Data Processing Agreement
(«DPA») pursuant to Art. 28 of Regulation (EU) 2016/679 («GDPR»)
Last updated: May 24, 2026 · Version: 1.0
Who must read this DPA? This document applies to all Professionals who use the ZenBookr Platform to manage their own clients' data (client list, bookings, technical sheets, notes, etc.). End-Clients booking a service do NOT need to accept this DPA.
Acceptance of the Terms for Professionals implies acceptance of this DPA as an integral part of the contract.
1. Parties and recitals
This Agreement is entered into between:
- The Professional — the natural or legal person holding a ZenBookr account of type «Professional», hereinafter also «Controller»;
- Marco D'Arminio (natural person, sole individual), with registered office at Vico Malvina 9, 70042 Mola di Bari (BA), Italy, operator of the ZenBookr Platform, hereinafter also «ZenBookr» or «Processor».
Recitals:
- (a) ZenBookr provides the Controller with the Platform on the basis of the Terms for Professionals («Main Contract»);
- (b) In the performance of the Main Contract, ZenBookr processes personal data of third parties (the Controller's clients) on behalf of the Controller;
- (c) This DPA governs the rights, duties and responsibilities of the parties relating to such processing, pursuant to Art. 28 GDPR.
In case of conflict between this DPA and the Main Contract, this DPA prevails for matters relating to the processing of personal data.
2. Definitions
Capitalized terms not defined in this DPA have the meaning given to them in the GDPR. In particular:
- Personal Data: personal data, as defined by Art. 4(1) GDPR, processed by ZenBookr on behalf of the Controller in the performance of the Main Contract
- Data Subjects: the natural persons to whom the Personal Data relate (primarily the Controller's clients)
- Processing: any operation performed on Personal Data, pursuant to Art. 4(2) GDPR
- Sub-processor: third party that ZenBookr authorizes to process Personal Data
- Personal Data Breach: a breach of security leading to destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data (Art. 4(12) GDPR)
3. Subject, duration, nature, purpose of processing
- Subject: provision of the ZenBookr Platform as an operational management tool for the Controller's business
- Duration: the entire term of the Main Contract plus 30 days post-termination (to allow export and/or deletion)
- Nature of processing: collection, recording, organization, storage, consultation, modification, extraction, communication through the application (only for the purposes below)
- Purposes: management of appointments, client cards, operational communications between the Controller and their clients, payment processing via Stripe Connect, aggregated business statistics for the Controller
4. Categories of Personal Data and Data Subjects
Categories of Data Subjects: clients, former clients, leads of the Controller; any collaborators/employees that the Controller registers in the «Team» area (if applicable).
Categories of Personal Data:
- Identification data: name, surname, any aliases
- Contact data: email, phone, address (for mobile services)
- Booking and history data: appointments, services booked, duration, amounts
- Any health-related data / physical preferences (e.g. cosmetic allergies, skin conditions): these fall within the «special categories» under Art. 9 GDPR and the Controller is responsible for collecting a valid legal basis (explicit consent of the client or other basis under Art. 9(2) GDPR) before uploading them to the Platform
- Client photos (e.g. before/after treatment): only if the Controller has obtained the client's explicit consent
- Notes and annotations from the Controller about the client
The Controller is solely responsible for ensuring the lawfulness of the collection and upload of such data to the Platform, including the privacy notice provided to their clients (Arts. 13/14 GDPR) and the collection of any necessary legal bases.
5. ZenBookr's obligations as Processor
Pursuant to Art. 28(3) GDPR, ZenBookr undertakes to:
- (a) Process Personal Data only for the purposes authorized by the Controller and according to documented instructions (the Platform configurations and this DPA constitute documented instructions);
- (b) Ensure that personnel authorized to process the data are bound by confidentiality;
- (c) Adopt appropriate technical and organizational security measures (see Section 7);
- (d) Comply with the conditions for engaging Sub-processors (Section 6);
- (e) Assist the Controller, insofar as possible, in responding to requests from Data Subjects exercising GDPR rights;
- (f) Assist the Controller in ensuring security, breach management, impact assessments (DPIAs) and prior consultation (Arts. 32-36 GDPR);
- (g) At the Controller's choice, return or delete the Personal Data at the end of processing (Section 12);
- (h) Make available to the Controller all information necessary to demonstrate compliance with the obligations of this DPA and allow audits (Section 11);
- (i) Inform the Controller immediately if, in ZenBookr's opinion, an instruction violates the GDPR or other data protection provisions.
