DATA PROCESSING ADDENDUM (DPA)
Effective date: June 2, 2026
Last updated: June 2, 2026
Version: 1.0
This Data Processing Addendum ("DPA") governs, under Article 28 GDPR (EU 2016/679), the terms on which the Service Provider processes personal data on behalf of and on the instructions of the Provider. This DPA forms an integral part of the Terms of Service between the Provider and the Service Provider and details the data-processing provisions set out in Section 20 of the Terms. In case of conflict regarding data processing, this DPA prevails.
1. Parties and roles
- Controller: the Provider, who processes the personal data of its own customers (Clients) for its own purposes.
- Processor: the Service Provider (WaveOne Technologies; for identification and contact details see the Imprint), which processes that data on the Provider's instructions in the course of operating the platform.
The parties record that, with respect to registered users' own account data, the Service Provider is an independent controller (see the Privacy Policy); this DPA covers only the data the Service Provider processes as the Provider's processor.
2. Subject matter, duration, nature and purpose
- Subject matter: processing of personal data related to the Provider's booking and customer-management activity via the platform.
- Duration: for the term of the contract between the Provider and the Service Provider, and for the retention periods set out in the Privacy Policy.
- Nature and purpose: providing, storing and technically operating the booking system, calendar, messaging, ratings, credit accounting and related features.
3. Categories of data subjects and personal data
- Data subjects: the Provider's Clients (bookers), Workers and other contacts.
- Categories of data: name, email address, phone number (if provided), booking data (time, status, the values of Provider-defined form fields), messages, ratings and notes. Processing of special-category data (Article 9 GDPR) is not intended (see Terms §6.6); if the Provider enters such data, it does so as an independent controller and is responsible for it.
4. Controller's instructions
The Service Provider processes the personal data only on the Provider's documented instructions — including the ordinary use of the platform as a standing instruction — unless required to do otherwise by Union or Member State law; in that case the Service Provider informs the Provider before processing, unless the law prohibits this on important grounds of public interest.
5. Confidentiality
The Service Provider ensures that persons authorized to access the data have committed to confidentiality or are under an appropriate statutory duty of confidentiality, and access the data only to the extent necessary for their tasks (need-to-know, least-privilege).
6. Technical and organizational measures (TOMs) — Article 32 GDPR
The Service Provider applies the following measures (proportionate to risk):
- Encryption in transit (TLS/HTTPS) for all network traffic;
- Encryption at rest at the database/storage provider (Supabase) level;
- Access control: role-based permissions, least-privilege, two-factor authentication (2FA) for administrative operations;
- Credential handling: password hashing (bcrypt), secrets stored separately;
- Pseudonymization / anonymization: removal of personal identifiers on account deletion (tombstone), pseudonymized logs;
- Logging and auditability: logging of security-relevant events;
- Abuse prevention: rate limiting, bot- and fraud-mitigation;
- Business continuity: regular backups and recoverability;
- Privacy by design and by default.
Current details of the TOMs can be provided on request and may be updated in line with technological progress, without lowering the level of protection.
7. Sub-processors
The Provider grants the Service Provider a general authorization to engage sub-processors. The Service Provider imposes on each sub-processor data-protection obligations materially equivalent to those in this DPA (Article 28 GDPR) and remains responsible for their performance. The Service Provider informs the Provider in advance of the addition or replacement of a sub-processor, and the Provider may object.
Current sub-processors:
| Sub-processor | Function | Processing location | Safeguard |
|---|---|---|---|
| Supabase Inc. | Database (PostgreSQL), storage | EU region | Within the EEA |
| Vercel Inc. | Hosting, edge network | USA | EU-US DPF / SCC |
| Paddle.com Market Ltd. | Payment processing, invoicing (Merchant of Record) | United Kingdom / USA | UK GDPR adequacy / SCC |
| MailerSend (MailerSend Inc.) | Transactional email delivery | USA / EU | EU-US DPF / SCC |
| GeoNames (Unxos GmbH) | City auto-completion | Germany | Within the EEA |
| OpenStreetMap Foundation | Map tiles, geocoding (Nominatim) | United Kingdom | UK GDPR adequacy |
| Open-Meteo (Open-Meteo.com) | Weather data (by coordinates) | Germany | Within the EEA |
| Anthropic PBC | AI booking and search assistant (Claude) | USA | SCC + data processing agreement under Article 28 GDPR |
8. International transfers
For transfers outside the EEA the Service Provider relies on an adequacy decision, Standard Contractual Clauses (SCC, EU Decision 2021/914), or EU-US Data Privacy Framework certification, with supplementary technical and organizational measures where needed.
9. Assistance to the controller
Taking into account the nature of processing, the Service Provider assists the Provider with appropriate measures in:
- fulfilling data-subject rights (access, rectification, erasure, restriction, portability, objection);
- meeting the obligations under Articles 32–36 (security, breach notification, data-protection impact assessment (DPIA) and prior consultation).
10. Personal-data breach
The Service Provider notifies the Provider of a personal-data breach affecting the data it processes without undue delay after becoming aware, as soon as possible (target: within 72 hours), and provides the information reasonably necessary for the Provider's own notification.
11. Audit
The Service Provider makes available to the Provider the information necessary to demonstrate compliance with Article 28 obligations and allows for and contributes to audits at reasonable intervals and on prior arrangement (including by an independent auditor mandated by the Provider and bound by confidentiality), with due protection of business continuity and other customers' data.
12. Return and deletion of data
On termination of the contract, the Service Provider, at the Provider's choice, returns or deletes the processed personal data, unless Union/Member State law requires storage (e.g. accounting retention). For retention periods see the Privacy Policy and the internal retention matrix.
13. Liability and governing law
Liability and governing law are as set out in the Terms of Service. This DPA is construed under Hungarian law and the GDPR.
14. Contact
Data-processing enquiries: privacy@1booq.com (see also the Imprint and the Privacy Policy).