Data Processing Agreement

1. Definitions

• "Controller" means the entity (you, the Customer) that determines the purposes and means of the processing of Personal Data. The Customer is the Data Controller for the contact, child, and parent personal data entered into WaitlistCare for that Customer's purposes.
• "Processor" means the entity (WaitlistCare) that processes Personal Data on behalf of the Controller. WaitlistCare is a Data Processor (or "Service Provider" under CCPA) with respect to the Personal Data it handles on behalf of Customers via the WaitlistCare platform.
• "Personal Data" means any information relating to an identified or identifiable natural person that WaitlistCare processes on behalf of the Controller. For the purpose of this DPA, this specifically refers to information the Controller provides to WaitlistCare for processing ("Customer Data").
• "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, and deletion.
• "Applicable Data Protection Laws" means all privacy and data protection laws that apply to the processing of Personal Data under this DPA, including where relevant: the EU General Data Protection Regulation (GDPR) and UK GDPR, the California Consumer Privacy Act as amended by CPRA (CCPA), Canada's PIPEDA, and any other applicable privacy laws.
• "Subprocessor" means any third party engaged by WaitlistCare to process Customer Data on WaitlistCare's behalf.

2. Roles and Scope

• The Controller determines the purpose and means of processing.
• The Processor processes Personal Data only on behalf of and in accordance with the Controller's instructions.
• This DPA applies to all Personal Data entered into the WaitlistCare platform by or on behalf of the Controller.

3. Details of Processing

Subject Matter

Waitlist and enrollment management services provided by WaitlistCare to the Controller.

Duration

For the duration of the Agreement and until all Customer Data is deleted in accordance with this DPA.

Nature and Purpose of Processing

WaitlistCare processes Customer Data as needed to provide the Services, including:

• Storing and organizing waitlist entry data for display in the platform
• Transmitting email communications to contacts as directed by the Controller
• Processing payments through integrated payment providers on behalf of the Controller
• Storing and managing uploaded documents
• Calculating and managing waitlist positions
• Maintaining activity logs for audit purposes
• Providing public-facing status pages and self-signup forms
• Bot prevention and form validation on public-facing pages

WaitlistCare will not use Customer Data for any purpose other than providing the Services, except as permitted under the Agreement or as required by law. WaitlistCare will not sell Customer Data or process it for marketing or advertising purposes outside the scope of providing the Services.

Categories of Data Subjects

• Contacts (parents, guardians, patients, individuals on the waitlist)
• Dependents of contacts (children, if applicable to the Controller's use case)
• Emergency contacts and authorized persons
• Organization staff and team members

Types of Personal Data

Customer Data may include, depending on what the Controller inputs or collects:

• Contact details (names, email addresses, phone numbers)
• Dates of birth and gender
• Emergency contact information
• Notes, preferences, and application data
• Custom field data as configured by the Controller
• Uploaded documents (images, PDFs)
• Payment transaction data (amounts, transaction references; full payment card numbers are handled exclusively by Stripe and are never stored by WaitlistCare)
• Communication records (emails sent through the platform)
• Activity and audit log data
• Tags and status information

4. Processor Obligations

When processing Customer Data, WaitlistCare agrees to:

a. Act Only on Instructions

Process Customer Data only on documented instructions from the Controller, unless required otherwise by applicable law. The Agreement, this DPA, and the Controller's use of the Services constitute the Controller's instructions. WaitlistCare will not sell, share for cross-context behavioral advertising, or use Customer Data for any purpose other than providing the Services.

b. Confidentiality

Ensure that all persons authorized to process Customer Data are under an appropriate duty of confidentiality.

c. Security Measures

Implement and maintain appropriate technical and organizational security measures to protect Customer Data, including:

• 256-bit SSL/TLS encryption for all data in transit
• Encryption of data at rest via Google Cloud Platform
• Firebase Authentication with secure credential handling
• Firestore security rules enforcing role-based access controls
• Activity logging for audit trail

d. Data Subject Rights

Assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability, etc.). If WaitlistCare receives a request directly from a data subject regarding Customer Data, WaitlistCare will inform the data subject to contact the Controller and will notify the Controller of the request. WaitlistCare will comply with reasonable instructions from the Controller to fulfill such requests.

e. Breach Notification

In the event WaitlistCare becomes aware of a personal data breach affecting Customer Data, WaitlistCare will notify the Controller without undue delay. Such notification will include details about the nature of the breach, affected data, and steps taken to address it. WaitlistCare will cooperate with the Controller in any required notifications to authorities or individuals.

f. Audit and Compliance

Make available to the Controller information reasonably necessary to demonstrate compliance with this DPA. The Controller may audit WaitlistCare's compliance up to once per year upon reasonable notice, conducted during normal business hours without disrupting operations. The Controller will bear any costs of the audit.

