VetLocal

Data Processing Agreement (DPA)

Last updated: May 15, 2026

This Data Processing Agreement ("DPA") is an annex to the Terms of Service and becomes binding the moment the Customer ("Controller") begins processing personal data of third parties through the Service — typically Google review content containing patient names. The Provider acts as a processor within the meaning of Art. 28 GDPR.

This document is available in Czech and English. In case of conflict the Czech version prevails.

Contents

  1. Subject matter, nature and purpose
  2. Data categories and data subjects
  3. Provider's obligations as processor
  4. Sub-processors
  5. International transfers
  6. Personal data breach
  7. Data subject rights
  8. Audit
  9. Liability
  10. Final provisions

1. Subject matter, nature and purpose

Subject: the processing of personal data of the Controller's patients (and other data subjects who published a review on the Controller's Google Business Profile) for the purpose of operating DentalLocal — in particular:

  • synchronisation of reviews and generation of AI response drafts,
  • storage of review content, patient names and ratings,
  • analysis of profile performance and monthly reports.

Duration of processing matches the duration of the main contract + 30 days (export window) + statutory accounting retention.

2. Data categories and data subjects

Categories of data processed:

  • patient's name (or nickname) as shown on Google,
  • public profile picture from Google,
  • review text (may contain health-related information about treatment, procedures, perception of care),
  • 1–5 star rating,
  • date the review was published.

Categories of data subjects: patients, possibly caregivers of patients, who voluntarily published a review on Google. Special-category data (health data under Art. 9 GDPR) is processed by the Provider only insofar as it is contained in the review text published by the data subject themselves; the Controller's legal basis is necessity for the establishment, exercise or defence of legal claims (Art. 9(2)(f)) or the explicit consent manifested by publishing the review.

3. Provider's obligations as processor

The Provider undertakes to:

a) Process personal data solely on documented instructions from the Controller (including this DPA).

b) Ensure that persons authorised to process the data are bound by confidentiality.

c) Adopt appropriate technical and organisational measures under Art. 32 GDPR (encryption in transit and at rest, data isolation, access control, logging, incident response plan).

d) Cooperate with the Controller in exercising data subjects' rights and in communication with the supervisory authority.

e) After contract termination, at the Controller's choice, return or delete the data (within 30 days), except copies required by law (accounting documents).

f) Provide the Controller with information necessary to demonstrate compliance with Art. 28 GDPR, including audits (see Art. 8 below).

4. Sub-processors

The Controller grants the Provider general authorisation to engage the sub-processors listed in the Privacy Policy (dentallocal.cz/en/privacy, section 4). The Provider will notify the Controller of any changes at least 30 days in advance; the Controller may object to a new sub-processor and, in such case, terminate the main contract.

5. International transfers

Where personal data is transferred outside the EEA, transfer takes place exclusively on the basis of:

  • an adequacy decision by the European Commission (e.g. EU-US Data Privacy Framework), or
  • Standard Contractual Clauses 2021/914 (module 3 — processor-to-processor),

supplemented by additional measures (encryption, pseudonymisation) where required by local legislation of the recipient.

6. Personal data breach

The Provider will notify the Controller of any personal data breach without undue delay, no later than 72 hours after becoming aware of it. The notification will include a description of the breach, expected consequences, measures taken and the contact person.

7. Data subject rights

If a data subject contacts the Provider directly with a request to exercise their rights (access, rectification, erasure, objection, portability), the Provider will not respond to the request and will forward it to the Controller within 5 business days. The Controller is responsible for responding under GDPR.

8. Audit

The Controller has the right once every 12 months to audit DPA compliance at its own expense — on the basis of a written request with 30 days' notice, during normal business hours, in a manner that does not disrupt operation of the Service. The audit may be carried out by an independent auditor bound by confidentiality. In lieu of audit, the Controller may accept SOC 2 / ISO 27001 audit reports of sub-processors (Supabase, Vercel, Stripe) where available.

9. Liability

Liability is governed by the Terms of Service (Art. 12). Where GDPR imposes direct liability on the processor towards the data subject (Art. 82), the Provider bears liability only to the extent of obligations directly imposed by GDPR.

10. Final provisions

This DPA applies for as long as the Provider processes personal data for the Controller. Changes to this DPA take effect 30 days after notice by email; the Controller may object and, in such case, terminate the contract. In the event of conflict between this DPA and the main contract, this DPA prevails.

VetLocal

AI Google profile manager for Czech veterinary practices.

Contact

    danila.s.anikin@gmail.com

© 2026 VetLocal. All rights reserved.·powered by Lokwave
Made in Prague · GDPR · EU data