Data Processing Agreement
Effective Date: February 24, 2026
This Data Processing Agreement ("DPA") is part of our Terms of Service and governs how BookingFlow processes personal data on behalf of our customers. This DPA is designed to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA).
1. Definitions
For purposes of this DPA:
- "Personal Data" means any information relating to an identified or identifiable natural person (your customers' names, emails, phone numbers, booking history)
- "Data Controller" means you, the venue owner (the entity that determines the purposes and means of processing Personal Data)
- "Data Processor" means BookingFlow (the entity that processes Personal Data on behalf of the Data Controller)
- "Sub-processor" means a third party engaged by BookingFlow to process Personal Data (e.g., Stripe, AWS)
- "Data Subject" means your customers (the individuals whose Personal Data is processed)
- "Processing" means any operation performed on Personal Data (collection, storage, use, disclosure, deletion)
2. Scope and Purpose
2.1 Relationship
You (the venue owner) are the Data Controller. BookingFlow is the Data Processor. We process Personal Data only on your behalf and according to your instructions.
2.2 Processing Purpose
BookingFlow processes Personal Data to:
- Accept and manage bookings on your behalf
- Send booking confirmations and reminders to your customers
- Process payments through Stripe
- Provide AI chatbot and voice agent support (if enabled)
- Store and display booking data in your dashboard
2.3 Types of Personal Data
We process the following Personal Data categories:
- Contact information: Name, email address, phone number
- Booking details: Date, time, number of participants, special requests
- Payment metadata: Transaction amount, date, last 4 digits of card (full card details are processed and stored by Stripe, not BookingFlow)
- IP address and device information (for fraud prevention)
2.4 Duration of Processing
We process Personal Data for the duration of your BookingFlow subscription and for a retention period after termination (see Section 9).
3. Your Instructions
BookingFlow processes Personal Data only according to your documented instructions. Your instructions include:
- The Terms of Service you agreed to when signing up
- Settings you configure in your dashboard (email templates, booking rules, data retention)
- Your use of BookingFlow features (embedding the widget, enabling chatbots, exporting data)
- Any additional written instructions you provide to our support team
If we believe an instruction violates GDPR or other data protection laws, we'll notify you immediately.
4. Sub-processors
4.1 Authorized Sub-processors
You authorize BookingFlow to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | United States |
| Amazon Web Services (AWS) | Cloud hosting and database | United States |
4.2 Changes to Sub-processors
If we add or replace a sub-processor, we'll notify you at least 30 days before the change. You can object by emailing support@bookingflowai.com. If we can't accommodate your objection, you may terminate your subscription without penalty.
4.3 Sub-processor Obligations
We impose the same data protection obligations on sub-processors as in this DPA. We remain liable for any sub-processor's failure to meet their obligations.
5. Data Security Measures
BookingFlow implements technical and organizational measures to protect Personal Data:
5.1 Technical Measures
- Encryption: All data in transit uses TLS 1.3. Passwords are hashed with bcrypt.
- Access controls: Role-based permissions. Multi-factor authentication available.
- Infrastructure: Data stored in AWS with encryption at rest.
- Network security: Firewalls, DDoS protection, intrusion detection.
5.2 Organizational Measures
- Staff training: Employees are trained on data protection principles.
- Confidentiality: Employees sign confidentiality agreements.
- Access limitation: Only authorized personnel can access production data.
- Security audits: Regular penetration testing and code reviews.
6. Data Breach Notification
6.1 Notification to Controller
If we discover a data breach involving your customers' Personal Data, we'll notify you within 72 hours of becoming aware of the breach. Our notification will include:
- Nature of the breach (what data was affected)
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact information for further inquiries
6.2 Your Obligations
As the Data Controller, you are responsible for notifying your customers and relevant data protection authorities if required by law. We'll assist you with this process.
7. Data Subject Rights
Your customers (Data Subjects) have rights under GDPR and CCPA. BookingFlow provides tools to help you fulfill these rights:
7.1 Right to Access
You can export customer data from your dashboard. We'll assist you in providing data to customers who request it.
7.2 Right to Rectification
You can edit booking data through the dashboard. Customers can also update their information directly.
7.3 Right to Erasure
You can delete customer data from your dashboard. Contact us if you need assistance with bulk deletions.
7.4 Right to Restrict Processing
If a customer requests restricted processing, contact us at support@bookingflowai.com. We'll mark their data as restricted.
7.5 Right to Data Portability
You can export customer data in CSV or JSON format from your dashboard.
7.6 Response Time
We'll respond to Data Subject requests within 30 days (as required by GDPR). You are responsible for responding to your customers within the legally required timeframe.
8. Data Protection Impact Assessments
If you're required to conduct a Data Protection Impact Assessment (DPIA) under GDPR Article 35, we'll provide reasonable assistance by sharing information about our processing activities, security measures, and sub-processors.
9. Data Deletion on Termination
When your BookingFlow subscription ends (either by cancellation or termination):
- You have 30 days to export all your data
- After 30 days, we'll delete all Personal Data from our active systems
- Backups may retain data for up to 90 days (then automatically deleted)
- We may retain anonymized usage data for analytics
- Certain records (billing, legal) may be retained for up to 7 years for compliance
You can request early deletion by contacting support@bookingflowai.com.
10. International Data Transfers
10.1 Transfer Mechanism
BookingFlow is based in the United States. If you're in the EU/EEA or UK, transferring Personal Data to us is an international transfer. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to protect your data.
10.2 Safeguards
We implement the security measures described in Section 5 to protect data transferred internationally. Our sub-processors (Stripe, AWS) also comply with EU data protection standards.
11. Audit Rights
You have the right to audit our compliance with this DPA. To request an audit:
- Contact us at support@bookingflowai.com with at least 30 days' notice
- We'll provide documentation of our security measures and compliance certifications
- For on-site audits, you must cover reasonable costs and sign a confidentiality agreement
- Audits are limited to once per year (unless required by a data protection authority)
12. Liability and Indemnification
Each party's liability under this DPA is subject to the limitation of liability clause in our Terms of Service. We're liable for damages caused by our breach of this DPA, except where the breach was caused by your instructions or failure to comply with data protection laws.
13. Contact Information
For questions about this DPA or to exercise your rights: