Data Processing Agreement (DPA)

Article 28 of the GDPR. Conditions under which WezBook, as data processor, processes personal data on behalf of the Professional, data controller.

Last updated: [TO BE COMPLETED]

Article 1 — Parties

This Data Processing Agreement (hereinafter "DPA") is concluded between:

The Data Controller (hereinafter "the Professional")

The professional operating a beauty or wellness establishment having subscribed to the WezBook platform, as identified in their Account.

The Data Processor (hereinafter "WezBook")

  • Company name : WezBook
  • Legal form : [TO BE COMPLETED]
  • Registered office : [TO BE COMPLETED]
  • SIRET : [TO BE COMPLETED]
  • Email : contact@wezbook.com

Article 2 — Definitions

  • Personal Data : any information relating to an identified or identifiable natural person (article 4.1 of the GDPR).
  • Processing : any operation performed on Personal Data (collection, recording, storage, consultation, transmission, deletion, etc.).
  • Data Subject : natural person whose Personal Data is processed.
  • Data Breach : security breach resulting in destruction, loss, alteration, unauthorized disclosure or unauthorized access to Personal Data.
  • Sub-processor : any third-party processor engaged by WezBook to process Personal Data on behalf of the Professional.
  • Documented Instructions : written instructions from the Professional concerning the Processing of Personal Data.
  • Supervisory Authority : the French Data Protection Authority (CNIL).

Article 3 — Purpose and Scope of Processing

3.1 Purpose

This DPA defines the conditions under which WezBook, as data processor, processes Personal Data on behalf of the Professional, as data controller, in the context of WezBook platform use.

This DPA supplements the Terms of Sale (TOS) and the Privacy Policy.

3.2 Nature and purposes of processing

WezBook processes Personal Data for the following purposes:

  • Appointment and time slot management
  • Customer relationship management for the salon (customer file, history)
  • Sending SMS reminders and email notifications on behalf of the salon
  • Recording cash register transactions via the WezPay module (optional add-on module, compliant with art. 286-I-3°bis of the French CGI)
  • Production of statistics and analytics for the salon

3.3 Duration of processing

Processing is carried out throughout the duration of the Professional's WezBook subscription.

At the end of the subscription, data is processed in accordance with article 4.7 of this DPA, subject to legal retention obligations (notably the retention of cash register data for 6 years pursuant to article L.102 B of the French Book of Tax Procedures (LPF)).

3.4 Categories of data subjects

  • End customers of the salon (registered and temporary)
  • Employees and collaborators of the salon

3.5 Types of personal data processed

Category | Data
Identity | First name, last name
Contact information | Phone number, email address
Appointments | Dates, times, booked services, assigned employee, status
Customer notes | Free text comments added by the Professional
Transactions (WezPay) | Amounts, service details, payment method (type only), receipts, cash closures, refunds, credits
Technical data | Internal identifiers, timestamps

3.6 Sensitive data

WezBook is not designed to process special categories of data within the meaning of article 9 of the GDPR (health data, racial or ethnic origin, political opinions, etc.).

The Professional undertakes not to enter sensitive data in free text fields (customer notes), unless they have obtained the explicit consent of the Data Subject in accordance with article 9.2(a) of the GDPR. WezBook does not control the content of free text fields and cannot be held liable for their content.

Article 4 — WezBook's Obligations (data processor)

4.1 Processing on documented instructions (art. 28.3(a))

WezBook processes Personal Data only on documented instructions from the Professional. Instructions are deemed given by the Professional via:

  • Use of Platform features (each action constitutes an instruction)
  • Parameters configured in the salon management space
  • Any additional written instruction transmitted by email

WezBook does not process Personal Data for purposes other than those provided for in this DPA. If WezBook is required by EU or French law to carry out processing, it will inform the Professional before processing, unless legally prohibited.

WezBook will immediately inform the Professional if, in its opinion, an instruction constitutes a violation of the GDPR or other EU or French data protection provisions.

4.2 Confidentiality (art. 28.3(b))

WezBook ensures that persons authorized to process Personal Data:

  • Commit in writing to respect confidentiality
  • Are subject to an appropriate legal obligation of confidentiality

Access to Personal Data is limited to members of WezBook staff who need it as part of their duties.

4.3 Security of processing (art. 28.3(c) and art. 32)

WezBook implements appropriate technical and organizational measures to ensure a level of security adapted to the risk, as described in Annex 1 of this DPA.

These measures include notably:

  • Encryption of Personal Data in transit (TLS/HTTPS) and at rest (AES-256, AWS)
  • Ability to ensure confidentiality, integrity, availability and resilience of systems
  • Ability to restore access to data in a timely manner in case of incident
  • Regular testing of the effectiveness of security measures

4.4 Further sub-processing (art. 28.3(d) and art. 28.2)

General authorization — The Professional grants WezBook a general written authorization to use sub-processors for the execution of the processing described in this DPA. The list of sub-processors is detailed in Annex 2.

Notification of changes — WezBook will inform the Professional of any addition or replacement of sub-processor at least 30 days before the change is implemented, by email or notification on the Platform.

