Parties
Controller: The Customer — restaurant or hospitality business operator who has entered into a subscription agreement with the Kilivi Service. Processor: Kilivi — provider of the online booking system.
pursuant to Art. 28 of Regulation (EU) 2016/679 (GDPR)
This Data Processing Agreement ('Agreement') governs the terms of personal data processing between the Customer (data controller) and Kilivi (data processor) in accordance with Art. 28 GDPR.
Last updated: June 1, 2025
The Processor processes personal data solely for the purpose of providing the Service — managing reservations, sending confirmation emails and SMS reminders, and displaying dashboard analytics. Additional processing only occurs based on documented instructions from the Controller.
Categories processed: guest name and contact details (email, phone); reservation date and time; party size; special requests (may include health/dietary information — special category data under Art. 9 GDPR). Data subjects: restaurant guests (customers of the Controller). The Controller is responsible for the lawfulness of collecting these data and for obtaining any required consent from data subjects.
The Processor undertakes to: process data only according to documented instructions from the Controller; ensure data confidentiality (employees and sub-processors are bound by confidentiality); implement appropriate technical and organizational measures (encryption, access control, audit logs); not transfer data to third parties without the Controller's instruction, except to listed sub-processors; assist the Controller in responding to data subject rights requests; delete or return data after contract termination.
The Processor uses the following approved sub-processors: Stripe Inc. (payment gateway), SmsManager.cz (SMS), Railway.app (hosting). The Processor informs the Controller of planned changes to sub-processors at least 30 days in advance, giving the Controller the opportunity to object.
The Processor implements appropriate technical and organizational measures including: data encryption in transit (TLS 1.2+) and at rest; access control based on least privilege; regular data backups; incident response procedure — in the event of a personal data breach, the Processor notifies the Controller without undue delay and no later than 72 hours.
The Processor assists the Controller in handling data subject requests for access, rectification, erasure, or portability within a reasonable timeframe. The Controller bears primary responsibility for communicating with data subjects.
This Agreement remains in effect for the duration of the subscription. Upon termination, the Processor will delete or anonymize all processed data within 30 days, unless the Customer requests a data export.
For DPA inquiries contact: kilivi-dev@gmail.com