Data Processing Addendum

Effective date: 5 July 2026 · Last updated: 5 July 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service (the “Agreement”) between Xaiotech Pty Ltd ABN 63 821 547 002 trading as Bookaiq (“Processor,” “Bookaiq”) and the Workspace Owner who accepted the Agreement (“Controller,” “you”).

1. Definitions

Terms not defined in this DPA have the meaning given in the Agreement, the GDPR, or applicable Data Protection Laws.

  • Data Protection Laws — all applicable laws relating to data protection and privacy, including the GDPR, UK GDPR, Australian Privacy Act 1988, CCPA/CPRA, PIPEDA, Quebec Law 25, LGPD, and any other applicable data protection legislation.
  • GDPR — Regulation (EU) 2016/679 (General Data Protection Regulation).
  • UK GDPR — the GDPR as retained in UK law by the European Union (Withdrawal) Act 2018.
  • Personal Data — any information relating to an identified or identifiable natural person that is processed by Bookaiq on behalf of the Controller in connection with the Service.
  • Processing — any operation performed on Personal Data (collection, recording, storage, use, disclosure, erasure, etc.).
  • Sub-processor — a third party engaged by Bookaiq to process Personal Data on behalf of the Controller.
  • SCCs — the Standard Contractual Clauses annexed to the European Commission’s Decision 2021/914.
  • UK Addendum — the International Data Transfer Addendum to the EU SCCs issued by the UK ICO (version 21 March 2022).
  • Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Scope and Roles

2.1 Controller and Processor

The Controller determines the purposes and means of processing Booking Client data via the Service. Bookaiq processes that data on the Controller’s behalf as Processor.

2.2 Controller-to-controller processing

For account data, billing data, usage analytics, and Service improvement, Bookaiq acts as an independent controller. This DPA does not apply to that processing; the Privacy Policy governs it.

2.3 Subject matter and duration

The subject matter and duration of processing, the nature and purpose of processing, the types of Personal Data, and the categories of data subjects are described in Annex A.

3. Processing Instructions

3.1 Documented instructions

Bookaiq will process Personal Data only on the Controller’s documented instructions, which include:

  • The Agreement and this DPA.
  • The Controller’s configuration of the Service (settings, intake forms, automations, integrations).
  • Any additional written instructions agreed between the parties.

3.2 Notification of conflicting instructions

If Bookaiq believes an instruction infringes Data Protection Laws, it will promptly inform the Controller before processing, unless prohibited by law.

3.3 Additional instructions

The Controller may issue additional processing instructions provided they are consistent with the Agreement and the Service’s functionality. Instructions that require changes to the Service beyond its standard functionality may be subject to additional fees.

4. Confidentiality

Bookaiq ensures that persons authorised to process Personal Data are bound by contractual or statutory confidentiality obligations.

5. Security

Bookaiq implements and maintains the technical and organisational security measures described in Annex B. These measures are designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorised disclosure or access.

Bookaiq may update security measures from time to time, provided the overall level of protection is not materially diminished.

6. Sub-processors

6.1 General authorisation

The Controller grants Bookaiq general authorisation to engage the sub-processors listed in the Sub-processor List and in Annex C.

6.2 Obligations on sub-processors

Before engaging a sub-processor, Bookaiq will:

  • Enter into a written agreement imposing data-protection obligations materially equivalent to those in this DPA.
  • Remain fully liable to the Controller for the performance of the sub-processor’s obligations.

6.3 New sub-processors

Bookaiq will notify the Controller at least 14 days before engaging a new sub-processor (via email or an update to the Sub-processor List page). The Controller may object by notifying Bookaiq in writing within 14 days of the notice. If the Controller objects on reasonable data-protection grounds and no resolution is reached within 30 days, either party may terminate the Agreement with respect to the affected Service feature.

6.4 Emergency sub-processors

In exceptional circumstances (e.g., sub-processor insolvency, critical security incident), Bookaiq may engage a replacement sub-processor on shorter notice, provided it notifies the Controller as soon as practicable and the replacement provides equivalent or better protections.

7. Data Subject Requests

7.1 Assistance

Bookaiq will assist the Controller in responding to data-subject requests (access, rectification, erasure, portability, restriction, objection) by:

  • Providing tools in the Service for exporting, correcting, and deleting records.
  • Redirecting requests received directly from data subjects to the Controller, unless legally required to respond.
  • Providing reasonable additional assistance upon request (which may be subject to a fee for excessive or complex requests).

7.2 Notification

If Bookaiq receives a data-subject request directly, it will promptly redirect the data subject to the Controller and notify the Controller of the request.

