Booker: Time & Space Rentals — Data Processing Agreement
Last updated: 30 June 2026
This Data Processing Agreement (“DPA”) governs the processing of personal data by the provider of Booker: Time & Space Rentals (“Processor”) on behalf of the merchant who installs the App (“Controller”). By installing or using the App, the Controller accepts this DPA. It forms part of the agreement between the parties and reflects GDPR Art. 28 and equivalent obligations.
1. Subject matter & duration
The Processor processes personal data only to provide the App’s booking functionality, for as long as the App is installed. On uninstall, data is deleted as described below.
2. Nature & purpose of processing
Creating, confirming, and managing time-based product bookings made through the Controller’s store, and surfacing them in the Shopify admin.
3. Types of personal data & data subjects
- Data subjects: the Controller’s customers who place a booking.
- Data: customer name, customer email, order reference, and booking time span. No special-category data.
4. Processor obligations
- Process personal data only on the Controller’s documented instructions (installing and using the App constitutes those instructions), unless required by law.
- Ensure personnel authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (Section 6).
- Not engage another sub-processor without general authorisation; current sub-processors are listed in Section 5, and the Controller is notified of changes.
- Assist the Controller in responding to data-subject rights requests via Shopify’s data-request and redaction webhooks, which the App honours automatically.
- Assist the Controller with security, breach notification, and data-protection-impact obligations.
- Delete or return personal data on termination (Section 7).
- Make available information needed to demonstrate compliance and allow for reasonable audits.
5. Sub-processors
- Shopify — order/customer data source and admin host.
- Vercel — application hosting.
- Neon — managed PostgreSQL database.
6. Security measures
Encryption in transit (TLS) and at rest (AES-256), including backups; least-privilege access with strong passwords and two-factor authentication; logging of access to and erasure of personal data; data minimisation (only name and email are stored); secrets held only in environment variables.
7. Deletion
On uninstall, the Controller’s stored data is erased on Shopify’s shop/redactrequest (~48 hours later). Individual customer data is erased on customers/redact. Data-access requests are served via customers/data_request.
8. International transfers
Any transfer outside the Controller’s region relies on appropriate safeguards (e.g. Standard Contractual Clauses) and the sub-processors’ compliance programmes.
9. Breach notification
The Processor will notify the Controller without undue delay after becoming aware of a personal-data breach and provide the information needed for the Controller to meet its notification duties.
Contact
Data protection contact: booker-app@protonmail.com.