Calentivo

Legal

Data Processing Agreement (DPA)

How personal data is processed by Calentivo on behalf of Customers.

Last updated: March 1, 2026

This Data Processing Agreement (DPA) forms part of the Terms and Conditions governing the use of Calentivo (the Terms) between the Customer and the Estonian company operating Calentivo (the Provider). This DPA applies where the Provider processes personal data on behalf of the Customer in connection with the provision of the Calentivo booking platform.

Read our Terms and Conditions

1. Roles of the Parties

For the purposes of Regulation (EU) 2016/679 (GDPR):

The Customer acts as the Data Controller.

The Provider acts as the Data Processor. The Provider processes personal data solely on behalf of the Customer and only in accordance with the Customer's documented instructions as reflected in the Terms and this DPA.

2. Subject Matter and Duration of Processing

The subject matter of processing is the provision of the Calentivo booking and scheduling platform.

Processing begins when the Customer uploads or collects personal data through Calentivo and continues for the duration of the Customer's Subscription, including any grace period described in the Terms.

After termination, data will be deleted in accordance with Section 9 of this DPA.

3. Nature and Purpose of Processing

The Provider processes personal data for the purpose of:

The Provider does not process data for its own marketing purposes.

  • Providing booking and scheduling functionality
  • Managing appointments and availability
  • Sending notifications (for example, email, SMS, and WhatsApp) as configured by the Customer
  • Providing customer support
  • Maintaining and securing the platform
  • Performing backup and disaster recovery operations

4. Categories of Data Subjects

Categories of data subjects may include:

  • End Customers booking services
  • Customer's employees and Authorized Users
  • Customer's own clients and contacts

5. Categories of Personal Data

Depending on Customer configuration, data may include:

The Provider does not intentionally process special categories of data under Article 9 GDPR unless uploaded by the Customer.

  • Name
  • Email address
  • Phone number
  • Booking date and time
  • Service details
  • Notes entered by End Customers
  • Communication records
  • Technical metadata (IP address, timestamps)

6. Provider Obligations

The Provider shall:

  • Process personal data only on documented instructions from the Customer.
  • Ensure persons authorized to process data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures in accordance with Article 32 GDPR.
  • Assist the Customer in responding to data subject rights requests.
  • Assist the Customer in fulfilling obligations under Articles 32 to 36 GDPR.
  • Notify the Customer without undue delay after becoming aware of a personal data breach.
  • Make available information necessary to demonstrate compliance with this DPA.

7. Sub-processors

The Customer authorizes the Provider to engage sub-processors necessary to operate Calentivo.

Current categories of sub-processors include:

The Provider ensures sub-processors are bound by data protection obligations equivalent to those in this DPA. A current list of sub-processors is available in the Privacy Policy.

  • Cloud hosting providers
  • Communication service providers (for example, Bird)
  • AI service providers (for example, OpenAI)
  • Payment processor for subscription billing (Stripe)

8. International Transfers

Where personal data is transferred outside the European Economic Area, the Provider ensures appropriate safeguards under Articles 44 to 49 GDPR, including:

The Provider applies equivalent technical and organizational safeguards where required.

  • Standard Contractual Clauses
  • Adequacy decisions
  • Equivalent technical and organizational safeguards

9. Deletion and Return of Data

Upon termination of the Subscription, the Customer may export available data during the grace period described in the Terms.

After the grace period, personal data is deleted or anonymized, except where retention is required by law.

Backup systems may retain data temporarily in accordance with secure retention policies.

10. Liability

Liability under this DPA is subject to the limitation of liability set out in the Terms.