Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of and is incorporated into the Business Partner Agreement ("Merchant Terms") between Stratosyte Pty Ltd (ABN 95 682 286 326, ACN 682 286 326), operating as KeepMyBooking ("KeepMyBooking", "we", "us"), and the Merchant identified during onboarding ("Merchant", "you"). Capitalised terms not defined in this DPA have the meaning given to them in the Merchant Terms.

1. Background and Purpose

1.1

In the course of providing services through the KeepMyBooking Platform, the Controller shares certain personal data of end-users (consumers) with the Merchant to enable the delivery of booked services.

1.2

The parties acknowledge that for the purposes of this DPA:

• KeepMyBooking determines the Platform purposes and means for collection and disclosure of end-user personal data through the Platform.
• The Merchant receives and handles end-user personal data only for the limited purposes permitted under this DPA and the Merchant Terms in connection with delivering booked services.

1.3

This DPA sets out the obligations of each party in connection with the processing of personal data, in compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and the Privacy Act 2020 (NZ) and the Information Privacy Principles (IPPs) for New Zealand Merchants.

2. Definitions

For the purposes of this DPA:

• "Personal data" means any information relating to an identified or identifiable individual, as defined under the Privacy Act 1988 (Cth) and the Privacy Act 2020 (NZ).
• "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, transfer, or deletion.
• "End-user data" means the personal data of consumers shared by KeepMyBooking with the Merchant in connection with a confirmed booking, including name, contact details, booking details, and any other information provided through the Platform.
• "Notifiable data breach" has the meaning given under Part IIIC of the Privacy Act 1988 (Cth).
• "Sub-processor" means any third party engaged by the Merchant to process end-user data on the Merchant's behalf.

3. Scope and Nature of Processing

3.1

KeepMyBooking authorises the Merchant to process end-user data only to the extent strictly necessary for the following permitted purposes:

• Confirming and delivering the booked service to the end-user.
• Communicating with the end-user regarding an active confirmed booking (including via the Platform's in-app chat).
• Complying with applicable legal obligations directly related to the service being delivered.

3.2

The Merchant must not process end-user data for any purpose other than those listed in clause 3.1, including but not limited to:

• Marketing, promotional, or advertising communications to the end-user.
• Profiling, analytics, or data enrichment activities.
• Sale, rental, or transfer of end-user data to any third party.
• Use of end-user data in connection with services provided outside of the KeepMyBooking Platform.

3.3

The categories of personal data shared with Merchants are limited to:

• Full name and preferred contact name.
• Contact details (email address and/or phone number, as provided by the user).
• Booking details (service selected, date, time, and any notes provided by the user at the time of booking).
• Booking status and transaction identifiers (for the purpose of settlement and service delivery confirmation).

3.4

KeepMyBooking does not share payment card details, government-issued identifiers, or sensitive information (as defined under the Privacy Act 1988 (Cth)) with Merchants through the Platform.

4. Merchant Obligations as Data Processor

4.1 Lawful processing

The Merchant must process end-user data only in accordance with KeepMyBooking's documented instructions as set out in this DPA, the Merchant Terms, and applicable privacy laws. If the Merchant is required by law to process end-user data for a purpose not covered by this DPA, it must notify KeepMyBooking prior to such processing unless the law prohibits notification.

4.2 Confidentiality

The Merchant must ensure that all personnel authorised to process end-user data are bound by appropriate confidentiality obligations and are aware of the restrictions set out in this DPA.

4.3 Security measures

The Merchant must implement and maintain appropriate technical and organisational security measures to protect end-user data against unauthorised access, disclosure, alteration, loss, or destruction. These measures must be appropriate to the nature and volume of personal data processed and must include, at a minimum:

• Restricting access to end-user data to personnel who require it for service delivery purposes.
• Using secure communication methods when transmitting personal data.
• Not storing end-user data in unsecured or publicly accessible locations (including unencrypted spreadsheets, shared drives, or personal email accounts).

4.4 Data minimisation

The Merchant must not collect, copy, or retain end-user data beyond what is necessary for and directly related to the delivery of the relevant booked service.

4.5 Retention and deletion

The Merchant must:

• Retain end-user data only for as long as necessary to deliver the booked service and comply with any applicable legal retention obligations.
• Delete or de-identify end-user data promptly upon completion of the booked service, unless retention is required by law.
• Upon termination of the Merchant Terms or at KeepMyBooking's written request, promptly delete or return all end-user data in the Merchant's possession, and certify in writing that this has been done.

4.6 No secondary use

The Merchant acknowledges that end-user data provided through the Platform was collected by KeepMyBooking for the primary purpose of facilitating bookings. The Merchant must not use end-user data for any secondary purpose, including the compilation of client lists, contact databases, or customer relationship management systems, without the express prior written consent of the relevant end-user obtained independently of the Platform.

5. Sub-Processors

5.1

The Merchant must not engage any sub-processor to process end-user data without KeepMyBooking's prior written approval.

