DATA PROCESSING AGREEMENT
Between the Controller and Processor under GDPR Article 28
DPA Version: 1.0
Last Updated: February 28, 2026
PARTIES
CONTROLLER (the "Controller")
The salon or beauty business that accepts this Data Processing Agreement through the Processor's platform during account registration or subscription. The Controller's legal name, address, and contact details are as provided during account registration.
PROCESSOR (the "Processor")
WELT-ŠPED d.o.o.
Trading as: Lumera Studio Lab
Registered Address: Selska cesta 123/2, Zagreb, 10000, Croatia
Company Registration Number (OIB): 63453057610
Data Protection Contact: [email protected]
RECITALS
WHEREAS:
A. The Controller is a salon or beauty business that uses the Processor's software-as-a-service platform ("Platform") to manage appointments, bookings, and related salon operations;
B. In the course of providing the Platform, the Processor processes Personal Data on behalf of the Controller relating to the Controller's end customers (booking clients);
C. The Parties wish to comply with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), and in particular Article 28, which requires that processing by a processor on behalf of a controller be governed by a contract that sets out the subject matter, duration, nature, and purpose of the processing, the types of Personal Data and categories of data subjects, and the obligations and rights of the controller;
D. This Data Processing Agreement ("DPA") forms part of the contractual relationship between the Parties and supplements the Processor's Terms of Service and other applicable agreements (collectively, the "Main Agreement");
E. This DPA governs only the processing of Personal Data of the Controller's end customers (booking clients) and does not cover the processing of Personal Data of the Controller's personnel or the Controller itself (which is governed by the Processor's Business Privacy Policy).
NOW IT IS AGREED as follows:
1. DEFINITIONS AND INTERPRETATION
1.1 Definitions
In this DPA, the following terms shall have the meanings set out below:
- "Controller Personal Data" means Personal Data relating to the Controller's end customers (booking clients) that is processed by the Processor on behalf of the Controller under this DPA;
- "Data Breach" or "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Controller Personal Data transmitted, stored or otherwise processed;
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the GDPR, the Croatian Personal Data Protection Act (if applicable), and any successor or replacement legislation;
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA;
- "Main Agreement" means the Processor's Terms of Service and any other applicable agreement between the Parties governing the provision of the Platform;
- "Personal Data" has the meaning given in Article 4(1) GDPR;
- "Platform" means the Processor's software-as-a-service booking and salon management platform provided to the Controller;
- "Processing" has the meaning given in Article 4(2) GDPR, and "process" and "processed" shall be construed accordingly;
- "Sub-Processor" means any third party engaged by the Processor to process Controller Personal Data;
- "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to Article 51 GDPR.
1.2 Interpretation
1.2.1 Headings are for convenience only and do not affect interpretation.
1.2.2 References to Articles and clauses are to Articles and clauses of this DPA unless otherwise stated.
1.2.3 Words in the singular include the plural and vice versa.
1.2.4 References to any statute or statutory provision include a reference to that statute or provision as amended, consolidated, or re-enacted from time to time.
2. SCOPE AND APPLICATION OF THIS DPA
2.1 Subject Matter and Duration
2.1.1 This DPA governs the Processing of Controller Personal Data by the Processor on behalf of the Controller for the purpose of providing the Platform and related services.
2.1.2 The duration of the Processing is for the term of the Main Agreement and any applicable notice or wind-down period, plus such additional time as may be necessary to comply with the return or deletion obligations in Clause 12.
2.2 Relationship to Main Agreement
2.2.1 This DPA forms an integral part of the Main Agreement and is incorporated by reference.
2.2.2 In the event of any conflict or inconsistency between the provisions of this DPA and the Main Agreement with respect to the Processing of Controller Personal Data, the provisions of this DPA shall prevail.
2.2.3 Nothing in this DPA reduces or limits any obligations the Processor may have under the Main Agreement or under Data Protection Laws.
2.3 Acceptance and Effective Date
2.3.1 This DPA becomes effective on the date the Controller accepts it by:
(a) checking the acceptance checkbox during account creation or subscription to the Platform; or
(b) clicking "Subscribe" or "Create Account" after being presented with a prominent notice of acceptance; or
(c) clicking "Accept DPA" in the Processor's administrative dashboard (for existing users accepting updated versions).
(the "Effective Date").
2.3.2 By accepting this DPA, the Controller confirms that it has read and understood the terms of this DPA and the associated Terms of Service and Business Privacy Policy, and that it has had the opportunity to review these documents before acceptance.
2.3.3 The Processor shall record the Effective Date and the DPA version accepted by the Controller in its systems (database fields: salons.dpa_signed_at and salons.dpa_version).
2.3.4 Without prejudice to other remedies, the Processor may suspend or restrict access to the Platform if the Controller has not accepted the current version of this DPA where required by Data Protection Laws or by a Supervisory Authority.
3. DETAILS OF THE PROCESSING
The details of the Processing are set out in Schedule 1 (Details of Processing) to this DPA, which forms an integral part of this DPA.
