Data Processing Agreement

1. Purpose & Scope

1.1 This Data Processing Agreement ("DPA") governs the processing of personal data between ENSŌ and Studio Owners and Facilitators ("Partners") in connection with the use of the ENSŌ platform.

1.2 This DPA forms part of the Professional Terms and is incorporated by reference therein. By accepting the Professional Terms, you also accept this DPA.

1.3 This DPA is concluded in accordance with Article 28 of the General Data Protection Regulation (GDPR/AVG).

2. Roles

2.1 ENSŌ as Data Controller: ENSŌ is the data controller for the personal data of users (including Guests and Partners) that it collects and processes for its own purposes — such as account management, platform operations, payment processing and legal compliance. This is governed by ENSŌ's Privacy Policy.

2.2 Partner as Data Controller: The Partner is an independent data controller with respect to personal data of their Guests and clients that the Partner processes for their own purposes (e.g. managing their own studio's client database, direct marketing, or offline services).

2.3 Joint Processing: With respect to booking-related personal data exchanged via the Platform (e.g. a Guest's name and contact details shared with the Partner to fulfil a booking), ENSŌ and the Partner act as joint controllers under Article 26 GDPR. Each party is independently responsible for processing within their own sphere. ENSŌ's processing is governed by this DPA and the Privacy Policy. The Partner's processing is governed by the Partner's own privacy policy and applicable law.

3. Personal Data Processed

3.1 The following categories of personal data may be shared between ENSŌ and the Partner in connection with the Platform:

• Guest account data: name, email address.
• Booking data: booking details (date, time, session, Room), booking status, payment status.
• Communication data: messages exchanged via the Platform between Guests and Partners.
• Attendance data: check-in records, no-show status.

3.2 ENSŌ does not share full payment card data with Partners. Payment processing is handled by Stripe under Stripe's own data processing agreements.

4. Partner Obligations

As a Partner, you agree to:

• process personal data of Guests only for the purposes necessary to perform the booked service and in accordance with applicable law (including the GDPR),
• maintain an appropriate privacy policy that informs your Guests about how you process their personal data,
• implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss or breach,
• not share personal data received via ENSŌ with third parties without a valid legal basis,
• notify ENSŌ promptly (and in any case within 48 hours) if you become aware of a personal data breach involving data shared by ENSŌ,
• fulfil data subject rights requests (access, rectification, erasure, portability) for data under your control within the legally required timeframes,
• delete or return personal data received via ENSŌ when it is no longer necessary for the purpose for which it was shared, unless legal retention obligations apply.

5. ENSŌ's Obligations

ENSŌ agrees to:

• process personal data only as necessary for the provision of the Platform and related services,
• implement appropriate technical and organisational measures to protect personal data,
• assist Partners in fulfilling data subject requests to the extent that the data is under ENSŌ's control,
• notify Partners promptly of any personal data breach affecting data shared between the parties,
• use sub-processors (e.g. Stripe for payment processing, cloud hosting providers) subject to appropriate data processing agreements,
• process personal data in the EU/EEA or in countries with an adequate level of data protection.

6. Sub-processors

6.1 ENSŌ uses the following main sub-processors in connection with the Platform:

• Stripe — payment processing (USA; subject to EU-US Data Privacy Framework / Standard Contractual Clauses)
• SendGrid / Twilio — transactional email delivery
• Cloud hosting provider — platform infrastructure (EU region where applicable)

6.2 ENSŌ will inform Partners of any intended changes to the list of sub-processors that may materially affect data protection, giving Partners a reasonable opportunity to object.

7. International Transfers

Where personal data is transferred outside the EEA (e.g. in connection with Stripe), ENSŌ ensures an adequate level of protection via Standard Contractual Clauses (SCCs), adequacy decisions or other appropriate safeguards in accordance with Chapter V GDPR.

8. Duration & Termination

8.1 This DPA remains in force for as long as the Partner's Professional account is active and processes personal data via the Platform.

8.2 Upon termination of the Partner's account, the Partner must cease using personal data received via ENSŌ except where legal retention obligations require otherwise.

9. Liability

Each party is responsible for its own compliance with the GDPR and applicable data protection law. Neither party shall be liable for data protection breaches caused solely by the other party's acts or omissions. The liability limitations set out in the Professional Terms apply to this DPA to the extent permitted by law.

10. Governing Law

This DPA is governed by the laws of the Netherlands. Any disputes will be submitted to the competent courts in Amsterdam.

11. Contact

For data protection enquiries: info@ensobooking.com

You also have the right to lodge a complaint with the Dutch data protection authority: Autoriteit Persoonsgegevens.