Data Processing Agreement

Capitalized terms used but not defined in this DPA have the meanings given in the Terms of Service. For the purposes of this DPA:

"Applicable Data Protection Law" means all laws and regulations applicable to the processing of personal data under this DPA, including (a) the EU General Data Protection Regulation 2016/679 ("GDPR"); (b) the UK GDPR and the UK Data Protection Act 2018; (c) the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"); and (d) other U.S. state privacy laws (including those of Virginia, Colorado, Connecticut, Utah, Texas, and Oregon), each as in force from time to time.

"Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" have the meanings given in the GDPR. Under CCPA/CPRA, "Customer" acts as a "Business" and "Bellafy" acts as a "Service Provider".

"End User" means an individual who interacts with the Customer's Progressive Web App powered by Bellafy (typically a client of the Customer's beauty clinic).

"Services" means the Bellafy platform and related services provided to the Customer under the Terms of Service.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as approved by the European Commission (Decision 2021/914/EU), as amended or replaced from time to time.

"Subprocessor" means any third party engaged by Bellafy to process Personal Data on its behalf in connection with the Services.

This DPA applies to the Processing of Personal Data by Bellafy acting as a Processor on behalf of the Customer acting as a Controller.

The Customer is and remains the Controller of the End User Personal Data processed through its Bellafy account. The Customer is responsible for the lawfulness of the collection, use, and processing of such Personal Data, including ensuring that appropriate legal bases exist for the processing and that End Users have been properly informed through the Customer's own privacy notice.

Bellafy acts as a Processor and will only process Personal Data on documented instructions from the Customer, as set out in this DPA, the Terms of Service, and the Customer's use of the Services. Bellafy will inform the Customer without undue delay if, in its opinion, an instruction infringes Applicable Data Protection Law.

This DPA does not apply to Personal Data for which Bellafy acts as a Controller (for example, account information of the Customer's authorized users, billing information, or website analytics about visitors to bellafy.app). Such processing is governed by the Bellafy Privacy Policy.

Subject matter of the Processing. Provision of the Bellafy Services, including online booking, payment coordination, voucher management, loyalty program, push notifications, and client database management.

Duration of the Processing. For as long as the Customer maintains an active Bellafy account, plus the retention periods set out in Section 9 (Return and Deletion).

Nature and purpose of the Processing. Storage, organization, retrieval, consultation, use, disclosure by transmission (to authorized Subprocessors), restriction, erasure, and destruction of Personal Data as necessary to provide the Services.

Types of Personal Data processed on behalf of the Customer. Limited to the minimum necessary to deliver the Services: End User first name, phone number, appointment history, voucher balances, loyalty points balance, communication preferences, push notification subscription data (where opted in), and Stripe tokenized payment method references. Bellafy does not receive or store raw payment card numbers at any point.

Categories of Data Subjects. End Users registered through the Customer's Progressive Web App (typically clients of the Customer's beauty clinic).

Bellafy will process Personal Data only on the Customer's documented instructions, including those reflected in the Customer's use of the Services and the configuration choices made in the Bellafy dashboard. The Customer instructs Bellafy to process Personal Data: (a) to provide and maintain the Services; (b) as further specified in the Services' configuration (e.g. appointment reminders, push notifications, loyalty points calculations); (c) to comply with the Customer's reasonable instructions consistent with the Terms of Service; and (d) as required by law, in which case Bellafy will inform the Customer of that legal requirement unless prohibited from doing so.

If Bellafy believes that an instruction from the Customer would violate Applicable Data Protection Law, Bellafy will inform the Customer without undue delay. The Customer will be responsible for any such instructions it provides to Bellafy.

Bellafy will ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory, and that such personnel process Personal Data only on a need-to-know basis.

Bellafy will take reasonable steps to ensure that personnel authorized to process Personal Data are reliable and have received appropriate training on their responsibilities under Applicable Data Protection Law.

Bellafy has implemented and will maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.

The current security measures are described on the Bellafy Security page at https://bellafy.app/en/security and include, without limitation: encryption of data in transit (TLS 1.3) and at rest (AES-256); Row-Level Security at the database layer to isolate Customer data; two-factor authentication available to all Customer users; bot protection and rate limiting on sensitive endpoints; principle of least privilege for internal access; audit logging of sensitive operations; and regular review of the security posture.

