Data Processing Agreement

Last updated: 20 April 2026

This Data Processing Agreement (“DPA”) governs the processing of personal data by LGH B.V., trading as 425 Scheduler (“Processor”), on behalf of the professional user (“Controller”) who subscribes to the 425 Scheduler platform.

1. Scope and roles

The Controlleris the Pro (service professional) who uses 425 Scheduler to manage their clients, sessions, and invoices. The Controller determines the purposes and means of processing their clients' personal data.

The Processor is LGH B.V., which provides the 425 Scheduler software platform and processes personal data on behalf of the Controller as described in this agreement.

2. Subject matter and duration

• Subject matter: Provision of scheduling and invoicing software
• Duration: For the duration of the Controller's subscription to 425 Scheduler
• Nature of processing: Storage, retrieval, display, and transmission of personal data
• Purpose: Enabling the Controller to manage their business operations, including client scheduling, attendance tracking, invoicing, and communication

3. Types of personal data processed

• Client names and email addresses
• Session dates, times, types, and notes
• Invoice amounts, dates, and payment status
• Client progress notes and attendance records
• Communication records (email notifications sent via the platform)

4. Data subjects

The data subjects are the Controller's clients — individuals who receive services from the Pro and whose data is entered into 425 Scheduler by the Pro.

5. Processor obligations

The Processor shall:

• Process personal data only on documented instructions from the Controller, unless required by law
• Ensure that persons authorised to process personal data have committed themselves to confidentiality
• Implement appropriate technical and organisational security measures, including encryption in transit (TLS), row-level security in the database, and access controls
• Not engage another processor without prior written authorisation of the Controller (see sub-processors below)
• Assist the Controller in responding to data subject requests (access, rectification, erasure, portability)
• Notify the Controller without undue delay (and within 72 hours) after becoming aware of a personal data breach
• Delete or return all personal data to the Controller at the end of the service, unless retention is required by law
• Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28

6. Sub-processors

The Controller authorises the Processor to engage the following sub-processors. The Processor will notify the Controller of any intended changes to this list at least 30 days in advance.

7. Controller rights

The Controller has the right to:

• Access all personal data processed on their behalf
• Request correction or deletion of data
• Export data in a structured format
• Audit the Processor's compliance with this DPA
• Terminate this DPA by cancelling their subscription

8. Data breach notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay and within 72 hours of becoming aware of the breach. The notification shall include the nature of the breach, the categories of data affected, the likely consequences, and the measures taken to address the breach.

9. Return and deletion of data

Upon termination of the subscription, the Processor shall retain the Controller's data for 12 months to allow for reactivation. After 12 months, all personal data shall be permanently deleted, except where retention is required by applicable law.

10. Governing law

This DPA is governed by the laws of the Netherlands and is subject to the jurisdiction of the competent court in Den Haag, Netherlands.

Contact

For questions about this DPA, contact us at privacy@scheduler.t425g.com.