Legal

Data Processing Agreement

For Operator Customers of Bookable

This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Master Terms of Service or other written agreement ("Principal Agreement") between The Bookings Group Limited ("Processor", "Bookable") and the Operator identified in the Principal Agreement ("Controller", "Operator") (each a "Party" and together the "Parties").

The Parties have agreed to enter into this DPA in order to set out the terms on which the Processor processes Personal Data on behalf of the Controller in connection with the Services. This DPA reflects the Parties' agreement on data protection in accordance with the UK GDPR, the Data Protection Act 2018 and, where applicable, the EU GDPR.

1. Definitions

Capitalised terms used but not defined in this DPA have the meanings given in the Principal Agreement. The terms "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Supervisory Authority" and related expressions have the meanings given in the UK GDPR.

Applicable Data Protection Law

All laws and regulations applicable to the Processing of Personal Data under this DPA, including the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 and, to the extent applicable, the EU GDPR.

Approved International Transfer Mechanism

A transfer mechanism approved under Applicable Data Protection Law, including the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, adequacy decisions, or equivalent successor mechanisms.

EU SCCs

The Standard Contractual Clauses approved by the European Commission in Decision 2021/914/EU, as updated from time to time.

IDTA

The UK International Data Transfer Agreement issued by the Information Commissioner's Office.

Sub-processor

Any third-party processor engaged by Bookable that processes Personal Data on behalf of the Operator under this DPA.

UK Addendum

The International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner's Office.

UK GDPR

The UK General Data Protection Regulation (Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018).

2. Roles and scope

2.1 Roles

The Parties agree that, with respect to the Processing of Personal Data under the Principal Agreement, the Operator is the Controller and Bookable is the Processor. Where the Operator is acting on behalf of another controller (for example, a venue group acting for individual venue entities), the Operator remains responsible for determining and implementing the correct controller-processor relationships and for ensuring it has authority to bind any underlying controllers.

2.2 Scope

This DPA applies to Bookable's Processing of Personal Data that is submitted to the Services, generated through use of the Services, or otherwise provided to Bookable on behalf of the Operator. It does not apply to Personal Data that Bookable Processes as a controller (for example, in connection with account administration, billing or its own marketing), which is governed by the Bookable Privacy Policy.

2.3 Processing details

The subject matter, duration, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Annex 1.

3. Processing by Bookable

3.1 Documented instructions

Bookable will Process Personal Data only on documented instructions from the Operator, which are: (a) set out in the Principal Agreement, this DPA and the applicable Order Form; (b) given through the use of the Services and their configuration options; and (c) such further written instructions as the Operator provides from time to time and that are consistent with the scope of the Services. Bookable will inform the Operator if, in its opinion, an instruction infringes Applicable Data Protection Law, but the Processor has no general obligation to monitor instructions for legal compliance.

3.2 Permitted processing by law

Bookable may Process Personal Data where required by law to which it is subject. In such cases, Bookable will inform the Operator of the legal requirement before Processing, unless prohibited by law.

3.3 Compliance with law

Each Party will comply with its obligations under Applicable Data Protection Law. The Operator is responsible for the lawfulness of the Personal Data Processing that it instructs, including for establishing a valid lawful basis, providing required transparency information to Data Subjects, and obtaining any consents required.

4. Confidentiality of personnel

Bookable will ensure that personnel authorised to Process Personal Data are bound by contractual or statutory duties of confidentiality and have received appropriate data protection training. Access to Personal Data is granted on a need-to-know basis.

5. Security

5.1 Technical and organisational measures

Bookable will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, cost of implementation, nature and purposes of Processing, and risk to Data Subjects. The measures in force at the Effective Date are set out in Annex 2.

5.2 Updates

Bookable may update the measures from time to time provided the updates do not materially reduce the overall level of protection. Bookable will publish material changes via its Trust / Security page or equivalent.

6. Sub-processors

6.1 General authorisation

The Operator grants Bookable general authorisation to engage Sub-processors for the purpose of providing the Services. The current list of Sub-processors is set out in Annex 3 and maintained at /legal/subprocessors.