Unless otherwise indicated, ZenBookr does not use the Personal Data for its own purposes (e.g. training AI models, profiling, sale to third parties, marketing) and does not share them outside the authorized Sub-processors listed in Section 6.
6. Sub-processors
The Controller generally authorizes ZenBookr to engage the Sub-processors necessary for the provision of the service. ZenBookr ensures that each Sub-processor is bound by contractual obligations equivalent to those of this DPA (Art. 28(4) GDPR).
6.1 Current list of authorized Sub-processors
| Sub-processor | Service | Region | Safeguard |
|---|---|---|---|
| Google Ireland Ltd. (Firebase, Cloud Functions, GA4, reCAPTCHA, Cloud Storage) | Infrastructure hosting, authentication, database, file storage, aggregated analytics, anti-spam | EU (Belgium) primary; US fallback | Standard Contractual Clauses (SCCs) + Google Data Processing and Security Terms |
| Stripe Payments Europe Ltd. | Payment processing of the Controller's clients, Stripe Connect KYC onboarding | EU (Ireland) + US | SCCs + Stripe Data Processing Agreement |
| Brevo (Sendinblue SAS) | Sending transactional emails on behalf of the Controller (e.g. booking confirmation to client) | EU (France) | Brevo DPA |
| AI providers (Groq, Google Gemini, OpenAI) — only if the Professional activates the integrated AI assistant | AI query processing when the Controller requests intelligent assistance (e.g. automated client replies) | EU/US | SCCs + «no-train» setting (providers do not train models on this data) |
6.2 Changes to the Sub-processor list
ZenBookr will inform the Controller of any change to the list (addition or replacement of Sub-processors) with at least 30 days' prior notice, by updating this page and notifying via email to the address associated with the account.
The Controller may object to the change within 15 days from the notice, providing reasonable grounds related to data protection. In such case, the parties shall collaborate to identify an alternative solution. If no solution is found within 30 days from the objection, the Controller may terminate the Main Contract without penalty, with 30 days' written notice.
7. Technical and organizational measures (Art. 32 GDPR)
ZenBookr adopts the following security measures:
7.1 Technical measures
- Encryption in transit: TLS 1.2+ on all communications
- Encryption at rest: AES-256 on Google Cloud side (Firestore, Cloud Storage)
- Password hashing: bcrypt with unique salt per user
- Authentication: Firebase Authentication with MFA support (TOTP, Passkey/WebAuthn)
- Firebase App Check (reCAPTCHA Enterprise) to prevent API abuse
- reCAPTCHA v3 on public forms
- Firestore Security Rules with multi-tenant isolation per Controller
- Structured logging of accesses and sensitive operations
- Automatic daily backups with 30-day retention
- Disaster recovery: multi-zone Google Cloud replication
- Integrated Web Application Firewall (WAF) on Google Cloud
7.2 Organizational measures
- Confidentiality contractual obligations with authorized personnel
- Least-privilege access policy: data access only for support/security/maintenance, with logs
- Periodic privacy and security training for personnel
- Annual review of security policies
- Vulnerability management process (security patches within 30 days from discovery for critical vulnerabilities)
- Documented incident management procedure
7.3 Updates to measures
ZenBookr may update security measures over time, provided that the overall level of protection does not decrease compared to what is described.
8. Transfers of data outside the European Union
Save for the cases indicated in the Sub-processors table (Section 6.1), Personal Data is processed within the European Economic Area (EEA).
For any extra-EEA transfers, ZenBookr ensures the transfer takes place on the basis of:
- Adequacy decision by the European Commission (e.g. EU-US Data Privacy Framework)
- Standard Contractual Clauses (SCCs) approved by Decision 2021/914
- Supplementary measures where necessary
Upon written request from the Controller, ZenBookr will provide a copy of the applicable safeguards.
9. Assistance to the Controller for Data Subject requests
If a Data Subject (the Controller's client) addresses ZenBookr directly to exercise GDPR rights (access, rectification, erasure, etc.), ZenBookr will not respond directly on the merits, but will:
- (a) Direct the Data Subject to the Controller (Professional) as the competent party
- (b) Inform the Controller of the request within 5 business days
- (c) Provide the Controller with the technical tools to handle the request (e.g. data export, targeted deletion, disclosure of processing details) through Platform features or, if necessary, through manual support team intervention within a reasonable time
Assistance is provided at no additional cost where the effort required is compatible with ordinary support times. For extraordinary requests or activities requiring dedicated technical development, ZenBookr may request reimbursement of costs incurred, subject to the Controller's acceptance.
