Data Processing Agreement
Effective Date: 22 March 2026
This Data Processing Agreement ('DPA') is entered into between the Data Controller (the Business User as identified in the TurnoHub account registration) and the Data Processor (TurnoHub, contactable at [email protected]). This DPA supplements the Terms of Service. In the event of a conflict, this DPA shall prevail with respect to data protection obligations.
Section 1: Definitions
Terms not defined herein shall have the meaning given in Regulation (EU) 2016/679 (GDPR). 'Sub-Processor' means any third party engaged by TurnoHub to process data on behalf of the Controller.
Section 2: Nature, Purpose, and Scope of Processing
2.1 Nature
Collection, storage, retrieval, use, transfer, and deletion of personal data via the TurnoHub platform.
2.2 Purpose
To provide booking management, CRM functionality, client communication, and analytics to the Controller's business.
2.3 Duration
For the term of the Controller's active subscription, and for thirty (30) days following termination to allow data export, after which data will be deleted.
2.4 Categories of Data Subjects
End-clients of the Controller (salon clients, barbershop clients, tattoo studio clients); Staff members of the Controller.
2.5 Types of Personal Data
Names (first name, surname); Contact information (phone number, email address); Booking and appointment history; Service preferences and notes; Any other data entered by the Controller or their clients via the booking interface.
Section 3: Obligations of the Processor
TurnoHub, as Processor, agrees to:
- Process personal data only on documented instructions from the Controller
- Ensure that persons authorised to process personal data have committed to confidentiality
- Implement the technical and organisational security measures set out in Section 5
- Assist the Controller in fulfilling its obligations to respond to data subject rights requests
- Assist the Controller in ensuring compliance with GDPR Articles 32–36
- Delete or return all personal data to the Controller at the end of the service relationship
- Make available all information reasonably necessary to demonstrate compliance with this DPA
Section 4: Sub-Processors
The Controller provides general authorisation to TurnoHub to engage the following sub-processors:
- Supabase, Inc. — Database infrastructure (EU region)
- Resend, Inc. — Email communication
- Anthropic, Inc. — AI assistant processing
- Lemon Squeezy (A Stripe company) — Payment processing
TurnoHub shall inform the Controller of any intended changes with at least thirty (30) days' notice.
Section 5: Technical and Organisational Security Measures
5.1 Encryption
- All data in transit is encrypted using TLS 1.2 or higher
- All data at rest is encrypted using AES-256 encryption (via Supabase infrastructure)
- Passwords are hashed using industry-standard algorithms (bcrypt)
5.2 Access Controls
- Access to production data is restricted to authorised personnel only
- Role-based access control (RBAC) is enforced within the platform
- Row-Level Security (RLS) policies are applied at the database level
5.3 Infrastructure
- Services hosted on Hetzner VPS infrastructure located in the European Union (Helsinki, Finland)
- Automated backups performed by Supabase with point-in-time recovery
- Network traffic managed via Traefik reverse proxy with automated SSL certificate renewal
5.4 Organisational Measures
- Confidentiality obligations for all personnel with access to personal data
- Regular review of access permissions
- Incident response and notification procedures in place
Section 6: Personal Data Breach Notification
In the event of a personal data breach, TurnoHub shall notify the Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach.
Section 7: Data Subject Rights
TurnoHub shall promptly forward to the Controller any data subject requests received that relate to data processed on behalf of the Controller.
Section 8: International Transfers
Where personal data is transferred to sub-processors outside the EEA, TurnoHub ensures appropriate safeguards are in place including Standard Contractual Clauses (SCCs).
Section 9: Governing Law
This DPA is governed by the laws of Spain and subject to the jurisdiction of the courts of Valencia, Spain.
Contact: [email protected]