4. INSTRUCTIONS AND COMPLIANCE
4.1 Processing on Instructions
4.1.1 The Processor shall process Controller Personal Data only on the documented instructions of the Controller, unless required to process by Union or Member State law to which the Processor is subject.
4.1.2 The Controller's instructions are set out in:
(a) this DPA and its schedules;
(b) the Main Agreement;
(c) the Controller's use of the Platform and its features (including but not limited to the creation, modification, and deletion of bookings and client records);
(d) any other written instructions reasonably given by the Controller from time to time that are consistent with the terms of this DPA and the Main Agreement.
4.1.3 If the Processor considers that an instruction from the Controller infringes Data Protection Laws, the Processor shall promptly inform the Controller and may suspend the relevant Processing until the Controller confirms or withdraws the instruction.
4.1.4 If the Processor is required by Union or Member State law to process Controller Personal Data for purposes other than those instructed by the Controller, the Processor shall inform the Controller of that legal requirement before Processing, unless the law prohibits such information on important grounds of public interest.
4.2 No Processing for Own Purposes
The Processor shall not process Controller Personal Data for any purpose other than as instructed by the Controller under this DPA, except where and to the extent required by applicable law.
4.3 Compliance with Data Protection Laws
4.3.1 Each Party shall comply with its respective obligations under Data Protection Laws in relation to the Processing of Controller Personal Data.
4.3.2 The Processor warrants that it is familiar with Data Protection Laws and that it is capable of fulfilling its obligations under this DPA.
5. CONFIDENTIALITY
5.1 Confidentiality Obligation
5.1.1 The Processor shall ensure that all persons authorised by the Processor to process Controller Personal Data (including the Processor's employees, contractors, and agents) are subject to a binding obligation of confidentiality (whether contractual or statutory) and receive appropriate training on Data Protection Laws and the handling of Personal Data.
5.1.2 The Processor shall not disclose Controller Personal Data to any third party except:
(a) to Sub-Processors in accordance with Clause 7;
(b) as instructed by the Controller;
(c) where required by applicable law, provided that (where lawful) the Processor first informs the Controller of the legal requirement.
6. SECURITY
6.1 Security Measures
6.1.1 The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk of Processing Controller Personal Data, taking into account:
(a) the state of the art;
(b) the costs of implementation;
(c) the nature, scope, context, and purposes of the Processing;
(d) the risk of varying likelihood and severity for the rights and freedoms of Data Subjects.
6.1.2 Such measures shall include, as appropriate:
(a) the pseudonymisation and encryption of Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services;
(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures.
6.1.3 A high-level description of the Processor's current technical and organisational measures is set out in Schedule 2 (Security Measures).
6.1.4 The Processor shall keep its security measures under review and may update or modify them from time to time, provided that such updates or modifications do not result in a material degradation of the security of the Processing.
6.2 Security Incidents
In addition to the Personal Data Breach notification obligations in Clause 8, the Processor shall notify the Controller without undue delay of any security incident or event that may compromise the security or integrity of Controller Personal Data or the Platform.
7. SUB-PROCESSORS
7.1 General Authorisation
7.1.1 The Controller hereby grants the Processor general written authorisation to engage Sub-Processors to process Controller Personal Data, subject to the conditions set out in this Clause 7.
7.1.2 A list of the Processor's current Sub-Processors (including their identity, location, and the processing activities they perform) is set out in Schedule 3 (Sub-Processors) and is also published and maintained at:
https://lumerastudio.com/privacy-business#sub-processors
7.2 Sub-Processor Requirements
7.2.1 The Processor shall:
(a) enter into a written contract with each Sub-Processor that imposes data protection obligations on the Sub-Processor that are no less protective than those imposed on the Processor under this DPA, and in particular that require the Sub-Processor to implement appropriate technical and organisational measures such that the Processing meets the requirements of Data Protection Laws;
(b) ensure that each Sub-Processor is subject to obligations of confidentiality;
(c) remain fully liable to the Controller for the performance of any Sub-Processor's obligations under this DPA as if they were the Processor's own obligations.
7.3 Changes to Sub-Processors
7.3.1 The Processor may add or replace Sub-Processors from time to time, provided that:
(a) the Processor updates the Sub-Processor list in Schedule 3 and at the published URL;
(b) the Processor provides the Controller with at least thirty (30) calendar days' prior written notice of the intended addition or replacement (by email to the Controller's registered contact address or by notice in the Platform's administrative dashboard);
(c) the Controller has the opportunity to object to the new or replacement Sub-Processor on reasonable grounds relating to the protection of Controller Personal Data.
7.3.2 If the Controller objects in writing within the notice period on reasonable grounds, the Parties shall discuss the objection in good faith with a view to achieving a resolution. If no mutually acceptable resolution is reached within a reasonable period (not exceeding thirty (30) days), either Party may terminate the affected part of the services (or, if the Sub-Processor is integral to the Platform, the Main Agreement) on written notice, without penalty.
7.3.3 If the Controller does not object within the notice period, the Controller shall be deemed to have accepted the new or replacement Sub-Processor.
