Data Processing Agreement

Last updated: March 20, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between SlotMe ("Processor") and the salon owner ("Controller") using the SlotMe platform. This DPA is concluded in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"/"RODO").

1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person processed through the SlotMe platform, including client names, phone numbers, email addresses, appointment history, and WhatsApp communication data. "Processing" means any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction. "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates — primarily salon clients whose data is managed through the platform. "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Subject Matter and Duration
The Processor shall process Personal Data on behalf of the Controller for the purpose of providing the SlotMe salon management platform, including: appointment scheduling and calendar management; client database management; AI-powered communication via WhatsApp; booking notifications and reminders. The duration of processing corresponds to the term of the Controller's subscription to the SlotMe platform, plus the data retention period specified in the Privacy Policy.
3. Obligations of the Controller
The Controller shall: ensure that it has a lawful basis for processing Personal Data through the platform (e.g., consent, legitimate interest, or contractual necessity); inform Data Subjects about the processing of their data, including the use of AI-powered features; ensure the accuracy of Personal Data entered into the platform; promptly notify the Processor of any data subject requests or complaints; comply with all applicable data protection laws, including GDPR/RODO.
4. Obligations of the Processor
The Processor shall: process Personal Data only on documented instructions from the Controller, unless required by EU or member state law; ensure that persons authorized to process Personal Data have committed themselves to confidentiality; implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk; not engage another processor without prior specific or general written authorization of the Controller; assist the Controller in ensuring compliance with data protection obligations; delete or return all Personal Data to the Controller after the end of the provision of services, at the Controller's choice; make available to the Controller all information necessary to demonstrate compliance with this DPA.
5. Sub-processors
The Controller provides general authorization for the Processor to engage sub-processors. The Processor currently uses the following sub-processors:
- Hetzner Online GmbH (Germany) — Cloud hosting and infrastructure
- Cloudflare, Inc. (USA, with EU data processing) — CDN and frontend hosting
- Google LLC (USA, with EU data processing) — AI services (Gemini) for automated communication
- Twilio Inc. (USA, with EU data processing) — WhatsApp Business API for client messaging
- Sentry (USA) — Error tracking and monitoring
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.
6. Data Security Measures
The Processor implements the following technical and organizational measures:
- Encryption of data in transit (TLS 1.3) and at rest
- Access control with role-based permissions
- Regular security assessments and penetration testing
- Automated backups with encrypted storage
- Logging and monitoring of data access
- Employee confidentiality agreements and security training
- Incident response procedures
7. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach. The notification shall include: the nature of the breach, including categories and approximate number of Data Subjects affected; the name and contact details of the data protection point of contact; a description of the likely consequences of the breach; a description of measures taken or proposed to address the breach.
8. Data Subject Rights
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR/RODO, including: right of access (Art. 15); right to rectification (Art. 16); right to erasure (Art. 17); right to restriction of processing (Art. 18); right to data portability (Art. 20); right to object (Art. 21). The SlotMe platform provides tools for Controllers to manage client data, including export and deletion capabilities accessible from the dashboard.
9. International Data Transfers
Where Personal Data is transferred outside the European Economic Area, the Processor ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914).
10. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Processor shall immediately inform the Controller if an instruction infringes GDPR/RODO or other EU or member state data protection provisions.
11. Termination and Data Return
Upon termination of the service agreement, the Processor shall, at the Controller's choice: return all Personal Data to the Controller in a commonly used, machine-readable format; or delete all Personal Data and certify the deletion in writing. The Controller has 90 days after account closure to request data export. After this period, the Processor shall securely delete all remaining Personal Data, unless retention is required by applicable law.
12. Liability and Governing Law
This DPA is governed by the laws of the European Union and the applicable member state. Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law where such limitation is not permitted.