Data Processing Agreement

Last updated: May 1, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Fusionix LLC ("Processor," "we," "us"), the company that operates the BookMe Studio platform, and the Business User ("Controller," "you"). This DPA applies to the processing of personal data that you submit to or collect through the BookMe Studio platform on behalf of your clients.

By using the Service, you agree to this DPA. If you are accepting on behalf of a business entity, you represent that you have the authority to bind that entity.

1. Definitions

  • "Controller" means the Business User who determines the purposes and means of processing personal data through the Service.
  • "Processor" means Fusionix LLC, the operator of the BookMe Studio platform, which processes personal data on behalf of the Controller.
  • "Data Subject" means any identified or identifiable natural person whose personal data is processed — typically the Controller's clients (Client Users).
  • "Personal Data" means any information relating to a Data Subject, including name, email, phone number, appointment history, payment information, and any other data collected through the Service.
  • "Processing" means any operation performed on personal data, including collection, storage, retrieval, use, transmission, anonymization, and deletion.
  • "Sub-processor" means any third party engaged by the Processor to assist in processing personal data on behalf of the Controller.

2. Scope and Purpose of Processing

BookMe Studio processes personal data solely to provide the Service to you as described in our Terms of Service. This includes managing appointments, processing payments, sending communications (email and SMS) on your behalf, storing client records, and providing analytics.

We will not process personal data for any purpose other than providing the Service, unless required by applicable law. We will inform you of any such legal requirement before processing, unless prohibited by law.

3. Obligations of the Processor

BookMe Studio shall:

  • Process personal data only on documented instructions from the Controller, including with respect to transfers of personal data to a third country, unless required by law.
  • Ensure that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest, access controls, and regular security assessments.
  • Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) through the platform's built-in tools (GDPR data export, account deletion) and support channels.
  • Assist the Controller in ensuring compliance with data protection impact assessments and prior consultations with supervisory authorities, where required.
  • At the Controller's choice, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless storage is required by law.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

4. Sub-processors

The Controller provides general authorization for the Processor to engage Sub-processors. A current list of Sub-processors is available at bookmestudio.com/sub-processors.

We will notify the Controller of any intended changes to Sub-processors (additions or replacements) at least 30 days before the change, giving the Controller the opportunity to object. If the Controller objects on reasonable grounds, we will work to address the concern or offer a commercially reasonable alternative.

5. International Data Transfers

Personal data processed through BookMe Studio is stored in the United States using Google Cloud Platform infrastructure. Where personal data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States, such transfers are conducted in compliance with applicable data protection laws, including through Standard Contractual Clauses (SCCs) as approved by the European Commission, or other legally recognized transfer mechanisms.

6. Security Measures

BookMe Studio implements the following technical and organizational security measures:

  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256) via Google Cloud Platform.
  • Access Controls: Role-based access control, Firebase Authentication, and staff permission models limiting data access to authorized personnel.
  • Audit Logging: All data access, modification, and deletion events are logged for compliance accountability.
  • Incident Response: Documented procedures for identifying, containing, and reporting security incidents.
  • Data Minimization: We collect only the data necessary to provide the Service.
  • Regular Reviews: Periodic review of security measures and access controls.

7. Data Breach Notification

In the event of a personal data breach, BookMe Studio will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

8. Audits

The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. Audits shall be conducted with reasonable notice (at least 30 days), during normal business hours, and in a manner that does not unreasonably disrupt the Processor's operations. The Controller shall bear the cost of any audit.

9. Term and Termination

This DPA is effective as long as the Controller uses the Service. Upon termination of the Service, the Processor will delete or anonymize all personal data within 30 days, except where retention is required by applicable law (e.g., financial records retained for 7 years for tax compliance). The Controller may request a data export before termination using the platform's built-in GDPR data export tools.

10. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law that cannot be limited under applicable law.

11. Contact

For questions about this DPA or to exercise rights under it, contact us at privacy@bookmestudio.com.