Effective May 16, 2026

Data Processing Agreement

This DPA forms part of the Terms of Service between Pantazi Software (the processor) and you (the controller) for personal data Bookify processes on your behalf. It is GDPR-compliant out of the box. If you need a counter-signed PDF, email [email protected].

1. Subject matter, duration, nature

Bookify processes personal data of your bookers (name, email, optional phone, time zone, meeting metadata) and your team members (name, email, role, OAuth tokens) to provide booking and scheduling functionality. Processing lasts for the duration of your account plus a 30-day grace period after deletion.

2. Roles

  • You are the controller of your bookers' and team members' data.
  • Pantazi Software is the processor acting on your documented instructions.
  • For our own customer relationship with you (subscription billing, audit log, marketing communications), Pantazi Software acts as an independent controller — see the Privacy Policy.

3. Sub-processors

We engage the sub-processors below, all bound by written agreements with confidentiality + security commitments at least equivalent to this DPA. We'll notify you by email at least 30 days before adding or replacing a sub-processor.

| Sub-processor | Purpose | HQ | Transfer basis |
|---|---|---|---|
| Resend | Transactional email delivery (booking confirmations, reminders, magic links) | United States | SCCs |
| SMSapi | SMS reminder delivery worldwide | Poland (EU) | EU/EEA — no transfer |
| Creem | Bookify's subscription billing + SMS credit purchases | Singapore | SCCs |
| Stripe (Stripe Connect Express) | Client merchant payments (funds never touch Bookify) | United States / Ireland | SCCs |
| PayPal Commerce Platform | Client merchant payments | United States | SCCs |
| Google | Google Calendar + Google Meet integration | United States / Ireland | SCCs + EU-US Data Privacy Framework |
| Microsoft | Outlook Calendar + Microsoft Teams integration | United States / Ireland | SCCs + EU-US Data Privacy Framework |
| Apple | iCloud calendar synchronization (CalDAV) | United States | SCCs |
| Zoom | Zoom meeting creation | United States | SCCs |
| Cloudflare | DNS, CDN, DDoS protection | United States | SCCs |
| Hostinger International Ltd. | VPS hosting + Postgres + Redis | Lithuania (EU) | EU/EEA — no transfer |

4. Technical + organizational measures (Art. 32 GDPR)

  • OAuth tokens encrypted at rest with AES-256-GCM, key rotation supported;
  • HTTPS in transit (TLS 1.2+); HSTS preload-eligible;
  • Postgres role separation; least-privilege application user;
  • nightly Postgres backups, GPG-encrypted, off-site;
  • strict Content-Security-Policy, no inline scripts on dashboard;
  • audit log of every state-changing action, with SHA-256 hashed IPs;
  • rate-limited public endpoints (Redis token bucket);
  • 2FA-enforced infrastructure access; SSH key auth only.

5. Data subject requests

We assist you in fulfilling access, deletion, and portability requests. Your bookers can also exercise rights directly through the cancellation and self-service links in their booking emails. Account holders use Dashboard → Settings → Data export and Dashboard → Settings → Delete account.

6. Breach notification

We'll notify you without undue delay (and at the latest within 72 hours) of becoming aware of any personal data breach affecting data we process for you, with the information required by Art. 33(3) GDPR.

7. Audit rights

On reasonable notice you may audit our compliance with this DPA once per year, or more often if required by your supervisory authority. We can also provide SOC 2 / ISO 27001 attestations from our infrastructure provider on request.

8. Return / deletion

On termination of your subscription we return or delete all personal data within 30 days, unless retention is required by law (e.g. invoice data for accounting).