1. Subject Matter & Duration

This DPA governs the processing of personal data forwarded to Inbox2Sheet for the purpose of extracting and exporting data into Google Sheets. It remains in force for the duration of the customer's subscription.

2. Nature & Purpose of Processing

Inbox2Sheet processes personal data solely to provide:

• Email ingestion and parsing
• Data structuring, transformation, and export to Sheets
• AI-powered chat insights and data analysis
• Error handling, logging, and support

3. Categories of Data Subjects

• End customers of the Controller (e.g., booking clients, leads, correspondents)
• Controller's staff who forward emails or interact with the service

4. Types of Personal Data

Names, emails, phone numbers, booking details, payment amounts, and any other data contained in forwarded emails.

5. Processor Obligations

Bobook Limited shall:

• Process data only on documented instructions from the Controller
• Ensure staff are bound by confidentiality
• Implement appropriate technical and organizational measures (see Security Page)
• Assist the Controller in responding to data subject rights requests
• Notify Controller of any personal data breach within 72 hours
• Delete or return personal data at termination of the service
• Make available information necessary to demonstrate compliance

6. Subprocessors

Controller authorizes use of subprocessors listed at /legal/subprocessors. Bobook Limited shall:

• Ensure subprocessors are bound by data protection obligations equivalent to this DPA
• Inform Controller of new subprocessors with 30 days' notice (Controller may object)

7. International Data Transfers

Where subprocessors are outside the EEA/UK, Bobook Limited relies on:

• EU Standard Contractual Clauses (SCCs), and/or
• UK International Data Transfer Addendum (IDTA), and/or
• EU–US Data Privacy Framework (DPF)

8. Controller Obligations

Controller is responsible for:

• Lawful collection and forwarding of data
• Providing appropriate privacy notices to its own customers
• Configuring retention, deletion, and security settings in the platform

9. Termination

At contract end, all personal data will be deleted or returned to the Controller within 30 days, except backups securely destroyed within 90 days.

10. Governing Law

This DPA is governed by Irish law, with jurisdiction of the Irish Data Protection Commission.