LavaBookings

Data processing agreement

Last updated: May 2026

1. Parties and scope

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Layernest Ltd (“Processor”) and the business account holder (“Controller”) who uses LavaBookings to manage client bookings, payments, and communications.

This DPA applies to all personal data that the Controller’s clients (“data subjects”) provide through the LavaBookings platform and that the Processor handles on the Controller’s behalf.

2. Definitions

“Personal data”, “processing”, “data subject”, “controller”, and “processor” have the meanings given in the UK GDPR and the Data Protection Act 2018.

3. Data processed

We process the following categories of personal data on your behalf:

  • Client names, email addresses, and phone numbers
  • Booking dates, times, service types, and preferences
  • Payment amounts and transaction references (card details are held by Stripe, not us)
  • Notes and attachments you add to client records
  • Communication history (emails, SMS sent through the platform)

4. Purpose and instructions

We process personal data only to provide the LavaBookings service as described in our Terms of Service and as instructed by you. We will not use your clients’ data for our own marketing or sell it to third parties.

5. Sub-processors

We use the following sub-processors, each bound by data processing terms at least as protective as this DPA:

  • Google Cloud / Firebase — hosting, database, authentication (EU/US)
  • Stripe — payment processing (US/EU)
  • Resend — transactional and marketing emails (US)
  • Netlify — application hosting and edge delivery (Global)

We will notify you at least 30 days before adding a new sub-processor. If you object, you may terminate your subscription without penalty.

6. Security measures

We implement appropriate technical and organisational measures including:

  • Encryption at rest and in transit (TLS 1.3)
  • Role-based access controls
  • Regular security audits
  • Firestore security rules restricting data access to authorised users
  • HMAC-signed tokens for sensitive operations

7. Data subject rights

We will assist you in responding to data subject requests (access, rectification, erasure, portability) by providing the tools in your dashboard and API endpoints for data export and deletion.

8. Data breach notification

We will notify you without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting data we process on your behalf. We will provide sufficient detail for you to meet your own notification obligations.

9. Data retention and deletion

Upon termination of your subscription, we retain your data in read-only mode for 90 days. After that, we permanently delete all personal data processed on your behalf, except where retention is required by law.

10. International transfers

Where personal data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.

11. Audits

On reasonable request and subject to confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA and allow for audits conducted by you or an independent auditor.

12. Contact

Questions about this DPA? Email dpa@lavabookings.com or write to:

Layernest Ltd
Data Protection Officer
London, United Kingdom