Data Processing Agreement
Last updated: June 2026
This Data Processing Agreement ("DPA") forms part of our Terms of Service for business customers. When your business uses BookZync, your customers' details (names, contact information, appointment requests, chat conversations) flow through our systems: you are the data controller of that information, and BookZync acts as your data processor. This DPA describes how we handle it. If your business requires a countersigned copy, email [email protected].
Roles and scope
You (the business subscribing to BookZync) are the controller of your customers' personal data. BookZync is your processor: we process that data only to provide the services you signed up for — answering chats, capturing leads, booking appointments, sending confirmations and reminders, and showing you analytics.
What we process for you
- Identity and contact data: your customers' names, phone numbers, and email addresses.
- Booking data: requested services, appointment dates and times, attendance, and visit history.
- Conversation data: chat messages your customers exchange with your AI assistant.
- What we deliberately do NOT process: payment card numbers (payments run through secure checkout only) and medical details — the AI is instructed never to collect diagnoses, symptoms, or health history.
Our duties as your processor
- Process personal data only to deliver the service and on your documented instructions.
- Keep it confidential — staff access is limited, role-based, and logged.
- Help you respond to data-subject requests: your dashboard can export or delete customer records, and we assist with anything it can't do yet.
- Tell you without undue delay if we become aware of a personal-data breach affecting your data.
- Delete or return your data when the agreement ends (see section 7, "Term, return, and deletion").
Security measures
- Encryption in transit (HTTPS/TLS) and at rest on our managed database.
- Strict tenant isolation: every record is scoped to your business, and cross-tenant access is treated as not-found by design.
- Administrative access protected by two-factor authentication and step-up verification for sensitive actions.
- An audit log records every administrative change.
- SMS opt-outs are honored automatically: when one of your customers replies STOP, our systems record it and stop texting them across every feature.
Sub-processors
We use a small set of vetted providers to deliver the service. The current list is published at bookzync.com/sub-processors. Each is bound by obligations equivalent to this DPA. We will update that page before adding a new sub-processor; if you object on reasonable data-protection grounds, you may cancel under our standard terms.
International transfers
Our providers may process data outside your country (primarily in the United States). Where your law requires it — for example for transfers out of the EU/UK — we rely on recognized safeguards such as the providers' standard contractual clauses and data-protection certifications.
Term, return, and deletion
This DPA applies for as long as your subscription is active. After cancellation, your data remains available for export for 30 days, then is deleted unless the law requires us to keep specific records longer (for example, tax records). You can also delete individual customer records from your dashboard at any time.
Contact
Data-protection questions or requests: [email protected].