Data Processing Addendum
Last updated: June 10, 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between SalonHub360, operated by SaloneX (“SalonHub360,” “we,” “our,” or “us”), and the business that uses the Services (the “Professional,” “you,” or “your”). It governs our processing of personal information about your End Clients and other individuals that we process on your behalf in providing the Services (“Client Personal Data”).
This DPA applies to the extent that you act as a “controller” or “business” and SalonHub360 acts as a “processor” or “service provider” under applicable U.S. state privacy laws (such as the California Consumer Privacy Act, as amended, and comparable laws of other states) (“Privacy Laws”). If there is a conflict between this DPA and the Terms of Service on the subject of processing Client Personal Data, this DPA controls.
1. Roles of the parties
With respect to Client Personal Data, you are the controller/business and SalonHub360 is the processor/service provider. You are responsible for the accuracy, quality, and legality of Client Personal Data, for the means by which you acquired it, and for having a lawful basis and any required notices and consents to provide it to us and to have us process it as described here. SalonHub360 processes Client Personal Data only on your behalf and for the purposes described in this DPA.
2. Scope and purpose of processing
We process Client Personal Data only as needed to provide, secure, maintain, and improve the Services, in accordance with your documented instructions (which include the Terms of Service, this DPA, and your configuration and use of the Services), and as required by applicable law. The subject matter, nature, purpose, and duration of processing, the types of Client Personal Data, and the categories of data subjects are described in the Annex below. If we are required by law to process Client Personal Data other than on your instructions, we will inform you unless legally prohibited.
3. Service-provider commitments (Privacy Laws)
As a service provider/processor, SalonHub360:
- Will not sell or share Client Personal Data, as those terms are defined under Privacy Laws.
- Will not retain, use, or disclose Client Personal Data for any purpose other than the business purposes of providing the Services, or as otherwise permitted by Privacy Laws.
- Will not retain, use, or disclose Client Personal Data outside the direct business relationship between you and us.
- Will not combine Client Personal Data with personal information we receive from, or on behalf of, others, or collect ourselves, except as permitted by Privacy Laws.
- Will comply with the applicable obligations under Privacy Laws and provide the same level of privacy protection as required of you.
We certify that we understand and will comply with these restrictions. You may take reasonable and appropriate steps to help ensure that we use Client Personal Data consistently with your obligations under Privacy Laws, and to stop and remediate any unauthorised use.
4. Confidentiality
We will treat Client Personal Data as confidential and ensure that our personnel authorised to process it are subject to appropriate confidentiality obligations and are made aware of its confidential nature. Access is limited to personnel who need it to provide the Services.
5. Security
We will maintain reasonable and appropriate technical and organisational measures designed to protect Client Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorised disclosure or access, taking into account the nature of the data and the risks involved. A summary of our current measures is set out in the Annex. We may update these measures over time provided the level of protection is not materially reduced.
6. Subprocessors
You authorise us to engage subprocessors to help provide the Services. We will impose on each subprocessor data-protection obligations no less protective than those in this DPA, and we remain responsible for each subprocessor’s performance. Our current subprocessors include:
- Vercel — application hosting.
- Railway — database hosting.
- Stripe — payment processing.
- Cloudflare — content delivery and image storage.
- Email and SMS providers — to deliver transactional and, where enabled, marketing communications you send through the Services.
We will provide notice of any new subprocessor before it begins processing Client Personal Data, and you may object on reasonable data-protection grounds by contacting support@salonhub360.com. If we cannot reasonably accommodate an objection, your remedy is to stop using the affected feature or terminate the Services.
7. Assistance with data-subject requests
The Services provide features that let you access, correct, export, and delete Client Personal Data. Taking into account the nature of the processing, we will provide reasonable assistance to help you respond to requests from individuals to exercise their rights under Privacy Laws. If we receive such a request directly from one of your End Clients, we will, where permitted, direct the individual to you or promptly forward the request, and we will not respond on your behalf except on your instruction or as required by law.
8. Personal-data incidents
We will notify you without undue delay after becoming aware of a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of or access to Client Personal Data that we process on your behalf. The notification will include the information reasonably available to us to help you meet any obligations to notify regulators or affected individuals. Our notification is not an acknowledgement of fault or liability.
9. Audits
On reasonable written request, and no more than once per year unless required by a regulator or following a confirmed incident, we will make available information reasonably necessary to demonstrate our compliance with this DPA. Audits are limited to information within our control, must respect the confidentiality and security of other customers’ data, and must not unreasonably disrupt our operations.
10. International processing
The Services are operated from, and Client Personal Data is processed in, the United States. You are responsible for ensuring that your provision of Client Personal Data to us, and our processing of it in the United States, is permitted under the laws applicable to you.
11. Return and deletion
On termination or expiry of the Services, or on your earlier request, we will delete or de-identify Client Personal Data in our control, except to the extent we are permitted or required by law to retain it (for example, for tax, accounting, fraud-prevention, or legal-hold purposes) or as retained in routine backups that are deleted on a rolling basis. The Services also let you delete much of this data yourself at any time.
12. Liability
Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, and any reference to a party’s liability means the aggregate liability of that party under the Terms of Service and this DPA together.
Annex — details of processing
Categories of data subjects
Your End Clients and prospective clients; your staff and authorised users; and other individuals whose personal information you enter into or collect through the Services.
Categories of Client Personal Data
Names and contact details (email, phone, address); appointment and booking history; service preferences and notes you record; customer portal credentials; communications you send through the Services; and limited payment-status information (full card details are handled by Stripe). You should not enter sensitive health information or full payment-card numbers into free-text fields.
Nature and purpose of processing
Hosting, storing, organising, transmitting, displaying, and otherwise processing Client Personal Data to provide the Services — including booking and scheduling, customer management, communications, payments, the public salon website, and related features — and to secure, maintain, and improve the Services.
Duration
For the term of the Services and until deletion in accordance with Section 11 and our Privacy Policy.
Security measures (summary)
- Encryption of data in transit (HTTPS/TLS) and encryption of sensitive credentials at rest.
- Role-based access controls and the principle of least privilege for personnel.
- Use of reputable hosting and infrastructure providers as subprocessors.
- Logging and monitoring to help detect and respond to issues.
- Separation of customer data within the multi-tenant platform.
Contact
Questions about this DPA, or to request a countersigned copy? Email us at support@salonhub360.com.