
Data Recipient & Barbershop Agreement

Replaces the previous Data Processing Agreement

Last updated: November 20, 2025

1. Agreement Overview

This Agreement (the "Agreement") replaces the previous Data Processing Agreement and governs the relationship between Tyjera (as sole Data Controller) and the Barbershop (as restricted Data Recipient). This Agreement complies with GDPR and governs the processing of personal data in the context of the Tyjera platform.

By using Tyjera's services, the Barbershop agrees to the terms of this Agreement.

2. Parties & Data Roles

2.1 Tyjera: Sole Data Controller

Tyjera Einzelunternehmen is the sole data controller under GDPR Article 4(7). Tyjera determines:

  • The purposes for processing appointment and customer data
  • The technical and organizational means of processing
  • What data is collected, retained, secured, and deleted
  • Who may access data and under what conditions

2.2 Barbershop: Restricted Data Recipient

The Barbershop (Customer) is not a data controller, data processor, or joint controller. The Barbershop:

  • Receives appointment data from Tyjera solely to provide the booked service
  • May use data only for fulfilling the specific appointment booked
  • Must not independently determine data processing purposes or means
  • Must not retain, store, backup, or independently process customer data
  • Must not share customer data with third parties
  • Acknowledges all data remains under Tyjera's control and remains Tyjera's property

2.3 Tyjera's Role as Processor for Sub-Processors

Where Tyjera engages sub-processors (e.g., Clerk, Brevo, Mapbox), Tyjera acts as a processor under Article 28 GDPR with respect to those sub-processors. Tyjera remains the controller vis-à-vis the data subjects (barbershop customers) and barbershops.

3. Subject Matter, Duration, and Nature of Processing

3.1 Duration

This Agreement remains in effect for the duration of the Barbershop's use of Tyjera's services and for 30 days following termination to allow for data return or deletion.

3.2 Nature and Purpose of Processing

Tyjera processes customer appointment data for the following purposes:

  • Facilitating appointment booking and confirmation
  • Sending appointment reminders and confirmations
  • Managing customer profiles and booking history
  • Providing analytics and business insights to barbershops (aggregated, non-personal data only)
  • Complying with tax, legal, and security obligations

Barbershops do NOT:

  • Determine the purposes of processing
  • Control how data is retained or secured
  • Receive raw customer data for independent processing
  • Receive payment data, customer history, or preferences

4. Tyjera's Obligations as Data Controller

4.1 Security Measures

Tyjera implements appropriate technical and organizational measures to protect personal data (see Section 5).

4.2 Handling Data Subject Requests

Tyjera is responsible for responding to all data subject requests. Barbershops forward requests to Tyjera.

4.3 Managing Sub-Processors

Tyjera ensures all sub-processors comply with GDPR through Data Processing Agreements (Article 28).

4.4 Data Breach Notification

Tyjera reports data breaches in accordance with GDPR Articles 33 and 34.

4.5 Restrictions on Barbershop Data Use

Barbershops agree to:

  • Use customer data only to provide the specific appointment booked
  • Not retain customer data beyond the appointment date
  • Not access, view, or manipulate customer data through unauthorized means
  • Not export, download, or store customer information on personal devices
  • Immediately notify Tyjera of any data access, loss, or unauthorized use
  • Delete any personal customer data they may have recorded independently

5. Technical and Organizational Security Measures

Tyjera is committed to data security and applies the following measures to protect personal data in line with GDPR Art. 32, proportional to the size and resources of the business:

5.1 Encryption & Data Protection

Data transmitted via our platform is encrypted using industry-standard protocols (TLS). Password authentication is secured using industry-standard hashing algorithms.

  • TLS encryption for all data in transit
  • Password hashing using bcrypt or similar industry-standard algorithms
  • Secure authentication provided by Clerk (third-party authentication service)

Planned: We are actively working towards implementing encryption for data at rest and secure backup procedures.

5.2 Access Controls

Tyjera implements role-based access control (RBAC) to restrict platform access according to user roles:

  • Business Owners have full administrative access to their business data, including customer information, appointments, and settings
  • Professionals (barbers/stylists) have limited access only to the data necessary for providing services and managing their schedules
  • Access permissions are managed by the business owner account
  • Automatic session timeouts for inactive users

As Tyjera is currently operated by a single person, formal multi-factor authentication and regular access reviews will be implemented as the business scales.

5.3 Confidentiality

As a single-operator business, all access to personal data and systems is limited to the owner. Data protection principles and security best practices are followed in all operations.

Planned: As the business grows and additional personnel are hired, formal confidentiality agreements and data protection training will be established.

5.4 Data Backup and Availability

Tyjera hosts all data and services within Germany using infrastructure compliant with local data protection laws.

  • All data is hosted in Germany (EU)
  • Regular data backups are performed
  • DDoS protection via Cloudflare
  • Regular system updates and security patch management

Planned: We are actively planning enhancements to continuity and disaster recovery capabilities to improve uptime and service resilience.

Limitations: We have not yet implemented full geographic redundancy or high-availability failover systems. Occasional service interruptions may occur, and Tyjera disclaims liability for any downtime beyond its reasonable control.

5.5 Monitoring and Incident Response

While formal 24/7 security monitoring and continuous penetration testing are not yet in place, Tyjera monitors system health and security events regularly.

  • Regular monitoring of system logs and security events
  • Incident response procedures for data breaches (notification within 72 hours as required by GDPR Art. 33)
  • Security updates applied promptly when vulnerabilities are identified

Planned: Tyjera aims to enhance security testing, auditing processes, and monitoring capabilities as the platform grows.

