Data Processing Addendum (DPA) — PreBookmt
Last updated: 2026-05-14
This Data Processing Addendum ("DPA") forms part of the Terms of Service between:
- PreBookmt — Justin Azzopardi, trading as PreBookmt (sole trader), of Bellevue, Triq il-Merkanti, Ghajnsielem GSM 1951, Gozo, Malta, Malta VAT number MT32819405, contact legal@prebookmt.com (the "Processor" or "PreBookmt"); and
- The business owner who has accepted the Terms of Service (the "Controller" or "Customer").
This DPA reflects the requirements of Regulation (EU) 2016/679 (the "GDPR") and the Maltese Data Protection Act (Chapter 586). It governs the processing by PreBookmt of personal data belonging to the Controller's own customers and staff that the Controller uploads to or processes through the PreBookmt platform (the "Service").
This DPA is automatically accepted by every business owner when they accept the Terms of Service. A signed paper copy can be requested from legal@prebookmt.com and will be countersigned without modification on demand.
1. Definitions
Capitalised terms have the meanings given in the GDPR. The following additional terms apply:
- Customer Personal Data — personal data uploaded to the Service by the Controller, or generated within the Service by or about the Controller's own customers and staff, processed by PreBookmt on behalf of the Controller (e.g. customer names, contact details, booking history, messages, gallery photos, staff names and photos).
- Sub-processor — any third party engaged by PreBookmt to process Customer Personal Data on PreBookmt's behalf.
- Security Incident — any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.
- TOMs — the technical and organisational measures described in Annex C.
- EU SCCs — the European Commission's Standard Contractual Clauses adopted by Decision (EU) 2021/914 of 4 June 2021.
2. Roles and scope
PreBookmt acts as Processor with respect to Customer Personal Data; the Controller acts as Controller.
Note: PreBookmt remains the independent Controller for personal data that PreBookmt itself collects about business-owner account holders (e.g. the business owner's own name, email, billing address). That processing is governed by the Privacy Policy, not this DPA. This DPA covers only the data the Controller uploads or processes on its own customers and staff.
This DPA applies to all processing of Customer Personal Data by PreBookmt under the Terms of Service. It does not apply to personal data that the Controller processes outside the Service (e.g. messages exchanged off-platform).
3. Purpose, nature, and duration of processing
| Purpose | To provide the Service to the Controller — operating the Controller's business listing, bookings calendar, customer messaging, staff scheduling, reviews, gallery, multi-location features, and analytics. |
| Nature | Storage, retrieval, structuring, hosting, displaying, transmitting, deletion. No automated decision-making in the sense of GDPR Article 22. |
| Duration | For as long as the Controller's subscription is active, plus the legally required retention periods set out in the Privacy Policy. |
| Types of data | See Annex A. |
| Categories of data subjects | See Annex A. |
4. Controller's obligations
The Controller:
- (a) shall comply with the GDPR and Maltese data protection law in its capacity as Controller;
- (b) shall have an appropriate lawful basis (Article 6 GDPR) and, where applicable, condition for special category data (Article 9 GDPR) for every act of processing it instructs PreBookmt to carry out;
- (c) shall provide its own customers with appropriate transparency information (Articles 13–14 GDPR) describing the processing carried out through PreBookmt;
- (d) shall obtain any consent required from data subjects, including consent for marketing communications, where the Controller subsequently uses Customer Personal Data for such purposes;
- (e) shall be solely responsible for the accuracy, quality, and legality of Customer Personal Data;
- (f) shall not upload to the Service any special category personal data (Article 9 GDPR) — including data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, or data concerning sex life or sexual orientation — except as strictly necessary to operate the booked service and where the Controller has a lawful basis under Article 9. PreBookmt's TOMs are designed for standard contact-and-booking data, not special category data;
- (g) shall not use the Service to process the personal data of children under 16 except for legitimate child-related bookings (e.g. a child's haircut booked by a parent) where the parent has given consent.
5. Processor's obligations
PreBookmt shall:
- (a) process Customer Personal Data only on the Controller's documented instructions, including with regard to transfers to third countries — except where required to do so by Union or Maltese law, in which case PreBookmt will inform the Controller before processing (unless the law prohibits such notification on important grounds of public interest);
- (b) treat the use of the Service in accordance with its documentation and the Terms of Service as standing documented instructions;
- (c) ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- (d) implement the TOMs described in Annex C in accordance with Article 32 GDPR;
- (e) engage Sub-processors only in accordance with Section 7 of this DPA;
- (f) assist the Controller, taking into account the nature of processing and the information available to PreBookmt, in fulfilling its obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation);
- (g) assist the Controller with appropriate technical and organisational measures, insofar as possible, in responding to requests from data subjects exercising their rights under Articles 12–22 GDPR;
- (h) make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits as set out in Section 12;
- (i) immediately inform the Controller if, in PreBookmt's opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
6. Security
PreBookmt has implemented the TOMs described in Annex C. PreBookmt shall maintain and, where reasonably appropriate, improve those measures throughout the term of this DPA. PreBookmt may update Annex C from time to time provided the level of protection is not materially degraded.
