Data Processing Agreement
Last updated: June 2026
1. Parties
This Data Processing Agreement is entered into between the business owner ('Controller') and Zommo, a service operated by Fundacja Rozwoju Przedsiębiorczości 'Twój StartUp', a foundation registered in Poland (KRS: 0000442857, NIP: 5213641211, REGON: 146433467, registered address: ul. Żurawia 6/12 lok. 766, 00-503 Warszawa, Poland) ('Processor'). The Controller determines the purposes and means of processing personal data. The Processor processes personal data on behalf of the Controller solely to provide the Zommo booking services.
2. Subject Matter and Purpose
The Processor shall process personal data on behalf of the Controller for the purpose of providing Zommo's booking flow services. This includes storing, organizing, and displaying booking information, managing customer appointments, and facilitating communication between the Controller and their customers.
3. Duration of Processing
The Processor shall process personal data for the duration of the service agreement between the Controller and Zommo. Processing will cease upon termination of the agreement, subject to the data return and deletion provisions outlined in Section 10.
4. Categories of Data
The personal data processed includes: customer names, email addresses, phone numbers, booking dates and times, service preferences, booking notes, and payment references. For business owners, we additionally process business name, contact details, and account credentials.
5. Processing Operations
Processing operations include: collection and storage of booking data, organization and structuring of appointment records, retrieval and display of booking information in the dashboard, transmission of booking confirmations and reminders, and generation of anonymized analytics reports.
6. Sub-Processors
The Processor engages the following sub-processors: Vercel (application hosting, EU region); Neon (PostgreSQL database storage, EU-Central Frankfurt); and Brevo (transactional email notifications, EU). The Controller will be notified of any changes to sub-processors with 30 days' advance notice.
7. Security Measures
The Processor implements appropriate technical and organizational measures including: encryption of data in transit (TLS 1.2+) and at rest, role-based access controls, regular security audits and vulnerability assessments, secure development practices, automated backup procedures, and incident response protocols.
8. Data Subject Rights
The Processor shall assist the Controller in fulfilling data subject requests under GDPR Articles 15-22, including rights of access, rectification, erasure, restriction, data portability, and objection. This assistance is provided via email at dpa@zommo.app within 72 hours. Dashboard tools for data subject rights management are planned for a future release.
9. Data Breach Notification
In the event of a personal data breach, the Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification shall include the nature of the breach, categories of data affected, approximate number of data subjects concerned, and measures taken or proposed to address the breach.
10. Data Return and Deletion
Upon termination, the Controller may request data export or deletion by contacting dpa@zommo.app. Data will be returned in a machine-readable format or securely deleted within 30 days. Dashboard data export functionality is planned for a future release. Deletion is confirmed in writing upon completion.