Legal
Data Processing Agreement
Last updated: April 2026
1. Parties and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between GETBOOKD LTD ("Processor", "we", "us") and the groomer or business using the Bookd platform ("Controller", "you").
Processor: GETBOOKD LTD
Registered Address: 49 Maes y Crofft, Morganstown, Cardiff CF15 8FE
Email: info@getbookd.io
Website: getbookd.io
This DPA applies to all personal data processed by Bookd on behalf of Controllers through the Bookd platform, in accordance with Article 28 of the UK GDPR.
2. Roles and Responsibilities
You (the Controller): You determine the purposes and means of processing personal data. As a groomer using Bookd, you are the data controller for your clients' personal data (names, contact details, pet information, booking history).
Bookd (the Processor): We process personal data solely on your behalf and in accordance with your instructions. We do not use your clients' data for our own marketing or any purpose beyond providing the Bookd service to you.
3. Data Processed
The categories of personal data processed through the Bookd platform include:
- Client data: Names, email addresses, phone numbers, addresses
- Pet data: Pet names, breeds, ages, weights, health conditions, grooming preferences
- Booking data: Appointment dates, times, services booked, booking status, prices
- Payment data: Transaction references, payment amounts, deposit records (card details are processed directly by Stripe and never stored on Bookd servers)
- Communication data: SMS and email notification logs, message content sent on your behalf
4. Sub-Processors
We use the following sub-processors to deliver the Bookd service. Each sub-processor has been assessed for GDPR compliance and appropriate data protection measures:
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Supabase (PostgreSQL) | Database hosting, authentication, storage | EU (Frankfurt) |
| Stripe | Payment processing, subscriptions, deposits | EU/UK |
| Twilio | SMS notifications (confirmations, reminders) | US (with EU data processing) |
| Brevo | Transactional email delivery | EU (France) |
| Vercel | Application hosting, edge network | Global (primary EU) |
| PostHog | Product analytics (anonymised, consent-gated) | EU (Frankfurt) |
| Sentry | Error tracking and performance monitoring | EU |
We will notify you of any intended changes to sub-processors, giving you the opportunity to object to such changes.
5. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest
- Row-Level Security (RLS) on the database ensuring groomers can only access their own data
- Authentication via Supabase Auth with secure session management
- Rate limiting on all public-facing API endpoints
- Regular security assessments and dependency updates
- Access controls limiting staff access to production data
- Security headers (HSTS, CSP, X-Frame-Options) on all endpoints
6. Data Breach Notification
In the event of a personal data breach, we will notify you without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include:
- A description of the nature of the breach
- The categories and approximate number of data subjects affected
- The likely consequences of the breach
- Measures taken or proposed to address the breach
We will cooperate fully with you and the ICO in investigating and resolving any data breach.
7. Data Retention
We retain personal data for the duration of your subscription. Upon account cancellation:
- Your data will be retained for 30 days to allow for account reactivation
- After 30 days, all personal data will be permanently deleted from our active systems
- Backup copies may persist for up to 90 days before automatic deletion
- You may request immediate deletion at any time by contacting info@getbookd.io
8. International Transfers
Where personal data is transferred outside the UK/EEA (e.g., Twilio's US infrastructure), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the ICO
- UK International Data Transfer Agreements (IDTAs) where applicable
- Adequacy decisions by the UK Secretary of State
Our primary database (Supabase) and analytics (PostHog) are hosted in the EU (Frankfurt), minimising the need for international transfers.
9. Data Subject Rights
We will assist you in responding to data subject requests from your clients, including:
- Right of access: Providing copies of personal data held
- Right to rectification: Correcting inaccurate data
- Right to erasure: Deleting data upon request
- Right to data portability: Exporting data in a structured format
- Right to restrict processing: Limiting how data is used
- Right to object: Stopping certain types of processing
You can manage client data directly through the Bookd dashboard (edit, delete, export). For requests we need to assist with, contact us at info@getbookd.io and we will respond within 48 hours.
10. Audit Rights
You have the right to audit our compliance with this DPA. We will make available all information necessary to demonstrate compliance with our obligations and allow for audits, including inspections, conducted by you or an auditor mandated by you.
Audit requests should be made in writing to info@getbookd.io with at least 30 days' notice.
11. Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising from this agreement shall be subject to the exclusive jurisdiction of the courts of England and Wales.
Contact Us
For any questions about this Data Processing Agreement, contact us at: info@getbookd.io
GETBOOKD LTD · 49 Maes y Crofft, Morganstown, Cardiff CF15 8FE