1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between CaterTrackr Ltd ("Processor", "we", "us") and the customer ("Controller", "you") and governs our processing of personal data on your behalf in connection with the CaterTrackr service management platform.

This DPA is designed to meet the requirements of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person processed by CaterTrackr on your behalf, including customer names, contact details, addresses, job records, and equipment service histories.

"Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, and deletion.

"Sub-processor" means any third party engaged by CaterTrackr to process Personal Data on your behalf.

3. Scope and Purpose of Processing

We process Personal Data solely for the purpose of providing the CaterTrackr service management platform, including:

• Managing customer records and contact information
• Tracking equipment, assets, and service histories
• Managing job assignments, scheduling, and completion
• Generating invoices and financial records
• Sending service notifications and reminders
• Providing customer portal access to service records

4. Data Security

We implement appropriate technical and organisational measures to protect Personal Data, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls and multi-tenant data isolation
• Regular security assessments and monitoring
• Secure session management with HttpOnly cookies
• Rate limiting and brute-force protection
• Audit logging of administrative actions

5. Sub-processors

We use the following sub-processors to deliver our service:

• Neon (neon.tech) — PostgreSQL database hosting (EU/UK regions available)
• Google Cloud Platform — Object storage for photos and documents
• Stripe — Payment processing and subscription billing
• Resend — Transactional email delivery
• Xero / QuickBooks — Accounting integration (only when connected by you)

We will notify you before adding or replacing any sub-processor that processes Personal Data.

6. Data Subject Rights

We assist you in fulfilling your obligations to respond to data subject requests, including:

• Right of Access: Data export functionality available from your account settings
• Right to Erasure: Account and company deletion with PII clearing and scheduled permanent removal
• Right to Portability: JSON data export containing all customer, asset, job, and service records
• Right to Rectification: Full editing capabilities for all records within the platform

7. Data Retention and Deletion

Upon termination of your subscription or deletion of your account, we will soft-delete your data immediately (clearing all personally identifiable information) and permanently delete all remaining records within 30 days.

You may request immediate data export at any time via the account settings page or by contacting us at privacy@catertrackr.com.

8. Breach Notification

In the event of a Personal Data breach, we will notify you without undue delay (and in any case within 72 hours of becoming aware) and provide all information reasonably required for you to fulfil your breach notification obligations.

9. International Transfers

We primarily process data within the United Kingdom and European Economic Area. Where data is transferred to sub-processors outside these regions, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms.

10. Contact

For questions about this DPA or our data processing practices, contact our Data Protection Officer at privacy@catertrackr.com.