Schedulr Data Processing Addendum
Version: 7.0 (dpa_schedulr_2026_06_v7)
Effective Date: June 28, 2026
Last Updated: June 28, 2026
Accompanies: Terms of Service 6.0 and Privacy Policy 5.0
1. Purpose and Roles
This Data Processing Addendum ("DPA") forms part of and supplements the Schedulr Terms of Service (the "Agreement") and is incorporated into it for any organization owner that processes personal data about customers, staff, or other individuals through Schedulr ("Booking Data") subject to the GDPR (Regulation (EU) 2016/679), the UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), or a comparable law. Where this DPA conflicts with the rest of the Agreement, this DPA controls for the processing of Booking Data.
For Booking Data:
- the organization owner (and the organization they administer) is the data controller ("Controller"); and
- Holicow LLC ("Holicow", the "Processor") processes Booking Data only on the Controller's documented instructions.
For an organization owner's own account, platform billing, support, and security data, Holicow is an independent controller — see the Privacy Policy. This DPA governs Booking Data only and does not cover platform subscription billing processed by Paddle as merchant of record.
2. Definitions
Terms not defined here have the meaning given in the GDPR. "Data Subject", "personal data", "processing", "personal data breach", "special categories of data", and "supervisory authority" have their GDPR meanings. "Data Protection Law" means each privacy/data-protection law applicable to the processing. "SCCs" means the Standard Contractual Clauses annexed to EU Commission Implementing Decision (EU) 2021/914. "DPF" means the EU-U.S. Data Privacy Framework (and, where applicable, the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework). "UK Addendum" means the UK Information Commissioner's International Data Transfer Addendum to the SCCs, version B1.0. "Sub-Processor" means a third party engaged by Holicow to process Booking Data.
3. Subject Matter and Details of Processing
The subject matter, duration, nature and purpose of the processing, the types of personal data, and the categories of Data Subjects are set out in Annex I to this DPA. The Controller's instructions for processing are this DPA, the Agreement, and the configuration choices the Controller makes within the Service (including services, staff, locations, availability, notification settings, and booking forms). The Controller may give additional documented instructions consistent with the Service; Holicow will inform the Controller if, in its reasonable opinion, an instruction infringes Data Protection Law.
4. Controller (Organization Owner) Obligations and Warranties
The Controller warrants and undertakes that it:
- has, and will maintain, a valid lawful basis under Article 6 (and, for any special-category data, Article 9) for collecting and processing each Data Subject's personal data, and has provided all required transparency notices and obtained any required consent;
- will not configure or upload special-category data (Article 9) or data relating to criminal convictions (Article 10) unless it has a lawful basis and has notified Holicow so that appropriate measures can be assessed;
- will not use the Service to collect personal data about any child under 13 (COPPA); and for minors aged 13–17, including minors below the local GDPR digital-consent age (13–16), will maintain a valid lawful basis and any required parent, guardian, school, organizational, or other legally required authorization (the digital-consent age governs a minor's ability to self-consent, not whether the minor may be booked — see Section 4.1);
- gives Holicow documented, lawful instructions (this DPA, the Agreement, and in-product configuration constitute those instructions); and
- is responsible for the accuracy, quality, and lawfulness of the Booking Data and the means by which it acquired it, including customer-facing cancellation policies and notices shown at booking.
4.1 Minor Booking Data (Ages 13–17)
Where Booking Data includes minors aged 13–17, the Controller remains solely responsible for: determining the lawful basis for the processing; providing the required notices to the minor and parent/guardian; obtaining parent or guardian authorization where required; obtaining any necessary school or organizational authorization; restricting access, purpose, and the use of any sensitive data about the minor; responding to requests from the minor or their parent, guardian, or legal representative; and ensuring that the processing is appropriate to the age, context, and jurisdiction of the data subject, as set out in Section 4 of the Terms of Service. Holicow processes minor Booking Data only on the Controller's instructions and does not verify the Controller's authority, lawful basis, or parental/school authorization.
5. Processor (Holicow) Obligations
Holicow will:
5.1 Process only on documented instructions — including with regard to transfers of Booking Data to a third country — unless required by applicable law, in which case Holicow will inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
5.2 Confidentiality — ensure persons authorized to process Booking Data are bound by an obligation of confidentiality.
5.3 Security (Article 32) — implement and maintain the technical and organizational measures set out in Annex II.
5.4 Sub-Processors — engage Sub-Processors only in accordance with Section 7.
5.5 Assistance with Data-Subject rights — taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, to respond to requests to exercise Data-Subject rights (the Service provides organization data export and booking management tools). If a request reaches Holicow directly, Holicow will, without undue delay, forward it to the Controller and not respond except on the Controller's instruction or as legally required.
