Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service and applies whenever you, as a practitioner using Therapybook, store personal data about your clients on the platform. It is drafted to satisfy Article 28 of the UK GDPR and the EU GDPR.
1. Parties and roles
- Controller: you, the practitioner holding an account on the platform. You determine the purposes and means of processing your clients' personal data.
- Processor: Puresoft Ltd, operating the Therapybook platform on your behalf.
For practitioner account data (your name, your settings, your Stripe Connect ID) Puresoft Ltd is a controller in its own right — that processing is governed by the Privacy Policy, not by this DPA.
2. Subject matter, nature, and purpose of processing
The processor processes personal data of the controller's clients on the platform for the following purposes:
- Storing booking records (start/end time, payment status, cancellation status).
- Storing intake-form answers submitted by the client.
- Storing the controller's private session notes.
- Sending transactional email (confirmation, cancellation, update) and iCal attachments.
- Sending transactional SMS reminders.
- Routing payment-processing API calls to Stripe Connect on the controller's behalf.
- Calculating refund amounts from the controller's published cancellation policy.
3. Duration of processing
This DPA applies for the duration of the controller's active account on the platform plus a 30-day defensive window after account closure, during which data may be restored on request. After those 30 days, data is deleted in accordance with the retention schedule in the Privacy Policy.
4. Types of personal data
| Data type | Stored at rest as |
|---|---|
| Client name | Plaintext |
| Client email | Plaintext |
| Client phone (optional) | Envelope-encrypted (AES-256-GCM, per-row DEK wrapped with per-tenant KEK) |
| Free-text booking notes (optional) | Envelope-encrypted |
| Intake-form answers (may contain health data) | Envelope-encrypted |
| Private practitioner notes (may contain health data) | Envelope-encrypted |
| Booking start/end times, payment status, refund amounts | Plaintext |
| Stripe payment intent IDs, charge IDs, refund IDs | Plaintext (they are opaque references; the actual payment data lives on Stripe's systems) |
5. Categories of data subjects
- The controller's clients (the people booking sessions).
- Where the controller works with minors with parental consent, the consenting parent / guardian to the extent they appear in notes or intake answers.
6. Processor obligations
The processor will:
- Process only on documented instructions from the controller — meaning the actions enabled by the platform's UI and API. If the processor is required to process for a different purpose by law, it will inform the controller in advance unless legally prohibited.
- Ensure confidentiality. Any personnel with access to personal data are bound by confidentiality and have a legitimate need-to-know.
- Implement appropriate technical and organisational measures, including:
  - Envelope encryption at rest for the fields listed in section 4.
  - TLS 1.2+ in transit (terminated at Cloudflare's edge).
  - HttpOnly, Secure, SameSite session cookies; magic-link authentication (no stored passwords).
  - Per-tenant row-level scoping enforced in every API handler.
  - Restricted secret store for cryptographic keys (Cloudflare secret store; no plaintext in source control).
  - Audit logging of sent emails and dispatched SMS.
- Assist with data-subject rights requests by providing data export, deletion, and rectification facilities, and by responding to support tickets that surface a rights request from one of the controller's clients.
- Assist with breach notification by notifying the controller of any personal data breach affecting their clients without undue delay, with a target of within 72 hours of becoming aware. The notice will describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed.
- Delete or return data at the end of processing, in accordance with section 13.
7. Controller responsibilities
- Establish a lawful basis for processing your clients' data before collecting it on the platform.
- Provide your clients with appropriate privacy notices.
- Obtain explicit consent for any health-related data you collect through intake forms (Article 9 GDPR).
- Respond to your clients' data-subject rights requests within the statutory deadline (one month under UK / EU GDPR). The platform provides export and deletion tooling to help you do this.
- Configure access controls appropriate to your practice (e.g. don't share your magic-link sign-in email).
8. Sub-processors
The controller grants the processor a general authorisation to engage the sub-processors listed below. The processor will give the controller at least 30 days' notice by email of any addition or replacement. If the controller reasonably objects, the controller may terminate the agreement and export their data per section 13 before the new sub-processor begins processing.
| Sub-processor | Role | Transfer mechanism |
|---|---|---|
| Cloudflare Inc. | Hosting (Pages, Workers, D1, R2, KV), DNS, TLS, transactional email delivery via the Cloudflare Email Service. | SCCs + UK IDTA as published by Cloudflare. |
| Stripe Inc. / Stripe Payments Europe | Stripe Connect Standard. Payment processing for the controller's connected Stripe account. | SCCs + UK IDTA as published by Stripe. |
| Twilio Inc. / Twilio Ireland | Outbound SMS reminders. | SCCs + UK IDTA as published by Twilio. |
9. International transfers
Where personal data is transferred outside the UK or EEA to a jurisdiction without an adequacy decision, the processor and its sub-processors rely on the European Commission's Standard Contractual Clauses (Module 3: processor-to-processor) and the UK ICO's International Data Transfer Addendum. Documentation is available from each sub-processor's privacy notice as linked in the Privacy Policy.
10. Audit rights
The processor will, on reasonable notice (and no more than once per calendar year unless required by a regulator), provide:
- A SOC 2 Type II report or an equivalent independent audit report once such a report is available. (One is not available today; this clause becomes operational when the platform commissions one.)
- A summary of the processor's penetration-test results.
- Written responses to a reasonable audit questionnaire from the controller.
On-site audits will only be permitted where strictly necessary and after exhausting paper-audit alternatives, and the controller will bear the cost of any such audit.
11. Breach notification
The processor will notify the controller of any personal data breach affecting their data without undue delay and, in any event, within 72 hours of becoming aware. The notice will provide the information required by Article 33(3) of the UK / EU GDPR to the extent it is then known.
12. International notice channels
All notices under this DPA may be given by email to support@clientbooking.pages.dev (notices to the processor) and to the controller's account email on file (notices to the controller). Either party may update its notice address by giving the other 14 days' written notice.
13. End of processing
On the earlier of (a) account closure, (b) termination of the Terms of Service, or (c) the controller's written request, the processor will, at the controller's choice:
- Return all personal data in a structured, machine-readable format (decrypted), or
- Delete all personal data,
within 30 days of the request, unless retention is required by law (e.g. tax records of financial transactions). Anonymised aggregate metadata used for billing reconciliation and platform analytics may be retained indefinitely.
14. Liability
Each party's liability under this DPA mirrors and is subject to the limitation of liability in the Terms of Service. Nothing in this DPA limits or excludes liability that cannot be limited or excluded by law.
15. Governing law and jurisdiction
This DPA is governed by the laws of England and Wales. Any dispute arising out of or in connection with this DPA is subject to the exclusive jurisdiction of the courts of England and Wales.
16. Contact
Questions about this DPA? Email support@clientbooking.pages.dev.