Last Updated: 3. Juli 2026
This Data Processing Agreement ("DPA") is the agreement required by Article 28 of the General Data Protection Regulation (GDPR). It governs the processing of personal data that Zeity carries out on your behalf when you use the Service to collect and manage the personal data of your own clients, with you acting as the controller and Zeity as the processor. This DPA forms part of and supplements our Terms of Service; capitalised terms not defined here have the meaning given in the Terms of Service.
This DPA is entered into between: β’ You β the account holder who registered for Zeity β as the 'controller' (Verantwortlicher / Auftraggeber) who decides on the purposes and means of processing your clients' personal data; and β’ Moon Regents, operator of the Zeity platform ("Zeity", "we", "us"), as the 'processor' (Auftragsverarbeiter / Auftragnehmer) that processes that personal data on your behalf and on your instructions. One Zeity account may operate several businesses. You warrant that you are authorised to enter into and be bound by this DPA, and that you do so on behalf of every business you create under your account. Each such business is the controller of its own clients' personal data, and you accept the obligations of the controller for all of them. This DPA forms part of and supplements the Terms of Service. Where the Terms and this DPA conflict in relation to the processing of your clients' personal data, this DPA prevails.
You, as the controller, are responsible for the lawfulness of the processing of your clients' personal data and for safeguarding the rights of the data subjects concerned, including responding to their requests as described in the 'Assistance to the Controller' section below. You warrant that your instructions to Zeity, including your configuration and use of the Service, comply with the GDPR and other applicable data-protection law, and that you have a valid legal basis for collecting and having Zeity process your clients' personal data. You must inform Zeity without undue delay of any error or irregularity you detect concerning the processing of personal data by Zeity. Where you enter special-category data within the meaning of Article 9(1) GDPR β for example health data disclosed in a client's free-text notes, or implied by the nature of an appointment type (such as physiotherapy, dermatology, dental, aesthetic, or mental-health services) β you, as the controller, are responsible for establishing a valid legal basis under Article 9(2) GDPR for that processing and for assessing whether a data protection impact assessment under Article 35 GDPR is required. Zeity provides the technical and organisational measures described in the 'Technical and Organisational Measures' section below, commensurate with the risk of the processing you instruct.
Subject matter and nature: Zeity processes your clients' personal data in order to provide the booking and appointment-management Service β including creating and managing bookings, sending appointment confirmations and reminders, storing client records and notes, and, where you enable it, facilitating upfront payments. Purpose: The processing is carried out solely to provide the Service to you and on your instructions, and not for any independent purpose of Zeity (such as its own analysis, quality assurance, or product optimisation using your clients' data). Duration: This DPA applies for as long as Zeity processes your clients' personal data on your behalf, including in backups, and continues until that data has been deleted or returned in accordance with the 'Deletion or Return' section below. Precedence: To the extent other agreements between you and Zeity contain arrangements on the protection of personal data, this DPA takes precedence, unless the parties expressly agree otherwise.
Categories of personal data processed (using the standard German data-category taxonomy): β’ Personal master data (Personenstammdaten) β client name β’ Communication data (Kommunikationsdaten) β email address and, where provided, phone number β’ Client history (Kundenhistorie) β booking and appointment history and the notes you record about a client β’ Contract-billing and payment data (Vertragsabrechnungs- und Zahlungsdaten) β where you enable online payments, transaction and payment-status metadata processed through our payment provider (Stripe); Zeity does not store full card details Categories of data subjects (betroffene Personen): β’ Your clients (Kunden) β and prospective clients (Interessenten) where relevant β who book or are booked into appointments through your booking page. Special categories of data (Article 9 GDPR) are not solicited by the Service, but may occur incidentally within the categories above β for example, health-related information disclosed in a client's free-text notes or implied by the nature of an appointment type. See 'Controller Responsibilities' above for the allocation of responsibility for such data.
Zeity processes your clients' personal data only on your documented instructions, in line with Article 28(3)(a) GDPR, unless required to process otherwise by Union or Member State law to which Zeity is subject; in that case, Zeity informs you of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest. Your initial instructions are defined by this DPA, the Terms of Service, and your configuration and use of the Service. Any oral instruction is confirmed by you without undue delay in at least text form. Zeity informs you without undue delay if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law, and is entitled to suspend execution of that instruction until you confirm or amend it. Transfers of personal data to a third country take place only on your documented instruction or where required by law. A legal obligation of a third country alone does not legitimise such a transfer (Article 48 GDPR). See the 'International Transfers' section below.