6.2 Notice of changes

Bookable will provide at least [30] days' prior notice of any intended addition or replacement of Sub-processors, by updating the list published at the URL above and, where the Operator has subscribed, by email notification. The Operator may object in writing on reasonable data protection grounds within [14] days of notice.

6.3 Objection procedure

If the Operator objects on reasonable data protection grounds, the Parties will discuss the objection in good faith. If no resolution is reached within [30] days, the Operator may, as its sole and exclusive remedy, terminate the affected part of the Services on written notice, and Bookable will refund any pre-paid Fees covering the period after termination of the affected Services.

6.4 Sub-processor obligations

Bookable will impose on each Sub-processor, by written contract, data protection obligations no less protective than those in this DPA (to the extent applicable to the relevant Processing). Bookable remains liable to the Operator for the performance of Sub-processors as if the acts were its own.

7. Assistance to the Controller

7.1 Data subject requests

Taking into account the nature of the Processing, Bookable will provide reasonable assistance by appropriate technical and organisational measures to enable the Operator to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law. Where technically feasible, functionality will be made available through the Services for the Operator to access, export, correct or delete Personal Data itself.

7.2 Direct requests

If a Data Subject request, enquiry or complaint is made directly to Bookable concerning Personal Data Processed on behalf of the Operator, Bookable will (a) promptly inform the Operator; (b) not respond substantively except to confirm that the request has been referred to the Operator, unless instructed otherwise by the Operator; and (c) provide reasonable assistance to the Operator.

7.3 DPIAs and consultations

Bookable will provide reasonable assistance to the Operator with data protection impact assessments and prior consultations with the Supervisory Authority, taking into account the nature of the Processing and the information available to Bookable.

7.4 Chargeable assistance

Assistance under this clause 7 is provided at no additional cost where provided via standard Service functionality. Bookable may charge on a time-and-materials basis at its then-current rates for assistance that requires material bespoke effort, such as complex investigations, reconstruction of historic records, or custom export formats.

8. Personal Data Breach notification

8.1 Notification to Operator

Bookable will notify the Operator without undue delay, and in any event within 72 hours after becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA.

8.2 Contents of notification

The notification will, to the extent then known, describe: (a) the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned; (b) likely consequences; (c) measures taken or proposed; and (d) a point of contact for further information. Where not all information is available at the time of initial notification, Bookable will provide updates promptly as further information becomes known.

8.3 Cooperation

Bookable will cooperate with the Operator and take reasonable steps assisting the Operator in the investigation, mitigation and remediation of the Personal Data Breach. Bookable's notification of a Personal Data Breach is not an acknowledgement of fault or liability.

9. International transfers

9.1 Permitted transfers

The Operator authorises Bookable and its Sub-processors to transfer Personal Data to, and Process Personal Data in, countries outside the UK and the European Economic Area, provided that any such transfer is made pursuant to an Approved International Transfer Mechanism.

9.2 Mechanism

Where Bookable transfers Personal Data to a third country not subject to an adequacy decision, the EU SCCs (Module 2 or Module 3 as applicable) together with the UK Addendum, or the IDTA, will apply and are incorporated into this DPA by reference. Where required, the Parties will complete the relevant annexes to those clauses consistently with the details in Annexes 1–3 of this DPA. The Parties agree that, for the purposes of the EU SCCs: (a) in Module 2, the Operator is the data exporter and Bookable is the data importer; (b) the governing law is the laws of England and Wales (or, where required, such other law as specified by the applicable transfer mechanism); and (c) the competent courts are the courts of England and Wales.

9.3 Onward transfers

Where a Sub-processor is located outside the UK/EEA, Bookable will ensure that an Approved International Transfer Mechanism is in place with that Sub-processor.

10. Audits

10.1 Information

Bookable will make available to the Operator all information reasonably necessary to demonstrate compliance with this DPA, including the most recent results of independent third-party audits or certifications (such as SOC 2 Type II or ISO 27001, when obtained) under NDA.

