Data Processing Agreement
How BookedUp processes personal data on behalf of subscriber businesses
Version: 1.0 | Effective Date: March 26, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between BookedUp ("Processor," "we," "us") and the Subscriber ("Controller," "you") who uses the BookedUp AI receptionist platform under the Terms & Conditions. This DPA governs the processing of personal data by BookedUp on behalf of Subscribers.
This DPA is incorporated by reference into the Terms & Conditions and takes effect upon the Subscriber's registration for or continued use of the BookedUp service. No separate signature is required for standard B2B use — by using the Service, the Subscriber accepts these data processing terms. Enterprise Subscribers requiring a countersigned DPA may request one by contacting privacy@bookedup.app.
1. Parties
| Role | Party | Description |
|---|---|---|
| Data Controller | Subscriber (the business or individual accessing BookedUp) | Determines the purposes and means of processing End Customer personal data. Is responsible for the lawfulness of processing, including obtaining consent from End Customers for SMS communications. |
| Data Processor | BookedUp, 621 E Columbia St, Evansville, IN 47711, privacy@bookedup.app | Processes personal data on behalf of the Subscriber only as necessary to deliver the BookedUp service. Acts on the Controller's documented instructions. |
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person ("data subject"), including names, phone numbers, and message content.
- Controller: The Subscriber, who determines the purposes and means of processing Personal Data through the BookedUp platform.
- Processor: BookedUp, which processes Personal Data on behalf of the Controller.
- End Customer Data: Personal data belonging to the Subscriber's own customers that is processed through the platform.
- Processing: Any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
- Sub-Processor: A third-party service provider engaged by BookedUp to assist in processing Personal Data on behalf of the Controller.
- Data Breach: A security incident resulting in unauthorized access to, disclosure of, loss of, or destruction of Personal Data.
- GDPR: EU General Data Protection Regulation 2016/679.
- CCPA/CPRA: California Consumer Privacy Act and California Privacy Rights Act.
3. Categories of Personal Data Processed
BookedUp processes the following categories of personal data on behalf of Subscribers:
3.1 End Customer Data
- Contact data: First name, last name, mobile phone number
- Communication data: Inbound and outbound SMS message content, call metadata (timestamp, duration, originating number)
- Appointment data: Scheduled appointment date/time, service type, appointment status
- Consent data: SMS opt-in/opt-out status and timestamp
3.2 Subscriber Account Data
- Business name, industry, and contact information
- Authorized user names and email addresses
- Account configuration and messaging preferences
Sensitive Data: BookedUp does not collect or process sensitive personal data (including health information, financial account numbers, government IDs, or biometric data). Subscribers are strictly prohibited from inputting sensitive data into the platform. See the HIPAA Disclaimer in the Terms & Conditions.
4. Purposes and Legal Basis for Processing
4.1 Processing Purposes
BookedUp processes End Customer Data solely for the following purposes, as directed by Subscribers:
- Delivering automated SMS responses to End Customers when the Subscriber misses a call
- Facilitating appointment booking on behalf of the Subscriber
- Sending appointment reminders and follow-up messages as configured by the Subscriber
- Providing Subscribers with communication logs, conversation history, and analytics within their dashboard
- Processing opt-out (STOP) requests from End Customers
BookedUp does not use End Customer Data for its own marketing, advertising, model training, or any purpose beyond the above.
4.2 Controller's Lawful Basis
The Subscriber (Controller) is responsible for establishing and maintaining a lawful basis for processing End Customer personal data. Applicable legal bases typically include:
- Consent — Prior express written consent obtained from the End Customer for automated SMS communications (required under TCPA)
- Legitimate Interests — Responding to an existing customer inquiry or missed call within applicable regulations
- Contract Performance — Processing appointment data to fulfill a service booking
5. Processing Instructions
BookedUp processes Personal Data only on the documented instructions of the Subscriber, as set out in this DPA and the Terms & Conditions. The Subscriber instructs BookedUp to process Personal Data for the purposes described in Section 4.