5.6 Assistance with Articles 32–36 — assist the Controller in ensuring security, notifying personal data breaches, conducting data-protection impact assessments, and consulting supervisory authorities, taking into account the information available to Holicow.
5.7 Breach notification — notify the Controller without undue delay and, where feasible, within 72 hours after confirming a personal data breach affecting Booking Data, providing the information then reasonably available (the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed).
5.8 Deletion or return — at the Controller's choice, delete or return all Booking Data after the end of the provision of the Service, and delete existing copies unless applicable law requires storage, in accordance with the retention schedule in the Privacy Policy (including the 90-day post-lapse export window and automated purge).
5.9 Audits and information — make available to the Controller all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, subject to the guardrails in Section 6.
6. Audit Guardrails
The Controller's audit right (Section 5.9 and SCC Clause 8.9) is satisfied, in the first instance, by Holicow making available its security documentation, completed security questionnaires, and any third-party reports it holds. Where that is insufficient to demonstrate compliance, the Controller may conduct an audit: on at least 30 days' prior written notice; no more than once in any 12-month period (unless required by a supervisory authority or following a personal data breach); during business hours; subject to confidentiality; in a manner that does not disrupt Holicow's operations or compromise other customers' data; and at the Controller's expense.
7. Sub-Processors
The Controller grants Holicow general written authorization to engage the Sub-Processors listed in Annex III. Holicow will: (a) impose data-protection obligations on each Sub-Processor that are no less protective than this DPA by written contract; (b) remain fully liable to the Controller for each Sub-Processor's performance; and (c) give the Controller at least 30 days' advance notice of the addition or replacement of a Sub-Processor (by updating Annex III and notifying organization owners), during which the Controller may object on reasonable data-protection grounds. If the parties cannot resolve a good-faith objection, the Controller may terminate the affected organization account as its sole remedy.
8. International Transfers
Holicow processes Booking Data in the United States. Where the Controller's processing is subject to the GDPR, UK GDPR, or FADP and Holicow's processing of Booking Data constitutes a restricted transfer, the parties agree:
EU/EEA transfers — the SCCs are incorporated by reference and apply as follows:
- Module Two (Controller → Processor) applies to the transfer from the Controller (data exporter) to Holicow (data importer).
- Module Three (Processor → Sub-Processor) applies to onward transfers from Holicow to its Sub-Processors.
- Clause 7 (Docking clause): applies.
- Clause 9 (Sub-Processors): Option 2 (general written authorization), with the notice period in Section 7.
- Clause 11 (Independent dispute resolution): the optional language does not apply.
- Clause 17 (Governing law): the law of the EU member state in which the data exporter (Controller) is established; where the Controller is not established in the EU, the law of Ireland.
- Clause 18 (Forum and jurisdiction): the courts of that member state (or Ireland, as applicable).
- The technical and organizational measures referenced in Annex II satisfy Annex II of the SCCs; Annex I and Annex III of this DPA populate the corresponding SCC annexes.
UK transfers — the UK Addendum is incorporated by reference as set out in Annex IV.
Swiss transfers — for Swiss-origin Booking Data, the adaptations in Annex IV apply.
In the event of a conflict between the SCCs/UK Addendum and this DPA, the SCCs/UK Addendum prevail with respect to the transfer.
9. Liability and Term
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. This DPA takes effect when the Controller accepts the Agreement and continues for as long as Holicow processes Booking Data. Sections governing confidentiality, deletion/return, and liability survive termination.
Annex I — Details of Processing
A. List of Parties
- Data exporter (Controller): the organization owner that accepts the Agreement and this DPA. Contact, role, and signature are evidenced by the owner's accepted account record and the Terms-acceptance audit log. Activities: operating a service business and managing appointments through Schedulr. Role: controller.
- Data importer (Processor): Holicow LLC, 1164 Palmer Loop, Chewelah, WA 99109, USA; [email protected]. Activities: providing the Schedulr appointment scheduling platform. Role: processor.
B. Description of Transfer
- Categories of Data Subjects: the individuals the Controller schedules or lists in the Service — end-customers who book appointments, staff members, and other individuals whose data the Controller enters; may include minors aged 13–17 where the organization serves a school, youth, or community purpose (see Section 4.1).
- Categories of personal data: identifiers and contact data (name, email, phone); appointment details (date, time, service, staff, location, status); optional notes or custom fields the Controller enables; organization branding assets (such as logos); cancellation-policy acceptance metadata (timestamp, IP address, user-agent where captured); and notification delivery metadata.
