Data Processing Agreement
Last updated: April 2026
Roles
For client booking data submitted to the service by a specialist, Tapsela acts as a Data Processor and the specialist acts as the Data Controller. The specialist is responsible for ensuring that client data is collected and used lawfully, including identifying an appropriate legal basis, providing any required privacy notice, and responding to data subject requests. Tapsela acts as an independent Data Controller only for data processed for its own account administration, security, fraud prevention, support, legal compliance, and service improvement purposes.
Data Processed
On the specialist's behalf, we may process client personal data entered into the service, including client name, phone number, booking date and time, service details, location, price, notes, communication preferences if provided, and other information submitted by the specialist in connection with appointment management.
Purpose of Processing
We process client personal data only on the specialist's documented instructions and only as necessary to provide, maintain, secure, and support the appointment management service, including displaying bookings, maintaining related records, enabling the specialist to manage appointments, and sending transactional communications to clients on behalf of the specialist such as booking confirmations, reminders, cancellation notices, and reschedule requests.
Subprocessors
We may use authorised subprocessors to support the service, including providers of hosting, database infrastructure, security, messaging delivery, analytics consent management, customer support, and related technical operations. Where required by applicable law, we ensure that subprocessors are subject to written data protection obligations that are no less protective than those set out in this agreement.
Data Retention
We retain client personal data for as long as necessary to provide the service to the specialist, to maintain service security and integrity, and to comply with applicable legal obligations. Specialists may delete booking records through the service where functionality allows. After account closure, client personal data will be deleted or anonymised within a reasonable period, subject to backup retention cycles, legal requirements, fraud prevention, dispute resolution, and security needs.
Security Measures
We implement appropriate technical and organisational measures designed to protect client personal data against unauthorised or unlawful access, use, disclosure, alteration, loss, or destruction, including encrypted connections, access controls, and system-level protections appropriate to the service.
Data Subject Rights
As between the parties, the specialist is responsible for responding to requests from clients and other data subjects relating to client personal data. Where required by applicable law, we will provide reasonable assistance to the specialist. If we receive a request relating to data for which the specialist is the controller, we may direct the requester to the relevant specialist.
Contact
For questions about this agreement or our processing of personal data, contact: privacy@tapsela.com