Data Processing Agreement (DPA)
Effective Date: April 13, 2025
Last Updated: April 14, 2025
Applies to: Bookiro. – https://bookiro.ca
Jurisdiction: Quebec, Canada
This Data Processing Agreement (“DPA”) is an addendum to the Terms of Service and applies where Bookiro processes personal data on behalf of clients (acting as Data Controllers) during the use of Bookiro’s services.
1. Definitions
Data Controller: The client who determines the purposes and means of processing personal data.
Data Processor: Bookiro, which processes personal data on behalf of the Data Controller.
Personal Data: Any information relating to an identified or identifiable individual.
Processing: Any operation performed on personal data, whether automated or not.
2. Purpose & Scope
Bookiro processes personal data solely for the purpose of providing its platform features, including booking management, communication, notifications, invoicing, and analytics — as described in the main service agreement.
3. Duration
This DPA is effective for the duration of the client’s use of Bookiro services and remains valid until all data has been returned or deleted per Section 8.
4. Processing Obligations of Bookiro
Bookiro agrees to:
Only process personal data on documented instructions from the Controller.
Ensure confidentiality and restrict data access to authorized personnel only.
Implement appropriate technical and organizational measures to secure data (in line with Law 25).
Assist the Controller in ensuring compliance with obligations related to security, breach notifications, and data protection impact assessments (DPIAs), if required.
5. Sub-Processors
Bookiro may engage sub-processors (e.g., Stripe, Firebase, analytics providers) as needed.
A current list of sub-processors is available upon request.
Bookiro ensures all sub-processors are bound by data protection obligations equivalent to this agreement.
6. Assistance with Data Subject Rights
In accordance with Law 25 and PIPEDA:
Bookiro will assist the Controller in responding to data subject requests, including access, rectification, deletion, objection, and data portability.
Requests must be submitted by the Controller or verified through the client’s account.
7. Data Breach Notification
Bookiro shall notify the Controller without undue delay (within 72 hours) upon discovering a personal data breach.
The notification will include the nature of the breach, the data affected, consequences, and remediation steps.
8. Data Return or Deletion
Upon termination of the services:
Bookiro will, at the choice of the Controller, either return all personal data or delete it from its systems.
Exceptions apply only where retention is required by applicable laws (e.g., financial, tax, or audit obligations).
9. Audits & Documentation
Upon request, Bookiro shall provide documentation to demonstrate compliance with this DPA.
On-site audits may be requested but are subject to reasonable notice and cost recovery if not legally mandated.
10. Governing Law
This agreement shall be governed by the laws of the Province of Quebec and the federal laws of Canada.
11. Contact
For questions or concerns regarding this DPA, contact: