Data Processing Agreement
Last updated: March 24, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Book Tech, LLC, a Missouri limited liability company ("BookShip," "Processor") and you, the business or individual using the BookShip platform ("Provider," "Controller"). This DPA governs BookShip's processing of personal data on behalf of the Provider.
By using the BookShip platform to manage client data, you agree to the terms of this DPA. This DPA supplements and is incorporated into the Terms of Service and Privacy Policy.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by BookShip on behalf of the Provider through the Service.
- "Controller" means the Provider, who determines the purposes and means of processing Personal Data.
- "Processor" means BookShip, which processes Personal Data on behalf of the Controller.
- "Sub-Processor" means a third party engaged by BookShip to process Personal Data on behalf of the Controller.
- "Data Subject" means the individual to whom the Personal Data relates (e.g., a Guest or client of the Provider).
- "Security Breach" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the California Consumer Privacy Act (CCPA), the EU General Data Protection Regulation (GDPR), and any other applicable state, federal, or international data protection legislation.
2. Roles and Scope
2.1 Controller and Processor
The Provider is the Controller of client Personal Data entered into or generated through the BookShip platform. BookShip is the Processor, processing Personal Data solely on behalf of and under the instructions of the Provider.
2.2 Provider Responsibilities
As the Controller, the Provider is responsible for:
- Ensuring a lawful basis exists for collecting and processing Personal Data (e.g., consent, legitimate interest, contractual necessity).
- Providing any required privacy notices to Data Subjects.
- Responding to Data Subject rights requests, with reasonable assistance from BookShip.
- Ensuring that any instructions given to BookShip comply with applicable Data Protection Laws.
3. Details of Processing
3.1 Purpose
BookShip processes Personal Data solely to provide the Service as described in the Agreement, including appointment scheduling, client management, payment processing facilitation, SMS messaging, and analytics.
3.2 Categories of Data Subjects
- Clients and guests of the Provider.
- Team members and staff of the Provider.
3.3 Types of Personal Data
- Contact information (name, email, phone number).
- Address information (when provided by the Provider).
- Demographic information (birthday, gender preference — when provided).
- Appointment and booking history.
- Transaction records and payment metadata (card brand, last four digits — full card numbers are never stored by BookShip).
- SMS message content and delivery status.
- Notes and preferences entered by the Provider.
3.4 Sensitive Data
BookShip does not require or intentionally collect sensitive personal data (e.g., health information, racial or ethnic origin, religious beliefs). Providers should not enter sensitive personal data into the Service unless they have obtained appropriate consent from the Data Subject and have a lawful basis for processing such data.
3.5 Duration
Processing continues for the duration of the Agreement. Upon termination, data is handled as described in Section 9 of this DPA.
4. Processor Obligations
BookShip shall:
- Process Personal Data only on documented instructions from the Provider, unless required by law to do otherwise.
- Ensure that persons authorized to process Personal Data are subject to confidentiality obligations.
- Implement appropriate technical and organizational security measures as described in Section 5.
- Assist the Provider in responding to Data Subject requests and in ensuring compliance with data protection obligations.
- Not process Personal Data for any purpose other than providing the Service, except for anonymized, aggregated data as described in the Privacy Policy.
5. Security Measures
BookShip implements and maintains appropriate technical and organizational measures to protect Personal Data, including:
- Encryption: data encrypted in transit (TLS/HTTPS) and at rest.
- Access control: row-level security policies ensuring team-level data isolation, and role-based access controls within teams.
- Authentication: secure session management and password-based authentication.
- Payment security: PCI DSS compliance delegated entirely to Stripe. BookShip never stores full card numbers.
- Infrastructure: hosted on Supabase (cloud-hosted PostgreSQL) with managed security, backups, and monitoring.
- Error monitoring: Sentry is used for error tracking. Technical data in error logs is used solely for debugging and service reliability.
6. Sub-Processors
6.1 Authorization
The Provider authorizes BookShip to engage the following Sub-Processors to assist in providing the Service:
- Supabase — database hosting, authentication, file storage, and real-time subscriptions.
- Stripe — payment processing, subscription billing, and point-of-sale terminal support.
- Twilio — SMS message delivery and phone number management.
- Sentry — error monitoring and performance tracking.
6.2 Changes to Sub-Processors
BookShip will provide the Provider with at least thirty (30) days' advance notice before engaging a new Sub-Processor. If the Provider objects to a new Sub-Processor on reasonable data protection grounds, the parties will work in good faith to resolve the objection. If no resolution is reached, the Provider may terminate the Agreement.
6.3 Sub-Processor Obligations
BookShip ensures that each Sub-Processor is bound by data protection obligations no less protective than those in this DPA.
7. Data Subject Rights
The Provider, as Controller, is responsible for responding to Data Subject requests (e.g., access, correction, deletion, portability). BookShip will:
- Provide tools within the Service for Providers to view, export, and delete client data.
- Promptly notify the Provider if BookShip receives a Data Subject request directly, and not respond to the request except on the Provider's instructions.
- Provide reasonable assistance to the Provider in fulfilling Data Subject requests.
8. Breach Notification
In the event of a Security Breach affecting Personal Data, BookShip will:
- Notify the Provider without undue delay, and in any event within seventy-two (72) hours of becoming aware of the breach.
- Provide sufficient detail for the Provider to fulfill any breach reporting obligations, including the nature of the breach, categories and approximate number of Data Subjects affected, and measures taken or proposed to mitigate the breach.
- Take reasonable steps to contain and remediate the breach.
9. Data Return and Deletion
Upon termination of the Agreement:
- BookShip will make the Provider's data available for export for thirty (30) days following termination.
- After the export period, BookShip will delete or anonymize Personal Data within a reasonable timeframe, except where retention is required by applicable law.
- Financial records (payment transactions, sales records) are retained indefinitely as required for legal and accounting purposes, as described in the Terms of Service.
10. Audit Rights
Upon written request and with reasonable advance notice, BookShip will provide the Provider with information necessary to demonstrate compliance with this DPA. This may include:
- Written responses to reasonable compliance questionnaires.
- Summaries of relevant security certifications or audit reports, where available.
On-site audits may be conducted no more than once per year, at the Provider's expense, with at least thirty (30) days' advance written notice, during normal business hours, and subject to reasonable confidentiality obligations.
11. International Transfers
Personal Data is primarily stored and processed in the United States. If BookShip transfers Personal Data to a jurisdiction that does not provide an adequate level of data protection, BookShip will ensure appropriate safeguards are in place, such as Standard Contractual Clauses or other legally recognized transfer mechanisms.
12. Limitation of Liability
Each party's liability under this DPA is subject to the limitations set forth in the Agreement. This DPA does not create any independent liability beyond what is established in the Agreement.
13. Term
This DPA takes effect when the Provider begins using the Service and remains in effect for the duration of the Agreement. The obligations related to data deletion, return, and confidentiality survive termination.