If BookedUp is required by applicable law to process Personal Data beyond the Subscriber's instructions, BookedUp will inform the Subscriber of such requirement unless prohibited by law.
The Subscriber must not instruct BookedUp to process Personal Data in a way that violates applicable law, these Terms, or this DPA. BookedUp may refuse to act on an instruction that it reasonably believes would result in unlawful processing.
6. Confidentiality
BookedUp ensures that personnel authorized to process Personal Data are bound by confidentiality obligations (whether by contract or professional duty) and are trained in applicable data protection requirements. Access to Personal Data is limited to personnel who need such access to perform their job responsibilities.
7. Security Measures
BookedUp implements and maintains appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:
7.1 Technical Safeguards
- Encryption in transit: All data transmitted between users and BookedUp servers uses TLS 1.2 or higher
- Encryption at rest: Database storage uses AES-256 encryption for sensitive fields
- Access controls: Role-based access control (RBAC) limits staff access to Personal Data on a need-to-know basis
- Authentication: Bcrypt password hashing; JWT-based session management with expiry
- Input validation: All API endpoints validate and sanitize input to prevent injection attacks
- Dependency management: Regular automated scanning for vulnerable dependencies
7.2 Organizational Safeguards
- Internal data handling policies and staff training
- Vendor security assessments for sub-processors
- Incident response procedures (see Section 10)
- Periodic review and updating of security practices
8. Sub-Processors
The Subscriber grants BookedUp a general authorization to engage sub-processors to assist in delivering the Service, subject to the conditions in this section. BookedUp will:
- Impose data protection obligations on sub-processors that are equivalent to those in this DPA
- Remain liable to the Subscriber for the acts and omissions of sub-processors to the extent BookedUp would be liable under this DPA
- Provide at least 14 days' advance notice before engaging a new sub-processor that will process End Customer Data, giving the Subscriber the opportunity to object
8.1 Current Sub-Processors
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Twilio, Inc. | SMS carrier routing and delivery | End Customer phone numbers; message content | United States |
| Stripe, Inc. | Payment processing and subscription billing | Subscriber billing information (name, email, payment method) | United States |
| OpenAI, L.L.C. | AI language model inference for message generation | Conversation context (may include End Customer phone number and message content) | United States |
| Neon, Inc. (Neon PostgreSQL) | Relational database hosting | All Subscriber and End Customer Data at rest | United States |
| Render, Inc. | Application hosting and compute infrastructure | All application-layer data during processing | United States |
| Meta Platforms, Inc. (Meta Pixel) | Marketing website analytics and ad attribution only | Anonymized website visitor events (after cookie consent on marketing site only; not in authenticated dashboard) | United States |
9. Data Subject Rights
To the extent End Customers exercise their data subject rights (access, deletion, correction, portability, objection) with BookedUp directly, BookedUp will:
- Promptly notify the relevant Subscriber of the request (within 5 business days)
- Not respond directly to End Customers without the Subscriber's authorization, unless required by law
- Provide the Subscriber with reasonable technical assistance to fulfill the request, such as exporting or deleting End Customer records on request
Subscribers are responsible for responding to End Customer data subject requests within required timeframes under applicable law.
10. Data Breach Notification
In the event BookedUp becomes aware of a security incident that results in unauthorized access to, disclosure of, loss of, or destruction of Personal Data ("Data Breach"), BookedUp will:
- Notify affected Subscribers within 72 hours of confirming a breach affecting their data, consistent with GDPR Article 33 and applicable state breach notification laws
- Include in the notification: (a) the nature of the breach; (b) categories and approximate number of data subjects affected; (c) categories and approximate volume of data affected; (d) likely consequences of the breach; and (e) measures taken or proposed to address the breach
- Cooperate with Subscribers in their own breach notification obligations to regulators and data subjects
Breach notification timelines begin from the moment BookedUp has sufficient information to confirm the occurrence of a breach. If full details are not available within 72 hours, BookedUp will provide an initial notification with available information and supplement it as further details are confirmed.
