Data Processing Addendum
Last updated: April 2026
1. Roles and Scope
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Krista Vitolska, trading as Laima ("Processor"), and the Subscriber ("Controller").
You are the Data Controller for Client Data — you determine the purposes and means of processing. We are the Data Processor — we process Client Data solely on your behalf.
Scope: Appointment booking and business management for beauty and wellness businesses. Duration is the term of subscription plus 30 days. Data subjects are your Clients. Types of data include names, emails, phone numbers, appointment details, preferences, booking history, and AI conversation content.
2. Our Obligations as Processor
Instructions: We process Client Data only on your documented instructions unless required by law.
Confidentiality: All persons authorised to process data are bound by confidentiality obligations.
Security: We implement encryption in transit and at rest, row-level security, secure authentication, access controls, and rate limiting.
3. Sub-processors
We use the following sub-processors: Supabase (database, EU Ireland), Anthropic (AI processing, US), Stripe (payments, US), Google (calendar sync, US), Vercel (hosting, global), Upstash (rate limiting, EU), and Resend (email, EU/US).
We will inform you of changes to sub-processors with 14 days' notice.
4. Data Subject Rights
We will assist you in responding to data subject requests including access, rectification, erasure, restriction, portability, and objection.
5. Data Breach Notification
We will notify you within 72 hours of becoming aware of a personal data breach affecting Client Data, including the nature, scope, likely consequences, and measures taken.
6. Deletion and Return
Upon termination, we delete all Client Data within 30 days unless required by law. You may request a data export before deletion.
7. International Transfers
Where Client Data is transferred outside the EEA or UK, we ensure appropriate safeguards including EU Standard Contractual Clauses and UK International Data Transfer Agreements.
8. Your Obligations as Controller
You must ensure a lawful basis for processing, provide clear privacy information to your Clients, ensure your instructions comply with data protection laws, and respond to data subject requests in a timely manner.
9. Contact
Laima
Operated by Krista Vitolska
Email: hello@getlaima.com