8. Data Breach Notification

8.1 Notification to Controller

Bookaiq will notify the Controller of a Data Breach without undue delay and in any event within 72 hours of becoming aware of it. The notification will include, to the extent available:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned.
  • The name and contact details of the point of contact.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach.

8.2 Cooperation

Bookaiq will cooperate with the Controller in investigating the breach, mitigating its effects, and fulfilling the Controller’s notification obligations under Data Protection Laws.

8.3 No acknowledgement of fault

Notification of a breach does not constitute an acknowledgement of fault or liability.

9. Data Return and Deletion

9.1 During the Agreement

The Controller may export Personal Data at any time using the Service’s export features.

9.2 On termination

Upon termination of the Agreement, Bookaiq will:

  • Make Personal Data available for export for at least 30 days.
  • After the export period, delete all Personal Data from active systems within 30 days, except where retention is required by applicable law (see the Privacy Policy for retention schedules).
  • Delete Personal Data from backup systems within 90 days or as soon as the backup cycle permits.

9.3 Certification

Upon request, Bookaiq will provide written confirmation of deletion.

10. International Transfers

10.1 Transfer mechanisms

Personal Data may be transferred to countries outside the Controller’s jurisdiction (including Australia and the United States) where Bookaiq and its sub-processors operate.

For transfers from the EEA, UK, or Switzerland to countries without an adequacy decision, Bookaiq relies on:

  • EU Standard Contractual Clauses (Commission Decision 2021/914): Module 2 (Controller-to-Processor) for transfers of the Controller’s Personal Data from the EEA to Bookaiq, and Module 3 (Processor-to-Processor) for onward transfers from Bookaiq to sub-processors outside the EEA.
  • UK International Data Transfer Addendum (ICO version, 21 March 2022).
  • Swiss Federal Data Protection Act amendments to the EU SCCs.

10.2 SCC elections

For the purposes of the SCCs:

  • Clause 7 (Docking clause): included.
  • Clause 9(a) (Sub-processor authorisation): Option 2 — general written authorisation.
  • Clause 11(a) (Redress): optional provision not included.
  • Clause 13 (Supervisory authority): the supervisory authority of the EEA member state where the data exporter is established, or (where the data exporter is not established in the EEA) the supervisory authority of the member state where the data subjects whose data is transferred are located, as per Clause 13(a)(ii).
  • Clause 17 (Governing law): the laws of Ireland.
  • Clause 18 (Jurisdiction): the courts of Ireland.

10.3 UK Addendum

The UK International Data Transfer Addendum applies to transfers of Personal Data from the UK. In case of conflict between the SCCs and the UK Addendum, the UK Addendum prevails for UK transfers.

10.4 Data Privacy Framework

Bookaiq does not currently participate in the EU-US, UK Extension, or Swiss-US Data Privacy Framework. This section will be updated if Bookaiq certifies under the DPF.

10.5 Transfer impact assessment

Bookaiq has assessed the laws of the countries where Personal Data is processed (primarily Australia and the United States) and concluded that, combined with the supplementary measures described in Annex B, the SCCs provide an adequate level of protection. Bookaiq will notify the Controller if it becomes aware of any material change to this assessment.

11. CCPA/CPRA Service Provider Terms

To the extent the CCPA/CPRA applies:

  • Bookaiq is a “service provider” as defined in CCPA §1798.140(ag) / CPRA.
  • Bookaiq processes Personal Data only for the business purposes specified in the Agreement and this DPA.
  • Bookaiq does not sell or share (for cross-context behavioural advertising) Personal Data received from or on behalf of the Controller.
  • Bookaiq does not retain, use, or disclose Personal Data for any purpose other than performing the Service, and does not combine Personal Data with data received from other sources except as permitted by the CCPA/CPRA.
  • Bookaiq will comply with CCPA/CPRA obligations applicable to service providers and assist the Controller in responding to consumer rights requests.
  • If Bookaiq determines it can no longer meet its CCPA/CPRA obligations, it will notify the Controller.

12. Data Protection Impact Assessments

Bookaiq will provide reasonable assistance to the Controller in conducting data-protection impact assessments and prior consultations with supervisory authorities, where required under Data Protection Laws, to the extent the assessment relates to Bookaiq’s processing.

13. Audit

13.1 Information

Bookaiq will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.

13.2 Audits

The Controller (or its authorised third-party auditor, subject to reasonable confidentiality obligations) may audit Bookaiq’s compliance with this DPA once per year with at least 30 days’ written notice, during business hours, without unreasonably disrupting operations. The Controller bears the cost of the audit.

13.3 Certifications and reports

Where available, Bookaiq may satisfy audit requests by providing relevant third-party certifications, audit reports, or summary findings. Bookaiq does not currently hold SOC 2 or ISO 27001 certification.