Zeity ensures that persons authorised to process the personal data have committed themselves to confidentiality (Articles 28(3)(b), 29 and 32(4) GDPR) or are under an appropriate statutory obligation of confidentiality, and have been made familiar with the relevant data-protection requirements. Those persons process the personal data only on your instructions, unless legally required to do otherwise. This obligation continues after they stop working on the processing.
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk to the rights and freedoms of data subjects, Zeity implements all appropriate technical and organisational measures required under Article 32 GDPR, including as relevant: β’ Pseudonymisation and encryption of personal data (encryption in transit via HTTPS/TLS and encryption of stored data at rest) β’ Measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services β’ The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident (recoverability, backups) β’ A process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures β’ Identification and authentication of users, and access controls limiting access to personal data to authorised persons on a need-to-know basis β’ Measures to protect personal data during transfer β’ Measures to protect personal data during storage β’ Physical security of the locations where personal data is processed β’ Event logging (for example of authentication and of data entry, modification or deletion) These measures may be further developed to reflect technical progress; Zeity may implement alternative adequate measures provided the agreed level of security is not reduced, and informs you without undue delay of any material change.
You grant Zeity general written authorisation to engage subprocessors (further processors) to provide the Service. Zeity currently uses the following subprocessors: β’ Supabase, Inc. β database and hosting of your client and appointment data β processor β hosted in the EU (Stockholm); incidental support access is covered by Supabase's DPA and the EU Standard Contractual Clauses. β’ Resend (Plus Five Five, Inc.) β transactional and booking emails to your clients β processor β United States; EUβUS Data Privacy Framework (primary) with the EU Standard Contractual Clauses, Module 2 (controller-to-processor), as a fallback safeguard. β’ Stripe Payments Europe, Ltd. (Ireland), with Stripe, LLC (United States) β payment processing β Stripe acts as a processor for the payment processing you instruct and, in addition, as an independent controller for its own anti-money-laundering, financial-crime-compliance and fraud-prevention purposes β United States transfer under the EUβUS Data Privacy Framework (primary), with the EU Standard Contractual Clauses, Modules 1 and 2, as a fallback safeguard, together with supplementary measures (encryption in transit and at rest). β’ Vercel, Inc. (United States) β application hosting and content delivery β processor for your data (and controller for its own aggregated service and usage data) β compute is executed in the EU (Frankfurt), with residual United States processing (global edge network, backups) under the EUβUS Data Privacy Framework (primary), with the EU Standard Contractual Clauses, Module 2, as a fallback safeguard. β’ Better Stack (Better Stack s.r.o., Czech Republic) β production logging (with PII masking) β processor β hosted in the EU (Nuremberg); no third-country transfer. Zeity imposes on each subprocessor, by contract and in accordance with Article 28(2)β(4) GDPR, data-protection obligations equivalent to those set out in this DPA, and remains fully liable to you for the performance of each subprocessor's obligations. Zeity verifies each subprocessor's technical and organisational measures before processing begins and at regular intervals thereafter, and makes the results available on request. Zeity ensures that you can exercise your rights under this DPA β in particular your control rights β directly against subprocessors. Zeity notifies you of any intended addition or replacement of a subprocessor at least 30 days in advance in text form, giving you the opportunity to object before your clients' data is handed over. If you object on reasonable data-protection grounds before the data is transferred, you may terminate the affected part of the Service. Onward sub-processing by a subprocessor requires Zeity's prior consent, and all data-protection obligations in this DPA are imposed down the chain. You may request the current list of subprocessors at any time.
Zeity notifies you without undue delay after becoming aware of a personal data breach affecting your clients' personal data, so that you can meet your own obligations under Articles 33 and 34 GDPR. The notification includes, to the extent available, the nature of the breach, its likely consequences, and the measures taken or proposed to address it. Zeity documents the incident and makes that documentation available to you for any further measures.