The Professional has 15 days from notification to raise a reasoned objection. In the absence of objection within this period, the change is deemed accepted.

In case of objection, the parties shall endeavor to find a solution. If no agreement is reached, the Professional may terminate their subscription without penalty.

Obligations of sub-processors — WezBook contractually imposes on each sub-processor the same data protection obligations as those provided for in this DPA (article 28.4 of the GDPR). WezBook remains fully responsible to the Professional for the performance by its sub-processors of their obligations.

4.5 Assistance for data subjects' rights (art. 28.3(e))

WezBook assists the Professional, through appropriate technical and organizational measures, to fulfill their obligation to respond to requests for the exercise of Data Subjects' rights:

  • Right of access (art. 15)
  • Right to rectification (art. 16)
  • Right to erasure (art. 17)
  • Right to restriction of processing (art. 18)
  • Notification obligation (art. 19)
  • Right to portability (art. 20)
  • Right to object (art. 21)

WezBook provides data export features (JSON, CSV) and customer deletion functions in the Platform.

Limitation — Cash register data: in accordance with article 17.3(b) of the GDPR, the right to erasure does not apply to cash register data recorded via WezPay, which is subject to a legal retention obligation of 6 years (article L.102 B of the Book of Tax Procedures) and unalterability (article 286-I-3°bis of the French CGI). WezBook will inform the Professional of this limitation so that they can inform the Data Subject.

When WezBook directly receives a request for the exercise of rights from a Data Subject, it will transmit it to the Professional within 48 hours.

4.6 Assistance for security and notification obligations (art. 28.3(f))

WezBook assists the Professional to ensure compliance with their obligations under articles 32 to 36 of the GDPR:

Data breach notification (art. 33 and 34) — WezBook will notify the Professional of any Data Breach within 48 hours of becoming aware of it, providing:

  • The nature of the breach
  • The categories and approximate number of Data Subjects
  • The likely consequences of the breach
  • Measures taken or proposed to remedy the breach

WezBook will cooperate with the Professional to enable them to notify the CNIL within the 72-hour period provided for in article 33 of the GDPR.

Impact assessment (art. 35 and 36) — WezBook will provide the Professional with the information necessary for carrying out a data protection impact assessment (DPIA), if required, as well as for any prior consultation with the CNIL.

4.7 Fate of data at end of contract (art. 28.3(g))

Upon expiration or termination of the subscription, at the Professional's choice:

Option A — Return: The Professional may request export of all their Personal Data in a structured and readable format (JSON, CSV) within 30 days of subscription end.

Option B — Deletion: In the absence of an export request within 30 days, WezBook will delete the Personal Data within an additional 30 days (i.e. 60 days after the end of the subscription).

Exception — Cash register data (art. 286-I-3°bis of the French CGI): Cash register data recorded via the WezPay module is retained for a minimum of 6 years in accordance with tax obligations (article L.102 B of the Book of Tax Procedures). The Professional may request export of this data at any time during this period. At the expiration of the 6-year period, this data will be deleted.

Backups: Backup copies containing Personal Data will be purged in accordance with the backup rotation cycle, within a maximum period of 90 days after deletion of production data.

4.8 Audit and inspection (art. 28.3(h))

WezBook makes available to the Professional all information necessary to demonstrate compliance with its obligations under article 28 of the GDPR.

WezBook authorizes and contributes to audits, including inspections, carried out by the Professional or an auditor mandated by them, under the following conditions:

  • The Professional sends a written audit request with 30 days' notice
  • The audit is carried out during business hours
  • The auditor is subject to a confidentiality obligation
  • The audit must not disproportionately disrupt WezBook's activities

WezBook may propose the provision of independent audit reports, security certifications or compliance reports as an alternative to on-site audit.

Audit costs are borne by the Professional, unless the audit reveals a breach by WezBook of its obligations under this DPA.

Article 5 — Professional's Obligations (data controller)

The Professional, as data controller, undertakes to:

  • Have a valid legal basis for each processing of Personal Data entrusted to WezBook (consent, contract performance, legitimate interest, etc.)
  • Inform Data Subjects (their end customers) of the processing of their data, in accordance with articles 13 and 14 of the GDPR, notably of the existence of WezBook as data processor
  • Only transmit to WezBook lawful and accurate Personal Data
  • Not enter sensitive data (art. 9 GDPR) in free text fields without having obtained the explicit consent of the Data Subject
  • Give instructions compliant with the GDPR and applicable law
  • Supervise processing and verify WezBook's compliance
  • Respond to requests for the exercise of Data Subjects' rights within legal deadlines

Article 6 — Data Transfers Outside the EU/EEA

6.1 Principle

Personal Data is hosted within the European Union (AWS — Ireland and Frankfurt regions).

