This Data Processing Agreement ("DPA") forms part of the Terms of Service between Booking Bible ApS (CVR 46504666, Torvegade 66, 1400 København K, Denmark) ("Processor", "BOOKING BIBLE") and the studio operator ("Controller", "Operator") using the Booking Bible platform.
This DPA is entered into in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to the processing of personal data by the Processor on behalf of the Controller.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed through the Service.
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means the individual whose Personal Data is being processed (typically the Operator's members and staff).
2. Scope of Processing
Subject Matter
Processing of member and staff personal data to provide the BOOKING BIBLE studio management platform.
Duration
Processing continues for the term of the Operator's subscription plus a 30-day data retention period after termination.
Categories of Data Subjects
- Studio members and customers
- Studio staff and instructors
- Guest visitors and leads
Types of Personal Data
- Identity data (name, email, phone, date of birth)
- Booking and attendance records
- Payment references (Stripe customer IDs, transaction records)
- Health questionnaire responses (special category data)
- Communication preferences and engagement data
- Technical data (IP addresses, device information)
3. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by EU or member state law.
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
- Implement appropriate technical and organizational security measures as described in Section 5.
- Not engage another processor (sub-processor) without prior written authorization of the Controller, as detailed in Section 6.
- Assist the Controller in responding to Data Subject requests.
- Assist the Controller in ensuring compliance with obligations regarding data breach notification, data protection impact assessments, and prior consultation.
- At the Controller's choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless EU or member state law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA.
4. Obligations of the Controller
The Controller shall:
- Ensure that its instructions for the processing of Personal Data comply with applicable data protection laws.
- Obtain all necessary consents from Data Subjects for the processing of their data, particularly for special category data (health questionnaires).
- Maintain appropriate privacy notices for its members and staff.
- Notify the Processor promptly of any Data Subject requests that require the Processor's assistance.
5. Security Measures
The Processor implements the following technical and organizational measures:
- Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256).
- Access control: Role-based access with row-level security (RLS) enforcing organization data isolation.
- Authentication: Secure authentication via Supabase Auth with support for MFA.
- Audit logging: All administrative actions are logged with user, timestamp, and change details.
- Backup: Automated daily backups with point-in-time recovery.
- Monitoring: Error tracking (Sentry) and uptime monitoring.
- Incident response: Defined incident response procedure with 72-hour breach notification.
6. Sub-processors
The Controller provides general written authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object within 14 days.
Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| e-conomic | Danish accounting integration for venue payouts | DK |
| Anthropic | Claude AI for Studio Manager + customer agents | US |
| PostHog Cloud EU | Product analytics — funnels, retention, cohorts, experiments, session replay | EU |
| BunnyCDN | Legacy media CDN (sunsetting) | EU |
| Supabase | Postgres database, Auth, Storage, Realtime | EU (project region) |
| Upstash Redis | Distributed rate-limiting + hot-path cache | EU available |
| Resend | Transactional + marketing email delivery | US |
| Vercel | Application hosting, edge functions, CDN | US edge |
| ClassPass | Class-discovery network for fitness venues | US |
| Cloudflare Turnstile | Bot protection on signup and other public forms | Global edge |
| GitHub | Source control + CI / CD | US |
| Zapier | Workflow automation (varies per Zap) | US |
| BetterStack Uptime | External synthetic uptime monitoring + public status page | EU |
| Sentry | Error monitoring + performance tracing | EU available — currently US |
| Adyen | Enterprise multi-region payment processing | EU (Netherlands) |
| Mollie | European payment processing (alternative to Stripe Connect) | EU (Netherlands) |
| Reepay | Danish-native subscription billing (alternative to Stripe) | DK |
| Stripe | Card + MobilePay processing, Connect marketplace | US + EU |
| Gateway API | Transactional SMS delivery (DK + global) | DK |
| Mux | Live streaming + recording for online classes | US |
The full registry — including data categories, SOC 2 / ISO 27001 posture, sub-sub-processors, and signed DPA links — is published at /legal/sub-processors.
For sub-processors located outside the EU/EEA, appropriate safeguards are in place through Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914).
Deletion triggered by feature removal
Processor (Booking Bible) shall delete Personal Data associated with feature-specific records on the schedule set forth in the Operator's Terms of Service when the Operator disables the feature or downgrades to a tier excluding the feature. Processor shall notify Controller in writing at least seven (7) days before deletion.
7. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach. The notification shall include:
- The nature of the breach, including categories and approximate number of data subjects affected.
- The name and contact details of the data protection officer or other contact point.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach.
8. International Transfers
Where Personal Data is transferred to sub-processors outside the EU/EEA, the Processor ensures that such transfers are subject to appropriate safeguards in accordance with Chapter V of the GDPR, including Standard Contractual Clauses (Module 3: Processor to Sub-processor) and supplementary measures where required.
9. Audits
The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. The Processor shall cooperate with such audits and provide reasonable access to relevant facilities, systems, and documentation. Audits shall be conducted with reasonable advance notice (minimum 30 days) and shall not unreasonably disrupt the Processor's operations.
10. Governing Law
This DPA is governed by the laws of Denmark and subject to the jurisdiction of the City Court of Copenhagen (Københavns Byret).
11. Contact
For questions about this DPA or to request changes, contact:
Data Protection Officer
Booking Bible ApS
Torvegade 66
1400 København K, Denmark
Email: dpo@bookingbible.com