7.4 Copies of Sub-Processor Agreements
Upon written request by the Controller, the Processor shall provide a summary or redacted copy of its agreements with Sub-Processors, with commercially sensitive information removed, to enable the Controller to verify compliance with this Clause 7.
8. PERSONAL DATA BREACH NOTIFICATION
8.1 Notification to Controller
8.1.1 The Processor shall notify the Controller without undue delay and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Controller Personal Data.
8.1.2 The notification shall include, to the extent known at the time of notification:
(a) a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) the name and contact details of the Processor's data protection contact or other point of contact from whom more information can be obtained;
(c) a description of the likely consequences of the Personal Data Breach;
(d) a description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach and, where appropriate, to mitigate its possible adverse effects.
8.1.3 If it is not possible to provide all the information in paragraph 8.1.2 at the same time, the Processor may provide the information in phases, provided that the initial notification is made within the time limit in paragraph 8.1.1.
8.2 Cooperation and Assistance
8.2.1 The Processor shall cooperate with the Controller and provide such further information and assistance as the Controller may reasonably require to enable the Controller to:
(a) investigate, mitigate, and remediate the Personal Data Breach;
(b) comply with its obligations under Article 33 (notification to the Supervisory Authority) and Article 34 (communication to Data Subjects) GDPR;
(c) respond to enquiries from Supervisory Authorities or Data Subjects.
8.2.2 The Processor shall not inform any third party (including Data Subjects, the media, or Supervisory Authorities) of a Personal Data Breach affecting Controller Personal Data without the Controller's prior written consent, except where required by applicable law or by a Supervisory Authority.
8.3 Breach Records
The Processor shall maintain a record of all Personal Data Breaches affecting Controller Personal Data in accordance with Article 33(5) GDPR and shall make such records available to the Controller and, where required, to the Supervisory Authority.
9. DATA SUBJECT RIGHTS
9.1 Controller's Responsibility
9.1.1 The Controller is responsible for responding to requests from Data Subjects exercising their rights under Data Protection Laws (including the rights of access, rectification, erasure, restriction of processing, data portability, objection, and not to be subject to automated decision-making).
9.1.2 To the extent that a Data Subject submits a request directly to the Processor, the Processor shall promptly (and in any event within five (5) business days) forward the request to the Controller and shall not respond to the request except on the Controller's documented instructions or as required by law.
9.2 Processor's Assistance
9.2.1 The Processor shall provide reasonable assistance to the Controller to enable the Controller to respond to Data Subject requests, taking into account the nature of the Processing and the information available to the Processor.
9.2.2 Such assistance includes providing the following tools and features within the Platform:
(a) Export of individual client data – the ability to export all Personal Data relating to a single Data Subject in a structured, commonly used, and machine-readable format (e.g., JSON);
(b) Bulk export of customer data – the ability to export all Controller Personal Data in CSV or other structured format;
(c) Client anonymisation – the ability to irreversibly anonymise a Data Subject's Personal Data where the Controller determines that deletion is not appropriate (e.g., for accounting or legal retention purposes);
(d) Client deletion – the ability to permanently delete a Data Subject's appointments and related Personal Data;
(e) Audit logging – a log of data exports, anonymisations, and deletions to assist the Controller in demonstrating compliance.
9.2.3 Upon the Controller's written request, the Processor shall provide such further information or assistance as is reasonably necessary to enable the Controller to respond to a Data Subject request, within a reasonable time and subject to reimbursement of reasonable costs if the assistance requires significant additional work beyond the tools described in paragraph 9.2.2.
10. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
10.1 At the Controller's written request, the Processor shall provide such information and assistance as the Controller reasonably requires to enable the Controller to comply with its obligations under Articles 35 (data protection impact assessment) and 36 (prior consultation with the Supervisory Authority) GDPR, taking into account the nature of the Processing and the information available to the Processor.
10.2 If the assistance referred to in this Clause 10 requires significant additional work by the Processor beyond the provision of existing documentation, the Processor may charge a reasonable fee (to be agreed in advance) for such assistance.
11. AUDITS AND INSPECTIONS
11.1 Information and Records
The Processor shall make available to the Controller such information and records as are reasonably necessary to demonstrate the Processor's compliance with its obligations under this DPA and Data Protection Laws.
11.2 Audits by Controller
11.2.1 The Controller (or an independent third-party auditor appointed by the Controller) may, on reasonable prior written notice and subject to the conditions in this Clause 11, audit the Processor's compliance with this DPA by:
(a) inspecting the Processor's relevant records, systems, and facilities; and/or
(b) requesting and reviewing written responses to an audit questionnaire prepared by the Controller or its auditor.
