MyTradePlatform

Data Processing Agreement

MyTradePlatform, operated by Richard Harold
Last updated: March 2026

Pursuant to Article 28, UK General Data Protection Regulation

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between MyTradePlatform, operated by Richard Harold (“Processor”, “we”, “us”) and the subscriber (“Controller”, “you”) and applies wherever the Processor processes personal data on behalf of the Controller.

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller via the Platform.
  • “Processing” has the meaning given in UK GDPR Article 4(2).
  • “Platform” means the MyTradePlatform web application and mobile applications.
  • “Sub-processor” means any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
  • “UK GDPR” means the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, as amended.

2. Subject matter and duration

The Processor will process Personal Data on behalf of the Controller for the duration of the Controller's subscription to the Platform, and for 90 days following termination or expiry of the subscription (to permit data export and account reactivation). After this period, Personal Data will be permanently deleted unless the Controller requests earlier deletion under Section 6.

3. Nature and purpose of processing

The Processor processes Personal Data solely to provide the Platform services to the Controller, including:

  • Storing client records, contact details, and job history entered by the Controller
  • Generating and storing invoices and financial records
  • Scheduling and managing appointments
  • Sending communications to the Controller's clients on the Controller's instruction (where messaging features are enabled)
  • Maintaining offline sync and backup of business data

The Processor will not process Personal Data for any purpose other than those specified in this DPA and the Terms of Service, unless required to do so by applicable law.

4. Types of personal data and categories of data subjects

Data subjects: The Controller's clients and prospective clients (individuals whose personal data the Controller enters into the Platform).

Types of personal data processed:

  • Names and contact details (email address, telephone number, postal address)
  • Job and appointment records (dates, locations, services provided, notes)
  • Invoice and payment records (amounts, payment status, billing addresses)
  • Treatment and health records, where entered by the Controller (certain service verticals only)
  • Communication records (where messaging features are enabled)

The Controller is responsible for ensuring it has a lawful basis to enter and process any personal data relating to its clients on the Platform.

5. Obligations of the Processor

The Processor shall:

  1. Process Personal Data only on documented instructions from the Controller (which includes the Terms of Service and this DPA), unless required by law to process otherwise
  2. Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations
  3. Implement and maintain appropriate technical and organisational security measures to protect Personal Data against unauthorised access, loss, destruction, or disclosure (including encryption in transit via TLS and encryption at rest)
  4. Not engage a new Sub-processor without first informing the Controller and providing an opportunity to object (see Section 7)
  5. Assist the Controller in responding to requests from data subjects exercising their rights under UK GDPR, to the extent reasonably practicable
  6. Assist the Controller in meeting its obligations under Articles 32–36 UK GDPR (security, breach notification, DPIAs) to the extent reasonably practicable given the nature of processing
  7. At the Controller's choice, delete or return all Personal Data to the Controller at the end of the subscription, and delete existing copies unless storage is required by applicable law
  8. Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA

6. Obligations of the Controller

The Controller shall:

  1. Ensure it has a lawful basis under UK GDPR for all Personal Data entered into the Platform
  2. Ensure it has appropriate privacy notices in place for its own clients
  3. Notify the Processor promptly if it becomes aware of any actual or suspected Personal Data breach involving data processed on the Platform
  4. Not instruct the Processor to process Personal Data in a way that would breach UK GDPR or any other applicable law

7. Sub-processors

The Controller provides general authorisation for the Processor to engage the following sub-processors. The Processor will notify the Controller of any intended changes to this list (additions or replacements) via email or in-app notice, providing at least 14 days' notice. The Controller may object to changes on reasonable grounds.

Sub-processor | Purpose | Location
Vercel Inc. | Web application hosting and edge delivery | USA (EU SCCs in place)
Neon Inc. | Database infrastructure | EU (Frankfurt, eu-central-1)
Stripe Inc. | Subscription payment processing | USA (EU SCCs in place)
Twilio Inc. | SMS and WhatsApp messaging (where messaging features are enabled) | EU (Ireland region, IE1)
Meta Platforms Ireland Ltd. | WhatsApp Business API delivery (where WhatsApp messaging is enabled) | EU/Ireland
Resend Inc. | Transactional email delivery | USA (EU SCCs in place)
Apple Inc. | iOS app distribution (TestFlight / App Store) | USA
Google LLC | Android app distribution (Google Play) | USA (EU SCCs in place)

Where sub-processors are located outside the UK/EEA, transfers are subject to appropriate safeguards (UK International Data Transfer Agreements or EU Standard Contractual Clauses as applicable).

8. Security measures

The Processor maintains the following technical and organisational measures:

  • Encryption of all data in transit using TLS 1.2 or higher
  • Encryption of data at rest within the database infrastructure
  • Access controls limiting personnel access to production systems
  • Regular automated database backups with point-in-time restore capability
  • Error monitoring and incident alerting via Sentry
  • Secure software development practices

9. Personal data breaches

In the event of a Personal Data breach affecting data processed under this DPA, the Processor will notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Notification will include the nature of the breach, the categories and approximate number of data subjects affected, and the measures taken or proposed to address the breach.

10. Data subject rights

Where the Processor receives a request directly from a data subject relating to Personal Data processed on behalf of the Controller, the Processor will promptly forward the request to the Controller. The Processor will provide reasonable assistance to the Controller in responding to such requests.

11. Governing law

This DPA is governed by the laws of England and Wales and forms part of the agreement between the parties as described in the Terms of Service.

12. Contact

For any queries relating to this DPA:
Email: info@mytradeplatform.co.uk
Address: 9 Rumble Dene, Chippenham, SN15 3XE

© 2026 MyTradePlatform, operated by Richard Harold