DATA PROCESSING AGREEMENT (DPA)
Last updated: April 23, 2026
1. How this DPA is accepted
This Data Processing Agreement ("DPA") forms part of the Terms & Conditions ("Terms") between you ("Clinic User", "Controller", "you") and Mathias Systems LLC ("Estetis", "Processor", "we", "us").
No separate signature is required. This DPA is automatically accepted and becomes binding when you:
Accept the Terms & Conditions, and
Activate a paid subscription to the Service.
By doing the above, you confirm that you are authorized to enter into this DPA on behalf of your business and that you accept all of its terms. If you do not agree, do not use the Service.
This DPA prevails over any conflicting terms in the main Terms & Conditions regarding the processing of End Customer personal data.
2. Background and purpose
You use the Estetis Service to run loyalty, rewards, and membership programs for your customers ("End Customers"). In doing so, you upload and process personal data about those End Customers through our platform.
Under applicable data protection laws — including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the Irish Data Protection Act 2018, and the Polish Act on the Protection of Personal Data — this makes you the Controller of End Customer personal data, and Estetis the Processor.
This DPA sets out the terms on which Estetis processes End Customer personal data on your behalf and satisfies the written contract requirement under Article 28(3) GDPR.
3. Definitions
Terms used in this DPA have the meanings given to them in the GDPR. In particular:
Personal Data — any information relating to an identified or identifiable natural person (here: End Customer data).
Processing — any operation performed on personal data.
Controller — the entity that determines the purposes and means of processing (you).
Processor — the entity that processes personal data on behalf of the Controller (Estetis).
Sub-processor — a third party engaged by the Processor to process personal data.
Data Subject — the individual to whom the personal data relates (End Customer).
Personal Data Breach — a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
Standard Contractual Clauses (SCCs) — the clauses adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021.
4. Details of processing
Subject matter: provision of the Estetis loyalty, rewards, and membership platform.
Duration: for as long as your subscription is active, plus any post-termination retention period agreed in the Terms.
Nature and purpose: storing, organizing, retrieving, using, and transmitting End Customer personal data to enable loyalty tracking, membership management, rewards redemption, push notifications, and communications initiated by you.
Types of personal data: first name, last name, email address, phone number, date of birth, loyalty and membership activity (points, rewards, transactions, timestamps), and other data you voluntarily upload within the permitted scope.
Categories of data subjects: your End Customers.
Full details are set out in Annex A.
5. Your obligations as Controller
You are solely responsible for:
Having a valid lawful basis under Article 6 GDPR for processing End Customer data (typically consent or legitimate interests for loyalty programs).
Providing End Customers with your own privacy notice that meets Articles 13 and 14 GDPR.
Obtaining any required consents — particularly for marketing communications, push notifications, and newsletters sent via the Service.
Not uploading special-category data (health data, biometric data, racial/ethnic origin, political opinions, religious beliefs, sexual orientation) or data relating to criminal convictions. This data is contractually excluded from the Service.
Ensuring that End Customer data is accurate and lawfully collected.
Responding to Data Subject requests concerning their rights (access, rectification, erasure, etc.).
Complying with all other applicable data protection, marketing, and consumer protection laws.
You will indemnify Estetis against any claim, fine, or liability arising from your failure to meet these obligations.
6. Our obligations as Processor
Estetis will:
6.1 Process on documented instructions
Process End Customer personal data only on your documented instructions, including instructions regarding transfers of personal data to a third country. Your instructions are considered documented through: (a) the Terms, (b) this DPA, (c) your configuration and use of the Service, and (d) any additional written instructions you provide.
If we believe an instruction violates data protection law, we will inform you. We may refuse to follow an instruction that is manifestly unlawful.
6.2 Confidentiality
Ensure that our personnel authorized to process End Customer data are bound by written confidentiality obligations or appropriate statutory confidentiality.
6.3 Security
Implement appropriate technical and organizational measures to protect End Customer personal data in accordance with Article 32 GDPR. Current security measures are described in Annex B.
6.4 Assist you
Taking into account the nature of the processing and the information available to us, provide reasonable assistance with:
Responding to Data Subject rights requests (Articles 15–22 GDPR)
Security, breach notification, and Data Protection Impact Assessments (Articles 32–36 GDPR)
Consultations with supervisory authorities
Assistance is provided via the Service's built-in tools where possible (e.g., data export, deletion features). Extensive manual assistance may be subject to reasonable fees.
6.5 Breach notification
Notify you without undue delay, and where feasible within 72 hours, after becoming aware of a Personal Data Breach affecting End Customer data. Our notification will include the information required under Article 33(3) GDPR to the extent known.
6.6 Return or deletion
At your choice, delete or return all End Customer personal data at the end of the provision of the Service, unless storage is required by law. Standard deletion occurs within 90 days of termination, as set out in our Privacy Policy.
6.7 Compliance and audit
Make available to you information necessary to demonstrate compliance with Article 28 GDPR, including responses to reasonable written due-diligence questionnaires. We will permit audits on reasonable prior written notice, no more than once per year, subject to confidentiality, at your expense, and scheduled to avoid disruption to the Service. A third-party audit report, certification, or completed security questionnaire will satisfy audit requests where reasonably sufficient.
7. Sub-processors
7.1 General authorization
You grant Estetis general authorization to engage sub-processors to process End Customer personal data, provided that each sub-processor is bound by data protection obligations no less protective than those in this DPA.