6.2 Transfers to the United States

Some of WezBook's sub-processors are located in the United States. Transfers of Personal Data to these sub-processors are framed by:

  • The EU-US Data Privacy Framework (DPF) — European Commission adequacy decision of July 10, 2023, for DPF-certified sub-processors
  • The Standard Contractual Clauses (SCC) approved by European Commission Implementing Decision 2021/914, for non-DPF-certified sub-processors

6.3 Additional safeguards

WezBook undertakes to:

  • Verify that each sub-processor located outside the EU/EEA has appropriate safeguards
  • Inform the Professional of any change affecting international transfers
  • Suspend transfers if safeguards are no longer ensured

The details of safeguards per sub-processor are provided in Annex 2.

Article 7 — Duration

This DPA takes effect on the date of subscription to WezBook and remains in force throughout the subscription period.

The following articles survive the end of the DPA:

  • Article 4.2 (confidentiality) — without time limit
  • Article 4.7 (fate of data) — until all data is effectively deleted
  • Article 4.8 (audit) — for 1 year after the end of the subscription
  • Article 8 (liability) — in accordance with applicable limitation periods
  • Annex 2 (sub-processors) — for the duration of data retention

Article 8 — Liability

8.1 WezBook's liability

WezBook is liable for damage caused by processing not compliant with the obligations specifically incumbent on the processor under the GDPR or when it acted outside the lawful instructions of the Professional or contrary to them (article 82.2 of the GDPR).

8.2 Professional's liability

The Professional is liable for damage caused by processing not carried out in accordance with the GDPR (article 82.2 of the GDPR), notably regarding the lawfulness of their instructions and compliance with their information obligations to Data Subjects.

8.3 Limitation

WezBook's liability under this DPA is subject to the limitations provided for in the Terms of Sale.

Article 9 — Applicable Law and Jurisdiction

This DPA is governed by French law.

In case of dispute, the parties undertake to seek an amicable solution. Failing that, the dispute will be submitted to the competent courts of [TO BE COMPLETED].

The competent Supervisory Authority is the French Data Protection Authority (CNIL).

Annex 1 — Technical and organizational measures (art. 32 GDPR)

Encryption

Measure | Detail
Encryption in transit | TLS 1.2+ / HTTPS for all communications
Encryption at rest | AES-256 via AWS (keys managed by AWS KMS)
Password hashing | BCrypt

Access control

Measure | Detail
Authentication | Firebase Authentication with JWT tokens
Role-based access control | RBAC system (user, employee, admin)
Data isolation | Multi-tenant architecture with isolation per salon
Principle of least privilege | Access limited to strictly necessary data

Protection against attacks

Measure | Detail
Rate limiting | Protection against brute force attacks (Bucket4j)
Input validation | Systematic sanitization and validation
Webhook verification | Signature verification (Stripe, Twilio, Resend)
CORS protection | Restrictive configuration

Monitoring and logging

Measure | Detail
Audit trail | Logging of sensitive actions
Monitoring | Continuous infrastructure monitoring

Backup and continuity

Measure | Detail
Backups | Regular automated backups (AWS)
Restoration | Tested restoration procedures
Hosting | AWS Europe regions (Ireland eu-west-1 / Frankfurt eu-central-1)

Tax compliance measures (art. 286-I-3°bis of the French CGI)

Measure | Detail
Unalterability | Chaining and digital signature of cash register data
Traceability | Exhaustive logging of each cash register operation
Retention | Secure archiving for a minimum of 6 years
Compliance | Individual publisher's certificate no. ATT-WEZPAY-2026-001 (art. 286-I-3°bis of the French CGI)

Annex 2 — List of sub-processors

Sub-processor | Processing | Data processed | Location | Transfer safeguards
Amazon Web Services (AWS) | Hosting, storage, backup | All data (encrypted) | Europe (Ireland / Frankfurt) | Data in EU
Firebase (Google) | Authentication | Email, name, user identifier | USA | DPF + SCC
Stripe | Payments and subscriptions | Customer identifiers, transaction data | USA | DPF + SCC
Twilio | SMS sending | Phone numbers, SMS content | USA | DPF + SCC
Resend | Email sending | Email addresses, email content | USA | SCC
SumUp | Payment terminal payments | Transaction references | Europe (Ireland) | Data in EU
Google Places | Salon geolocation | Addresses, GPS coordinates | USA | DPF + SCC

Any modification of this list will be notified to the Professional in accordance with article 4.4 of this DPA.

Annex 3 — Description of processing

Purpose | Operations | Legal basis (Professional) | Categories of data | Retention period
Customer management | Collection, storage, consultation, modification, deletion | Contract performance / Legitimate interest | Identity, contact info, notes | Duration of relationship, then 1 year
Appointment management | Collection, storage, consultation | Contract performance | Identity, contact info, appointment details | Duration of relationship, then 1 year
SMS reminders | Consultation, transmission (Twilio) | Contract performance | Phone number, appointment details | Sending duration
Email notifications | Consultation, transmission (Resend) | Contract performance | Email address, content | Sending duration
Cash register recording (WezPay) | Collection, storage, archiving | Legal obligation (art. 286-I-3°bis of the French CGI) | Transactions, amounts, payment methods | 6 years (tax obligation)
Statistics | Consultation, aggregation | Legitimate interest | Appointment and cash register data (aggregated) | Subscription duration

For any question regarding this DPA, contact us at: contact@wezbook.com
