.
Email: support@feltsense.com