WheelOwl WheelOwl

Data processing agreement (DPA)

Last updated June 2026

This data processing agreement (DPA) pursuant to Art. 28 GDPR is an annex to the WheelOwl terms of service between ByteZoo Labs UG (haftungsbeschränkt), Domenica-Niehoff-Twiete 2, 22765 Hamburg, Germany ("the Provider", processor) and the studio operating a WheelOwl account ("the Studio", controller). It is concluded by account creation and governs all member personal data the Studio processes in WheelOwl.

§ 1 Subject matter and term

Subject matter: operation of the WheelOwl studio-management software (SaaS). Term: duration of the main contract; ends with account or studio deletion.

§ 2 Nature and purpose of processing

Hosting, storage, display, transmission (e-mail notifications), export, and deletion of member data for studio administration: membership and plan management, check-in tracking, firing and billing records, monthly charge summaries, and optional firing-service orders.

§ 3 Categories of data and data subjects

Categories: contact data (name, e-mail, phone), membership and plan data, visit times (check-ins), firing and billing records, optional photos of pottery pieces. Data subjects: studio members, guests/customers of the optional firing service, studio staff.

§ 4 Processing on instruction

The Provider processes personal data only on documented instruction from the Studio. Use of WheelOwl's functions and their configuration by the Studio constitutes instruction.

§ 5 Confidentiality

Persons authorized to process data are bound to confidentiality (Art. 28(3)(b) GDPR).

§ 6 Technical and organisational measures (TOMs)

The Provider implements the following measures:

  • Encryption in transit (TLS)
  • Encryption at rest at the hosting provider
  • Tenant isolation by studio_id at application level plus PostgreSQL row-level security
  • Role-based access control (admin/member)
  • JWT-based session validation
  • Security headers (CSP, HSTS)
  • Secrets confined to server-side code
  • EU hosting (Frankfurt) for the database
  • Daily backups

§ 7 Sub-processors

The Studio consents to the following sub-processors. The Provider informs studio admins by e-mail at least 30 days before adding or replacing a sub-processor; the Studio may object for good cause and terminate if no resolution is reached.

  • Supabase Inc. — database, authentication, file storage. Infrastructure EU (Frankfurt); EU Standard Contractual Clauses.
  • Cloudflare Inc. — hosting and content delivery. USA/global; EU-US Data Privacy Framework and Standard Contractual Clauses.
  • Plus Five Five Inc. (Resend) — transactional e-mail. EU dispatch (Ireland), service data USA; Data Privacy Framework and Standard Contractual Clauses.
  • Anthropic PBC — only when the Studio itself enables AI features (default off). USA; EU Standard Contractual Clauses.

Changes to sub-processors are announced as described above; the Studio may object for good cause within the notice period.

§ 8 Assistance and data-subject rights

The Provider supports the Studio in responding to data-subject requests through built-in functions: per-member CSV export (member detail and member self-service), member erasure (members page — scrubs name, e-mail, phone, and avatar and severs the login; billing snapshots and already-sent notification recipients are retained as immutable audit records), and studio deletion (settings). Beyond that: wheelowl@bytezoolabs.com.

§ 9 Notification duties

The Provider informs the Studio without undue delay of personal-data breaches concerning the Studio's data (Art. 33(2) GDPR).

§ 10 Deletion and return

On termination the Studio can export its data beforehand (CSV exports). Studio deletion scrubs profile and member PII as described in the privacy policy; billing audit records are retained per statutory retention duties. Audit and proof rights (Art. 28(3)(h) GDPR): the Provider provides the information necessary to demonstrate compliance on request.

German law applies. The liability rules of the terms of service apply accordingly. If this DPA conflicts with the terms of service, the DPA prevails for data-protection matters.

Terms of service · Impressum · Privacy policy