7.2 Current sub-processors
The current list of sub-processors is set out in Annex C below.
7.3 Changes
We will notify you by email or in-app notification at least 30 days before adding or replacing a sub-processor. You may object to a new sub-processor on reasonable data-protection grounds within 30 days of notification. If we cannot reasonably accommodate your objection, you may terminate your subscription and receive a pro-rata refund for the unused prepaid period.
7.4 Liability for sub-processors
We remain liable to you for the acts and omissions of our sub-processors to the same extent as for our own acts and omissions.
8. International data transfers
8.1 Transfers outside the EEA
Because Estetis is established in the United States and some of our sub-processors are located outside the European Economic Area, End Customer personal data may be transferred outside the EEA.
8.2 Safeguards
Where required, such transfers are governed by one of the following mechanisms under Chapter V GDPR:
EU–U.S. Data Privacy Framework certification (where applicable to the recipient, e.g., Stripe)
Standard Contractual Clauses (SCCs) adopted by the European Commission in Decision (EU) 2021/914, Module 2 (Controller to Processor), which are incorporated by reference into this DPA and deemed signed by both parties as of the effective date of the Terms
Other lawful transfer mechanisms recognized under applicable law
8.3 Governing clauses for SCCs
Where the SCCs apply:
Clause 7 (docking): does not apply
Clause 9 (sub-processors): Option 2, general authorization with 30-day notice (Section 7.3 above)
Clause 11 (redress): independent dispute resolution option does not apply
Clauses 17 and 18 (governing law / forum): Republic of Ireland
Annexes I, II, III of the SCCs are populated by Annexes A, B, and C of this DPA
9. Liability
Each party's liability under this DPA is subject to the limitations set out in the main Terms. Nothing in this DPA excludes or limits either party's liability for:
Death or personal injury caused by negligence
Fraud or willful misconduct
Any liability that cannot be excluded under applicable law
10. Conflict and precedence
In the event of any conflict between this DPA and the main Terms regarding the processing of End Customer personal data, this DPA prevails.
In the event of any conflict between this DPA and the SCCs, the SCCs prevail.
11. Term
This DPA applies for as long as Estetis processes End Customer personal data on your behalf, and survives termination of the main Terms to the extent required for post-termination return, deletion, or legal compliance.
12. Governing law
This DPA is governed by the laws of the State of New Mexico, USA, except that where the SCCs apply, disputes arising under the SCCs are governed by the law of the Republic of Ireland, in accordance with Clause 17 of the SCCs.
13. Contact
For any questions about this DPA or to exercise rights under it:
Mathias Systems LLC
1209 Mountain Road Pl NE, Ste N
Albuquerque, New Mexico 87110, USA
Email: matt@estetis.app
ANNEX A — Details of processing
Subject matter: Loyalty, rewards, and membership management platform
Nature and purpose: Storing, organizing, retrieving, using, and transmitting End Customer data to enable loyalty tracking, membership administration, rewards redemption, push notifications, and communications initiated by the Clinic User
Duration: Duration of the subscription + applicable retention period (see Privacy Policy)
Categories of data subjects: End Customers of the Clinic User (individuals who are customers, members, or prospects of the Clinic User's business)
Types of personal data: Identity data (first name, last name), contact data (email, phone number), date of birth, loyalty and membership activity (points, rewards, transactions, timestamps), preferences and settings configured by the Clinic User
Special-category data: None. Clinic Users are contractually prohibited from uploading special-category data.
Frequency of processing: Continuous for the duration of the subscription
ANNEX B — Technical and organizational security measures
Estetis implements the following measures to protect End Customer personal data (Article 32 GDPR):
Encryption in transit: TLS 1.2+ for all communications between clients, the Service, and sub-processors
Encryption at rest: Database-level encryption provided by our hosting and infrastructure providers
Access control: Role-based access to production systems; access limited to authorized personnel on a need-to-know basis; multi-factor authentication for admin accounts
Authentication: Password hashing using industry-standard algorithms; session management and secure cookies
Network security: Firewalls and access controls at the infrastructure level, provided by our hosting sub-processor
Monitoring and logging: Application and infrastructure logs retained for security and incident-response purposes
Backup and recovery: Regular automated backups; documented recovery procedures
Vendor management: Security review of sub-processors; contractual data protection obligations
Personnel: Confidentiality obligations; onboarding guidance on data protection
Incident response: Documented process for identifying, investigating, and reporting Personal Data Breaches
Data minimization: Only the data types listed in Annex A are collected and processed
Deletion: Automated deletion workflows aligned with the retention schedule in the Privacy Policy
Estetis reviews and updates these measures as the Service evolves. Material changes will not result in a degradation of protection.
ANNEX C — Sub-processors
As of the date of this DPA, Estetis uses the following sub-processors to process End Customer personal data:
Stripe, Inc. (USA): Payment processing (subscription billing). Transfer mechanism: EU-US Data Privacy Framework + SCCs
Intercom R&D Unlimited Company (Ireland / USA): Customer support and messaging. Transfer mechanism: SCCs (where applicable)
[Hosting provider] ([To be confirmed]): Application and database hosting. Transfer mechanism: [SCCs / DPF, as applicable]
[Transactional email provider] ([To be confirmed]): Sending service notifications. Transfer mechanism: [SCCs / DPF, as applicable]
If we add or change sub-processors, we will update this Annex and notify you as set out in Section 7.3.