Bellafy may update its security measures from time to time provided the updates do not materially decrease the overall level of protection.

The Customer provides a general authorization for Bellafy to engage Subprocessors to process Personal Data on the Customer's behalf in connection with the Services.

As of the date of this DPA, Bellafy engages the following Subprocessors: Stripe, Inc. (United States) — payment processing; Supabase Inc. (United States) — database, authentication, and file storage; Vercel Inc. (United States) — application hosting; Resend (United States) — transactional email; Cloudflare, Inc. (United States) — bot protection and content delivery; Google LLC (United States) — website analytics.

A current list of Subprocessors, including the categories of Personal Data processed by each, is available at https://bellafy.app/en/privacy and https://bellafy.app/en/security.

Bellafy will notify the Customer at least 30 days before engaging any new Subprocessor that will process Personal Data, by updating the list referenced above or by another reasonable means (including email to the account owner).

The Customer may object in writing to the appointment of a new Subprocessor on reasonable grounds relating to the protection of Personal Data, within 30 days of the notification. If the parties cannot reach a mutually acceptable resolution within a further 30 days, the Customer may terminate the affected Services for convenience by written notice, without liability to either party except for fees accrued before termination. Absent a written objection within the 30-day period, the appointment of the new Subprocessor is deemed accepted.

Bellafy will enter into a written agreement with each Subprocessor imposing data protection obligations substantially equivalent to those set out in this DPA and remains responsible for its Subprocessors' performance of those obligations.

Bellafy is established in the United States and processes Personal Data primarily in the United States. Certain Subprocessors may also process Personal Data in other jurisdictions.

Where Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland is transferred to a country that has not received an adequacy decision from the competent authority, such transfers are governed by the Standard Contractual Clauses (Module Two: Controller to Processor) published by the European Commission (Decision 2021/914/EU), which are hereby incorporated into this DPA by reference. For transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner's Office, is hereby incorporated by reference.

For the purposes of the SCCs: (a) the Customer is the "data exporter" and Bellafy is the "data importer"; (b) Clause 7 (Docking clause) applies; (c) in Clause 9, Option 2 (general written authorization for Subprocessors) applies with a 30-day notification period as set out in Section 7 of this DPA; (d) in Clause 11, the optional redress language is not used; (e) in Clause 17, Option 1 applies, with the law of Ireland as the governing law; (f) in Clause 18, the courts of Ireland are chosen as the competent courts; and (g) Annex I (list of parties, description of transfer), Annex II (technical and organizational measures), and Annex III (list of Subprocessors) are populated by reference to this DPA and the Bellafy Security and Privacy pages.

Bellafy will implement supplementary measures as required to ensure an essentially equivalent level of protection, which may include technical measures (encryption, access controls), contractual measures (as set out in the SCCs), and organizational measures (challenging overly broad government requests, publishing transparency reports if any are made).

Throughout the term of the Services, the Customer may export End User Personal Data at any time through the export features provided in the Bellafy dashboard (including the client list, reservation history, and activity logs).

Upon termination or expiration of the Services for any reason, the Customer may request the return or deletion of Personal Data. Absent a specific instruction from the Customer, Bellafy will retain Personal Data in a read-only state for 30 days following termination to allow for export, and will then permanently delete the Personal Data from its active systems.

Deletion from backups occurs in accordance with the backup retention cycle (typically within the point-in-time recovery window maintained by Bellafy's database provider, currently up to 7 days). During that residual period, backup data is not actively accessed and is overwritten in the ordinary course.

Bellafy may retain Personal Data to the extent required by applicable law, including tax and accounting law, in which case such retention is limited to the minimum required and the data continues to be protected in accordance with this DPA.

As Processor, Bellafy will provide reasonable assistance to the Customer, taking into account the nature of the Processing and the information available to Bellafy, in fulfilling the Customer's obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, deletion, restriction, portability, and objection.

If a Data Subject submits a request directly to Bellafy relating to Personal Data processed on behalf of the Customer, Bellafy will, without undue delay, inform the Data Subject that the request should be directed to the Customer and, where appropriate, forward the request to the Customer.

