Data Processing Agreement (DPA)

Data Controller

Email:

privacy@tapsela.com

Operating as unregistered economic activity (działalność nierejestrowana) under art. 5 of the Polish Entrepreneurs’ Law (ustawa Prawo przedsiębiorców).

Parties

This Agreement binds every Specialist (Controller of their Clients' personal data) using the Tapsela platform and the platform operator (Processor) whose identification details appear in the "Data Controller" block of the Privacy Policy.

A. Subject matter and duration

The Specialist entrusts Tapsela with processing Client personal data for the purpose of providing the appointment management service. The entrustment lasts for the entire term of the main Service Agreement and, after termination, for the period necessary to fulfil the data return/deletion obligations (section E item 7).

B. Nature and purpose of processing

Tapsela processes the entrusted data solely to create and maintain appointment bookings on behalf of the Specialist, send transactional messages according to Client preferences, provide the Specialist with an appointment management interface, and ensure the security, availability and integrity of the service. Tapsela does not use the entrusted data for its own marketing or analytics purposes.

C. Types of personal data

The following categories of Clients' personal data may be entrusted: full name (or first name only), phone number, optional email address, appointment date/time/duration/name, optional location, price, Specialist notes, and the Client's communication preferences and consent history.

D. Categories of data subjects

The Specialist's Clients who book appointments via the booking surface book.tapsela.com or via booking links generated in the Specialist panel.

E. Obligations of Tapsela as Processor

Tapsela undertakes to: (1) process data only on the documented instructions of the Controller; (2) ensure confidentiality by authorised personnel; (3) implement appropriate technical and organisational measures pursuant to art. 32 GDPR; (4) assist with data-subject rights requests; (5) notify the Controller without undue delay and in any event within 48 hours of becoming aware of a personal data breach; (6) assist with DPIAs and prior consultations with the supervisory authority; (7) on termination of the service, return or delete all entrusted data within 30 days; (8) make available the information necessary to demonstrate compliance with art. 28 GDPR and allow audits.

F. Use of further processors

The Controller grants general authorisation for Tapsela to use further processors, the current list of which is published in the Privacy Policy. Tapsela informs the Controller of intended changes at least 30 days in advance and allows objection. Each further processor is bound by obligations no less strict than those set out in this Agreement (art. 28(4) GDPR).

G. Transfers outside the EEA

Some further processors (Cloudflare, Clerk) process data in third countries. Transfers take place under the Standard Contractual Clauses approved by Commission Implementing Decision 2021/914 of 4 June 2021. Copies of the SCCs are available on request.

H. Liability

Each Party is liable for damage caused by GDPR-violating processing to the extent set out in art. 82 GDPR. Tapsela's aggregate liability under this Agreement does not exceed the amounts paid by the Controller to Tapsela in the 12 months preceding the event causing the damage, except in cases of wilful misconduct or gross negligence.

I. Audit rights

The Controller may audit performance of this Agreement once per calendar year, with at least 30 days' prior notice, during business hours and without disrupting normal operation of the service. Tapsela may offer an independent auditor's report (e.g. ISO 27001, SOC 2) as an alternative to an on-site audit.

J. Term and termination

This Agreement enters into force when the Specialist accepts the Terms of Service and remains in force for the duration of the Terms. It terminates automatically when the main Service Agreement ends, subject to the data return/deletion obligations of section E item 7.

Contact

Data protection contact point: privacy@tapsela.com