Data Processing Agreement

Effective: 22 May 2026 · GDPR Article 28

This Data Processing Agreement ("DPA") forms an integral part of RINDIQ's Terms of Service. By registering and using the RINDIQ platform, the Controller agrees to the terms of this DPA. No additional signature is required.

1. Parties

Processor: Kristaps Mudurs, trading as RINDIQ, Jelgava, Latvia. Email: [email protected].

Controller: The legal or natural person who registers on the RINDIQ platform and uses it to manage client appointments for their business (the "Controller").

2. Subject matter and purpose of processing

RINDIQ as Processor processes personal data on behalf of the Controller to provide an online appointment management platform. Specifically, the processing includes:

  • Creating, updating and deleting the Controller's client appointments
  • Storing client contact information
  • Sending automated reminder emails
  • Maintaining visit history for reliability scoring
  • Transmitting payment data to Stripe Connect (if the Controller has enabled this)
  • Storing audit log records

Processing occurs only to achieve the Controller's specified purposes and in accordance with its instructions.

3. Categories of data and data subjects

Data subjects

The Controller's clients — natural persons who book services through the RINDIQ platform.

Categories of personal data

  • Identification data: first name, last name
  • Contact information: email address, phone number
  • Appointment data: service type, date, time, status
  • Payment data: Stripe Payment Intent ID (card data is never stored on RINDIQ servers)
  • Behavioural data: visit history, reliability score
  • Notes: free-text notes added to a client profile by the Controller's staff

Special category personal data (GDPR Article 9) is not processed.

4. Processor obligations

RINDIQ undertakes to:

  • Process data only in accordance with the Controller's documented instructions
  • Ensure confidentiality obligations for all persons involved in the processing
  • Implement the security measures required by GDPR Article 32 (see Section 6)
  • Comply with conditions for engaging sub-processors (see Section 5)
  • Assist the Controller in fulfilling data subject rights
  • Delete or return all personal data upon termination of the service (see Section 8)
  • Provide the Controller with evidence of GDPR compliance upon request
  • Immediately inform the Controller if an instruction infringes GDPR

5. Sub-processors

The Controller hereby authorises RINDIQ to use the sub-processors listed below. RINDIQ will give at least 30 days' notice of any planned changes.

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Garmtech SIA | Server hosting and database | EU (Latvia) |
| Resend Inc. | Email delivery | USA (SCCs apply) |
| Stripe Inc. | Payment processing (if enabled) | USA / EU (SCCs apply) |
| Google LLC | Calendar sync and OAuth authentication (if enabled) | USA / EU (SCCs apply) |

SCCs — European Commission Standard Contractual Clauses for transfers to third countries.

6. Security measures

RINDIQ implements the following technical and organisational measures:

  • Encrypted data transmission (TLS 1.2+)
  • Password hashing (bcrypt)
  • Multi-tenant data isolation — each account's data is logically segregated across all API queries
  • JWT session authentication with httpOnly cookies
  • Daily database backups with encrypted storage
  • Role-based access control (administrators and staff see different data)
  • Full audit log for significant actions

7. Assistance with data subject rights

Where the Controller receives a data subject request (access, rectification, erasure, portability), RINDIQ provides the necessary tools:

  • Erasure: delete an individual client's data from the admin panel
  • Export: export all client data in CSV format
  • Account deletion: irrevocably delete all personal data associated with the account

If a data subject contacts RINDIQ directly, the request will be forwarded to the relevant Controller within 72 hours.

8. Retention and deletion

RINDIQ retains personal data for as long as the Controller's account is active. Upon account deletion:

  • The account and associated active data are retained for 90 days to allow recovery in case of accidental deletion and to allow data export (GDPR portability right)
  • After 90 days, active data is irreversibly deleted
  • Backup copies retain data for no longer than 30 days after active data deletion and are then overwritten
  • An explicit Controller request for immediate deletion (GDPR Art. 17 — right to be forgotten) is honored regardless of the 90-day period above
  • Stripe payment data is retained in accordance with Stripe's policy (typically 7 years for tax purposes)
  • Statutory obligations may require longer retention (e.g., accounting records) — in such cases data is retained only to the extent required by the relevant law

9. Personal data breaches

In the event of a personal data breach, RINDIQ will notify the Controller without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach (the GDPR Art. 33 deadline). The notification will include all available information needed by the Controller to file a notification with the Data State Inspectorate and, where required, with affected data subjects under GDPR Art. 33–34.

To the extent reasonably possible, RINDIQ will also assist the Controller in mitigating the effects of the breach and in limiting its impact.

10. Location of processing

Personal data is processed in the European Union (Garmtech SIA servers in Latvia), except where sub-processors operate outside the EU (Resend, Stripe, Google) — in which case Standard Contractual Clauses apply.

11. Term and termination

This DPA remains in force for as long as the Controller uses the RINDIQ platform and terminates automatically upon cessation of the service. Upon termination, RINDIQ will delete or return all personal data in accordance with Section 8.

12. Amendments

RINDIQ may amend this DPA by notifying the Controller at least 30 days in advance by email. Continued use of the platform after that period constitutes acceptance of the updated terms.

13. Governing law

This DPA is governed by the laws of the Republic of Latvia. The supervisory authority is the Data State Inspectorate (dvi.gov.lv). Disputes shall be resolved in the courts of Latvia.

14. Force majeure

Neither Party is liable for failure or delay in performing its obligations under this DPA caused by circumstances beyond that Party's reasonable control, including but not limited to: internet service provider disruptions, cyberattacks, DDoS attacks, data center outages, failures of cloud services (Stripe, Resend, Twilio, Google), natural disasters, war, terrorism, government action, strikes, or pandemics. In such cases, the affected Party will make reasonable efforts to restore normal operations as soon as possible and will promptly notify the other Party of the force majeure event and its impact on performance.

Force majeure does not relieve RINDIQ of its GDPR obligations regarding personal data breach notification (see Section 9) or its obligations regarding the protection of data subjects' rights.

15. Contact

For questions about this DPA, contact: [email protected]