1. Roles
You are the Data Controller of the personal data of your end-customers. FlexiBooking acts as Data Processor and only processes data on documented instructions from you.
2. Subject matter & duration
Processing is limited to what is necessary to deliver the service and lasts for the term of the underlying agreement, plus any required deletion period.
3. Categories of data & data subjects
Identification and contact data of your end-customers, transaction and booking metadata, and any optional fields you configure on your booking flows.
4. Sub-processors
We may engage sub-processors for hosting, email delivery and payments. The list is available on request; you have the right to object to the addition of any new sub-processor.
5. Security measures
Encryption in transit and at rest, role-based access control, audit logs, regular penetration testing, and a documented incident response process.
6. International transfers
Where data is transferred outside the EEA, the EU Standard Contractual Clauses (Module 2 or 3, as applicable) apply.
7. Audit & assistance
We assist you with DPIAs, data subject requests and supervisory authority enquiries, and make available the information necessary to demonstrate compliance.
8. Return & deletion
On termination, we return or delete personal data within 30 days, unless retention is required by law.