11.2.2 Such audits shall be subject to the following conditions:
(a) Frequency: No more than once per calendar year, unless:
(i) required by Data Protection Laws or by a Supervisory Authority; or
(ii) the Controller has reasonable grounds to believe that the Processor has materially breached this DPA or suffered a Personal Data Breach;
(b) Notice: At least thirty (30) calendar days' prior written notice (or such shorter period as may be required by a Supervisory Authority);
(c) Scope: The audit shall be limited to matters reasonably relevant to the Processor's Processing of Controller Personal Data and compliance with this DPA;
(d) Timing: Audits shall be conducted during normal business hours and in a manner that does not unreasonably interfere with the Processor's business operations;
(e) Confidentiality: The Controller and any auditor shall:
(i) execute a confidentiality agreement acceptable to the Processor before the audit;
(ii) not access the Personal Data of any other customer of the Processor;
(iii) treat all information obtained during the audit as confidential;
(f) Cost: The Controller shall bear the cost of the audit, except where the audit reveals a material breach by the Processor, in which case the Processor shall reimburse the Controller's reasonable audit costs.
11.2.3 The Processor may provide or procure an independent third-party audit report (e.g., SOC 2, ISO 27001, or similar) in lieu of an on-site audit, provided that the report is reasonably recent (not more than twelve (12) months old) and covers the matters the Controller seeks to audit.
11.3 Regulatory Audits
The Processor shall cooperate with and assist the Controller in responding to any audit, inspection, or investigation by a Supervisory Authority relating to the Processing of Controller Personal Data.
12. RETURN AND DELETION OF CONTROLLER PERSONAL DATA
12.1 Return or Deletion on Termination
12.1.1 Upon termination or expiry of the Main Agreement (or earlier upon the Controller's written request), the Processor shall, at the Controller's choice:
(a) return a complete copy of all Controller Personal Data to the Controller in a structured, commonly used, and machine-readable format (e.g., CSV, JSON); and/or
(b) delete all Controller Personal Data from the Processor's systems and those of its Sub-Processors.
12.1.2 If the Controller does not specify a choice under paragraph 12.1.1 within thirty (30) calendar days after termination or expiry of the Main Agreement, the Processor may proceed with deletion.
12.1.3 The Processor shall complete the return and/or deletion within thirty (30) calendar days after the Controller's request or the end of the thirty (30) day period in paragraph 12.1.2, except as set out in paragraph 12.2.
12.2 Legal Retention
12.2.1 The Processor may retain copies of Controller Personal Data to the extent and for such period as required by Union or Member State law (for example, for tax, accounting, or legal purposes).
12.2.2 Any Controller Personal Data retained under paragraph 12.2.1 shall:
(a) remain subject to the confidentiality and security obligations in this DPA;
(b) be processed only to the extent and for the purposes required by the applicable law;
(c) be deleted when no longer required for such purposes.
12.3 Certification of Deletion
Upon the Controller's written request, the Processor shall provide a written certificate signed by an authorised representative of the Processor confirming that Controller Personal Data has been returned and/or deleted in accordance with this Clause 12, subject to paragraph 12.2.
13. INTERNATIONAL DATA TRANSFERS
13.1 Transfers Outside the EEA
13.1.1 The Processor shall not transfer or permit the transfer of Controller Personal Data to a country or territory outside the European Economic Area (the "EEA") unless:
(a) the European Commission has adopted an adequacy decision under Article 45 GDPR in respect of that country or territory; or
(b) appropriate safeguards are in place under Article 46 GDPR (such as Standard Contractual Clauses, Binding Corporate Rules, or an approved certification mechanism) and Data Subjects have enforceable rights and effective legal remedies.
13.1.2 The Processor shall ensure that any Sub-Processor to whom Controller Personal Data is transferred outside the EEA is contractually bound by equivalent data protection obligations.
13.2 Current Transfers
13.2.1 The Processor's current Sub-Processors and the jurisdictions to which Controller Personal Data may be transferred are listed in Schedule 3.
13.2.2 Where a Sub-Processor is located outside the EEA or processes Controller Personal Data outside the EEA, Schedule 3 sets out the safeguards in place to protect Controller Personal Data (e.g., Standard Contractual Clauses, adequacy decision, or other approved mechanism).
13.3 Cooperation with Regulatory Changes
If there is any change in Data Protection Laws or regulatory guidance that affects the lawfulness or adequacy of international transfers under this Clause 13, the Parties shall cooperate in good faith to implement such additional measures or contractual terms as may be necessary to ensure continued compliance.
14. LIABILITY AND INDEMNIFICATION
14.1 Liability Cap
14.1.1 Subject to paragraph 14.1.2, each Party's aggregate liability under or in connection with this DPA (whether in contract, tort, or otherwise) shall be limited to the liability cap set out in the Main Agreement.
14.1.2 Nothing in this DPA shall limit or exclude either Party's liability for:
(a) death or personal injury caused by its negligence;
(b) fraud or fraudulent misrepresentation;
(c) breach of confidentiality obligations under Clause 5;
(d) any other liability that cannot be limited or excluded by applicable law.
14.2 Indemnification by Processor
The Processor shall indemnify and hold harmless the Controller from and against all claims, losses, damages, costs, and expenses (including reasonable legal fees) arising out of or in connection with the Processor's breach of this DPA or Data Protection Laws, except to the extent that such claims arise from the Controller's instructions or the Controller's breach.
