Data Processing Agreement (DPA)

Last updated 8 May 2026

Pilot version. This Data Processing Agreement (DPA) is a pilot-stage minimum. Larger customers and the lawyer-reviewed final version may be requested separately by email: smoothbooking.app@gmail.com.

This Data Processing Agreement ("DPA") supplements the Terms of Service and Privacy Policy in respect of personal data processed by SmoothBooking on behalf of the Pro user (the "Controller") in accordance with Article 28 of the GDPR.

1. Parties

  • Processor: SmoothBooking (Business ID: Y-tunnus to be registered soon), address to be provided after registration.
  • Controller: the business that has registered as a Pro user and uses SmoothBooking to manage its own customer base.

2. Subject matter, duration, nature and purpose

  • Subject matter: processing of the Pro user's customers' personal data within the SmoothBooking service.
  • Duration: the agreement remains in force as long as the Pro user's account is active and ends within 30 days of account deletion, except for retention obligations imposed by law.
  • Nature and purpose: appointment and queue management, customer communications, marketing automation and loyalty / discount handling.

3. Data and data subjects

Categories of personal data:

  • Identifiers (name, email, phone)
  • Booking and queue history
  • Marketing consent state and opt-out history
  • Free-form notes entered by the Pro user about a customer

Data subjects: the Pro user's end customers.

We do not process special categories of data within the meaning of Article 9 GDPR unless the Pro user enters such data into a free-form note. We instruct against entering such information into free-form fields.

4. Processor obligations

SmoothBooking will:

  • process personal data only on documented instructions from the Controller — in practice, in line with the functionality of the Service;
  • ensure that personnel processing personal data are subject to confidentiality obligations;
  • implement appropriate technical and organisational security measures (Art. 32 GDPR; see section 7);
  • assist the Controller with requests it receives from data subjects (right of access, rectification, erasure, restriction);
  • notify the Controller without undue delay after becoming aware of a personal data breach (see section 8);
  • not transfer personal data outside the EU/EEA without a safeguard required by Articles 44–49 GDPR.

5. Controller obligations

The Pro user shall:

  • ensure that there is a lawful basis for the processing (contract, consent, legitimate interest, etc.);
  • inform data subjects in accordance with Articles 13/14 GDPR about its own processing;
  • enter only personal data necessary for the intended purpose into the system.

6. Sub-processors

The Controller grants a general authorisation to use sub-processors as listed below. The current list is in our Privacy Policy; we will give at least 30 days' notice in the Service or by email of new or replacing sub-processors. The Controller may object on reasonable grounds — we will then jointly seek a solution, failing which the Controller may terminate the agreement immediately.

The principal sub-processors are listed in the Privacy Policy.

7. Security

  • Connections are encrypted with TLS 1.2 or higher.
  • Passwords are stored as hashes, not in plain text.
  • Production access is role-based and logged.
  • Data is stored in the EU/EEA whenever the cloud platform allows; any transfers to third countries are based on the EU Standard Contractual Clauses.
  • Environments (dev/staging/production) are separated; production data is not used in testing.

8. Breach notification

Upon becoming aware of a personal data breach, we will notify the Controller without undue delay and at the latest within 72 hours, by email to the address on file for the Pro user's account. The notification will include the available information about the nature and impact of the breach and remedial actions.

9. Audit rights

On request, we will provide the Controller with a reasonable amount of written documentation about our security and processes to demonstrate compliance with this DPA. On-site audits require a separate agreement on scope and cost allocation.

10. Return or deletion of data

At the Controller's request or on termination of this agreement:

  • we will provide an export of the Controller's data in a machine-readable format, and
  • delete the data from our systems within 30 days, except for data the retention of which is mandated by law (e.g. accounting).

11. Liability

Liability between Processor and Controller is governed by the limitation provisions in section 16 of the Terms of Service, unless mandatory legislation (including Art. 82 GDPR) provides otherwise.

12. Contact and changes

For DPA-related questions: smoothbooking.app@gmail.com. We will give at least 30 days' notice of material changes.