7. Sub-processors
7.1 General authorisation
The Controller grants PreBookmt general written authorisation to engage Sub-processors to assist in the provision of the Service, subject to this Section 7.
7.2 Current Sub-processors
The list of authorised Sub-processors, together with the processing each performs, is set out in Annex B. The current list is also published at prebookmt.com/sub-processors and reflects PreBookmt's actual deployed stack.
7.3 Changes to Sub-processors
PreBookmt will notify the Controller of any intended addition or replacement of a Sub-processor at least 30 days in advance by:
- Email to the registered account email; and
- Updating the public list at prebookmt.com/sub-processors.
The Controller may object to the engagement of a new Sub-processor on reasonable data-protection grounds by emailing legal@prebookmt.com within 30 days of the notification. PreBookmt will then either:
- (a) refrain from engaging the proposed Sub-processor; or
- (b) propose an alternative; or
- (c) where neither (a) nor (b) is reasonably feasible, allow the Controller to terminate the affected portion of the Service and receive a pro-rata refund for the unused, prepaid portion of the subscription.
7.4 Sub-processor agreements
PreBookmt shall enter into a written contract with each Sub-processor imposing data protection obligations substantially similar to those imposed on PreBookmt under this DPA, including the same obligations on security and breach notification. PreBookmt remains fully liable to the Controller for the performance of every Sub-processor's obligations.
8. International transfers
Some Sub-processors are established outside the European Economic Area. Where personal data is transferred outside the EEA, PreBookmt relies on the following safeguards:
- EU SCCs entered into with the Sub-processor, in the version adopted by Commission Decision (EU) 2021/914; and/or
- An applicable adequacy decision under Article 45 GDPR.
The Controller authorises PreBookmt to enter into the EU SCCs with Sub-processors on the Controller's behalf, acting as the Controller's mandated agent for that purpose only.
A copy of the relevant SCCs and accompanying Transfer Impact Assessment is available on request from legal@prebookmt.com.
9. Personal data breach
9.1 Notification
PreBookmt shall notify the Controller of any Security Incident affecting Customer Personal Data without undue delay and, where feasible, within 72 hours of becoming aware of it. The notification will include, to the extent then known:
- a description of the nature of the incident;
- the categories and approximate number of data subjects and records affected;
- the likely consequences of the incident;
- the measures taken or proposed to be taken to address it and mitigate its possible adverse effects.
Where it is not feasible to provide all of the above information at the same time, PreBookmt may provide it in phases without further undue delay.
9.2 Cooperation
PreBookmt shall cooperate with the Controller and provide the assistance the Controller reasonably requires to comply with Articles 33–34 GDPR (notification to the supervisory authority and to affected data subjects).
9.3 Records
PreBookmt shall maintain internal records of all Security Incidents in accordance with Article 33(5) GDPR.
10. Data subject rights
PreBookmt shall, taking into account the nature of processing and to the extent technically feasible, assist the Controller in responding to data subject requests, including:
- providing the Controller with tools within the Service to access, export, correct, or delete Customer Personal Data;
- on the Controller's documented request, providing additional support, which may be charged at PreBookmt's reasonable rates if the request is materially in excess of typical platform features.
Where a data subject contacts PreBookmt directly to exercise rights with respect to Customer Personal Data, PreBookmt will promptly forward the request to the Controller and will not respond to the data subject directly except to acknowledge receipt and to direct the data subject to the Controller.
11. DPIAs and prior consultations
PreBookmt shall, taking into account the nature of processing and the information available to it, provide reasonable assistance to the Controller in carrying out a data protection impact assessment ("DPIA") under Article 35 GDPR and prior consultations under Article 36 GDPR.
12. Audits
12.1 Information rights
PreBookmt shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and the GDPR, including (without limitation):
- the TOMs documented in Annex C;
- the current Sub-processor list and the agreements summary;
- the latest available third-party security certifications or audit reports relating to PreBookmt's Sub-processors (e.g. Supabase SOC 2, Stripe PCI DSS, Cloudflare SOC 2).
