Data Processing Agreement

Last updated: 17 February 2026

This Data Processing Agreement (“DPA”) forms part of the BookaVue Terms of Service and applies whenever BookaVue processes Personal Data on behalf of a Customer.

By using the Service, the Customer agrees to this DPA.

BookaVue is a trading name of Deplova Ltd, a company registered in England and Wales (company number 16633010), with registered office at 85 Great Portland Street, London, W1W 7LT, United Kingdom.

1. DEFINITIONS

Controller, Processor, Personal Data, Data Subject, Processing, and Personal Data Breach have the meanings given under UK GDPR and EU GDPR (where applicable).

Customer = the business using BookaVue

BookaVue = the Processor

2. ROLE OF THE PARTIES

The Customer acts as Data Controller.

BookaVue acts as Data Processor. We will process Personal Data only on the documented instructions of the Customer, including instructions communicated through normal configuration and use of the Service, unless required otherwise by applicable law.

BookaVue does not determine the purposes of processing End User booking data.

3. SUBJECT MATTER AND PURPOSE

Nature of processing:

Provision of property viewing booking and scheduling software.

Types of Personal Data may include:

  • name
  • email
  • phone number
  • appointment details
  • communications content
  • technical metadata

Categories of Data Subjects:

  • property viewers
  • prospective tenants or buyers
  • Customer staff users

Duration:

For the duration of the Customer’s subscription and limited retention thereafter.

4. CUSTOMER OBLIGATIONS

The Customer warrants that:

  • it has a lawful basis for collecting the Personal Data
  • it provides appropriate privacy notices
  • it responds to data subject rights requests
  • it complies with marketing and electronic communications laws
  • its instructions comply with applicable law

The Customer remains responsible for accuracy and legality of Personal Data.

5. PROCESSOR OBLIGATIONS

BookaVue shall:

  • process Personal Data only to provide the Service
  • ensure staff confidentiality obligations
  • implement appropriate security measures
  • assist the Customer with rights requests where reasonably possible
  • assist with DPIAs where required
  • notify Customer of Personal Data Breaches without undue delay
  • delete or return Personal Data upon termination (subject to backups and legal obligations)

6. SUBPROCESSORS

The Customer authorises BookaVue to use subprocessors necessary to operate the Service, including hosting, email delivery and payment providers.

The Customer provides general authorisation for the use of subprocessors engaged from time to time to deliver the Service, provided such subprocessors are bound by data protection obligations no less protective than this Agreement.

BookaVue will ensure subprocessors are bound by data protection obligations.

An up-to-date list may be provided upon request.

7. INTERNATIONAL TRANSFERS

Where Personal Data is transferred outside the UK/EEA, BookaVue shall rely on appropriate safeguards such as adequacy regulations or standard contractual clauses.

8. SECURITY MEASURES

We will implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

BookaVue implements appropriate technical and organisational measures including:

  • encrypted transmission (HTTPS)
  • access controls
  • authentication protections
  • monitoring and logging
  • restricted personnel access

9. DATA BREACHES

We will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.

Notification will include available details to assist the Customer’s reporting obligations.

10. AUDITS

The Customer may request reasonable information demonstrating compliance.

Any audits or inspections must be reasonable, subject to prior written notice, conducted during normal business hours, and not more than once in any 12-month period unless required by law or following a confirmed security incident.

Formal audits must:

  • be reasonable
  • not disrupt service
  • occur no more than once in any 12-month period unless required by law or following a confirmed security incident

11. DATA RETURN AND DELETION

Upon termination of the Services, Customer Personal Data may be made available for export for a limited period (typically up to 30 days). Thereafter, Personal Data will be deleted or anonymised, usually within 30–90 days, unless retention is required by law.

12. LIABILITY

Liability is subject to the limitations in the BookaVue Terms of Service.

13. GOVERNING LAW

This DPA is governed by the same law and jurisdiction as the Terms of Service.

---

ANNEX 1 — SUBJECT MATTER AND DURATION

Subject matter: Provision of the BookaVue property viewing and lead management SaaS.

Duration: For the duration of the Services and any post-termination retention period.

ANNEX 2 — CATEGORIES OF DATA AND DATA SUBJECTS

Data subjects: Customers, authorised users, property viewers, prospective buyers or tenants.

Data categories: Contact details, booking data, communication data, technical and usage data.

ANNEX 3 — TECHNICAL AND ORGANISATIONAL MEASURES

Access controls, encryption in transit, secure hosting, authentication controls, logging, monitoring, and incident response procedures.