Legal · octobooking.com
Data Processing Agreement
Version 1.1 · Effective 1 June 2026
This Data Processing Agreement ("DPA") is entered into between you (the "Controller") and Octobooking ("Processor"), and forms part of the Terms of Service. It governs the processing of personal data carried out by the Processor on behalf of the Controller, pursuant to Article 28 of Regulation (EU) 2016/679 ("GDPR").
1. Parties
Data Controller: The individual or entity that has accepted this DPA by creating a shop on octobooking.com. As a shop owner, you determine the purposes and means of processing your customers' personal data.
Data Processor: Octobooking, operating the platform at octobooking.com. The Processor acts strictly on the Controller's documented instructions and does not independently determine the purpose of any processing.
2. Subject Matter and Duration
The Processor provides a cloud-based appointment and booking management platform that allows the Controller to manage bookings, customers, staff schedules, and related operational data for their business.
Octobooking is a scheduling tool. It does not process payments on behalf of the Controller, does not issue invoices or fiscal documents, and is not connected to any tax authority.
Processing begins upon acceptance of this DPA and continues for as long as the Controller maintains an active account. Termination is governed by Section 8.
3. Purpose of Processing
The Processor processes personal data solely to provide the Service, which includes:
- Creating and managing customer booking records on behalf of the Controller;
- Sending transactional notifications — confirmations, reminders, and cancellations — to end customers via email and/or SMS;
- Providing the Controller with customer management, staff scheduling, and reporting tools;
- Maintaining anonymised operational records after account deletion (see Section 8).
The Processor will not use personal data for its own purposes, for advertising, or for any purpose other than those listed above.
4. Categories of Personal Data and Data Subjects
Data subjects: End customers of the Controller's business (individuals who make or receive bookings), and staff members of the Controller (names used in booking records).
Data categories processed:
- Identity: first name, last name;
- Contact: email address, phone number;
- Booking: appointment dates and times, service name, staff member, notes;
- Operational: payment status (paid/unpaid), service price (for reference only — no invoicing);
- Technical: IP address (rate limiting and security only), session tokens (authentication).
5. Obligations of the Processor (Art. 28(3) GDPR)
The Processor commits to:
- Process personal data only on the Controller's documented instructions, including for international transfers, unless required otherwise by EU or Member State law.
- Ensure all persons authorised to process data are bound by appropriate confidentiality obligations.
- Implement technical and organisational measures appropriate to the risk (Art. 32 GDPR) — see Section 9.
- Engage sub-processors only in accordance with Section 6, under equivalent data protection obligations.
- Assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability) under Chapter III GDPR.
- Notify the Controller without undue delay — and at the latest within 48 hours — upon becoming aware of a personal data breach affecting the Controller's data. The notification will include: (a) the nature of the breach and approximate number of data subjects and records affected; (b) the likely consequences; (c) measures taken or proposed to address the breach. This enables the Controller to assess its own obligation to notify the supervisory authority within 72 hours under GDPR Art. 33.
- Make available information necessary to demonstrate compliance, and support audits or inspections by the Controller or a mandated auditor.
- At the Controller's request, delete or return all personal data at the end of the service relationship, subject to Section 8.
6. Sub-Processors
The Controller grants general authorisation for the Processor to engage the sub-processors listed below. The Processor will notify the Controller of any planned changes, giving a reasonable opportunity to object.
| Provider | Purpose | Location / Basis |
|---|---|---|
| Vercel Inc. | Application hosting & CDN | USA — SCC |
| Neon Inc. | PostgreSQL database | EU (Frankfurt) |
| Resend Inc. | Transactional email | USA — SCC |
| Twilio Inc. | Transactional SMS notifications; OTP delivery and verification (Twilio Verify); phone number risk profiling (Twilio Lookup V2) | USA — SCC |
| Cloudflare Inc. | Bot and fraud prevention (Turnstile — processes IP address and browser signals at signup to prevent automated abuse) | USA — SCC |
| Upstash Inc. | Distributed rate limiting (temporary storage of IP addresses and phone numbers, max 10-minute retention, for SMS abuse prevention) | USA — SCC |
| UploadThing | Image & file storage | USA — SCC |
SCC = Standard Contractual Clauses, Commission Decision 2021/914/EU (Art. 46(2)(c) GDPR).
7. International Data Transfers
Some sub-processors are based outside the EEA. Transfers are conducted under Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914/EU), supplemented by encryption in transit (TLS) and at rest.
8. Data Retention and Erasure
When a data subject exercises their right to erasure (Art. 17 GDPR), or when a Controller account is closed, the Processor applies the following procedure:
- Personal identifiers are erased immediately: name, email address, phone number, and any free-text notes are overwritten with anonymous placeholders. The auth account is deleted.
- Anonymised booking shells are retained for a reasonable operational period (up to 2 years after the last booking). These contain no personal identifiers — only dates, service names, and price references — and serve the Controller's legitimate interest in maintaining their business history (GDPR Art. 17(3)(e) and Art. 6(1)(f)). They are permanently deleted thereafter.
This app is a scheduling tool. It does not produce invoices, connect to tax authorities, or manage accounting records. No retention is carried out on the basis of fiscal or tax law.
9. Technical and Organisational Measures
Measures implemented in accordance with Art. 32 GDPR:
- All data in transit is encrypted using TLS 1.2 or higher;
- Data at rest is encrypted by the database provider (AES-256);
- Access to production systems requires MFA and is limited to authorised personnel;
- Authentication is handled by a purpose-built library with rate limiting, IP blocking, and phone OTP verification;
- Personal data is pseudonymised upon account deletion (ghosting procedure, Section 8);
- Dependencies are reviewed regularly for security vulnerabilities.
10. Controller Responsibilities
As the Data Controller, you are responsible for:
- Establishing a lawful basis for processing your customers' personal data (typically Art. 6(1)(b) GDPR — performance of a contract — for booking management);
- Providing your customers with a privacy notice that includes the information required under Art. 13 GDPR, and disclosing that Octobooking is used as a data processor;
- Handling data subject requests from your own customers and communicating relevant requests to the Processor where appropriate;
- Ensuring staff with access to the platform understand their data protection obligations.
11. Updates to this DPA
The Processor may update this DPA to reflect changes in law, technology, or the Service. Material changes will be communicated at least 30 days before taking effect. Continued use of the Service after the effective date constitutes acceptance. The current version number and effective date are shown at the top of this page.
12. Governing Law
This DPA is governed by EU law, in particular the GDPR, and where applicable, the national implementing law of the Member State in which the Controller is established. Disputes shall be submitted to the competent courts of the Controller's jurisdiction.
Contact
Data protection enquiries: privacy@octobooking.com