5.2

Where KeepMyBooking approves the engagement of a sub-processor, the Merchant must:

• Enter into a written agreement with the sub-processor that imposes data processing obligations at least equivalent to those set out in this DPA.
• Remain fully liable to KeepMyBooking for the acts and omissions of the sub-processor in relation to end-user data.

5.3

For the avoidance of doubt, standard business software and tools used by the Merchant in the ordinary course of its operations (e.g., practice management software, internal scheduling tools) may be used in connection with end-user data, provided that the Merchant ensures that such tools are configured to apply appropriate security and access controls consistent with this DPA.

6. Data Subject Rights

6.1

The Merchant acknowledges that end-users have rights in respect of their personal data under the Privacy Act 1988 (Cth) and the Privacy Act 2020 (NZ), including rights of access, correction, and in certain circumstances deletion.

6.2

If the Merchant receives a request from an end-user seeking to exercise their privacy rights in respect of data that originates from the KeepMyBooking Platform, the Merchant must:

• Notify KeepMyBooking at [email protected] within 5 business days of receiving the request.
• Provide KeepMyBooking with reasonable assistance to enable KeepMyBooking to respond to the request within the timeframes required by applicable law.
• Not respond directly to the end-user's request without KeepMyBooking's prior written approval, unless the Merchant is independently required to do so by law.

7. Data Breach Notification

7.1

The Merchant must notify KeepMyBooking as soon as practicable, and in any event within 48 hours, of becoming aware of any actual or suspected data breach involving end-user data. The notification must include:

• A description of the nature of the breach, including the categories and approximate number of individuals and records affected.
• The likely consequences of the breach.
• The measures taken or proposed to be taken to address the breach and mitigate its effects.

7.2

The Merchant must not make any public statement or notification to any regulatory authority regarding a data breach involving end-user data without KeepMyBooking's prior written approval, unless independently required to do so by law.

7.3

KeepMyBooking retains the right to determine, in consultation with the Merchant, whether a breach constitutes a Notifiable Data Breach under the Privacy Act 1988 (Cth) requiring notification to the Office of the Australian Information Commissioner (OAIC) and/or affected individuals.

8. Audit Rights

8.1

KeepMyBooking may, on reasonable prior written notice of not less than 10 business days, request that the Merchant:

• Provide written confirmation that it is complying with its obligations under this DPA.
• Make available relevant documentation, records, or personnel for the purpose of verifying compliance with this DPA.

8.2

The Merchant must cooperate fully with any audit or verification request made by KeepMyBooking under this clause and must bear its own costs in connection with such cooperation.

8.3

KeepMyBooking will conduct audits no more than once per calendar year, unless a data breach or credible compliance concern warrants more frequent review.

9. Overseas Transfers

9.1

The Merchant must not transfer end-user data to a recipient located outside of Australia or New Zealand without KeepMyBooking's prior written approval.

9.2

Where KeepMyBooking approves an overseas transfer, the Merchant must ensure that the recipient is subject to privacy protections at least equivalent to the Australian Privacy Principles or the New Zealand Information Privacy Principles, or that an alternative lawful basis for the transfer exists under applicable law.

10. Liability and Indemnity

10.1

The Merchant is solely responsible for ensuring its processing of end-user data complies with this DPA and all applicable privacy laws.

10.2

The Merchant indemnifies KeepMyBooking against any loss, damage, liability, cost, or expense (including reasonable legal fees and regulatory fines) arising from or related to:

• The Merchant's breach of this DPA or any applicable privacy law.
• Unauthorised processing, disclosure, or use of end-user data by the Merchant or its personnel.
• Any failure by the Merchant to implement adequate security measures resulting in a data breach.
• Any regulatory investigation, enforcement action, or penalty arising from the Merchant's processing of end-user data.

10.3

Nothing in this clause limits the Merchant's obligations or liability under the indemnity provisions of the Merchant Terms.

11. Relationship to Merchant Terms

11.1

This DPA supplements and forms part of the Merchant Terms. In the event of any inconsistency between this DPA and the Merchant Terms with respect to the processing of personal data, this DPA prevails.

11.2

Termination of the Merchant Terms automatically terminates this DPA. The Merchant's obligations in clauses 4.5 (data deletion), 7 (breach notification), and 10 (indemnity) survive termination of this DPA.

12. Governing Law

For Merchants operating in Australia: This DPA is governed by the laws of the State or Territory in Australia in which the Merchant's principal place of business is located, together with the laws of the Commonwealth of Australia, and each party submits to the non-exclusive jurisdiction of the courts of that State or Territory and the Commonwealth. For Merchants operating in New Zealand, applicable New Zealand privacy law also applies.

13. Contact

Privacy and data processing enquiries: +61 2 8456 7107 | [email protected] | Stratosyte Pty Ltd, ABN 95 682 286 326 | keepmybooking.com

Back to related policies