
Data Processing Agreement

Last updated: 17 May 2026

01 Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between CrownSuite ("Processor") and the salon owner ("Controller") who registers for a CrownSuite account. CrownSuite is a trading name of T J Bungwe, a sole trader based in the United Kingdom.

This DPA is entered into to ensure compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and governs the processing of personal data that CrownSuite carries out on behalf of the salon owner.

By creating a CrownSuite account, the salon owner agrees to this DPA.

02 Definitions

"Controller" means the salon owner who determines the purposes and means of processing customer personal data through CrownSuite.

"Processor" means CrownSuite, which processes personal data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in UK GDPR Article 4(1).

"Processing" means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion.

"Sub-processor" means a third party engaged by CrownSuite to process personal data on behalf of the Controller.

03 Scope of Processing

CrownSuite processes the following personal data on behalf of salon owners:

| Data category | Data types | Purpose |
|---|---|---|
| Customer identity | First name, last name | Booking identification |
| Customer contact | Email address, phone number | Booking confirmations & communication |
| Booking details | Service, date, time, price, hair length, special requests | Appointment management |
| Payment references | Stripe payment IDs, deposit amounts | Payment verification |

Processing is carried out solely for the purpose of providing the CrownSuite booking management platform. CrownSuite will not process personal data for any other purpose unless instructed by the Controller or required by law.

04 Obligations of the Processor

CrownSuite shall:

  • Process personal data only on documented instructions from the Controller, unless required by law
  • Ensure that all personnel with access to personal data are bound by confidentiality obligations
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption, access controls, and data isolation
  • Not engage any sub-processor without prior written authorisation from the Controller (see Section 06)
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection)
  • Assist the Controller in ensuring compliance with obligations relating to security, breach notification, impact assessments, and consultation with supervisory authorities
  • At the Controller's choice, delete or return all personal data upon termination of the service, and delete existing copies unless required by law
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

05 Obligations of the Controller

The salon owner shall:

  • Ensure that there is a lawful basis for the processing of customer personal data (e.g. legitimate interest for booking management)
  • Provide customers with appropriate privacy information about how their data is processed through CrownSuite
  • Ensure that any personal data provided to CrownSuite has been collected lawfully and with any required consent
  • Notify CrownSuite promptly of any data subject requests that require CrownSuite's assistance

06 Sub-processors

The Controller authorises CrownSuite to engage the following sub-processors:

| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | USA (EU SCCs in place) |
| Twilio SendGrid | Transactional email delivery | USA (EU SCCs in place) |
| Railway Corp | Application hosting & database | EU/EEA region |

CrownSuite will notify the Controller by email at least 14 days before adding or replacing a sub-processor. If the Controller objects, they may terminate their account within that 14-day period.

CrownSuite ensures that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA.

07 Security Measures

CrownSuite implements the following technical and organisational measures:

  • Encryption in transit: all connections use HTTPS/TLS
  • Encryption at rest: database hosted on encrypted storage
  • Password security: bcrypt hashing with automatic salting
  • Data isolation: multi-tenant architecture using acts_as_tenant, ensuring each salon's data is logically separated
  • Access controls: role-based authentication (owner, admin, stylist) scoped per salon
  • Rate limiting: Rack::Attack throttling on login, signup, password reset, and booking endpoints
  • Account lockout: automatic lockout after 5 failed login attempts
  • Booking tokens: public-facing booking URLs use random tokens instead of sequential IDs
  • Session security: encrypted session cookies with CSRF protection

08 Data Breach Notification

In the event of a personal data breach, CrownSuite shall:

  • Notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach
  • Provide the Controller with sufficient information to enable them to meet their obligation to notify the ICO within 72 hours, including the nature of the breach, categories of data affected, approximate number of individuals affected, and measures taken to mitigate the breach
  • Cooperate with the Controller in investigating and remediating the breach
  • Document the breach and the response in an internal incident register

The Controller remains responsible for notifying the ICO and affected individuals as required under UK GDPR Articles 33 and 34.

09 International Transfers

Where personal data is transferred outside the United Kingdom, CrownSuite ensures that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the UK Information Commissioner's Office, or reliance on an adequacy decision.

Application data, including the database, is hosted within the EU/EEA. Stripe and SendGrid may process limited personal data (email addresses, payment references, and booking details) in the USA; these transfers operate under UK/EU Standard Contractual Clauses.

10 Data Subject Requests

If CrownSuite receives a request directly from a data subject (e.g. a salon customer), CrownSuite will promptly redirect the request to the relevant salon owner unless legally prohibited from doing so.

CrownSuite will provide reasonable technical assistance to the Controller in fulfilling data subject requests, including data export functionality.

11 Audit Rights

The Controller has the right to audit CrownSuite's compliance with this DPA. Audits shall be conducted with reasonable notice (at least 30 days), during normal business hours, and no more than once per year unless a data breach has occurred.

CrownSuite may provide audit evidence through written documentation, certifications, or third-party audit reports where available.

12 Data Retention & Deletion

Upon termination of the salon owner's account:

  • CrownSuite will retain all data for 30 days to allow the Controller to export their data
  • After 30 days, all personal data (customers, bookings, account information) will be permanently deleted from active systems
  • Backup copies will be purged within 90 days of account termination
  • Payment records required for UK tax compliance will be retained for 7 years in anonymised form

13 Term & Termination

This DPA remains in effect for the duration of the salon owner's CrownSuite account. It terminates automatically when the account is closed and all data has been deleted in accordance with Section 12.

Obligations relating to confidentiality and data deletion survive termination of this DPA.

14 Governing Law

This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

15 Contact

For questions about this DPA, contact us at [email protected].