11. Data Retention and Deletion
11.1 Retention During Service
BookedUp retains Personal Data for the duration of the Subscriber's active account, as necessary to deliver the Service and as described in the Privacy Policy.
11.2 Deletion Upon Account Termination
Upon account cancellation or termination, BookedUp will:
- Make Subscriber Data (including End Customer Data) available for export for 30 days following termination
- Delete Personal Data from active systems within 90 days of account closure
- Purge Personal Data from encrypted backup systems within 30 days of active system deletion (total: ~120 days from closure)
Upon the Subscriber's written request, BookedUp will certify the deletion of Personal Data in writing within 30 days of completing the deletion process.
11.3 Early Deletion Requests
Subscribers may request deletion of specific End Customer Data records at any time by contacting privacy@bookedup.app. BookedUp will process deletion requests within 30 days.
12. Transfers of Personal Data
BookedUp and its sub-processors are located in the United States. Personal Data is processed and stored in the United States. If a Subscriber or its End Customers are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, the following applies:
12.1 GDPR and EU-US Transfers
For Subscribers subject to GDPR, transfers of personal data to BookedUp (a US-based processor) are conducted under one or more of the following mechanisms:
- The EU-U.S. Data Privacy Framework (DPF), where applicable to our sub-processors
- Standard Contractual Clauses (SCCs) — enterprise Subscribers may request execution of SCCs by contacting privacy@bookedup.app
- Other applicable derogations under GDPR Article 49 (e.g., performance of contract)
12.2 CCPA (California)
BookedUp acts as a "Service Provider" under the CCPA. We process End Customer Data solely for the business purposes specified in this DPA and do not sell, share, or retain End Customer Data for our own commercial purposes. We certify that we understand and will comply with the restrictions applicable to Service Providers under the CCPA.
13. Audit Rights
Upon the Subscriber's written request (no more than once per 12-month period), BookedUp will make available information reasonably necessary to demonstrate compliance with this DPA. BookedUp may satisfy this obligation by providing:
- Responses to a security questionnaire or audit checklist
- Summary results of third-party security audits or penetration tests (with sensitive details redacted)
- Relevant certifications (if and when obtained)
On-site audits are available for enterprise Subscribers with at least 30 days' advance written notice and at the Subscriber's expense, subject to reasonable confidentiality restrictions.
14. Cooperation with Regulators
BookedUp will provide reasonable cooperation and assistance to the Subscriber in connection with any investigation, inquiry, or enforcement action by a data protection supervisory authority or similar regulatory body relating to the processing of Personal Data under this DPA.
15. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms & Conditions, including the aggregate liability cap. Nothing in this DPA limits either party's liability for willful misconduct or gross negligence in connection with data protection obligations.
16. Term and Termination
This DPA remains in effect for the duration of the Subscriber's use of the BookedUp Service and terminates automatically upon termination of the Terms & Conditions. Obligations relating to the processing of Personal Data that was collected prior to termination survive termination until all such data is deleted in accordance with Section 11.
17. Amendments
BookedUp may update this DPA from time to time to reflect changes in law, technology, or business practices. Material changes will be communicated to Subscribers with at least 30 days' notice via email. Continued use of the Service after the effective date constitutes acceptance.
18. Conflict
In the event of a conflict between this DPA and the Terms & Conditions, this DPA controls with respect to data processing matters. In all other respects, the Terms & Conditions govern.
19. Contact for Data Processing Inquiries
For questions about this DPA, data processing practices, or to request a countersigned DPA or SCCs:
- Data Privacy Contact: privacy@bookedup.app
- Address: 621 E Columbia St, Evansville, IN 47711
- Website: https://bookedup.today
Need a countersigned DPA or Standard Contractual Clauses (SCCs)?
Enterprise Subscribers requiring executed agreements for compliance programs (SOC 2, GDPR, ISO 27001) can request a countersigned DPA.