Data Processing Agreement
This agreement governs how BuildAble POS processes personal data on behalf of our customers.
Effective Date: 1 January 2026
Version: 1.0
Last Updated: 15 May 2026
This Data Processing Agreement (DPA) is entered into between BuildAble POS ("Processor", "we", "us") and the customer ("Controller", "you") using the BuildAble POS Services. This DPA forms part of the Terms of Service and applies to the processing of personal data by BuildAble POS on behalf of the Controller.
By using BuildAble POS Services, you agree to the terms of this DPA. If you are entering into this DPA on behalf of a company or other legal entity, you represent that you have the authority to bind such entity to this DPA.
1. Definitions
2. Scope & Roles
2.1 Roles of the Parties
- Controller: The shop using BuildAble POS Services determines the purposes and means of processing personal data of its customers, staff, and business contacts.
- Processor: BuildAble POS processes personal data only on documented instructions from the Controller, including with regard to transfers of personal data to third countries or international organisations, unless required to do so by Union or Member State law to which the Processor is subject.
2.2 Description of Processing
| Item | Description |
|---|---|
| Subject matter | Provision of point-of-sale, repair management, inventory tracking, and sales reporting services. |
| Duration | For the duration of the shop's subscription to BuildAble POS Services, plus any data retention period specified in Section 9. |
| Nature and purpose | Processing is necessary to provide POS Services, including customer management, repair ticketing, sales transactions, inventory management, reporting, and communication features. |
| Types of personal data | Contact information (names, email addresses, phone numbers); business information (shop names, addresses); customer data (repair records, sales transactions, inventory data); staff data (names, roles, PIN codes); usage data (login times, feature usage, IP addresses). |
| Categories of data subjects | Shop employees and authorised users; customers of the shop; business contacts and suppliers. |
3. Data Processor Obligations
BuildAble POS shall comply with the following obligations as a data processor:
- Process only on documented instructions: BuildAble POS will process personal data only in accordance with the Controller's documented instructions, including as set out in this DPA and the Terms of Service, unless required by applicable law.
- Confidentiality: All personnel authorised to process personal data are bound by confidentiality obligations.
- Security measures: Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
  - AES-256-GCM encryption for sensitive data at rest
  - TLS 1.2+ for all data transmission
  - Role-based access control (RBAC) with hierarchical permissions
  - Row Level Security (RLS) on all database tables
  - Regular security assessments and penetration testing
- Sub-Processor governance: Ensure that any Sub-Processor engaged meets the same data protection obligations as set out in this DPA.
- Assistance to the Controller: Assist the Controller in ensuring compliance with its obligations under data protection law, including responding to data subject requests, conducting data protection impact assessments, and consulting with supervisory authorities.
- Return or deletion: At the end of the provision of services, delete or return all personal data to the Controller, and delete existing copies unless Union or Member State law requires storage of the personal data.
4. Sub-Processors
The Controller grants BuildAble POS general authorisation to engage the Sub-Processors listed below. BuildAble POS shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors, giving the Controller the opportunity to object to such changes.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Railway | Application hosting and deployment infrastructure | United States / EU |
| Supabase | Database hosting, authentication, and real-time data services | EU (London, UK) |
| Cloudflare | Content delivery network (CDN), DDoS protection, and DNS services | Global |
| Resend | Transactional and notification email delivery | United States |
| Stripe | Payment processing and subscription management | United States / EU |
All Sub-Processors are subject to data processing agreements that ensure compliance with GDPR, UK GDPR, and other applicable data protection laws.
5. Data Subject Rights
BuildAble POS shall assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection law, including:
- Right of access: Data subjects have the right to obtain confirmation as to whether their personal data is being processed, and where that is the case, access to the personal data.
- Right to rectification: Data subjects have the right to have inaccurate personal data corrected without undue delay.
- Right to erasure ("right to be forgotten"): Data subjects have the right to have their personal data deleted where there is no compelling reason for its continued processing.
- Right to restrict processing: Data subjects have the right to restrict the processing of their personal data in certain circumstances.
- Right to data portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to have that data transmitted to another controller.
- Right to object: Data subjects have the right to object to the processing of their personal data in certain circumstances, including for direct marketing purposes.
BuildAble POS shall provide the Controller with the necessary functionality and assistance to fulfil these requests, including data export and deletion capabilities.
6. Data Breach Notification
In the event of a personal data breach, BuildAble POS shall:
- Notify the Controller without undue delay and, where feasible, no later than 24 hours after becoming aware of the breach.
- Provide the Controller with all information necessary to enable the Controller to comply with its obligation to report the breach to the supervisory authority, including:
  - The nature of the breach, including categories and approximate numbers of data subjects and records concerned
  - The likely consequences of the breach
  - The measures taken or proposed to address the breach and mitigate its potential adverse effects
- Document all personal data breaches, comprising the facts relating to the breach, its effects, and the remedial action taken.
