Data Processing Addendum
Last updated: May 9, 2026
This Data Processing Addendum (“DPA”) governs the processing of personal data BookyTails performs on behalf of you, the Subscriber, in connection with your use of the service. By subscribing to BookyTails, you and BookyTails agree to this DPA. It forms part of and is incorporated into our Terms of Service.
1. Definitions
- “Subscriber” means the groomer or business that has an account with BookyTails.
- “Customer Personal Data” means personal data of pet parents (the Subscriber's end customers) that the Subscriber, or its end customer at the Subscriber's direction, submits to BookyTails. Examples: name, phone, email, pet info, intake photos, appointment data.
- “Controller,” “Processor,” “Data Subject,” and “Personal Data” have the meanings given in the GDPR/UK GDPR. For California, the equivalent CCPA/CPRA definitions apply (“Business,” “Service Provider,” “Consumer,” etc.).
- “Sub-processor” means a third party engaged by BookyTails to process Customer Personal Data on its behalf.
2. Roles
With respect to Customer Personal Data, the Subscriber is the Controller and BookyTails is the Processor. BookyTails will process Customer Personal Data only on the Subscriber's documented instructions, including as set out in our Terms of Service and the functional configuration of the service (e.g., enabling SMS reminders, creating appointments).
3. Subject matter and duration
BookyTails processes Customer Personal Data to provide the SaaS platform described in the Terms of Service: customer intake, AI quote estimation, scheduling, appointment management, payment processing (via Stripe), SMS notifications (via Brevo), and reporting. Processing continues for the duration of the subscription, plus the deletion window described below.
4. BookyTails' obligations
BookyTails will:
- Process Customer Personal Data only as instructed by the Subscriber and in accordance with applicable law.
- Implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data, as described in our Security page.
- Ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations.
- Not sell or rent Customer Personal Data, share it for cross-context behavioral advertising, or use it for any purpose beyond providing the service.
- Assist the Subscriber in responding to Data Subject rights requests (access, rectification, erasure, portability, restriction, objection) to the extent technically practicable.
5. Sub-processors
BookyTails uses the sub-processors listed in our Privacy Policy. By agreeing to this DPA, you authorize BookyTails to engage these sub-processors. We'll provide notice of any new or replaced sub-processor by updating that list at least 14 days before the change takes effect. If you object to a new sub-processor on reasonable grounds, you may terminate your subscription before the change takes effect; pro-rata refunds for the unused portion will be issued.
BookyTails remains liable for sub-processors' compliance with this DPA.
6. Data subject rights
BookyTails will, to the extent legally permitted, promptly notify the Subscriber of any request from a Data Subject relating to their Customer Personal Data and will not respond to such requests directly, leaving the Subscriber as Controller to handle them. We will provide reasonable assistance, including export tools and bulk-deletion options, to help fulfill these requests.
7. International data transfers
BookyTails is operated from the United States. If Customer Personal Data originates from the European Economic Area, the United Kingdom, or Switzerland, transfers to BookyTails are governed by the European Commission's Standard Contractual Clauses (modules 2 and 3 as applicable), the UK International Data Transfer Addendum, or the Swiss-equivalent mechanism. By accepting this DPA, the parties incorporate these safeguards by reference.
8. Breach notification
BookyTails will notify the Subscriber without undue delay, and in any case within 72 hours of confirmation, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known: the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed.
9. Audits
BookyTails will, on reasonable written request and no more than once per 12-month period, provide the Subscriber with summary information sufficient to demonstrate compliance with this DPA, including current sub-processor list, security overview, and any third-party audit reports we hold (e.g., from Vercel and Supabase). On-site audits are not generally available; if required by law, the parties will agree on scope and timing in good faith.
10. Return and deletion
Upon termination of the subscription, BookyTails will retain Customer Personal Data for 90 days to allow export, after which it will be deleted from active systems. Backup copies are deleted in accordance with our backup-rotation schedule (within 30 days). Where law requires longer retention (e.g., billing records), BookyTails will continue to protect that data and use it solely for the legally-required purpose.
11. CCPA/CPRA service-provider terms
For California residents, BookyTails serves as the Subscriber's “Service Provider” under CCPA/CPRA. BookyTails:
- Will not sell or share Customer Personal Data (as those terms are defined under CCPA/CPRA).
- Will not retain, use, or disclose Customer Personal Data outside the direct business relationship with the Subscriber.
- Will comply with applicable CCPA/CPRA obligations and give the Subscriber the same level of privacy protection.
- Will allow the Subscriber to take reasonable and appropriate steps to ensure that BookyTails uses Customer Personal Data consistent with these obligations.
12. Conflict
If any provision of this DPA conflicts with the Terms of Service, this DPA controls with respect to processing of Customer Personal Data.
13. Contact
Questions about this DPA, exercising rights, or invoking the audit or sub-processor objection clauses: privacy@bookytails.com.