12.2 Audit rights
The Controller may, no more than once per twelve-month period and on at least 30 days' written notice, audit PreBookmt's compliance with this DPA. Audits shall:
- be conducted during business hours and in a manner that does not unreasonably disrupt PreBookmt's operations;
- be subject to a confidentiality undertaking on the Controller's auditors;
- not require PreBookmt to disclose information relating to other PreBookmt customers, to other Sub-processors' confidential information, or to PreBookmt's source code or proprietary infrastructure beyond what is reasonably needed to assess this DPA's performance.
Where the Controller is itself audited or supervised by a regulator, the Controller may request that PreBookmt assist with the regulatory audit on the same terms.
12.3 Costs
Each party bears its own costs of audit. Where an audit identifies a material non-conformance attributable to PreBookmt, PreBookmt shall remedy it at its own cost.
13. Return or deletion of data
On termination of the Controller's subscription or on the Controller's written request, PreBookmt shall, at the Controller's choice, either:
- (a) return Customer Personal Data to the Controller in a structured, commonly used, machine-readable format (e.g. CSV/JSON export); or
- (b) delete Customer Personal Data from PreBookmt's production systems, save where Union or Maltese law requires continued storage of certain records (notably tax and accounting records, retained per the Privacy Policy).
In either case, PreBookmt shall delete all remaining copies from active systems within 30 days of termination (or of the Controller's request) and from backups within the backup-retention period stated in Annex C.3. Records that PreBookmt must continue to store under the legal-retention carve-out in (b) above shall be held in pseudonymised form to the extent technically feasible.
A certificate of deletion is available on written request to legal@prebookmt.com.
14. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in Terms of Service §D.3. Nothing in this DPA limits liability that cannot be limited under Maltese law (including fraud, gross negligence, or liability for damages caused by infringement of the GDPR to the extent prohibited by Article 82 GDPR).
For the avoidance of doubt, liability between Controller and Processor for damages claimed by data subjects under Article 82 GDPR shall be apportioned in accordance with each party's responsibility for the damage.
15. Term and termination
This DPA takes effect on the date the Controller accepts the Terms of Service or first uses the Service as a business owner, whichever is earlier, and remains in force for as long as PreBookmt processes Customer Personal Data on the Controller's behalf.
This DPA terminates automatically on termination of the Terms of Service. Sections 9 (Personal data breach in respect of incidents predating termination), 13 (Return or deletion), and 14 (Liability) survive termination to the extent reasonably necessary.
16. Precedence
In the event of any conflict between this DPA, the Terms of Service, and the Privacy Policy, the following order of precedence applies, with respect to the processing of Customer Personal Data only:
- This DPA (including Annexes A–C)
- The Terms of Service
- The Privacy Policy
17. Changes to this DPA
PreBookmt may update this DPA from time to time to reflect:
- changes in applicable data protection law;
- changes in PreBookmt's actual processing operations;
- additions to or changes in Sub-processors (see Section 7.3).
Material changes will be notified by email and in-app banner at least 30 days before they take effect.
18. Governing law and jurisdiction
This DPA is governed by the laws of Malta. The courts of Malta have exclusive jurisdiction over any dispute arising out of or related to this DPA, save where mandatory consumer or data-subject jurisdiction provisions apply under EU law.
19. Contact
| Purpose | Address |
|---|---|
| Privacy / data subject queries | privacy@prebookmt.com |
| Legal notices, audit requests, DPA-related correspondence | legal@prebookmt.com |
| General support | support@prebookmt.com |
Postal: Justin Azzopardi t/a PreBookmt, Bellevue, Triq il-Merkanti, Ghajnsielem GSM 1951, Gozo, Malta.