10.2 Audit rights

The Operator may, on reasonable prior written notice (not less than [30] days) and not more than once per year (unless required more frequently by a Supervisory Authority or following a confirmed Personal Data Breach), conduct or mandate an independent third-party auditor (who is not a competitor of Bookable and is bound by confidentiality obligations) to conduct an audit of Bookable's compliance with this DPA.

10.3 Scope and limits

Audits will: (a) be carried out during normal business hours; (b) not unreasonably interfere with Bookable's operations; (c) be subject to Bookable's security, confidentiality and policies; and (d) not include access to other customers' data, trade secrets or sensitive security information except to the extent strictly necessary and appropriately redacted. Remote audit through a questionnaire and submission of current certifications will satisfy the audit obligation where it provides the Operator with adequate assurance.

10.4 Costs

Each Party bears its own costs. Bookable may charge for the cost of its personnel time in supporting the audit at its then-current professional services rates, except where the audit reveals material non-compliance, in which case Bookable's reasonable costs will be borne by Bookable.

11. Return and deletion

Upon termination or expiry of the Principal Agreement, or on earlier written request by the Operator, Bookable will, at the Operator's option, return or delete the Personal Data Processed on behalf of the Operator, and delete existing copies, unless storage is required by law. Standard self-service export tools are available through the Services. Bookable will complete deletion from production systems within [30] days and from back-ups in accordance with its routine back-up rotation schedule (typically within [90] days). Bookable will confirm completion in writing on request.

12. Liability

Each Party's liability under or in connection with this DPA (including under the EU SCCs, UK Addendum or IDTA where incorporated) is subject to the exclusions and limits of liability set out in the Principal Agreement. For the avoidance of doubt, nothing in this DPA confers on a Data Subject rights beyond those conferred under Applicable Data Protection Law or the applicable transfer mechanisms.

13. General

13.1 Conflict

In the event of conflict between this DPA and the Principal Agreement in relation to Personal Data, this DPA prevails. In the event of conflict between this DPA and the EU SCCs / UK Addendum / IDTA in relation to international transfers, the applicable transfer mechanism prevails to the extent required by law.

13.2 Changes to Applicable Data Protection Law

If changes to Applicable Data Protection Law require amendments to this DPA to maintain compliance, the Parties will negotiate in good faith to amend this DPA accordingly.

13.3 Term

This DPA takes effect on the Effective Date of the Principal Agreement and continues until the later of: (a) termination or expiry of the Principal Agreement; and (b) the date on which Bookable ceases to Process any Personal Data on behalf of the Operator.

13.4 Governing law

This DPA is governed by the laws of England and Wales. The Parties submit to the exclusive jurisdiction of the courts of England and Wales.

Annex 1 — Details of Processing

A. Subject matter and duration

Subject matter: provision of the Bookable platform and related services as set out in the Principal Agreement.

Duration: for the term of the Principal Agreement and such further period as Bookable retains Personal Data in accordance with clause 11.

B. Nature and purpose of Processing

To provide the Services, including: receiving, validating and routing booking enquiries and reservations; managing availability and inventory across channels; transmitting bookings to and from TMS platforms and Integration Partners; generating confirmations and reminders; taking deposits or prepayments via third-party payment providers; producing reports and analytics; providing customer support; maintaining security and integrity of the Services; and complying with law.

C. Types of Personal Data

• Guest contact details: name, email, phone number, postal address (where provided).
• Booking information: date, time, venue, party size, occasion, preferences, allergens and dietary requirements (noting that some of these may be special category data).
• Payment metadata: transaction references, card type, last four digits (full payment card data is processed by third-party payment providers, not by Bookable).
• Communications: correspondence between guests, Operators and Bookable support; SMS/email delivery metadata.
• Online identifiers: IP addresses, device identifiers, cookie and widget analytics data.
• Operator user data: names, business contact details, login credentials, role assignments, activity logs.

D. Categories of Data Subjects

• Guests and prospective guests of the Operator's Venues.
• Operator personnel and Authorised Users.
• Third parties named in bookings (for example, co-diners or the lead booker's party).

