Data Processing Agreement (DPA)

Name: Glanevo
Author: Glanevo

Last updated: April 2, 2026

Roles

The salon business is the controller of personal data relating to its operations. Glanevo processes such data as a processor on the customer's instructions, in line with GDPR Article 28 and applicable local law.

Scope & instructions

Processing covers appointments, customer and staff records, payment metadata, notifications, and support — only as needed to provide the service under the agreement. Glanevo will not process for unrelated purposes except where required by law.

Security measures

Technical and organizational measures include encryption, access controls, secure development practices, vendor review, and incident response. Further detail may be provided in a security annex on request.

Sub-processors

Representative sub-processors include Stripe, iyzico, Twilio, Netgsm, Resend, Neon (PostgreSQL), Vercel, and AI providers (e.g. Groq, Google, Anthropic) with data minimization. The list may change; material updates will be communicated as required by contract or law.

Breach notification

If Glanevo becomes aware of a personal data breach affecting customer data, we will notify the customer without undue delay to enable timely regulatory or data-subject notifications, typically aiming for an initial notice within 72 hours where feasible.

End of processing & deletion

On termination, Glanevo will support export and then delete or return data per instructions, subject to legal retention obligations. A typical completion target is within 30 days after export window, unless otherwise agreed.