1. Roles and scope

For personal information of Individual Users processed through the Receptioner platform, the Customer is the data controller and Receptioner is the data processor. The Customer determines the purposes and means of processing; Receptioner processes only on documented instructions from the Customer as set out in the Terms of Service, the Customer's configuration of the Services, and any additional written instructions.

This DPA applies for as long as Receptioner processes personal information on the Customer's behalf.

2. Nature and purposes of processing

Subject matter: Provision of the Receptioner booking and business-management platform.

Duration: For the term of the Customer's subscription and any post-termination export period as set out in the Terms of Service.

Nature and purpose: Collection, storage, hosting, transmission, display, editing, deletion, and back-up of personal information to deliver the Services.

Categories of data subjects: Individual Users of the Customer (clients, patients), Customer's staff, and other persons whose information the Customer enters into the platform.

Categories of personal information: Contact details, appointment and booking data, service history, payment metadata, uploaded documents and photos, and (where the Customer collects it) health information, medical history, allergies, medications, pregnancy status, and other sensitive information collected through intake forms.

3. Receptioner's obligations

Receptioner will:

• Process personal information only on the Customer's documented instructions, save where required by law;
• Ensure that personnel authorised to process personal information are bound by confidentiality obligations;
• Implement the technical and organisational security measures described in clause 5 of this DPA and our Trust & Security Overview;
• Assist the Customer, on reasonable request and at the Customer's cost, to respond to requests from Individual Users exercising their rights under applicable privacy law (including access, correction, and deletion requests);
• Notify the Customer of a confirmed personal data breach affecting the Customer's Individual Users as soon as practicable, and in any event without undue delay (aiming for notification within 72 hours consistent with the Office of the Privacy Commissioner's guidance);
• At the end of the Services, make personal information available for export for 30 days and thereafter delete it in accordance with the Terms of Service.

4. Customer's obligations

The Customer warrants that it:

• Has a lawful basis to collect, store, and process the personal information it enters into the platform, including any sensitive or health information;
• Has obtained all necessary consents from Individual Users for the collection and processing (including via intake forms);
• Will respond to Individual User rights requests that are properly directed to the Customer as the data controller;
• Will export and retain any information it is required to keep under applicable law before any Receptioner-initiated deletion.

5. Security

Receptioner will implement and maintain reasonable technical and organisational security measures appropriate to the risk, including:

• Encryption of personal information in transit (TLS) and at rest (AES-256);
• Role-based access control and least-privilege principles for personnel;
• Multi-factor authentication for internal administrative access;
• Audit logging of access to production systems;
• Regular backups (retained up to 35 days) and documented disaster-recovery processes;
• Monitoring, vulnerability management, and periodic security review of subprocessors;
• A documented incident-response plan and privacy-breach notification process.

A more detailed description is available on our Trust & Security Overview.

6. Subprocessors

The Customer gives Receptioner a general authorisation to engage subprocessors for the purposes of delivering the Services. Our current list of subprocessors is published at receptionerapp.com/subprocessors.

We will impose, by written contract, data-protection obligations on each subprocessor that are substantially equivalent to those in this DPA. For material changes to the subprocessor list that affect the processing of personal information, we will provide reasonable prior notice via email or in-product notification.

If the Customer reasonably objects to a new subprocessor on data-protection grounds, the Customer may terminate the affected subscription by written notice to privacy@receptionerapp.com before the change takes effect. In that case, We will refund the pro-rata portion of any pre-paid Fees attributable to the unused remainder of the then-current Billing Cycle for the affected subscription. If the Customer does not object before the change takes effect, the Customer is deemed to have accepted the new subprocessor.

7. International transfers

Personal information processed through the Receptioner platform is hosted in Australia (AWS Sydney) with redundant backup in the European Union (AWS Stockholm). It may also be transferred to other jurisdictions in connection with subprocessors providing development, support, monitoring, or telecommunications services (see our published Subprocessors list).

For any such transfer, we rely on the following gateways under Information Privacy Principle 12 of the Privacy Act 2020 (NZ) and Australian Privacy Principle 8 of the Privacy Act 1988 (Cth):

• Comparable safeguards by contract. We bind each subprocessor by written contract to data-protection obligations substantially equivalent to those required of us under the New Zealand Privacy Act 2020 and the Australian Privacy Act 1988, including obligations relating to security, confidentiality, breach notification, and onward transfer.
• Limited and de-identified telemetry. Subprocessors based in jurisdictions without an adequacy or comparable-protection determination (in particular, monitoring providers based in the United States) receive only technical telemetry (error traces, performance metrics, system logs) with sensitive fields scrubbed where configured. They do not receive customer records, booking data, intake-form responses, or health information in the ordinary course.
• Other lawful bases. Where IPP 12 or APP 8 permits a transfer on another basis (for example, where the transfer is necessary for the performance of a contract with the individual, or where the individual has authorised the transfer after being informed), we may rely on that basis instead.

8. Audit

On reasonable prior written notice and no more than once per 12 months (except following a confirmed material privacy breach), the Customer may request information reasonably necessary to demonstrate Receptioner's compliance with this DPA. Where the Customer requires an on-site audit, the audit will be at the Customer's cost, conducted during business hours, subject to confidentiality obligations, and conducted in a manner that does not disrupt the Services or breach Receptioner's obligations to other customers.

9. Automated decision-making

As at the date of this DPA, Receptioner does not use personal information to make automated decisions that have a legal or similarly significant effect on any individual, and does not use personal information to train general-purpose artificial intelligence or machine-learning models. If this changes, we will update this DPA and the Privacy Policy and provide notice before new features take effect.

10. Liability

The liability of each party under this DPA is governed by, and subject to, the limitation of liability and indemnification provisions of the Terms of Service.

11. Precedence

In the event of a conflict between this DPA and the Terms of Service on matters concerning the processing of personal information, this DPA prevails. In the event of a conflict between this DPA and a signed Order Form or Addendum on matters concerning the processing of personal information, the signed document prevails.

12. Contact

Questions about this DPA should be directed to privacy@receptionerapp.com. A countersigned copy of this DPA is available on request for customers who require a signed document for their records.