10. Personal Data Breach
Should ZenBookr become aware of a Personal Data Breach affecting the Data processed on behalf of the Controller:
- (a) It will notify the Controller without undue delay and in any case within 48 hours of discovery;
- (b) It will provide the information required by Art. 33(3) GDPR: nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, measures taken or proposed to mitigate effects;
- (c) It will cooperate with the Controller in incident management activities, communication to the authorities (Garante) pursuant to Art. 33 GDPR, and communication to Data Subjects pursuant to Art. 34 GDPR if applicable;
- (d) It will document the incident, its causes and corrective measures taken.
The obligation to notify the supervisory authority under Art. 33 GDPR (within 72 hours) remains with the Controller: ZenBookr only provides the information necessary for the Controller to comply.
11. Audit and inspections
The Controller has the right, pursuant to Art. 28(3)(h) GDPR, to verify ZenBookr's compliance with its obligations as Processor, by:
- (a) Examining the technical and organizational documentation provided by ZenBookr (third-party audit reports, certifications, Platform technical documentation)
- (b) Conducting, upon written reasoned request, an on-site or remote audit at ZenBookr's premises, with at least 30 business days' notice, during standard business hours, once per year (save for extraordinary audits in case of confirmed breach)
The Controller will bear the costs of its own audit. Any audits requested by third parties (e.g. external auditors of the Controller) are permitted subject to signing a confidentiality agreement.
ZenBookr may replace the on-site audit with the presentation of recognized independent certifications (e.g. SOC 2, ISO 27001) where applicable.
12. Deletion / return of Data at the end of the Contract
Upon termination of the Main Contract, for any reason, ZenBookr, at the Controller's choice communicated in writing within 30 days from termination:
- (a) Will return the Personal Data to the Controller in structured format (JSON/CSV export), or
- (b) Will delete all Personal Data (and existing copies)
In the absence of instructions from the Controller within 30 days from termination, ZenBookr will default to deletion.
Deletion on active systems occurs within 30 days. Complete deletion, including backups, occurs within 60 days from the request (to respect the automatic backup rotation cycle).
ZenBookr may retain Personal Data only within the limits and for the time strictly necessary to:
- Comply with legal obligations (e.g. fiscal obligations, retention of payment evidence)
- Defend legal claims
- Produce anonymized data (irreversibly not attributable to individuals) for statistical purposes
13. Liability
Each party is liable for damages caused by its breaches of the obligations of this DPA or the GDPR. ZenBookr's overall liability under this DPA is limited as provided in the «Limitation of Liability» section of the Terms for Professionals.
It is understood that, pursuant to Art. 82(2) GDPR, ZenBookr is liable only for damages caused by processing if it has violated GDPR obligations specifically directed at Processors or has acted in a manner that is contrary or inconsistent with the Controller's instructions.
The Controller indemnifies ZenBookr from third-party claims (including Data Subjects and supervisory authorities) arising from:
- Controller's breaches of its own GDPR obligations (privacy notice, legal basis, consent collection)
- Uploading to the Platform data that the Controller was not authorized to collect/process
- Unlawful instructions from the Controller
14. Final provisions
14.1 Changes to the DPA
ZenBookr may update the DPA to adapt it to regulatory developments, service changes or to improve the safeguards offered. Changes will be notified to the Controller with at least 30 days' prior notice via email and in-app notice.
If the Controller does not agree with the changes, it may terminate the Main Contract without penalty within 30 days from the notice, with written notice to ZenBookr.
14.2 Governing law and jurisdiction
This DPA is governed by Italian law. For any dispute the competent court is the one indicated in the Terms for Professionals.
14.3 Survival
The obligations of this DPA which, by their nature, must survive the termination of the Main Contract (e.g. confidentiality, data deletion) continue to apply.
15. Contacts
For any matter relating to this DPA:
Marco D'Arminio
Privacy email: privacy@zenbookr.app
Support email: support@zenbookr.app
Email: info@zenbookr.app
Registered office: Vico Malvina 9, 70042 Mola di Bari (BA), Italy