Legal

Data Processing Agreement (DPA)

Last updated: April 2026 · version 2026.04.1

Data Controller

Email:
privacy@tapsela.com

Operating as unregistered economic activity (działalność nierejestrowana) under art. 5 of the Polish Entrepreneurs’ Law (ustawa Prawo przedsiębiorców).

Who this is for

This Data Processing Agreement (DPA) is intended for Specialists (business users) who use Tapsela to manage their Clients' bookings. If you are a Client booking an appointment, this document does not apply to you — please refer to the Privacy Policy.

A. Subject matter and duration

The Specialist (Data Controller) entrusts Tapsela (Processor) with the processing of Client personal data for the purpose of providing the appointment booking service. The processing applies for the entire duration of the main Service Agreement and afterwards for the period necessary to fulfil return or deletion obligations.

B. Nature and purpose of processing

Tapsela processes the entrusted data solely to create and maintain bookings, send transactional messages according to Client preferences, provide the Specialist with an appointment management interface, and ensure the security and integrity of the service. Tapsela does not use the entrusted data for its own marketing or analytics purposes.

C. Types of personal data

The following categories of Client personal data may be entrusted:

  • name (or first name only)
  • phone number
  • optional email address
  • appointment date, time, duration and name
  • optional location, price, Specialist notes
  • communication preferences and Client consent history

D. Categories of data subjects

Specialist's Clients booking appointments via book.tapsela.com or booking links generated in the Specialist's panel.

E. Tapsela's obligations as Processor

Tapsela undertakes to:

  • process data only on the documented instructions of the Controller
  • ensure confidentiality of data by authorised persons
  • implement appropriate technical and organisational measures pursuant to Art. 32 GDPR
  • assist in fulfilling data subject rights
  • notify the Controller of a breach within no more than 48 hours of becoming aware
  • assist in DPIAs and consultations with the supervisory authority
  • return or delete the entrusted data within 30 days after termination of the service
  • make available all information necessary to demonstrate compliance with Art. 28 GDPR and allow audits

F. Sub-processors

The Controller grants general authorisation for Tapsela's use of sub-processors, the current list of which is published in the privacy policy. Tapsela informs the Controller of planned changes at least 30 days in advance and allows objection (Art. 28(4) GDPR).

G. Transfers outside the EEA

Some sub-processors (Cloudflare, Clerk) process data in third countries. Transfers are based on the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021. Copies of the SCCs are available upon request.

H. Liability

Each Party is liable for damages pursuant to Art. 82 GDPR. Tapsela's aggregate liability under this DPA shall not exceed amounts paid by the Controller in the 12 months preceding the event causing the damage, excluding wilful misconduct and gross negligence.

I. Right to audit

The Controller is entitled to one audit per calendar year, with 30 days' prior notice. Tapsela may offer an independent auditor's report (e.g. ISO 27001, SOC 2) as an alternative to an on-site audit.

J. Term

This DPA enters into force upon acceptance of the Terms and remains in effect for their duration. It terminates automatically upon termination of the main Agreement, subject to the data return/deletion obligations in Section E.

Contact

Data protection contact point: privacy@tapsela.com