E. Special category data

Dietary information and allergens may reveal information about health or religious beliefs. The Operator is responsible for ensuring that its capture and use of such information has a lawful basis under Article 9 UK GDPR and for providing appropriate transparency information to Data Subjects.

Annex 2 — Technical and Organisational Measures

Bookable implements and maintains the following measures, which may be updated in accordance with clause 5.2. Further detail is available in the Bookable Security Policy and on request under NDA.

A. Governance

• Written information security policy, incident response plan and business continuity plan, reviewed at least annually.
• Defined security roles and responsibilities.
• Risk assessment process covering confidentiality, integrity, availability and resilience.
• Vendor risk management process including data protection assessment of Sub-processors.

B. Access control

• Role-based access control with least-privilege principles.
• Multi-factor authentication for administrative and production access.
• Single sign-on and centralised identity management for internal personnel.
• Periodic access reviews and prompt revocation on role change or termination.
• Credentials and secrets managed using a dedicated secrets management service.

C. Encryption

• Personal Data encrypted in transit using TLS 1.2 or higher.
• Personal Data encrypted at rest using AES-256 or equivalent.
• Keys managed through a cloud key management service with restricted access.

D. Infrastructure

• Production systems hosted in Google Cloud Platform (or equivalent) data centres in the UK/EU.
• Network segmentation, firewalls and private networking.
• Intrusion detection and monitoring of security-relevant events.
• Protection against DDoS attacks at the edge.

E. Application security

• Secure software development lifecycle including code review, static analysis and dependency scanning.
• Vulnerability management programme with defined remediation SLAs.
• Independent penetration testing at least annually; findings remediated in line with severity.
• Hardened configuration of servers and containers.

F. Logging and monitoring

• Centralised logging of application and infrastructure events.
• Retention of security-relevant logs in line with policy.
• Alerting on anomalous activity.

G. Business continuity and resilience

• Automated, encrypted back-ups with tested restore procedures.
• Defined recovery time and recovery point objectives.
• Documented incident response procedure with defined severity levels and escalation paths.

H. Personnel

• Pre-employment screening appropriate to role and applicable law.
• Contractual confidentiality and data protection obligations.
• Data protection and information security training on induction and at least annually.

I. Physical security

• Production infrastructure hosted in certified cloud data centres with physical access controls.
• Office access controls for Bookable premises; printed materials containing Personal Data are restricted.

J. Deletion and disposal

• Defined retention and deletion schedules.
• Secure deletion of decommissioned media and storage.

Annex 3 — Sub-processors

The following Sub-processors may be engaged to Process Personal Data on behalf of the Operator. The current list is maintained at /legal/subprocessors.

Google Cloud (Google LLC / Google Ireland Limited)

Hosting, infrastructure, storage, email and workspace. Region: UK/EU primary.

[Stripe Payments UK Ltd / Stripe Payments Europe Ltd]

Payment processing (Operator is typically merchant of record).

[Email / SMS delivery provider — e.g. SendGrid, Twilio]

Transactional email and SMS for confirmations, reminders and Operator communications.

[Customer support and helpdesk platform]

Support ticketing and communications.

[Error monitoring — e.g. Sentry]

Application error tracking and performance monitoring.

[Product analytics — e.g. Microsoft Clarity, Google Analytics 4]

Website and widget analytics (where enabled).

[TMS partners used by the Operator — Collins, SevenRooms, ResDiary, Zonal, etc.]

Where the Operator uses these platforms, Bookable transmits bookings to them on the Operator's instruction. The Operator should verify the contractual relationship with each TMS.

[Integration Partners activated by the Operator — e.g. Reserve with Google, Fever]

Distribution channels activated at the Operator's election.

Note: This sub-processor list is indicative and must be reviewed and completed against the current live sub-processor inventory before publication.

The Bookings Group Limited

Registered in England and Wales with company number 11689193

Registered office: c/o Bright Beany Accounting, Cumberland House, 35 Park Row, Nottingham, England, NG1 6EE

Version: 1.0 | Last updated: 1 March 2026