14.3 Indemnification by Controller
The Controller shall indemnify and hold harmless the Processor from and against all claims, losses, damages, costs, and expenses (including reasonable legal fees) arising out of or in connection with:
(a) the Controller's instructions to the Processor that infringe Data Protection Laws;
(b) the Controller's failure to obtain a lawful basis or necessary consent for the Processing of Controller Personal Data;
(c) the Controller's breach of its obligations under this DPA or Data Protection Laws.
14.4 Article 82 GDPR
Without prejudice to Clauses 14.2 and 14.3, each Party acknowledges that under Article 82 GDPR, a Data Subject who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the Controller or the Processor.
15. TERM, AMENDMENT, AND TERMINATION
15.1 Term
This DPA shall take effect on the Effective Date and shall continue in force for so long as the Processor processes Controller Personal Data on behalf of the Controller under the Main Agreement, and thereafter for such period as is necessary to comply with Clause 12 (return and deletion of data).
15.2 Amendment of DPA
15.2.1 The Processor may amend this DPA from time to time to reflect:
(a) changes in Data Protection Laws or regulatory guidance;
(b) changes to the Processor's Processing activities, Sub-Processors, or security measures;
(c) changes reasonably necessary to maintain or enhance the security or integrity of the Platform;
(d) other changes that do not materially reduce the Processor's obligations or the Controller's rights under this DPA.
15.2.2 The Processor shall notify the Controller of any material amendment by:
(a) publishing the updated DPA at https://lumerastudio.com/dpa and updating the DPA version number;
(b) providing notice to the Controller by email or by notice in the Platform's administrative dashboard at least thirty (30) calendar days before the amendment takes effect.
15.2.3 If the Controller objects to a material amendment that reduces the Controller's rights or increases the Controller's obligations, the Controller may terminate the Main Agreement on written notice within the notice period. If the Controller does not terminate within the notice period, the Controller shall be deemed to have accepted the amendment.
15.2.4 If the amendment is required by Data Protection Laws or by a Supervisory Authority, the Processor may require the Controller to re-accept the updated DPA by clicking "Accept DPA" in the Platform's administrative dashboard. If the Controller does not re-accept within a reasonable period, the Processor may suspend access to the Platform.
15.3 Termination
15.3.1 Either Party may terminate this DPA (and the Main Agreement, if applicable) by written notice if the other Party materially breaches this DPA and fails to remedy the breach within thirty (30) calendar days after receiving written notice of the breach.
15.3.2 Upon termination of this DPA, Clause 12 (return and deletion of data) shall apply.
15.3.3 Clauses 5 (Confidentiality), 12 (Return and Deletion), 14 (Liability and Indemnification), and 16 (Governing Law and Dispute Resolution) shall survive termination of this DPA.
16. GOVERNING LAW AND DISPUTE RESOLUTION
16.1 Governing Law
This DPA and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of the Republic of Croatia.
16.2 Jurisdiction
16.2.1 Each Party irrevocably agrees that the courts of Zagreb, Croatia shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA (including non-contractual disputes or claims).
16.2.2 Nothing in this Clause 16 shall limit the right of a Data Subject to lodge a complaint with a Supervisory Authority or to seek a judicial remedy under Articles 77, 78, and 79 GDPR.
17. GENERAL PROVISIONS
17.1 Entire Agreement
This DPA, together with the Main Agreement and its schedules, constitutes the entire agreement between the Parties with respect to the Processing of Controller Personal Data and supersedes all prior or contemporaneous agreements, representations, or understandings (whether written or oral) on that subject.
17.2 Severability
If any provision of this DPA is held to be invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions shall not be affected or impaired.
17.3 Waiver
No failure or delay by either Party in exercising any right or remedy under this DPA shall constitute a waiver of that right or remedy, nor shall any single or partial exercise of any right or remedy preclude any other or further exercise of it or the exercise of any other right or remedy.
17.4 Third-Party Rights
17.4.1 This DPA does not confer any rights on any third party, except that Data Subjects are intended third-party beneficiaries of Clauses 5 (Confidentiality), 6 (Security), 8 (Personal Data Breach Notification), 9 (Data Subject Rights), and 12 (Return and Deletion).
17.4.2 The rights of Data Subjects under paragraph 17.4.1 are without prejudice to any rights of Data Subjects under Data Protection Laws.
17.5 Notices
17.5.1 Any notice required or permitted to be given under this DPA shall be in writing and shall be delivered by email or other electronic means to the contact address provided by the receiving Party.
17.5.2 Notices to the Controller shall be sent to the email address registered in the Controller's account or displayed in the Platform's administrative dashboard.
17.5.3 Notices to the Processor shall be sent to: [email protected]
17.5.4 A notice shall be deemed to have been received:
(a) if sent by email, at the time of transmission (provided no delivery failure notification is received); or
(b) if delivered by other means, on the date of delivery.