5. Subprocessors

The Controller provides general authorization for WaitlistCare to engage Subprocessors as needed to deliver the Services. WaitlistCare ensures all Subprocessors are bound by data protection obligations no less protective than those in this DPA.

Current Subprocessors

WaitlistCare will notify the Controller of any intended addition of new Subprocessors and give the Controller the opportunity to object on legitimate grounds. If the Controller does not object in writing within 10 days, the new Subprocessor will be deemed accepted. If the parties cannot resolve an objection, the Controller may terminate the Services with a pro rata refund of prepaid fees for unused services.

6. International Data Transfers

Customer Data is primarily stored on Google Cloud Platform servers in the United States. If the Controller is subject to laws restricting cross-border data transfers (such as GDPR), the parties agree to the following:

• The European Commission's Standard Contractual Clauses (SCCs) for Controller-to-Processor transfers (Module Two) are incorporated by reference, including the UK International Data Transfer Addendum where applicable.
• The parties will cooperate in good faith to execute any additional transfer mechanisms required to legitimize international transfers.
• WaitlistCare will abide by the requirements of the SCCs when handling EU/UK personal data.

7. Data Return and Deletion

• During the service term, the Controller can access and export Customer Data through the platform (e.g., CSV export of waitlist data).
• Upon termination of the Services, the Controller may request return of Customer Data. WaitlistCare can provide standard exports within 30 days of termination.
• After such period, WaitlistCare will delete all Customer Data from its systems, except where retention is required by law or for legitimate business purposes (e.g., transaction records, dispute resolution, backup retention).
• WaitlistCare may retain anonymized or aggregated data that does not identify any individual, for analytics and service improvement purposes.
• At the Controller's request, WaitlistCare can certify in writing that deletion has been completed.

8. Controller Responsibilities

The Controller is responsible for:

• Legal Basis: Ensuring that data processing instructions given to WaitlistCare are lawful, including obtaining any necessary consents from contacts (e.g., parental consent for children's data under COPPA) and having a valid legal basis for processing.
• Data Accuracy: Inputting and maintaining accurate personal data in the system.
• Privacy Notices: Providing appropriate privacy notices to individuals whose data is entered into the platform.
• Data Subject Requests: Handling communications and requests from data subjects regarding their data, with WaitlistCare's assistance as needed.
• Third-Party Access: Ensuring that any third party granted access to the Controller's WaitlistCare account complies with equivalent data protection obligations.
• Compliance: Complying with all laws applicable to the Controller's use of the Services, including any industry-specific regulations (e.g., FERPA for educational institutions).

9. Children's Data

WaitlistCare's Services are designed to help organizations manage waitlists that may include children's information (e.g., childcare, preschool, after-school programs). This data is provided by authorized adults — parents, guardians, or organization staff. WaitlistCare does not knowingly collect personal information directly from children.

Where the Children's Online Privacy Protection Act (COPPA) or similar laws apply, the Controller is responsible for obtaining verifiable parental consent before entering children's personal information into the platform. WaitlistCare processes children's data solely as directed by the Controller in its role as Processor.

10. CCPA Service Provider Provisions

Where the California Consumer Privacy Act (as amended by CPRA) applies and WaitlistCare processes "Personal Information" on behalf of the Controller, WaitlistCare certifies that it:

• Acts as a "Service Provider" as defined under the CCPA.
• Will not sell or share Personal Information for targeted advertising.
• Will not retain, use, or disclose Personal Information for any purpose other than providing the Services as permitted by the Controller.
• Will not retain, use, or disclose Personal Information outside of the direct business relationship between WaitlistCare and the Controller.
• Will not combine Personal Information received from the Controller with personal information from other sources, except as permitted under the CCPA.
• Will ensure any Subprocessors handling Personal Information are bound by equivalent restrictions.

11. Miscellaneous

Liability

Each party's liability under this DPA is subject to the exclusions and limitations of liability set forth in the Agreement.

Termination

This DPA automatically terminates upon deletion of all Customer Data by WaitlistCare after the end of Services, or upon termination of the Agreement, except for provisions that survive (confidentiality, data return/deletion obligations).

Order of Precedence

In the event of conflict between this DPA and the Agreement regarding the processing of Customer Data, this DPA shall prevail. In the event of conflict between this DPA and any Standard Contractual Clauses or mandatory law, the latter shall prevail.

Amendments

Except as required by changes in law, any amendment to this DPA must be in writing and agreed by both parties.

Governing Law

This DPA is governed by the same law and jurisdiction as the Agreement (State of North Carolina, United States), unless required otherwise by applicable data protection law.

12. Contact

For any privacy or data processing inquiries, please contact us:

Contact us here