Data Processing Agreement (Annex: DPA)

Concluded electronically between: the Partner (data controller) – a business user of the Services (salon/studio/self-employed professional) who accepts the Terminka Terms of Service, and DOIT-BI Sp. z o.o. with its registered office in Wrocław, pl. Powstańców Śląskich 1/11, 53-329 Wrocław, KRS 0001034827, NIP 8992959861, REGON 525250584 – operating under the brand Terminka ("Processor" / "Terminka").

November 17, 2025
§1. Subject matter, duration, and nature of processing
  1. This Annex sets out the rules for entrusting Terminka with the processing of personal data for which the Partner is the data controller, in connection with the use of the Services (in particular the Terminka Partner application and related modules).

  2. Duration: for the term of the Services Agreement (Terms of Service) and until the deletion/return of the data in accordance with §10 of this DPA.

  3. Nature and purpose: hosting, storage, organising, structuring, retrieving, making available at the Partner’s request, transmission, restriction, deletion – for the purpose of enabling the Partner to serve its clients, manage calendars and bookings, settlements, communication, reporting, and integrations indicated by the Partner.

§2. Categories of data subjects, data, and scope of processing activities
  1. Categories of data subjects: the Partner’s clients (current and potential), the Partner’s staff, users of the Partner’s accounts.

  2. Categories of data: identification and contact data (e.g., name and surname, phone number, e-mail), booking data (times, statuses, services), visit notes, marketing consents (if collected), communication, transaction and settlement identifiers, technical data (logs, IP, device identifiers).

  3. Special categories of data: Terminka does not require and does not recommend processing health data.
    If the Partner chooses to process such data, the Partner confirms having an appropriate legal basis and limits the scope to what is strictly necessary; Terminka processes such data only on documented instructions (§3 sec. 2 of this DPA) and applies adequate security measures.

§3. Instructions and obligations of the Partner (Controller)
  1. The Partner declares that they have a valid legal basis for processing the data and for transferring it to Terminka.

  2. Terminka processes the data solely on documented instructions from the Partner (including through configurations in the panel, API, and written/e-mail instructions), unless processing is required by EU or Polish law.

  3. The Partner is responsible for fulfilling the information obligations towards data subjects and for handling their requests, with Terminka’s support as provided in §6 of this DPA.

§4. Obligations of Terminka (Processor)

Terminka undertakes in particular to:

  1. ensure that persons authorised to process the data maintain confidentiality (commitments/clauses) and are properly trained;

  2. apply appropriate technical and organisational measures in accordance with Art. 32 GDPR;

  3. support the Partner in fulfilling obligations under Art. 32–36 GDPR (security, breach notification, impact assessments, consultations);

  4. provide assistance in the exercise of data subject rights as described in §6 of this DPA;

  5. maintain a record of categories of processing activities;

  6. not engage another processor without complying with §5 of this DPA;

  7. inform the Partner about any binding legal order to disclose data, provided that the law does not prohibit such disclosure;

  8. after the end of the Service provision – delete or return the data in accordance with §10 of this DPA.

§5. Subprocessors
  1. The Partner grants general authorisation for Terminka to use subprocessors.

  2. The current list is published on the Subprocessors page (Annex C of the Privacy Policy).
    Terminka ensures that each subprocessor is subject to obligations no less stringent than those set out in this DPA.

  3. Terminka will inform the Partner of planned changes to the list with at least 15 days’ prior notice (e-mail or notice in the panel).
    Lack of objection within this period constitutes consent.
    In case of an objection, the Parties will make reasonable efforts to find a solution (e.g., disabling the relevant integration); if no solution is possible, the Partner may terminate the agreement in the part concerning the affected functionality.

§6. Rights of data subjects
  1. Taking into account the nature of the processing, Terminka assists the Partner in handling data subject requests (access, rectification, deletion, restriction, portability, objection).

  2. If a request is submitted directly to Terminka, we will forward it to the Partner unless we are under a legal obligation to respond independently.

  3. Terminka implements processes that enable timely handling and documentation of such requests.

§7. Personal data breaches
  1. Terminka will notify the Partner of any personal data breach without undue delay after becoming aware of the breach, providing at least the information required under Art. 33(3) GDPR, to the extent available.

  2. Terminka cooperates in the risk assessment, preparation of notifications to the supervisory authority/data subjects, and in implementing remedial actions.

§8. Technical and organisational measures (TOM)

At a minimum: encrypted transmission (TLS), access and permission control (roles/ACL, MFA for staff), environment segmentation, pseudonymisation where possible, encryption of selected data at rest, event logging and monitoring, security testing and vulnerability management, backups and recovery, business continuity procedures, vendor verification, data minimisation principle.
A detailed TOM description may be made available to Partners upon request in the form of a control sheet.

§9. Audits and inspections
  1. The Partner has the right to conduct an audit (desk audit based on questionnaires/reports) no more than once every 12 months, with 14 days’ prior notice, during business hours and without unduly disrupting Terminka’s operations; an on-site audit may be carried out in justified cases.

  2. The Parties shall ensure the confidentiality and security of information. The costs of extraordinary audits shall be borne by the Partner, unless the audit reveals significant violations on the part of Terminka.

§10. Return and deletion of data
  1. After the termination of the Services, Terminka shall, at the Partner’s choice communicated within 30 days, provide a data export in a structured format (e.g., CSV/JSON) and subsequently delete the data from operational systems within 60 days, unless longer retention is required by law (in which case the data will be appropriately blocked).

  2. Backups are overwritten/removed in accordance with standard retention cycles.

§11. Transfers outside the EEA

If data is transferred outside the EEA, Terminka ensures a legal basis in accordance with Chapter V of the GDPR (e.g., SCC) and — where necessary — additional safeguards (e.g., encryption, access restrictions).
Preferred data centre locations: EEA.

§12. Liability and precedence

The Parties’ liability is defined in the main agreement (Terms of Service) to the extent permitted by law; the provisions of the GDPR take precedence. In the event of any inconsistency, this Annex – the DPA – has precedence with regard to data processing matters.

§13. Entry into force and form
  1. The DPA enters into force upon the Partner’s acceptance of the Terms of Service (click-wrap) and constitutes an integral part thereof.

  2. The Parties confirm that the DPA is concluded in electronic form (Art. 28(9) GDPR) and is equivalent to a written agreement.

  3. Terminka maintains a record of acceptance (including date/time, account identifier, IP address, document version) and makes the current version available online.

Contact details for data protection matters:

DPO: rodo@doit-bi.com
Correspondence address: DOIT-BI Sp. z o.o., pl. Powstańców Śląskich 1/11, 53-329 Wrocław, Poland.