17.6 Counterparts and Electronic Acceptance
17.6.1 This DPA may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument.
17.6.2 The Controller's acceptance of this DPA by checking the acceptance checkbox during account creation or subscription, or by clicking "Accept DPA" in the Processor's administrative dashboard, shall be legally binding and shall have the same force and effect as a handwritten signature.
17.6.3 The Processor shall maintain a record of the Controller's acceptance (including the date and the DPA version) in accordance with Data Protection Laws and good business practice.
18. CONTROLLER ACKNOWLEDGEMENTS
By accepting this DPA, the Controller acknowledges and agrees that:
(a) the Controller has read and understood this DPA and the schedules attached to it;
(b) the Controller is responsible for ensuring that it has a lawful basis under Data Protection Laws for the Processing of Controller Personal Data and for providing any required notices and obtaining any required consents from Data Subjects;
(c) the Controller is responsible for the accuracy, quality, and legality of Controller Personal Data and the means by which the Controller acquired Controller Personal Data;
(d) the Controller's instructions to the Processor (including the use of the Platform's features) comply with Data Protection Laws;
(e) the Controller shall not instruct the Processor to process special categories of Personal Data (as defined in Article 9 GDPR) or Personal Data relating to criminal convictions (as defined in Article 10 GDPR) without first obtaining the Processor's written consent and ensuring that such Processing is lawful under Data Protection Laws;
(f) the Controller shall promptly notify the Processor if the Controller becomes aware of any Personal Data Breach, complaint, or investigation by a Supervisory Authority that may affect the Processor's Processing of Controller Personal Data;
(g) the Processor's provision of the Platform and Processing of Controller Personal Data in accordance with this DPA does not relieve the Controller of its own obligations under Data Protection Laws, and the Controller remains fully responsible for compliance with Data Protection Laws in its capacity as Controller.
SCHEDULE 1: DETAILS OF PROCESSING
1. Subject Matter and Duration
Subject matter: The Processor processes Controller Personal Data in order to provide the Platform (a software-as-a-service booking and salon management system) to the Controller.
Duration: For the duration of the Main Agreement and such additional period as is necessary to return or delete Controller Personal Data in accordance with Clause 12 of the DPA.
2. Nature and Purpose of Processing
The Processor processes Controller Personal Data for the following purposes on behalf of the Controller:
| Purpose | Description |
|---|---|
| Booking and appointment management | Collecting and storing end-customer name, email, phone number, and appointment details (date, time, selected service) to create, modify, display, and manage bookings in the Controller's administrative dashboard and calendar. |
| Communication | Sending booking confirmations, reminders, cancellation notices, and other service-related messages to end customers via email (using the Processor's email service provider). |
| Payment processing | Where the Controller has enabled payment at booking: passing end-customer data (name, email, and transaction details) to the Processor's payment service provider (Stripe) to process deposits or full payments. The Processor does not store payment card details; these are processed and stored by Stripe in accordance with PCI DSS standards. |
| Calendar synchronisation | Where the Controller or the Controller's staff members have connected Google Calendar: synchronising appointment details (which may include end-customer name, appointment time, and service) to Google Calendar so that appointments appear in the Controller's or staff's calendar. |
| Data subject rights and compliance | Providing tools and features to enable the Controller to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection) and to comply with Data Protection Laws, including: export of individual client data, bulk export of customer data in CSV format, client anonymisation, client deletion, and audit logging of data protection actions. |
| Security, fraud prevention, and audit | Processing as necessary to ensure the security and integrity of the Platform, to prevent and detect fraud or abuse, and to maintain an audit trail (for example, recording the IP address from which a booking is made and logging administrative actions). |
3. Types of Personal Data
The Processor processes the following categories of Controller Personal Data:
| Category | Data Elements | Source / Storage |
|---|---|---|
| Identity and contact data | Full name, email address, telephone number | Provided by the end customer at the time of booking or entered by the Controller or Controller's staff in the administrative dashboard. Stored in the appointments table. |
| Booking and appointment data | Appointment date and time (start and end), appointment status (e.g., pending, confirmed, completed, cancelled), selected service(s) (service name, duration, price), free-text notes or special requests | Stored in the appointments and services tables. |
| Consent and marketing preferences | GDPR consent flag (indicating whether the end customer has consented to the processing of their Personal Data), marketing opt-in flag (indicating whether the end customer has consented to receive marketing communications) | Stored in the appointments table (fields: gdpr_consent, marketing_opt_in). |
| Payment-related data | Where payment is processed: payment status, transaction reference, amount paid, payer name and email (for reconciliation and receipts). Payment card data is processed and tokenised by Stripe and is not stored by the Processor. | Stored in the payments table (if applicable) and processed by Sub-Processor Stripe. |
| Technical and audit data | IP address of the device used to make a booking, timestamps of bookings and administrative actions, audit logs of data exports, anonymisations, and deletions | Stored in the appointments table (field: client_ip_address) and in the gdpr_audit_log table. |
| Calendar synchronisation data | Appointment details (name, time, service) synchronised to Google Calendar when the Controller or staff member has connected their calendar | Processed and stored by Sub-Processor Google LLC in accordance with Google's terms. |
Note on special categories of Personal Data: The Processor does not request or intend to process special categories of Personal Data (e.g., health data, biometric data, data revealing racial or ethnic origin) or Personal Data relating to criminal convictions. However, the Controller or end customers may include such data in free-text fields (e.g., appointment notes or special requests). If the Controller instructs the Processor to process special categories of Personal Data, the Controller must ensure that it has a lawful basis under Article 9 or Article 10 GDPR (such as explicit consent or another exception) and that such processing is documented in the Controller's instructions.
