This Data Processing Agreement (“Agreement” or “DPA”) is an integral part of the Timerise Terms & Conditions, which govern the delivery of custom booking system projects by Timerise. It applies whenever Timerise processes personal data on behalf of the Client in the course of a Project, in particular during data migration, development, testing, deployment, and post-delivery support.
1. Definitions
The following terms have the meanings assigned below and as defined in applicable personal data protection laws, including the GDPR:
- “Timerise” means Timerise Sp. z o.o., with its registered office in Wrocław, Poland, at ul. Księcia Witolda 49/15, 50-202 Wrocław, e-mail: hello@timerise.ai.
- “Agreement” means this Data Processing Agreement.
- “Main Agreement” means the Statement of Work together with the Timerise Terms & Conditions, under which Timerise delivers a Project to the Client.
- “Project” means the engagement to design, develop, migrate, deploy, and hand over a custom Booking System, as defined in the Main Agreement.
- “Booking System” means the dedicated booking software engineered by Timerise for the Client under the Main Agreement.
- “Personal Data” means any information relating to an identified or identifiable natural person processed under this Agreement.
- “Processing” means any operation performed on Personal Data.
- “Data Controller” or “Controller” means the entity that determines the purposes and means of Processing Personal Data, that is, the Client.
- “Data Processor” or “Processor” means Timerise, which processes Personal Data on behalf of the Controller during a Project.
- “Sub-Processor” means any third-party entity engaged by Timerise to assist in delivering the Project.
- “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation).
2. General Provisions
- The Controller entrusts Timerise with the Processing of Personal Data solely for the purpose of delivering the Project under the Main Agreement, in particular migrating data from the Controller’s legacy systems, developing and testing the Booking System, deploying it to the target infrastructure, and providing agreed post-delivery support.
- Processing will be carried out in accordance with the GDPR and this Agreement.
- The scope of Personal Data, categories of data subjects, and the nature of Processing are detailed in Section 13 (Scope of Processing).
- Timerise will process Personal Data only for the duration of the Project (including the agreed post-delivery support, to the extent support requires such Processing) and solely on documented instructions from the Controller.
- Upon Handover, the Client operates the Booking System as the sole Controller. Timerise does not process data held in the delivered Booking System after Handover, except where the Controller grants access for the purpose of post-delivery support.
3. Controller’s Statements
By entering into this Agreement, the Controller declares that:
- Personal Data are processed in connection with its business or statutory activity;
- It has a valid legal basis for Processing the Personal Data;
- It is authorized to entrust Timerise with the Personal Data contained in the systems from which data are migrated, and there are no legal obstacles preventing Timerise from Processing Personal Data as entrusted.
4. Technical and Organizational Measures
- Timerise will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption in transit and at rest, access control, and environment separation.
- Only authorized persons bound by confidentiality will have access to Personal Data.
5. Processor’s Duties
Timerise shall:
- Assist the Controller in responding to requests from data subjects (Chapter III GDPR);
- Assist the Controller in ensuring compliance with security and breach notification obligations (Articles 32–36 GDPR);
- Promptly inform the Controller of any proceedings or inspections by authorities;
- Not delete or alter Personal Data without instructions from the Controller.
6. Audits
- Timerise will make available information necessary to demonstrate compliance and allow audits.
- The Controller must notify Timerise at least 14 business days in advance.
- Audits must not unduly disrupt operations and may last up to 3 business days.
7. Sub-Processors
- The Controller grants Timerise a general authorization to engage the Sub-Processors listed in Section 14 (List of Sub-Processors).
- Timerise shall notify the Controller in advance of any intended addition or replacement of Sub-Processors, giving the Controller the opportunity to object.
- Timerise imposes on each Sub-Processor data protection obligations no less protective than those in this Agreement.
8. Personal Data Breaches
If Timerise becomes aware of a Personal Data breach, it shall notify the Controller within 48 hours and provide details on the nature of the breach and measures taken.
9. Liability
- Timerise’s total liability for damages arising from Processing under this Agreement shall not exceed the fees paid by the Client for the relevant Project, consistent with the limitation of liability in the Terms & Conditions.
- Neither Party shall be liable for non-performance due to Force Majeure.
10. CCPA (California Consumer Privacy Act)
- If the Controller entrusts Timerise with Personal Data of California residents, Timerise shall not use such data for any purpose other than delivering the Project.
- Timerise will not sell or share California residents’ Personal Data.
11. Termination
- Upon completion or termination of the Project (or, where applicable, expiry of the post-delivery support), Timerise shall, at the Controller’s choice, delete or return all Personal Data within 14 days, unless storage is required by law. Data handed over as part of the delivered Booking System remain with the Controller.
12. Final Provisions
- Any amendments must be made in electronic form to be valid.
- This Agreement is governed by Polish law.
13. Scope of Processing
Categories of data subjects
- End-Users of the Controller (customers making bookings in the legacy or new system)
- Employees and contractors of the Controller (system users, staff calendars)
Categories of Personal Data
- Identification and contact data: name, e-mail address, phone number
- Booking data: booking history, dates, services booked, notes attached to bookings
- Account data of the Controller’s staff: name, e-mail address, role
- Payment-related metadata (e.g. transaction identifiers), where migrated; Timerise does not process full payment card data
Nature and purpose of Processing
- Migration of data from the Controller’s legacy systems to the new Booking System
- Development, testing, and validation of the Booking System
- Deployment to the Controller’s target infrastructure
- Defect diagnosis and resolution during post-delivery support
14. List of Sub-Processors
- Google Cloud EMEA Limited – cloud infrastructure and AI model processing (EU regions where available)
- Supabase, Inc. – database and authentication infrastructure
- Vercel Inc. – application hosting
- Twilio Inc. (SendGrid) – transactional e-mail delivery
- Slack Technologies Limited – internal team communication and project notifications
The current list applicable to a specific Project is confirmed in the Statement of Work. Changes are notified in accordance with Section 7.
© 2026 Timerise Sp. z o.o. – All rights reserved.