Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between OpenHouse AI Limited (“Processor”, “OpenBook”) and the business using OpenBook (“Controller”, “you”).
When you, as a business, store and process information about your customers on OpenBook, you are the data controller for that customer data and OpenBook is your processor. This DPA explains how OpenBook handles that role.
If you don't process personal data about identifiable people (e.g. you only do anonymous bookings), this DPA may not apply to you. For most businesses on OpenBook, it does.
This DPA is drafted to comply with the GDPR as it applies in the EU and is intended to satisfy the processor-contract requirements of Article 28 of the GDPR.
1. Definitions
The following terms have their meanings as defined in the GDPR (EU 2016/679):
personal data, processing, controller, processor, data subject, sub-processor, personal data breach.
In addition:
- “Customer Data” means personal data about your customers (consumers) that you upload, generate, or process through OpenBook.
- “Services” means the OpenBook platform.
2. Roles
- You are the Controller of Customer Data.
- OpenBook is the Processor.
- For OpenBook's own data (your account, billing, usage logs), OpenBook is the Controller — see the Privacy Policy for that.
3. Scope and instructions
OpenBook will only process Customer Data:
- To provide the Services as described in the Terms of Service
- On your documented instructions, including via your normal use of the dashboard
- As required by EU or Irish law (in which case we'll notify you unless prohibited from doing so)
If you give us an instruction that we believe breaches GDPR or other data protection law, we'll tell you and we may decline to act on it.
4. Categories of data and data subjects
| Categories of data subjects | Categories of personal data |
|---|---|
| Your customers (consumers) | Name, email, phone, booking history, package balances, communication history, payment metadata (not card details), staff preferences |
| Your staff | Name, email, role, photo, schedule |
5. Sub-processors
OpenBook uses the sub-processors listed in our Privacy Policy (Section 5) to deliver the Services. By accepting this DPA, you authorise OpenBook to use these sub-processors. Each is bound by terms providing equivalent data protection.
We'll notify you (by email and via the dashboard) at least 30 days before adding or replacing a sub-processor that processes Customer Data. If you object to a new sub-processor on reasonable data protection grounds, you may terminate the affected Service without penalty.
6. Confidentiality
OpenBook personnel with access to Customer Data are bound by confidentiality obligations. As of the effective date, only Sam Donworth has production access. Access is granted on a need-to-know basis and removed when no longer required.
7. Security
OpenBook will implement appropriate technical and organisational security measures to protect Customer Data, including:
- Encryption in transit (TLS 1.3)
- Encryption at rest (Supabase default AES-256)
- Row-level security on every database table
- Authentication-gated access (Google, Apple, or magic-link sign-in; no passwords stored)
- No card data received or stored by OpenBook (payment card details are handled by Stripe directly)
- Logical separation of business data via row-level security tied to owner_id
- Routine backups (30 days rolling)
- Vulnerability monitoring on our infrastructure providers (Vercel, Supabase, Stripe)
- Restricted production access (currently one person)
We'll review and update these measures as the platform grows.
8. Data subject requests
If a customer of yours contacts OpenBook directly to exercise their GDPR rights (access, deletion, etc.), we'll forward the request to you and assist as reasonably required. Most data subject requests should go through you, the controller.
You can fulfil most requests directly from your dashboard:
- Access — your dashboard shows all data we hold for each customer
- Portability — you can export any customer's data as CSV
- Erasure — you can delete a customer record, which removes them from your account (booking records may be retained for tax purposes per Section 11)
- Rectification — you can edit customer records directly
If you need OpenBook's help to fulfil a request you can't handle from the dashboard, email sam@openhouseai.ie.
9. Personal data breaches
If OpenBook becomes aware of a personal data breach affecting Customer Data, we'll:
- Notify you without undue delay, and in any event within 72 hours of becoming aware
- Provide you with the information you need to comply with your own breach notification obligations under GDPR Articles 33 and 34
- Cooperate with you to investigate, mitigate and remediate
You're responsible for notifying the supervisory authority (the Irish DPC) and affected data subjects when required — though we'll help.
10. Data Protection Impact Assessments (DPIAs)
If you need to carry out a DPIA in relation to your use of OpenBook, OpenBook will provide reasonable assistance. For most local service businesses processing standard booking data, a DPIA is not required.
11. Retention and deletion
OpenBook will retain Customer Data for as long as you maintain your account and instruct us to keep it. On termination of your account:
- Customer Data is retained for 30 days as part of the grace period for your customers
- After the grace period, it's archived for 12 months in case of reactivation
- After 12 months, it's permanently deleted from our active systems within 30 days
- Backups containing Customer Data are deleted within a further 30 days
If a tax/accounting record retention requirement applies (e.g. transaction records the Revenue Commissioners may need), the relevant records may be retained longer in accordance with Irish tax law.
You can request earlier deletion of specific Customer Data at any time by deleting it from your dashboard or by emailing sam@openhouseai.ie.
12. International transfers
Customer Data is primarily stored in the EU (Ireland). Where sub-processors based outside the EU/EEA receive Customer Data (Stripe, Resend, OpenAI, Meta), transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission. The current set of SCCs (2021/914) is incorporated into our agreements with these sub-processors.
13. Audits
You can request reasonable information about OpenBook's data processing practices once per year, by writing to sam@openhouseai.ie. As a small operator, we don't currently support on-site audits, but we'll provide written responses to reasonable questions and share any third-party security reports we have.
14. Liability
Liability under this DPA is governed by the limitation of liability clause in the main Terms of Service.
15. Term and termination
This DPA is effective as long as OpenBook processes Customer Data on your behalf. It terminates automatically when your OpenBook account is closed and the retention period in Section 11 has expired.
16. Conflicts
If there's a conflict between this DPA and the Terms of Service or Privacy Policy in respect of Customer Data, this DPA prevails.
17. Governing law
This DPA is governed by Irish law and subject to the exclusive jurisdiction of the Irish courts.
18. Contact
For DPA-related queries:
Email: sam@openhouseai.ie
Post: OpenHouse AI Limited, Ballinvarosig, Carrigaline, Co. Cork, Ireland