4. Categories of Data Subjects
The Controller Personal Data processed under this DPA relates to the following categories of Data Subjects:
- End customers (booking clients) of the Controller: individuals who book appointments with the Controller (or on whose behalf appointments are booked) using the Platform, including prospective clients, current clients, and past clients.
5. Obligations and Rights of the Controller
In addition to the obligations set out in the main body of the DPA, the Controller:
(a) shall ensure that it has a lawful basis for the Processing of Controller Personal Data (for example, consent, contract, legitimate interests, or legal obligation);
(b) shall provide clear and transparent privacy notices to Data Subjects in accordance with Articles 13 and 14 GDPR, informing them of the Processing, the identity of the Controller and Processor, the purposes of Processing, Data Subjects' rights, and any international transfers or Sub-Processors;
(c) shall obtain any required consents from Data Subjects (for example, for marketing communications or for processing special categories of data) and maintain records of such consents;
(d) shall not instruct the Processor to process special categories of Personal Data or data relating to criminal convictions without the Processor's prior written consent and without ensuring lawful processing under GDPR;
(e) may use the tools provided by the Processor (as described in Schedule 1, section 2) to respond to Data Subject requests and to comply with its obligations under Data Protection Laws;
(f) shall notify the Processor promptly of any complaint, investigation, or enforcement action by a Supervisory Authority that may affect the Processor's Processing of Controller Personal Data.
SCHEDULE 2: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
The Processor implements and maintains the following technical and organisational measures to protect Controller Personal Data. This is a high-level summary; detailed security documentation may be provided on request and subject to confidentiality obligations.
1. Access Control
- User authentication: Multi-factor authentication (MFA) available for administrative accounts; password policies enforced (minimum length, complexity).
- Role-based access control (RBAC): Access to Controller Personal Data is restricted to Processor personnel and systems on a need-to-know basis; different roles (e.g., developer, support, administrator) have different permission levels.
- Identity and access management: Centralised identity management; regular review and revocation of access rights when personnel leave or change roles.
2. Data Security and Encryption
- Encryption in transit: All data transmitted between end users, the Controller, and the Processor's systems is encrypted using TLS 1.2 or higher.
- Encryption at rest: Controller Personal Data stored in the Processor's database is encrypted at rest using industry-standard encryption (AES-256 or equivalent).
- Key management: Encryption keys are managed securely and rotated regularly in accordance with best practices.
3. Data Hosting and Infrastructure
- Hosting location: Controller Personal Data is hosted in the European Economic Area (EEA), specifically using Supabase's EU region (e.g., Ireland or Frankfurt).
- Infrastructure security: The Processor uses reputable cloud service providers (Sub-Processors) that maintain ISO 27001, SOC 2, or equivalent certifications and implement physical security controls at their data centres.
- Redundancy and availability: The Processor's infrastructure includes backup and disaster recovery measures to ensure the availability and resilience of the Platform.
4. Data Minimisation and Retention
- Data minimisation: The Processor collects and processes only the Personal Data that is necessary for the purposes set out in Schedule 1.
- Retention: Controller Personal Data is retained for as long as the Controller uses the Platform and, after termination, for such period as is necessary to comply with legal retention obligations or the Controller's instructions (see DPA Clause 12).
- Deletion: The Processor implements automated and manual processes for the secure deletion of Controller Personal Data when no longer required.
5. Security Monitoring and Incident Response
- Logging and monitoring: The Processor logs access to and actions on Controller Personal Data and monitors for suspicious or unauthorised activity.
- Intrusion detection and prevention: Security monitoring tools are deployed to detect and respond to potential security threats.
- Incident response: The Processor maintains a documented Personal Data Breach response procedure (see DPA Clause 8) and a security incident response plan.
6. Vulnerability Management and Testing
- Secure development: The Processor follows secure coding practices and conducts code reviews and security testing during development.
- Vulnerability scanning: Regular vulnerability scans and penetration tests are performed (internally or by third parties) to identify and remediate security weaknesses.
- Patch management: The Processor applies security patches and updates to its systems in a timely manner.
7. Organisational Measures
- Confidentiality: All Processor personnel with access to Controller Personal Data are subject to confidentiality obligations (contractual or statutory).
- Training: Processor personnel receive training on Data Protection Laws, security best practices, and the handling of Personal Data.
- Vendor management: The Processor maintains a vendor management process to assess and monitor the security and data protection practices of Sub-Processors.
- Policy and documentation: The Processor maintains internal data protection and security policies, procedures, and documentation.