Taking into account the nature of the processing and the information available to it, Zeity assists you by appropriate technical and organisational measures, insofar as possible, in fulfilling your obligation to respond to requests from data subjects exercising their rights under Chapter III GDPR (such as access, rectification, erasure, restriction and portability). Zeity does not itself respond to such requests but forwards them to you without undue delay, and acts on the data only on your documented instruction. Zeity also assists you in ensuring compliance with your obligations under Articles 32 to 36 GDPR β security of processing, notification of a personal data breach to the supervisory authority and to affected data subjects, data protection impact assessments, and prior consultation. On request, Zeity cooperates with the supervisory authority (Article 31 GDPR) and informs you without undue delay of any inspection or measure by a supervisory authority insofar as it relates to this processing.
On termination of the processing, and at your choice, Zeity deletes or returns all your clients' personal data and deletes existing copies, unless Union or Member State law requires continued storage. No copies are made without your knowledge, except backup copies necessary to ensure proper data processing and data that must be retained to comply with legal retention obligations (for example under German tax law). Return is supported through the data export flow (which provides your data in a structured, machine-readable format); deletion is supported through the data deletion flow. A deletion record (protocol) is provided on request. Zeity may retain documentation that serves to prove that processing was carried out properly.
You have the right, in coordination with Zeity, to carry out inspections β including sample checks, which are generally announced in reasonable time β or to have them carried out by an auditor you appoint, during normal business hours and without disproportionately disrupting Zeity's operations. Zeity makes available all information necessary to demonstrate compliance with Article 28 GDPR and this DPA, and in particular demonstrates the implementation of the technical and organisational measures. Proof of the technical and organisational measures may also be provided through adherence to approved codes of conduct (Article 40 GDPR), certification under an approved certification mechanism (Article 42 GDPR), or current attestations or reports by independent bodies (for example auditors, internal audit, or data-protection auditors). Such proof does not remove your other control rights. You may request the current list of subprocessors at any time.
Some subprocessors process personal data outside the European Economic Area (EEA). Where processing takes place within the EEA β our database (Stockholm), logging (Nuremberg) and application compute (Frankfurt) β no third-country transfer occurs in the routine course of processing; however, EEA-hosted subprocessors may nonetheless involve occasional, incidental support access from outside the EEA, which is covered by the EU Standard Contractual Clauses. Where personal data is transferred to the United States (Resend; Stripe; and Vercel's global edge network and backups), the transfer relies primarily on the recipient's certification under the EUβUS Data Privacy Framework (an EU adequacy decision), with the EU Standard Contractual Clauses incorporated as a fallback safeguard, together with supplementary technical measures such as encryption. Because the EUβUS Data Privacy Framework adequacy decision is currently subject to legal challenge, the EU Standard Contractual Clauses are retained as a fallback safeguard; for these US transfers the competent supervisory authority is the Irish Data Protection Commission, and the SCC portions of the Stripe, Vercel and Resend agreements are governed by Irish law. For example, Vercel's data processing agreement as a whole is governed by the law of the State of California; only the SCC portion incorporated into that agreement is governed by Irish law. A transfer takes place only on your documented instruction or where required by law; a legal obligation of a third country alone does not legitimise a transfer (Article 48 GDPR). Zeity maintains a transfer-impact assessment covering these transfers.
Each party is liable for its own compliance with the obligations that apply to it under the GDPR and this DPA. As between the parties, liability is allocated in accordance with the Terms of Service, including any limitations of liability set out there. Nothing in this DPA or the Terms of Service limits or excludes either party's liability to data subjects under Article 82 GDPR, or any other liability that cannot be limited or excluded under applicable law.
Zeity may update this DPA from time to time, for example to add a subprocessor, reflect new features, or meet legal requirements. Each version carries a 'Last Updated' date and is recorded so that the version in force at any time can be established. Where a change would materially reduce the protection afforded to your clients' personal data, we will seek your agreement to that change rather than relying on notice alone. Other changes take effect on the date stated; your continued use of the Service after that date constitutes acceptance.
This DPA is governed by the law of the Federal Republic of Germany, without prejudice to any mandatory data-protection law that applies irrespective of choice of law. This DPA is made available in German, English and Turkish. The German-language version is the authoritative version; versions in other languages are provided as a convenience translation only and create no separate rights or obligations. In the event of any inconsistency between language versions, the German version prevails.
For questions about this Data Processing Agreement or any data-protection matter relating to Zeity's processing on your behalf, contact: Moon Regents Antoniusplatz 1 47805 Krefeld Germany Email: info@zeity.me Phone: +49 163 8635043 We will respond to all inquiries within 30 days.