Data Processing Agreement

Version 1.0 — Effective 22 April 2026

For Tenant businesses (data controllers)

This Data Processing Agreement ("DPA") sets out the terms under which NextBookin processes personal data on behalf of you, the Tenant, in accordance with Article 28 of the UK GDPR. It supplements and forms part of our Terms of Service. By accepting the Terms of Service, you accept the terms of this DPA.

If you require a counter-signed copy of this DPA for your own records, email privacy@nextbookin.com with the subject line "DPA request" and we will return a signed copy within 5 business days.

1. Definitions

In this DPA, the following terms have the following meanings. Capitalised terms not defined here have the meaning given in the Terms of Service or the UK GDPR.

  • "Controller", "Processor", "Personal Data", "Processing", and "Data Subject" have the meanings given in the UK GDPR.
  • "Customer Personal Data" means Personal Data of your end Customers (the people who book through your business) processed by us on your behalf.
  • "Subprocessor" means any third party engaged by us to process Customer Personal Data, as listed in our Privacy Policy.
  • "Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), and any other data protection law applicable to the Processing under this DPA.

2. Roles of the Parties

You (the Tenant) are the Controller of Customer Personal Data. NextBookin is the Processor of Customer Personal Data, processing it on your documented instructions to provide the Service. NextBookin remains the Controller of its own platform-operational data (including your account credentials, billing information, and aggregate usage data), as set out in our Privacy Policy.

3. Subject Matter and Duration

Subject matter: the provision of the NextBookin booking and scheduling Service as defined in the Terms of Service.

Duration: this DPA remains in force for the duration of the Terms of Service and for such additional period as we hold Customer Personal Data on your behalf.

Nature and purpose of processing: hosting, storing, retrieving, transmitting, displaying, backing up, and (where instructed by you) deleting Customer Personal Data, and processing it to send transactional and marketing communications you initiate through the Service.

Categories of Data Subjects: your end Customers, prospective customers who interact with your booking pages, and any other individuals whose Personal Data you upload to or generate within the Service.

Categories of Customer Personal Data: contact details (name, email, phone), booking history (services, appointments, payments), notes you record, marketing preferences, consultation form responses, and any other Personal Data you choose to capture using the Service.

4. Our Obligations as Processor

We will:

  • Process Customer Personal Data only on your documented instructions, including those reflected in the configuration of your Tenant account, except where required to do so by Applicable Data Protection Law (in which case we will inform you of that legal requirement before processing, unless prohibited from doing so).
  • Ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organisational measures to protect Customer Personal Data, as described in section 8 (Security).
  • Engage Subprocessors only in accordance with section 7.
  • Assist you, taking into account the nature of the Processing, in fulfilling your obligations to respond to Data Subject rights requests (see section 9).
  • Assist you in ensuring compliance with your obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, DPIAs, prior consultation), taking into account the nature of the Processing and the information available to us.
  • At your choice, delete or return all Customer Personal Data after the end of the provision of the Service, and delete existing copies, except where Applicable Data Protection Law requires storage.
  • Make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections (subject to reasonable advance notice and confidentiality).

5. Your Obligations as Controller

You warrant that:

  • You have a lawful basis under Applicable Data Protection Law for collecting and processing the Customer Personal Data you upload to or generate through the Service.
  • You have provided all required information notices to Data Subjects (typically through your own privacy notice) before collecting their Personal Data.
  • You have obtained any consents required for marketing communications sent through the Service (see section 12 of the Terms of Service).
  • Your instructions to us regarding the Processing of Customer Personal Data comply with Applicable Data Protection Law.
  • You will respond to Data Subject requests directed to you within statutory time limits.

6. International Data Transfers

The primary data store (Neon, eu-west-2 London) and application hosting (Hetzner, Germany) keep Customer Personal Data within the UK/EEA at rest. Where Subprocessors located outside the UK/EEA process Customer Personal Data (e.g. Stripe, Twilio, Resend, Cloudflare, Google), the transfer is safeguarded by Standard Contractual Clauses, the UK Addendum to the EU SCCs, or an applicable adequacy decision.

7. Subprocessors

You provide a general written authorisation for us to engage the Subprocessors listed in our Privacy Policy at /privacy (section 9). We will give at least 30 days' written notice (by email to the Account Owner and/or in-app notification) of any intended addition or replacement of a Subprocessor that materially affects the Processing of Customer Personal Data, and you may object to the change on reasonable data protection grounds within 14 days of notice. If we cannot accommodate a reasonable objection, you may terminate your Service subscription on written notice; no further fees will be charged from the date of termination.

We remain liable to you for the acts and omissions of our Subprocessors with respect to their obligations under this DPA.

8. Security

We implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, where appropriate:

  • Encryption of Customer Personal Data in transit (TLS 1.2+) and at rest;
  • Per-tenant database isolation to prevent cross-tenant access;
  • Role-based access controls with audit logging of every administrative access (including Support Access — see section 17 of the Terms of Service);
  • Two-factor authentication for platform administrators;
  • Regular vulnerability scanning and security review;
  • Backup, disaster recovery, and incident response procedures;
  • Personnel confidentiality obligations and security training.

9. Data Subject Rights

Where a Data Subject contacts us directly with a request to exercise their rights under the UK GDPR in respect of Customer Personal Data, we will forward the request to you without undue delay and will not respond directly (except to acknowledge receipt and direct them to you).

You can exercise the most common rights yourself through the Service:

  • Access / portability: use the data export tools in your dashboard to retrieve all Customer Personal Data in a structured, machine-readable format.
  • Rectification: edit Customer records directly in your dashboard.
  • Erasure: delete Customer records directly in your dashboard. Soft-deleted records are anonymised after the retention period in our Privacy Policy.
  • Restriction: mark a Customer record as restricted using the suspension control in your dashboard.

10. Personal Data Breach Notification

We will notify you without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data breach affecting Customer Personal Data. The notification will, to the extent the information is available, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. We will cooperate with you in your own breach notification obligations to the ICO and affected Data Subjects.

11. Audits

You may audit our compliance with this DPA no more than once per calendar year (and additionally following any material Personal Data breach), on reasonable advance written notice (at least 30 days), during business hours, and subject to confidentiality. We may charge our reasonable costs incurred in supporting an audit. As an alternative to an on-site audit, we will provide copies of relevant third-party security certifications and audit reports (where available) on request.

12. Liability

The aggregate liability of each party arising under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

13. Conflicts

In the event of a conflict between this DPA and the Terms of Service in relation to the Processing of Customer Personal Data, this DPA prevails.

14. Governing Law and Jurisdiction

This DPA is governed by the laws of England and Wales. Any dispute arising out of or in connection with this DPA is subject to the exclusive jurisdiction of the courts of England and Wales.

15. Contact

All notices and correspondence under this DPA should be sent to privacy@nextbookin.com.