Data Processing Agreement

1. Definitions

In this DPA, the following terms have the meanings given below. Terms not defined here have the meanings given in the Customer Terms.

• “Controller” means the Customer (you), who determines the purposes and means of processing personal data relating to your guests, clients, and staff.
• “Processor” means JAR 26 LTD trading as ReserveNI, who processes personal data on behalf of the Controller.
• “Data Protection Law” means the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, and any other applicable UK data protection legislation, as amended from time to time.
• “Personal Data” has the meaning given in Data Protection Law — broadly, any information relating to an identified or identifiable living individual.
• “Processing” has the meaning given in Data Protection Law, and includes storing, organising, retrieving, using, disclosing, and deleting personal data.
• “Sub-processor” means any third-party processor engaged by ReserveNI to process Personal Data in connection with the ReserveNI platform.
• “Data Subject” means an identified or identifiable individual whose Personal Data is processed.

2. Roles: controller and processor

The parties acknowledge that, in relation to personal data processed through the ReserveNI platform on the Customer’s behalf:

• the Customer is the data controller — you determine the purposes and means of collecting and using personal data about your guests, clients, and staff through the platform;
• ReserveNI is the data processor — we process that personal data only on your behalf, in accordance with your instructions and this DPA.

Each party remains independently responsible for its own compliance with Data Protection Law in relation to personal data for which it acts as controller.

3. Subject matter, nature, and purpose of processing

ReserveNI processes Personal Data as part of providing the ReserveNI platform to you. The nature and purpose of processing is:

• storing, managing, and retrieving booking and reservation records;
• managing guest profiles and contact information;
• sending automated booking confirmations, reminders, and notifications;
• processing payments and deposits through Stripe on your behalf;
• providing you with reporting and analytics on your bookings;
• enabling you and your staff to access and manage guest and booking data through the dashboard;
• maintaining audit logs and records necessary to operate the platform.

4. Types of personal data and categories of data subjects

Categories of data subjects: your guests and clients who make or are associated with bookings; your staff members and admin users who access the platform.

Types of personal data processed may include:

• names;
• email addresses;
• phone numbers (including mobile numbers for SMS communications);
• booking details (dates, times, party size, service type, notes);
• payment references (Stripe payment intent IDs — not card numbers, which are held by Stripe);
• deposit and transaction records;
• communications history (email and SMS confirmation and reminder records);
• staff account information (name, email address, account credentials managed via Supabase Auth).

ReserveNI does not intentionally process special category personal data (such as health data, biometric data, or criminal offence data). You must not upload special category data to the platform unless you have a lawful basis to do so and have first discussed this with us.

5. Duration of processing

ReserveNI will process Personal Data for the duration of your subscription, and for up to 30 days after termination to allow for data export. After this period, we will delete or anonymise Personal Data within a reasonable timeframe in accordance with our data retention practices, unless we are required to retain it longer by law.

6. ReserveNI’s obligations as processor

ReserveNI will:

• process Personal Data only on your documented instructions, including as set out in this DPA, the Customer Terms, and as required by law;
• not process Personal Data for any purpose other than providing the platform and related services, unless required to do so by law (in which case we will inform you, to the extent permitted by law);
• ensure that staff authorised to process Personal Data are bound by appropriate confidentiality obligations;
• implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access (see section 9);
• assist you, to the extent reasonably possible, in responding to requests from data subjects exercising their rights under Data Protection Law (see section 7);
• notify you without undue delay (and within 72 hours where feasible) upon becoming aware of a personal data breach affecting Personal Data processed on your behalf (see section 10);
• at your request, provide information reasonably necessary to demonstrate compliance with this DPA and Data Protection Law;
• on termination of the Customer Terms, delete or anonymise Personal Data in accordance with section 5 of this DPA, unless retention is required by law.

7. Your obligations as controller

You confirm that, in relation to Personal Data processed through the platform, you:

• have a lawful basis under Data Protection Law for collecting and processing the Personal Data you upload or generate through the platform;
• have provided, or will provide, data subjects with the information required by Data Protection Law (including a privacy notice) about how their data is used;
• are responsible for handling data subject rights requests (access, rectification, erasure, restriction, portability, objection) received by you directly, and will notify us promptly where our assistance is required;
• are responsible for ensuring that any personal data you instruct us to process is accurate and not excessive for the stated purpose.

8. Sub-processors

You provide general authorisation for ReserveNI to engage sub-processors to help deliver the platform. ReserveNI will ensure that sub-processors are bound by data protection obligations equivalent to those in this DPA.

We will notify you of any intended changes to sub-processors (additions or replacements) by updating this page and providing at least 14 days’ notice by email. You may object to a new sub-processor on legitimate data protection grounds; if we cannot accommodate your objection, you may terminate your subscription without penalty.

Current sub-processors:

9. Security measures

ReserveNI implements and maintains appropriate technical and organisational measures to protect Personal Data. These include:

• encryption of data in transit using TLS and at rest using encryption provided by our infrastructure providers;
• row-level security controls at the database layer to isolate data by venue;
• access controls limiting staff access to Personal Data on a need-to-know basis;
• authentication controls including password requirements managed through Supabase Auth;
• use of environment-separated secrets management (server-side only) for API keys and credentials;
• regular dependency updates and security patching;
• reliance on sub-processors (Supabase, Vercel, Stripe) who maintain their own ISO 27001 or equivalent security certifications.

We will review and update security measures from time to time to respond to new threats and industry developments. We will provide information about our security measures on request.

10. Personal data breaches

If ReserveNI becomes aware of a personal data breach affecting Personal Data processed on your behalf, we will notify you without undue delay and, where feasible, within 72 hours of becoming aware. Notification will include:

• a description of the nature of the breach, including the categories and approximate number of data subjects and records affected (to the extent known);
• the likely consequences of the breach;
• the measures taken or proposed to address the breach.

You are responsible for assessing whether you are required to notify the Information Commissioner’s Office (ICO) or affected data subjects, and for making any such notifications. We will provide you with reasonable assistance in doing so.

11. International data transfers

Some of our sub-processors are located outside the UK (including in the United States). Where Personal Data is transferred to a country that does not provide an equivalent level of data protection to the UK, we will ensure appropriate safeguards are in place in accordance with Data Protection Law. These may include:

• reliance on UK adequacy regulations where applicable;
• UK International Data Transfer Agreements (IDTAs) or UK Addendums to EU Standard Contractual Clauses where required;
• transfers to processors certified under recognised frameworks such as the UK-US Data Bridge.

Details of the safeguards used for each sub-processor are available on request.

12. Audit rights

You may, with reasonable prior written notice (at least 30 days) and no more than once per year, request information from ReserveNI to verify compliance with this DPA. ReserveNI will provide relevant documentation and answer reasonable written questions. Physical audits of ReserveNI infrastructure are conducted through our sub-processors’ existing audit and certification programmes (such as SOC 2 reports from Supabase or Vercel), which we will make available on request in lieu of a separate on-site audit.

13. Changes to this DPA

We may update this DPA from time to time to reflect changes in Data Protection Law, our processing activities, or sub-processors. We will provide at least 14 days’ notice of material changes by email. Continued use of the platform after the effective date of changes constitutes acceptance of the updated DPA.

14. Contact and data protection queries

For data protection queries, data subject rights requests relating to our processing, or to raise a concern about data protection practices, please contact us at: hello@reserveni.com.

If you have concerns about how Personal Data is handled that we have not resolved to your satisfaction, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.