14. Liability

Each party’s liability under this DPA is subject to the limitations of liability set out in the Agreement.

15. Term

This DPA takes effect on the date the Controller accepts the Agreement and remains in effect until all Personal Data has been deleted or returned in accordance with Section 9.

Annex A — Processing Details

FieldDetail
Subject matterProcessing of Personal Data in connection with the Bookaiq appointment scheduling and booking management platform
DurationFor the term of the Agreement plus any post-termination retention period (see the Privacy Policy)
Nature and purposeStorage, retrieval, display, transmission, and deletion of Personal Data to provide scheduling, booking, communication, payment processing, analytics, and related features
Categories of data subjectsBooking Clients, Staff Members, website visitors to the Workspace Owner’s booking pages
Types of Personal DataNames, email addresses, phone numbers, booking details (service, date/time, location, notes), intake-form responses, IP addresses, device/browser information, booking-history patterns, payment transaction references (via Stripe), outbound-offer metadata
Special categoriesHealth-related booking information may be processed where the Controller configures intake forms to collect it (for example, medical or allied-health businesses). The Controller is responsible for ensuring a lawful basis and any required consent for such collection (see the Acceptable Use Policy, Section 3.1). No other special-category data is intended to be processed.
Processing operationsCollection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission (email/SMS reminders, calendar sync), alignment, combination, restriction, erasure, destruction

Annex B — Technical and Organisational Security Measures

B.1 Encryption

  • In transit: TLS 1.2+ for all client-server and server-to-server connections.
  • At rest: database encryption at rest provided by Supabase (AES-256).

B.2 Access controls

  • Authentication: Supabase Auth with bcrypt password hashing; social sign-in (Google, Microsoft) via OAuth 2.0 / OIDC.
  • Session management: signed JWT tokens with short-lived access tokens and refresh-token rotation.
  • Production access: multi-factor authentication; least-privilege access; no shared credentials.
  • Row-level security: Supabase RLS policies enforce workspace-level data isolation — each workspace can only access its own data.

B.3 Infrastructure

  • Hosting: Vercel (serverless compute in the Sydney region) with global CDN.
  • Database: Supabase (PostgreSQL, Sydney, Australia).
  • Network: all public endpoints behind HTTPS; no direct database exposure.
  • Availability: Vercel and Supabase provide redundancy and automatic failover.

B.4 Monitoring and incident response

  • Logging: request logs, authentication events, and security events retained for up to 90 days.
  • Monitoring: platform-level monitoring and alerting via Vercel and Supabase dashboards and logs.
  • Incident response: breach notification within 72 hours per Section 8.

B.5 Personnel

  • All personnel with access to Personal Data are bound by confidentiality obligations.
  • Periodic reviews of production access.

B.6 Data minimisation and retention

  • Only data necessary for the configured features is collected.
  • Retention per the Privacy Policy; automated deletion of time-slot offer data at 90 days.
  • Deletion from backups within 90 days or as soon as the backup cycle permits.

Annex C — Sub-processors

See the Sub-processor List for the current list. Summary as of the effective date:

Sub-processorPurposeData processedPrimary region
Supabase, Inc.Database, authenticationAll Service dataSydney, Australia
Vercel, Inc.Hosting, CDN, serverless computeRequest data, assetsSydney, Australia (compute); global (CDN)
Bird B.V. (formerly MessageBird B.V.)SMS (primary provider), WhatsApp, transactional emailPhone numbers, message content, email addresses, email contentNetherlands (EU) / global carrier network
Resend, Inc.Transactional email (alternate/fallback route)Email addresses, email contentUnited States
Twilio Inc.SMS delivery (legacy contingency route only)Phone numbers, message contentUnited States / global carrier network
Stripe, Inc.AU billing + Stripe paymentsPayment data, billing addressUnited States / global
Lemon Squeezy, LLCMerchant-of-record billing (non-AU)Payment data, billing address, tax infoUnited States
Google LLCSign-in, calendar sync, Meet links, Places API, static maps, Firebase Cloud Messaging (Android push)Calendar events, auth tokens, meeting links, location queries, push tokensUnited States / global
Microsoft CorporationSign-in, Outlook/365 calendar sync, Teams meeting linksCalendar events, auth tokens, meeting linksUnited States / global
Zoom Communications, Inc.Meeting links (when the Controller connects Zoom)Meeting topics, times, join links, staff OAuth tokensUnited States / global
Xero LimitedInvoicing (when the Controller connects Xero)Client name/email, invoice line items and amountsUnited States / global
Meta Platforms, Inc.Facebook/Instagram Page connection (when connected; where available)Page identifiers, access tokensUnited States / global

Contact

Questions about this DPA or privacy enquiries: support@bookaiq.com.