Data Processing Agreement (DPA)
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between IiroMan OÜ (“Taimli”, “Processor”) and the salon or business using Taimli (“Salon”, “Controller”).
This DPA ensures compliance with the EU General Data Protection Regulation (GDPR) for all personal data processed by Taimli on behalf of the Salon.
1. Definitions
“Controller”
The Salon that determines the purposes and means of processing personal data of its clients.
“Processor”
Taimli (IiroMan OÜ), which processes personal data on behalf of the Salon.
“Personal Data”
Any information relating to an identifiable individual.
“Services”
The Taimli booking platform and related features provided to the Salon.
“Sub-processors”
Third-party providers engaged by Taimli to support the service.
2. Subject Matter and Duration
Taimli processes personal data solely for the purpose of providing the booking, scheduling, communication, and related features of the platform.
This DPA remains valid as long as the Salon uses Taimli.
3. Nature and Purpose of Processing
Taimli processes personal data for:
- Managing customer bookings
- Sending email and SMS confirmations and reminders
- Displaying salon schedules
- Storing booking history (until deleted by the salon)
- Optional communications from salon to clients
- Securely hosting customer data for salon operations
Taimli does not process salon customer data for its own purposes.
4. Types of Personal Data and Data Subjects
4.1 Data Subjects
- Salon clients
- Salon staff (optional)
4.2 Types of Data
- Name
- Email address
- Phone number
- Appointment details
- Optional notes
Taimli does not collect IP addresses or device fingerprints.
5. Obligations of the Processor (Taimli)
Taimli agrees to:
- Process personal data only on documented instructions from the Salon.
- Not use client data for advertising, analytics, training models, or any unrelated purpose.
- Maintain appropriate technical and organisational security measures.
- Ensure that staff with access to data are under confidentiality obligations.
- Assist the Salon in fulfilling GDPR data subject requests.
- Notify the Salon without undue delay of any personal data breach.
- Delete all salon data upon account deletion, subject to provider backup cycles.
- Make available all information necessary to demonstrate GDPR compliance.
6. Obligations of the Controller (Salon)
The Salon agrees to:
- Collect client data lawfully and inform clients that Taimli processes their data.
- Use Taimli only for legitimate business purposes.
- Handle all GDPR requests from clients, with support from Taimli.
- Determine its own lawful basis for processing (typically performance of contract).
- Ensure contact information provided to clients is accurate.
7. Sub-processors
Taimli uses GDPR-compliant sub-processors essential to delivering the service:
- Stripe — payment processing
- Hetzner & Servinga — VPS hosting (EU)
- PlanetScale — managed PostgreSQL database (EU region)
- Cloudflare — DNS, security, and content delivery (SCCs may apply)
- Cloudflare R2 — media storage (EU region)
- Mailgun — transactional email (EU region)
- Prelude — SMS delivery for booking confirmations and reminders
Taimli ensures all sub-processors provide appropriate data protection guarantees.
The Salon authorizes Taimli to use these sub-processors.
8. International Transfers
Taimli stores and processes data primarily within the EU.
Some providers (e.g., Cloudflare) may transfer limited data outside the EU.
Such transfers are protected using:
- Standard Contractual Clauses (SCCs)
- Additional contractual and technical safeguards
Taimli aims to use EU-based processing whenever possible.
9. Security Measures
Taimli employs industry-standard security practices, including:
- HTTPS encryption in transit
- Encryption at rest where supported by providers
- Access control and authentication
- Password hashing (Argon2 for upcoming password features; magic link for now)
- Database backups managed by hosting providers
- Regular patching and security updates
10. Data Retention and Deletion
Minimal Retention Policy (Controller-Friendly)
- Client data is retained only while the Salon’s account is active.
- Upon account deletion, all personal data is deleted immediately from production systems.
- Backup retention by providers (e.g., PlanetScale) persists for 30–90 days, then is automatically purged.
- Taimli does not maintain additional internal backups of production data.
The Salon may delete client data at any time through the interface or by request.
11. Breach Notification
In case of a confirmed personal data breach, Taimli will notify the Salon without undue delay and provide all necessary information for compliance with GDPR Articles 33–34.
12. Assistance with Data Subject Requests
Taimli will support the Salon in handling:
- Access requests
- Correction
- Deletion
- Export
- Objection or restriction requests
Requests from salon clients must be initiated by the Salon.
13. Verification and Audits
At the Salon’s written request, Taimli will provide all information reasonably necessary to demonstrate compliance with this DPA, including a description of relevant security measures and a list of sub-processors.
The Salon’s verification rights are limited to reviewing such documentation.
No on-site audits, inspections, or access to Taimli’s infrastructure, systems, or hosting environments are permitted.
If additional information is required for the Salon’s GDPR compliance, Taimli will make reasonable efforts to respond to such requests.
14. Termination
Upon termination of the Salon’s Taimli account:
- All personal data is deleted from active systems
- Backup data is automatically purged according to provider retention cycles
- Taimli retains no copies of personal data beyond required legal obligations
15. Governing Law
This DPA is governed by the laws of Estonia.
Disputes shall be resolved exclusively in the courts of Tallinn, Estonia.
16. Entire Agreement
This DPA forms part of the Terms of Service.
In case of conflict between the Terms and this DPA, the DPA prevails for data protection matters.
IiroMan OÜ (Taimli)
Email: [email protected]