- Special-category data: none intended; the Controller must not configure or collect special-category data without a lawful basis and notice to Holicow (Section 4).
- Frequency: continuous, for the duration of the organization's use of the Service.
- Nature and purpose: storage, organization, display, import/export, scheduling, and transmission of Booking Data to operate appointment booking, staff calendars, customer notifications, and related organization features.
- Retention: per the retention schedule in the Privacy Policy, including up to 90 days after platform access ends for export, then automated deletion.
- Onward transfers to Sub-Processors: subject matter, nature, and duration as in Annex III.
C. Competent Supervisory Authority
The supervisory authority of the EEA member state in which the Controller (data exporter) is established; or, where the Controller is not established in the EEA, the supervisory authority of the member state in which the relevant Data Subjects are located. For UK data, the UK ICO; for Swiss data, the FDPIC.
Annex II — Technical and Organizational Security Measures
Holicow maintains, at a minimum, the following measures (Article 32 / SCC Annex II):
- Encryption: TLS (HTTPS) for all data in transit; encryption at rest for backups and object storage where applicable; one-way hashing of account passwords.
- Access control: role-based, least-privilege access to production systems; unique accounts; multi-factor authentication for administrative access; revocation on personnel changes.
- Pseudonymization/minimization: collection limited to data needed to provide the Service; scheduled scrubbing of incidental audit metadata per the Privacy Policy.
- Network and application security: firewalling and network isolation; secure software-development practices; input validation; dependency and vulnerability management with timely patching.
- Logging and monitoring: audit logging of administrative and security-relevant events; monitoring and alerting.
- Resilience and recovery: regular encrypted backups; documented restore procedures; redundancy provided by the hosting platform.
- Personnel: confidentiality obligations and security awareness for staff with access to Booking Data.
- Incident response: a documented breach-response process supporting the notification commitment in Section 5.7.
- Sub-Processor management: written data-protection terms and security review of Sub-Processors (Annex III).
- Physical security: delegated to the underlying cloud providers (Annex III), which maintain access-controlled, certified data-center facilities.
Annex III — Sub-Processors
The Controller authorizes the following Sub-Processors for Booking Data. Holicow remains responsible for their performance and imposes terms no less protective than this DPA.
The Transfer mechanism column uses the abbreviations defined in Section 2:
- SCCs — Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), incorporated in Section 8.
- DPF — EU-U.S. Data Privacy Framework (and UK/Swiss extensions where applicable), where the Sub-Processor maintains an active certification.
| Sub-Processor | Service / role | Nature of processing | Location | Transfer mechanism |
|---|---|---|---|---|
| Laravel Holdings, Inc. | Application hosting and database (Laravel Cloud) | Hosting, storage, and processing of Booking Data | United States | SCCs |
| Amazon Web Services, Inc. (Amazon SES) | Transactional email | Delivery of booking confirmations, reminders, and staff notifications | United States | SCCs / DPF |
| Twilio Inc. (if SMS enabled) | SMS messaging | Delivery of SMS verification and transactional messages where enabled | United States / global | SCCs / DPF |
Note: Platform subscription billing for Schedulr itself is processed by Paddle.com Market Limited as merchant of record. Paddle is not a Sub-Processor of Booking Data under this DPA; Holicow acts as an independent controller for platform billing data. Optional end-customer payment features are not offered today; if Holicow introduces a feature that processes Booking Data through a third-party payment provider, that provider will be added to this annex with at least 30 days' notice under Section 7 before the feature is generally available.
Annex IV — UK and Swiss Transfer Elections
UK Addendum (Tables 1–4):
- Table 1 (Parties): exporter = the Controller (organization owner); importer = Holicow LLC (details in Annex I.A).
- Table 2 (Selected SCCs): the EU SCCs as completed in this DPA, Modules Two and Three, with the elections in Section 8.
- Table 3 (Appendix information): as set out in Annexes I, II, and III.
- Table 4 (Ending the Addendum): the Importer may end the Addendum as set out in Section 19 of the Addendum.
Swiss adaptations: for Swiss-origin Booking Data, references in the SCCs to the GDPR are read as references to the revised Swiss FADP (nFADP), which has been in force since 1 September 2023; the competent authority is the FDPIC; and the governing law for the Swiss transfer is Swiss law.
DPF: where a Sub-Processor is certified under the EU-U.S. Data Privacy Framework (and the UK/Swiss extensions), Holicow may rely on that certification for transfers to that Sub-Processor in addition to or instead of the SCCs.
Contact
Data-protection enquiries and requests under this DPA:
Holicow LLC
Attn: Privacy
1164 Palmer Loop
Chewelah, Washington 99109
United States