BBookRails

Data Processing Agreement

Last updated: May 1, 2026

Introduction

This Data Processing Agreement ("DPA") forms part of the BookRails Terms of Service. Where applicable law (including GDPR, UK GDPR, and CCPA) requires a DPA between the parties, this agreement governs. It applies when BookRails processes personal data on your behalf.

Definitions

"Controller" means you, the merchant or developer. "Processor" means BookRails. "Personal Data" has the meaning in applicable data protection law. "Processing" means any operation performed on Personal Data.

Scope & roles

BookRails acts as a Processor when processing customer (consumer) personal data you provide (e.g., name, email for booking notifications). BookRails acts as a Controller for platform-level data (reliability scores, aggregate usage). Consumer data is processed solely to operate the booking service.

Processor obligations

BookRails will: process Personal Data only on your documented instructions; ensure personnel with access are bound by confidentiality; implement appropriate technical and organizational security measures; assist you in fulfilling data subject rights requests; notify you promptly of any data breach affecting your data; delete or return data on termination.

Sub-processors

BookRails uses sub-processors for cloud infrastructure (Microsoft Azure), email delivery (SendGrid), and payment processing (Stripe, when enabled). The current sub-processor list is available at bookrails.ai/legal/sub-processors. We will provide 30 days' notice before adding new sub-processors.

International transfers

Personal Data is primarily stored in the United States. Transfers from the EEA or UK are covered by Standard Contractual Clauses (SCCs) in the form approved by the European Commission. Contact privacy@bookrails.ai for signed SCCs.

Audits & assistance

BookRails will provide reasonable assistance to help you demonstrate compliance with applicable data protection law, including completing data protection impact assessments. Audit requests require 30 days' notice and are subject to confidentiality obligations.

Data breach

In the event of a Personal Data breach affecting your data, BookRails will notify you without undue delay (and in any event within 72 hours of becoming aware) with available information about the nature, scope, and likely consequences of the breach.

Deletion & return

On termination of services, BookRails will, at your choice, delete or return your Personal Data and delete existing copies unless legally required to retain them. Reliability attestation records (which may contain booking IDs and outcome data) are retained for 7 years for integrity and dispute resolution purposes.

Questions about these terms? legal@bookrails.ai