8. Business Continuity
- Backup: Regular backups of Controller Personal Data are performed and tested to ensure data can be restored in the event of data loss or system failure.
- Disaster recovery: The Processor maintains a business continuity and disaster recovery plan to ensure the availability of the Platform and the protection of Controller Personal Data in the event of a major incident.
Note: The Processor reviews and updates these measures from time to time to adapt to new threats and to reflect the state of the art. The Controller may request an updated summary or further details on reasonable notice and subject to confidentiality obligations (see DPA Clause 11).
SCHEDULE 3: SUB-PROCESSORS
The Processor currently engages the following Sub-Processors to process Controller Personal Data on its behalf. This list is also published and maintained at:
https://lumerastudio.com/privacy-business#sub-processors
| Sub-Processor | Purpose of Processing | Location / Data Transfer | Safeguards |
|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, and storage of appointment and related data (including all Controller Personal Data stored in the Platform). | European Economic Area (EEA) – hosted in EU region (e.g., Ireland or Frankfurt). Data does not leave the EEA. | Data Processing Agreement with Supabase; Supabase maintains ISO 27001 and SOC 2 Type II certifications; data hosted in the EEA. |
| Stripe, Inc. | Payment processing: processing deposits and full payments at the time of booking on behalf of the Controller, including processing of payment card data and related transaction data. | European Economic Area (EEA) and may involve transfers to the United States or other countries where Stripe operates. | Stripe Data Processing Agreement incorporating Standard Contractual Clauses (SCCs) for international transfers; Stripe is PCI DSS Level 1 certified; Stripe's DPA available at https://stripe.com/legal/dpa |
| Resend, Inc. | Transactional email delivery: sending booking confirmations, reminders, cancellations, and other service-related emails to end customers on behalf of the Controller. | United States and global (depending on email routing). | Data Processing Agreement with Resend incorporating Standard Contractual Clauses (SCCs) for international transfers; Resend's security and data protection documentation available on request. |
| Google LLC | Calendar synchronisation: where the Controller or Controller's staff members have connected Google Calendar, the Processor uses the Google Calendar API to synchronise appointment details (including end-customer names and appointment times) to the user's Google Calendar. | European Economic Area (EEA) and may involve transfers to the United States or other countries where Google processes data. | Google Cloud Data Processing Amendment (incorporating Standard Contractual Clauses for international transfers); Google maintains ISO 27001, SOC 2, and other certifications; Google's data processing terms available at https://cloud.google.com/terms/data-processing-addendum |
Changes to Sub-Processors:
The Processor may add, replace, or remove Sub-Processors from time to time in accordance with Clause 7 of the DPA. The Processor shall notify the Controller of any such change by:
- Updating this Schedule 3 and the Sub-Processor list published at the URL above; and
- Providing at least thirty (30) calendar days' prior written notice to the Controller by email or by notice in the Platform's administrative dashboard.
The Controller may object to a new or replacement Sub-Processor on reasonable grounds relating to data protection within the notice period, in accordance with Clause 7.3 of the DPA.
End of Data Processing Agreement
SIGNATURE / ACCEPTANCE
This Data Processing Agreement is accepted by the Controller electronically during the account creation and subscription process.
Processor:
WELT-ŠPED d.o.o. (trading as Lumera Studio Lab)
Authorised Signatory: Roman Jančić
Title: CEO
Date: February 28, 2026
Email: [email protected]
Controller:
[Legal name of salon/business as registered during account creation]
[Address as provided during registration]
Acceptance:
By checking the acceptance checkbox during account creation or by clicking "Subscribe" or "Create Account" after being presented with the terms, or by clicking "Accept DPA" in the administrative dashboard, the Controller accepts and agrees to be bound by this Data Processing Agreement version 1.0.
Date of Acceptance: Automatically recorded as dpa_signed_at in the Processor's database
DPA Version Accepted: Automatically recorded as dpa_version in the Processor's database (Version 1.0)
For inquiries or questions about this DPA, please contact:
Data Protection Contact:
Email: [email protected]
Address: WELT-ŠPED d.o.o., Selska cesta 123/2, Zagreb, 10000, Croatia
Document History:
| Version | Date | Summary of Changes |
|---|---|---|
| 1.0 | February 28, 2026 | Initial version of Data Processing Agreement under GDPR Article 28. Includes clickwrap acceptance mechanism at account creation/subscription. |
APPENDIX: TERMS OF SERVICE INTEGRATION CLAUSE
The following clause should be added to your Terms of Service to legally bind this DPA to your main contract:
Data Processing Agreement
To the extent that WELT-ŠPED d.o.o. (trading as Lumera Studio Lab) processes any Personal Data of your end-customers (booking clients) on your behalf in the course of providing the Platform, such processing will be subject to our Data Processing Agreement (DPA) available at https://lumerastudio.com/dpa, which is hereby incorporated by reference into these Terms of Service. By accepting these Terms, you also accept the DPA. The DPA sets out the parties' obligations with respect to data protection and compliance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (GDPR).
END OF DOCUMENT