5.6 Barbershop Data Access Controls

Barbershop owners and their staff have controlled access to customer data through the platform:

  • Business owners have full access to historical appointment and customer data specifically related to their business operations
  • Professionals (staff) have limited access only to their assigned appointments and necessary customer contact information
  • Data access is strictly controlled through the platform and limited to what is necessary for managing bookings, customer communication, and service delivery
  • Barbershops cannot bulk export customer data for external use beyond what the platform provides for business operations
  • Barbershops cannot access data belonging to other businesses or users

Restrictions: Barbershops must not retain customer data independently outside the Tyjera platform or use customer data for purposes beyond providing the booked services.

6. Sub-Processors

The following sub-processors assist Tyjera in processing customer data:

Important: These sub-processors are engaged by Tyjera (as data controller). Barbershops do not directly share data with sub-processors. Tyjera ensures all sub-processors comply with GDPR obligations through Data Processing Agreements (Article 28).

Clerk (Clerk.com Inc.)

Service: Authentication and user management
Location: USA (EU data residency available)
Data Processed: User authentication credentials, email, name, profile data
Safeguards: Standard Contractual Clauses (SCCs), GDPR-compliant DPA

PostHog (PostHog Inc.)

Service: Product analytics (only with user consent)
Location: EU (hosted on eu.i.posthog.com)
Data Processed: Anonymized usage data, page views, feature usage
Safeguards: EU hosting, GDPR-compliant, 90-day data retention

Brevo (Brevo SAS, formerly Sendinblue)

Service: Transactional emails, marketing emails, chat widget
Location: EU (Germany)
Data Processed: Email addresses, names, communication history
Safeguards: EU-based, GDPR-compliant, ISO 27001 certified

Mapbox (Mapbox Inc.)

Service: Maps and location services (only with user consent)
Location: USA
Data Processed: Location queries, IP addresses (temporary)
Safeguards: Standard Contractual Clauses (SCCs), minimal data retention

Cloudflare (Cloudflare Inc.)

Service: CDN, DDoS protection, security
Location: Global network with EU data centers
Data Processed: IP addresses, technical logs (temporary)
Safeguards: Standard Contractual Clauses (SCCs), GDPR-compliant DPA

Changes to Sub-Processors

Tyjera may update this list of sub-processors from time to time. We will notify the Barbershop at least 30 days in advance of any new sub-processor.

7. International Data Transfers

Tyjera primarily stores and processes data within the European Union. However, some sub-processors (Clerk, Mapbox, Cloudflare) may involve transfers to countries outside the EEA.

For transfers to third countries, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs for all transfers to processors in third countries.
  • Adequacy Decisions: Where applicable, we rely on European Commission adequacy decisions for certain countries.
  • Additional Measures: We conduct transfer impact assessments and implement supplementary measures (encryption, access controls) as needed.

8. Assistance with Data Subject Rights

Tyjera (as controller) is responsible for responding to data subject requests. Barbershops will cooperate by:

  • Confirming appointment details if requested by Tyjera
  • Not independently responding to customer data requests
  • Forwarding any customer requests for data access/deletion to Tyjera

If a customer contacts their barbershop about their data, the barbershop should direct them to contact Tyjera at [email protected].

9. Audit and Inspection Rights

Tyjera (as controller) maintains audit and inspection rights over sub-processors and the overall processing system. Barbershops do not have audit rights over customer data; however, Tyjera will respond to reasonable requests for information about how customer data is processed.

10. Data Retention and Deletion

Upon termination of the Barbershop's use of Tyjera:

  • Tyjera will retain customer appointment data according to the retention schedule in the Privacy Policy
  • The Barbershop has no right to request deletion or export of customer data
  • Any customer data the Barbershop may have retained independently must be securely deleted

11. Liability and Indemnification

Under GDPR Article 82:

  • Tyjera (as controller) is liable for damages caused by violations of GDPR controller obligations
  • Barbershops are liable for damages caused by their unauthorized use of customer data or violation of the data handling restrictions in Section 4.5
  • Tyjera is not liable for barbershop violations; barbershops shall indemnify Tyjera for damages caused by the barbershop's misuse of customer data

12. Barbershop Data Protection Obligations

By using Tyjera's services, the Barbershop agrees to:

12.1 Data Handling

  • Not store, backup, or retain customer appointment data beyond what is necessary for service delivery
  • Not access customer data through unauthorized means or for purposes other than service delivery
  • Not export, download, or copy customer lists or personal information
  • Immediately notify Tyjera of any actual or suspected data breach or misuse

12.2 Compliance

  • Comply with this Agreement and Tyjera's Privacy Policy
  • Not claim to be an independent data controller for customer data
  • Inform customers that their data is controlled by Tyjera (not the barbershop)
  • Cooperate with Tyjera in responding to regulatory inquiries or data subject requests

12.3 Termination

  • Upon termination, immediately cease accessing or using any customer data
  • Return or delete any customer information retained independently
  • Provide written confirmation of data deletion upon request

12.4 Violations

Material violations of these data protection obligations may result in:

  • Immediate suspension of platform access
  • Termination of access to the Services
  • Legal action to enforce compliance
  • Liability for damages caused by violations

Barbershops are responsible for any damages caused by violations.

13. Contact Information

For questions about this Agreement or to exercise any rights under this Agreement:

Data Protection Inquiries: [email protected]

Data Subject Requests: [email protected]

Technical Support: [email protected]

This Agreement is incorporated into and forms part of the Terms of Service between Tyjera and the Barbershop. In case of conflict, this Agreement prevails on matters of data protection.