Data Processing Addendum
This Data Processing Addendum (Addendum or DPA) forms part of the Terms of Service between Black Belt Digital Ltd (Processor, we, us, our, BBD) and the customer identified in the relevant account or subscription (Controller, you, your). This Addendum applies where BBD processes personal data on your behalf in connection with the Service. If there is a conflict between this Addendum and the Terms, this Addendum prevails in relation to data protection matters.
1. Roles of the parties
You are the data controller in respect of any personal data you upload, collect, store, transmit, or otherwise process using the Service, including data relating to patients, leads, customers, staff, or website visitors. BBD acts as a data processor only to the extent that we process personal data on your documented instructions for the purpose of providing the Service. Where BBD processes personal data for its own purposes, such processing is governed by our Privacy Policy and BBD acts as an independent controller.
2. Scope of processing
This Addendum applies to personal data processed by BBD on your behalf through use of the website builder, hosting, forms, lead capture, analytics tools, integrations, support services, and related features. The nature of processing includes hosting, storage, transmission, display, backup, and deletion of personal data as required to provide the Service. The duration of processing is the term of your subscription plus any limited post-termination retention period described in the Terms and Privacy Policy.
3. Categories of data subjects and personal data
Data subjects may include your patients, prospective patients, customers, prospective customers, website visitors, staff, contractors, and other individuals whose data you choose to upload or collect through the Service. Personal data may include names, contact details, enquiry content, appointment requests, images, before-and-after images, IP addresses, and any other data you choose to submit. Where you upload special category data, including health-related data, you confirm you have a lawful basis and explicit consent where required.
4. Your obligations as controller
You confirm that you have provided all required notices to data subjects, obtained all required consents, and have a lawful basis for processing personal data and special category data. You are responsible for the accuracy, quality, and legality of personal data and for complying with all applicable data protection laws. You must not instruct BBD to process personal data in a way that would violate applicable law. You are responsible for responding to data subject requests and regulatory enquiries relating to your data.
5. BBD obligations as processor
BBD will process personal data only on your documented instructions, unless required to do otherwise by law. We will ensure that persons authorised to process personal data are subject to confidentiality obligations. We will implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures are risk-based and appropriate to the nature of the Service. No security measure is infallible.
6. Sub-processors
You authorise BBD to engage sub-processors to provide parts of the Service, including hosting providers, cloud infrastructure providers, analytics services, support tools, and security services. We will ensure sub-processors are subject to data protection obligations consistent with this Addendum. A current list of sub-processors may be made available on request. We may update sub-processors from time to time. Continued use of the Service constitutes acceptance of such updates.
7. International transfers
Personal data may be processed in countries outside your own, including outside the UK and EEA. Where required by law, BBD will rely on appropriate safeguards such as standard contractual clauses or equivalent transfer mechanisms. You acknowledge that use of a global SaaS platform involves international data flows.
8. Assistance with data subject rights
Taking into account the nature of processing, BBD will provide reasonable assistance to enable you to respond to data subject requests to exercise their rights, where technically feasible and where such requests relate to personal data processed by BBD on your behalf. You acknowledge that BBD cannot respond directly to data subjects on your behalf. Requests must come from you, and assistance may be subject to reasonable fees where permitted by law.
9. Personal data breaches
BBD will notify you without undue delay after becoming aware of a personal data breach affecting personal data processed on your behalf, unless the breach is unlikely to result in risk to individuals. The notification will include available information reasonably required to meet your obligations. You are responsible for assessing notification obligations to regulators and data subjects.
10. Deletion and return of data
On termination or expiry of your subscription, BBD will, in accordance with the Terms, delete or anonymise personal data processed on your behalf, unless retention is required by law or for legitimate backup and disaster recovery purposes. Backup copies may persist for a limited period before being overwritten. We do not guarantee the retrieval of data after termination.
11. Audits and information
BBD will make available information reasonably necessary to demonstrate compliance with this Addendum. You agree that audits will be limited to written requests or third-party certifications where possible. On-site audits are subject to reasonable notice, confidentiality, and cost reimbursement, and may be refused where they pose security or operational risk.
12. Liability
Liability arising out of this Addendum is subject to the limitations of liability set out in the Terms. BBD’s total liability for data protection-related claims will not exceed the liability cap specified in the Terms.
13. Governing law
This Addendum is governed by the laws of England and Wales, and disputes are subject to the jurisdiction provisions set out in the Terms, unless mandatory local law requires otherwise.
14. Order of precedence
If there is any conflict between this Addendum, the Terms, and other agreements, this Addendum prevails solely in relation to data protection obligations.