Data Processing Agreement

Last updated: October 30, 2025

This Data Processing Agreement (“Agreement” or “DPA”) is an integral part of the Timerise Terms and Conditions, which govern the use of the Timerise Platform.

1. DEFINITIONS

The following terms have the meanings assigned below and as defined in applicable personal data protection laws, including the GDPR:

• “Timerise” means Timerise Sp. z o.o., with its registered office in Wrocław, Poland, at ul. Księcia Witolda 49/15, 50-202 Wrocław, e-mail: [email protected], tax identification number (NIP): 8971890756.
• “Agreement” means this Data Processing Agreement.
• “Main Agreement” means the agreement under which the Controller uses Timerise Services, as defined in the Timerise Terms and Conditions.
• “Services” means the services provided by Timerise, including access to and use of the Timerise Platform.
• “Platform” means Timerise’s online booking platform and API, developed and maintained by Timerise, which may be integrated into the Controller’s website and used by end-users.
• “Personal Data” means any information relating to an identified or identifiable natural person processed under this Agreement.
• “Processing” means any operation performed on Personal Data, such as collection, recording, storage, alteration, retrieval, use, disclosure, erasure, or destruction.
• “Data Controller” or “Controller” means the entity that determines the purposes and means of Processing Personal Data — that is, you as a Timerise customer.
• “Data Processor” or “Processor” means Timerise, which processes Personal Data on behalf of the Controller.
• “Sub-Processor” means any third-party entity engaged by Timerise to assist in providing the Services and which processes Personal Data on behalf of the Controller.
• “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
• “Force Majeure” means circumstances beyond a Party’s reasonable control, including natural disasters, war, strikes, epidemics, or government restrictions.

2. GENERAL PROVISIONS

The Controller entrusts Timerise with the Processing of Personal Data solely for the purpose of providing the Services under the Main Agreement.

Processing will be carried out in accordance with the GDPR and this Agreement.

Personal Data entrusted to Timerise typically includes data of end-users using the Timerise Platform in connection with the Controller’s services. The scope of such data is detailed in Appendix No. 1.

Timerise will process Personal Data only for the duration of the Main Agreement and solely on documented instructions from the Controller.

Timerise shall promptly inform the Controller if, in its opinion, an instruction violates applicable data protection law.

No automated decision-making or profiling within the meaning of Article 22 GDPR will occur under this Agreement.

3. CONTROLLER’S STATEMENTS

By entering into this Agreement, the Controller declares that:

• Personal Data are processed in connection with its business or statutory activity;
• it has a valid legal basis for Processing the Personal Data in accordance with the GDPR or other applicable laws;
• there are no legal obstacles preventing Timerise from Processing Personal Data as entrusted under this Agreement.

The Controller shall promptly notify Timerise of any circumstances that may affect lawful Processing or Timerise’s ability to fulfill its obligations under this Agreement.

4. TECHNICAL AND ORGANIZATIONAL MEASURES

Timerise will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the nature, scope, and purposes of Processing.

A description of Timerise’s security measures will be provided to the Controller within 10 business days upon written request. Such information constitutes Timerise’s trade secret and must be treated as confidential.

Only authorized persons acting under Timerise’s authority and bound by confidentiality will have access to Personal Data. Timerise maintains a record of such authorized personnel.

5. PROCESSOR’S DUTIES

Timerise shall:

• assist the Controller, through appropriate technical and organizational measures, in responding to requests from data subjects exercising their rights under Chapter III of the GDPR;
• assist the Controller in ensuring compliance with obligations under Articles 32–36 GDPR (security, breach notification, DPIAs, prior consultation), taking into account the nature of processing and available information;
• promptly inform the Controller of any proceedings, decisions, or inspections by supervisory authorities concerning the entrusted Personal Data;
• not delete or alter Personal Data without documented instructions from the Controller.

6. AUDITS

Timerise will make available all information necessary to demonstrate compliance with this Agreement and allow audits, subject to confidentiality and trade secret limitations.

The Controller must notify Timerise at least 14 business days in advance, specifying the audit’s scope.

Audits must not unduly disrupt Timerise’s operations, may not last longer than 3 business days, and may be conducted no more than once per calendar year unless a justified security incident occurs.

If an audit requires Timerise to provide written responses or documentation, Timerise shall do so within 7 business days of receiving the request.

All audit costs are borne by the Controller.

Timerise may refuse an audit if it breaches these conditions or is conducted by a Timerise competitor.

7. SUB-PROCESSORS

Timerise has a general authorization to engage Sub-Processors. The list of current Sub-Processors is attached as Appendix No. 2.

Timerise shall notify the Controller in advance of any intended changes regarding Sub-Processors. The Controller may object within 5 business days of receiving notice.

If the Controller objects, Timerise may terminate this Agreement and/or the Main Agreement on 14 days’ notice without liability, provided that during the notice period, Timerise will not use the disputed Sub-Processor.

Timerise will ensure that all Sub-Processors are bound by data protection obligations consistent with this Agreement and the GDPR.

8. PERSONAL DATA BREACHES

If Timerise becomes aware of a Personal Data breach, it shall notify the Controller within 48 hours and provide the following information (to the extent available):

• description of the nature of the breach, including categories and approximate number of affected data subjects and records;
• contact details of a person for further information;
• likely consequences of the breach;
• measures taken or proposed to address and mitigate its effects.

If complete information cannot be provided immediately, it may be supplied in phases without undue delay.

Timerise shall maintain a record of all Personal Data breaches.

9. LIABILITY

Timerise’s total liability for any damages arising from Processing of Personal Data under this Agreement shall not exceed EUR 3,000 in aggregate.

Neither Party shall be liable for non-performance or delay due to Force Majeure, provided that reasonable efforts are made to mitigate and resume performance. Each Party shall promptly inform the other of such circumstances.

10. CCPA (CALIFORNIA CONSUMER PRIVACY ACT)

If the Controller processes Personal Data of California residents and transfers such data to Timerise under this Agreement, the Controller must inform Timerise prior to Processing.

Timerise shall not collect, use, retain, or disclose such Personal Data for any purpose other than as necessary to perform the Services or as required by law.

Timerise will not sell or share California residents’ Personal Data and shall not be liable for the Controller’s non-compliance with the CCPA.

11. TERMINATION

If Timerise breaches this Agreement and fails to remedy the breach within 14 days of notice, the Controller may terminate this Agreement with immediate effect.

Upon termination or expiry, Timerise shall, at the Controller’s choice, delete or return all Personal Data and delete any copies unless storage is required by law. This will be completed within 14 days.

Timerise may retain anonymized data, which no longer qualifies as Personal Data under the GDPR.

12. FINAL PROVISIONS

• The remuneration payable to Timerise under the Main Agreement includes performance of its obligations under this DPA.
• This Agreement takes effect upon the effective date of the Main Agreement and forms an integral part thereof.
• Any amendments must be made in electronic form to be valid.
• The Appendices form an integral part of this Agreement:
  • Appendix No. 1 – Scope of Personal Data entrusted for Processing
  • Appendix No. 2 – List of Sub-Processors
• If any provision of this Agreement is found invalid, the remaining provisions shall remain in full force and effect.
• This Agreement is governed by Polish law, and any disputes shall be resolved amicably within 30 days or, failing that, by the competent court in Wrocław, Poland.