To the extent the Customer cannot obtain the necessary information from the Bellafy dashboard's self-service export and deletion features, the Customer may request additional assistance from Bellafy by contacting support@bellafy.app.

Bellafy will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Customer's Personal Data.

Such notification will include, to the extent known at the time: (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences of the Personal Data Breach; (c) the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects; and (d) a point of contact for further information.

Where and to the extent it is not possible to provide all information at the same time, the information may be provided in phases without further undue delay.

Bellafy's notification of or response to a Personal Data Breach is not an acknowledgment by Bellafy of any fault or liability. The Customer remains responsible for notifying the competent supervisory authority and affected Data Subjects as required by Applicable Data Protection Law.

Bellafy will provide reasonable assistance to the Customer, at the Customer's reasonable cost where such assistance materially exceeds the information already made available publicly (for example, through the Bellafy Privacy, Security, and Documentation pages), with: (a) any data protection impact assessment the Customer is required to carry out under Applicable Data Protection Law; and (b) any prior consultation with a supervisory authority required under such law.

Bellafy will make available to the Customer all information reasonably necessary to demonstrate compliance with its obligations under this DPA and Applicable Data Protection Law. This includes the information published on the Bellafy Security page, the list of Subprocessors, and any third-party audit reports or certifications Bellafy may hold from time to time.

Where the Customer reasonably believes that the information made available is insufficient to demonstrate compliance, the Customer may request additional information in writing with at least 30 days' notice, no more than once per twelve-month period (except following a Personal Data Breach affecting the Customer). Bellafy will respond to such requests within a reasonable timeframe.

On-site audits are not generally available; where Applicable Data Protection Law (including the SCCs) requires them, the parties will agree in advance on the scope, timing, and conduct of the audit, such audit will be conducted during regular business hours, without disruption to Bellafy's operations, and subject to appropriate confidentiality and security protections. The Customer bears the cost of any on-site audit it requests.

This Section applies to the extent Bellafy processes Personal Data of California residents on behalf of the Customer.

The parties acknowledge that the Customer is the "Business" and Bellafy is the "Service Provider" with respect to such Personal Data.

Bellafy will: (a) not sell or share (as those terms are defined in the CCPA/CPRA) Personal Data; (b) not retain, use, or disclose Personal Data for any purpose other than the specific purpose of performing the Services or as otherwise permitted by the CCPA/CPRA; (c) not retain, use, or disclose Personal Data outside of the direct business relationship between the Customer and Bellafy; (d) not combine Personal Data received from or on behalf of the Customer with Personal Data received from another source, except as permitted by the CCPA/CPRA; and (e) comply with applicable obligations under the CCPA/CPRA.

Bellafy certifies that it understands the restrictions set out in this Section 14 and will comply with them.

Each party's liability under or in connection with this DPA is subject to the limitations of liability set out in the Terms of Service, except where and to the extent such limitations are not permitted by Applicable Data Protection Law (including Clause 12 of the SCCs, to the extent incorporated).

This DPA is effective upon the Customer's acceptance of the Terms of Service and will remain in force for as long as Bellafy processes Personal Data on behalf of the Customer. Sections that by their nature are intended to survive (including those relating to confidentiality, return and deletion, and liability) will continue to apply after termination.

Order of precedence. In the event of any conflict between this DPA and the Terms of Service, this DPA prevails as to matters of data protection. In the event of any conflict between this DPA and the SCCs (where incorporated), the SCCs prevail.

Amendments. Bellafy may update this DPA from time to time to reflect changes in Applicable Data Protection Law, changes to its Services, or changes to its security practices. When material changes are made, Bellafy will notify the Customer at least 15 days before the changes take effect.

Entire agreement. This DPA, together with the Terms of Service and the Privacy Policy, constitutes the entire agreement between the parties with respect to the Processing of Personal Data.

Language. In the event of any conflict between the English version of this DPA and any translated version, the English version prevails.

Signed copy. While no signature is required for this DPA to be binding, Customers may request a countersigned copy for their records by emailing support@bellafy.app with the subject line "DPA signature request".

Questions about this DPA can be sent to support@bellafy.app.

Bellafy LLC

[Registered agent address, Wyoming]

United States