Data Processing Agreement (Annex: DPA)

Concluded electronically between: the Partner (data controller) — a business user of the Services (salon/clinic/self-employed person) who accepts the Terminka Terms, and DOIT-BI Sp. z o.o., with its registered office in Wrocław, pl. Powstańców Śląskich 1/11, 53-329 Wrocław, KRS 0001034827, NIP 8992959861, REGON 525250584 — operating under the Terminka brand (“Processor” / “Terminka”).

March 20, 2026

§1. Subject matter, duration, and nature of processing

  1. This Annex governs the rules under which the Partner entrusts Terminka with the processing of personal data for which the Partner is the controller, in connection with the use of the Services, in particular the Terminka Partner application and related modules.

  2. Duration: for the term of the agreement for the provision of the Services (Terms of Service) and until the data is deleted or returned in accordance with §10 of the DPA.

  3. Nature and purpose: hosting, storage, organization, arrangement, consultation, making available at the Partner’s request, transmission, restriction, and deletion — for the purpose of enabling the servicing of the Partner’s clients, maintaining the calendar and bookings, administering the Partner Account, using paid Terminka features, communication, reporting, and integrations indicated by the Partner. If the Partner uses the public display function for the Profile or offer, the processing may also include making the Partner’s data and materials available in Terminka channels in accordance with the Partner’s configuration and instructions.

§2. Categories of data and data subjects, scope of activities

  1. Categories of data subjects: the Partner’s clients (current and prospective), the Partner’s staff, and users of the Partner’s accounts.

  2. Categories of data: identification and contact data (e.g. first and last name, phone number, e-mail), booking data (dates, statuses, services), visit notes, marketing consents (if collected), communications, payment and billing identifiers related to the Partner’s use of paid Terminka features, and technical data (logs, IP, device identifiers).

  3. Special categories of data: Terminka does not require the processing of special categories of personal data. If the Partner decides to process such data, the Partner confirms that it has an appropriate legal basis and limits the scope of such data to the necessary minimum. Terminka processes such data solely on the basis of the Partner’s documented instruction and applies appropriate security measures.

§3. Instructions and obligations of the Partner (Controller)

  1. The Partner declares that it has an appropriate legal basis for processing the data and transferring it to Terminka.

  2. Terminka processes data solely on the basis of the Partner’s documented instruction (including through panel configuration, API, acceptance of relevant options in the Services interface, and written or e-mail instructions), unless processing is required by EU or Polish law. The Partner’s instruction may also include optional implementation support, including technical creation of the Account, initial completion of the Profile, and import or entry of offer data, services, prices, service duration, and contact details based on materials provided by the Partner.

  3. The Partner is responsible for fulfilling information obligations toward data subjects and handling their requests, with the support of Terminka in accordance with §6 of the DPA.

§4. Obligations of Terminka (Processor)

Terminka undertakes in particular to:

  1. ensure that persons authorized to access the data maintain confidentiality and are properly trained;

  2. apply appropriate technical and organizational measures in accordance with Article 32 GDPR;

  3. support the Partner in fulfilling obligations under Articles 32–36 GDPR, in particular with regard to security, breach notification, impact assessments, and consultations;

  4. assist in the exercise of data subject rights as referred to in §6 of the DPA;

  5. maintain a record of categories of processing activities, where required;

  6. not engage another processor without complying with §5 of the DPA;

  7. inform the Partner of any binding legal instruction, unless the law prohibits such disclosure;

  8. upon termination of the Services, delete or return the data in accordance with §10 of the DPA.

§5. Subprocessors

  1. The Partner grants a general authorization for Terminka to use subprocessors.

  2. The current list of subprocessors is published on the Subprocessors website. Terminka ensures that each subprocessor is subject to obligations no less restrictive than those set out in this DPA.

  3. Terminka will inform the Partner of planned changes to the list at least 15 days in advance (by e-mail or panel notification). Lack of objection within that period shall constitute consent. In the event of an objection, the Parties will make efforts to find a solution, for example by disabling a given integration; if no solution is possible, the Partner may terminate the agreement in the part relating to the relevant functionality.

§6. Rights of data subjects

  1. Taking into account the nature of the processing, Terminka assists the Partner in responding to requests from data subjects, in particular with regard to access, rectification, erasure, restriction, portability, and objection.

  2. If a request is sent directly to Terminka, Terminka will forward it to the Partner unless Terminka is under a legal obligation to respond independently.

  3. Terminka implements processes enabling timely handling of requests and proper documentation thereof.

§7. Personal data breaches

  1. In the event of a personal data breach, Terminka shall notify the Partner without undue delay after becoming aware of the breach, providing at least the information required under Article 33(3) GDPR, insofar as available.

  2. Terminka shall cooperate with the Partner in risk analysis, preparation of notifications to the UODO or to data subjects, and in remedial actions.

§8. Technical and organizational measures (TOMs)

Terminka applies at least the following technical and organizational measures:

  • transmission encryption (TLS),
  • access and authorization controls, including roles/ACL and MFA for staff,
  • environment segmentation,
  • pseudonymization where possible,
  • encryption of selected data at rest,
  • logging and monitoring of events,
  • security testing and vulnerability management,
  • backups and recovery procedures,
  • business continuity procedures,
  • supplier verification,
  • the data minimization principle.

A detailed description of the TOMs may be made available to Partners upon request in the form of a control sheet or other equivalent documentation.

§9. Audits and inspections

  1. The Partner has the right to carry out a desk audit based on questionnaires, reports, or documentation no more than once every 12 months, with 14 days’ notice, during business hours, and without undue disruption to Terminka’s operations. On-site audits are possible only in justified cases.

  2. The Parties shall ensure the confidentiality and security of information disclosed during the audit. The costs of extraordinary audits shall be borne by the Partner, unless the audit reveals material breaches on the part of Terminka.

§10. Return and deletion of data

  1. Upon termination of the Services, Terminka shall, according to the Partner’s choice communicated within 30 days, provide an export of the data in a structured format (e.g. CSV/JSON), and shall then delete the data from operational systems within 60 days, unless a longer retention period is required by law; in such case, the data shall be appropriately blocked.

  2. Backups are overwritten or deleted in accordance with standard retention cycles.

§11. Transfers outside the EEA

If data is transferred outside the EEA, Terminka shall ensure an appropriate legal basis under Chapter V GDPR, for example standard contractual clauses (SCC), and, where necessary, additional safeguards such as encryption or access restrictions. Preferred data center locations: EEA.

§12. Liability and precedence

  1. The liability of the Parties is governed by the main agreement (Terms of Service) to the extent permitted by law; GDPR provisions shall prevail.

  2. In the event of any conflict between provisions, this Annex — the DPA — shall prevail in matters relating to data processing.

§13. Entry into force and form

  1. The DPA enters into force upon the Partner’s acceptance of the Terms of Service (click-wrap) and forms an integral part thereof.

  2. The Parties confirm that the DPA is concluded in electronic form in accordance with Article 28(9) GDPR and is equivalent to written form.

  3. Terminka maintains a record of acceptances, including in particular the date and time of acceptance, account identifier, IP address, and document version, and makes the current version available online.

Contact details for data protection matters

Data protection contact: rodo@terminka.com

Correspondence address:
DOIT-BI Sp. z o.o.
pl. Powstańców Śląskich 1/11
53-329 Wrocław
Poland