7. Data Transfers
BuildAble POS may transfer personal data to countries outside the European Economic Area (EEA) or the United Kingdom, subject to the following safeguards:
- Standard Contractual Clauses (SCCs): Transfers to Sub-Processors in third countries are governed by EU Commission Standard Contractual Clauses or the UK Addendum to the EU SCCs, as appropriate.
- Adequacy decisions: Where a country has been recognised by the European Commission or UK authorities as providing an adequate level of data protection, personal data may be transferred to that country without additional safeguards.
- Data minimisation: BuildAble POS shall ensure that only the personal data necessary for the specific purpose of the transfer is transferred, and that appropriate technical and organisational measures are in place to protect that data.
8. Audits & Compliance
BuildAble POS shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and applicable data protection law.
- Audit rights: The Controller has the right to audit BuildAble POS's compliance with this DPA. Such audits may be conducted by the Controller or an independent auditor appointed by the Controller.
- Audit frequency: Audits shall be conducted no more than once per calendar year, unless the Controller has reasonable grounds to believe that BuildAble POS is not complying with this DPA.
- Notice: The Controller shall provide at least 30 days' prior written notice of any audit, except where there are reasonable grounds to believe that BuildAble POS is not complying with this DPA.
- Cooperation: BuildAble POS shall cooperate with the Controller and any auditor appointed by the Controller, and shall provide access to relevant documentation, systems, and personnel.
- Certifications: BuildAble POS maintains relevant security certifications and compliance attestations, including SOC 2 and ISO 27001, and shall provide copies of such certifications upon request.
9. Data Retention & Deletion
BuildAble POS shall retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law.
- Active subscription: Personal data is retained for the duration of the Controller's active subscription to BuildAble POS Services.
- Post-termination: Upon termination of the subscription, BuildAble POS shall delete or return all personal data to the Controller within 90 days, unless otherwise instructed by the Controller or required by applicable law.
- Legal obligations: In certain circumstances, BuildAble POS may be required to retain personal data for longer periods to comply with legal obligations, resolve disputes, or enforce agreements.
- Security logs: Audit and security logs may be retained for up to 12 months for security and compliance purposes.
10. Controller Instructions
BuildAble POS shall process personal data only in accordance with the Controller's instructions, which include:
- The purposes of processing as set out in this DPA and the Terms of Service.
- The types of personal data and categories of data subjects as described in Section 2.
- Any additional instructions provided by the Controller through the BuildAble POS platform or in writing.
If BuildAble POS believes that an instruction infringes applicable data protection law, it shall inform the Controller without delay.
11. Data Protection Impact Assessment
BuildAble POS shall assist the Controller in conducting data protection impact assessments (DPIAs) where required by applicable data protection law, including by providing:
- Information about the nature, scope, context, and purposes of the processing carried out by BuildAble POS.
- Details of the technical and organisational measures implemented to ensure the security of processing.
- Information about any known risks to the rights and freedoms of data subjects.
- Recommendations for mitigating measures to address identified risks.
12. Liability & Indemnification
Each party shall be liable for damages caused by processing only where it has not complied with the obligations of this DPA or applicable data protection law.
- BuildAble POS shall be liable for the acts and omissions of its Sub-Processors as if they were its own.
- BuildAble POS shall indemnify and hold the Controller harmless against any claims, damages, or expenses arising from BuildAble POS's breach of this DPA or applicable data protection law, except where such breach is caused by the Controller's instructions or actions.
- The Controller shall indemnify and hold BuildAble POS harmless against any claims, damages, or expenses arising from the Controller's breach of this DPA or applicable data protection law, or from the Controller's instructions that infringe applicable law.
13. Term & Termination
This DPA shall remain in effect for the duration of the Controller's use of BuildAble POS Services and shall automatically terminate upon termination of the subscription.
- Upon termination, BuildAble POS shall, at the Controller's choice, delete or return all personal data to the Controller, except where applicable law requires retention.
- The obligations of confidentiality, data security, and liability shall survive termination of this DPA.
- Either party may terminate this DPA if the other party materially breaches its obligations and fails to remedy the breach within 30 days of written notice.
14. Amendments
BuildAble POS reserves the right to amend this DPA from time to time to reflect changes in legal requirements, our practices, or the POS Services.
- Material changes to this DPA will be notified to the Controller at least 30 days before they take effect, unless required by applicable law.
- Continued use of BuildAble POS Services after the effective date of any changes constitutes acceptance of the amended DPA.
- If the Controller does not agree to the amended DPA, the Controller may terminate the subscription in accordance with the Terms of Service.
15. Governing Law & Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of England and Wales.
- Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
- Nothing in this DPA shall prevent either party from seeking injunctive or other interim relief in any court of competent jurisdiction.
- This DPA is without prejudice to the rights of data subjects to bring claims directly against either party under applicable data protection law.
16. Contact Information
If you have any questions about this DPA or wish to exercise your rights, please contact us using the details below.
We aim to respond to all inquiries within 72 hours. For urgent data protection matters, please contact our Data Protection Officer directly.