Annex A — Description of processing
| Element | Detail |
|---|---|
| Subject matter of processing | Provision of the PreBookmt platform to the Controller for the management of the Controller's bookings, customers, staff, and business listing. |
| Duration of processing | Term of the Controller's subscription, plus required retention periods (see Privacy Policy §6). |
| Nature of processing | Storage, retrieval, structuring, hosting, displaying, transmitting, deletion. |
| Purpose of processing | Enabling the Controller to operate its business through the Service. |
| Type of personal data | Customer first name and (optional) last name; customer email; customer phone number; booking date, time and service; messages between customer and Controller; gallery photos (if uploaded by Controller); staff first and last names; staff photo; staff hours and time-off; location addresses; review text; loyalty points; IP address (transient, for rate-limiting); push-notification tokens. |
| Special category data | None expected. Controller is prohibited from uploading special category data save where strictly necessary (see DPA §4(f)). |
| Categories of data subjects | The Controller's own customers; the Controller's staff members; the Controller's own representatives. |
Annex B — Sub-processors
| Sub-processor | Service | Region | Transfer mechanism (if outside EEA) | Privacy Policy |
|---|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, file storage | EU (Frankfurt) | n/a — data stays in EU | https://supabase.com/privacy |
| Stripe Inc. | Subscription billing processing (for the Controller's subscription only) | US + Ireland | EU SCCs | https://stripe.com/privacy |
| Expo (650 Industries Inc.) | Push notification delivery | US | EU SCCs | https://expo.dev/privacy |
| PostHog Inc. | Anonymised product analytics | EU (Frankfurt — eu.i.posthog.com) | n/a — data stays in EU | https://posthog.com/privacy |
| Functional Software Inc. (Sentry) | Error and crash monitoring | EU | n/a — data stays in EU | https://sentry.io/privacy |
| Resend Inc. | Transactional email delivery | US + EU | EU SCCs | https://resend.com/legal/privacy-policy |
| Cloudflare Inc. | DNS, CDN, inbound email routing for prebookmt.com | Global | EU SCCs | https://www.cloudflare.com/privacypolicy |
| Vercel Inc. | Hosting for prebookmt.com marketing site | Global | EU SCCs | https://vercel.com/legal/privacy-policy |
| Apple Inc. | App Store distribution of PreBookmt iOS app | Global | EU SCCs (where applicable) | https://www.apple.com/legal/privacy |
| Google LLC | Google Play distribution of PreBookmt Android app | Global | EU SCCs | https://policies.google.com/privacy |
The current canonical list is published at prebookmt.com/sub-processors.
Annex C — Technical and Organisational Measures (TOMs)
The following measures are implemented in accordance with Article 32 GDPR.
C.1 Confidentiality
- Access to Customer Personal Data in production systems is restricted to the sole developer (Justin Azzopardi) on a least-privilege basis.
- Each Sub-processor is bound by a written confidentiality obligation in its contract with PreBookmt.
- Customer Personal Data is segregated by `business_id` foreign keys and protected by Row-Level Security (RLS) policies on every database table containing it, enforced at the database layer regardless of the calling application.
C.2 Integrity
- All traffic to the Service is encrypted in transit using TLS 1.2 or higher.
- Data at rest is encrypted using AES-256 (provided by Supabase).
- Password storage is delegated to Supabase Auth (industry-standard hashing).
- Webhook signatures from Stripe are cryptographically verified before any database write.
- All API endpoints are subject to rate-limiting; suspicious activity is logged for review.
C.3 Availability
- The Service is hosted on Supabase (database) and Vercel (marketing site) with built-in redundancy and automatic failover.
- Daily encrypted backups are retained for 30 days.
- Point-in-time recovery (PITR) is available for the Supabase production database.
C.4 Identification and access control
- Authentication is via email/password with optional two-factor authentication (TOTP).
- Business-owner accounts with a paid subscription are encouraged to enable 2FA; future updates may make this mandatory.
- All authentication events are logged.
- Failed logins are rate-limited.
C.5 Logging and monitoring
- Application errors and exceptions are captured by Sentry (EU region).
- Anonymised product analytics are captured by PostHog (EU region).
- Webhook events from Stripe are persisted with idempotency keys (`processed_webhook_events`) to prevent replay.
C.6 Vendor management
- Each Sub-processor has been selected based on the security and data-protection commitments published in its public documentation and on the availability of EU SCCs where applicable.
- Sub-processor list is reviewed at least annually.
C.7 Personnel
- Justin Azzopardi is the sole developer and operator. Personnel-related TOMs (background checks, training, separation of duties) are not applicable at the current scale and will be revisited when staff are engaged.
C.8 Data minimisation and pseudonymisation
- Customer Personal Data fields requested at booking are limited to those required to deliver the service (name, contact, time, service).
- After account deletion, financial records retained under tax law are pseudonymised by nulling or hashing identifiable fields where possible.
C.9 Incident response
- Any Security Incident is investigated immediately on detection.
- Affected Controllers are notified without undue delay and, where feasible, within 72 hours of PreBookmt becoming aware, per DPA §9.
- A post-incident review is documented and retained.
C.10 Updates
These TOMs may be updated to reflect changes in the Service, in Sub-processors, or in industry best practice, provided the level of protection is not materially degraded. The most current version of Annex C is at prebookmt.com/dpa.