StudioOps is a sole trader business based at 5 Barcote Close, Swindon, SN25 2BH. Data protection contact: hello@studioops.uk.
This Data Processing Addendum forms part of the StudioOps Terms of Service where a studio uses StudioOps to process personal data about its own customers, prospects, staff, or contacts.
1. Roles
For personal data that a studio enters into StudioOps about its own customers and contacts:
- the studio is the controller;
- StudioOps is the processor.
For personal data about StudioOps account users, billing contacts, support contacts, and website visitors, StudioOps may act as controller. That is covered by the Privacy Notice.
2. Subject matter and duration
StudioOps processes personal data to provide workflow software to the studio.
Processing continues for as long as the studio uses StudioOps and for any further period needed for export, backups, legal obligations, dispute handling, and account closure.
3. Nature and purpose of processing
StudioOps may collect, store, organise, retrieve, update, transmit, delete, and otherwise process personal data as needed to provide:
- enquiry management;
- customer records;
- appointments;
- quotes;
- invoices;
- payment-request tracking;
- customer-space links;
- emails and customer communication;
- AI-assisted drafting, where enabled;
- support, security, diagnostics, and service improvement.
4. Categories of data subjects
Data subjects may include:
- studio customers and prospects;
- wedding party contacts or related contacts entered by the studio;
- studio owners and staff;
- suppliers or business contacts entered by the studio.
5. Categories of personal data
Personal data may include:
- names;
- email addresses;
- phone numbers;
- appointment details;
- service notes;
- quote and invoice details;
- payment status and limited payment metadata;
- message history;
- photos or attachments uploaded by the studio;
- customer-space access tokens in hashed form;
- audit and activity logs.
Studios should avoid adding unnecessary sensitive data.
6. Studio instructions
StudioOps will process personal data only on documented instructions from the studio, unless required by law.
The Terms of Service, product settings, and actions taken by authorised studio users are documented instructions.
7. Confidentiality
StudioOps will ensure that people authorised to process personal data are subject to appropriate confidentiality obligations.
8. Security
StudioOps will use appropriate technical and organisational measures designed to protect personal data, including:
- access controls;
- tenant separation;
- server-side handling of sensitive keys;
- secure passwordless authentication where applicable;
- hashed customer-space tokens;
- audit logging for sensitive actions where implemented;
- backups and operational monitoring;
- use of reputable infrastructure providers.
9. Sub-processors
StudioOps may use sub-processors to provide the service, such as hosting, database, storage, email, analytics, AI, and payment providers.
StudioOps currently uses the following sub-processors:
| Provider | Purpose |
|---|---|
| Vercel | Hosting |
| Supabase | Database, authentication, storage |
| Resend | Email delivery |
| Stripe | StudioOps subscription billing |
| Square | Payment status via the studio’s own connected Square account |
| OpenAI | AI-assisted drafting |
| Anthropic | AI-assisted drafting |
| Google (Gemini) | AI-assisted drafting |
| Beehiiv | Marketing newsletter |
Where a studio connects its own Square account, Square acts under the studio’s own agreement with Square in relation to card payments. StudioOps uses the Square connection to record payment status.
StudioOps will give the studio at least 14 days’ notice before adding or replacing a sub-processor that processes the studio’s customer personal data. If the studio reasonably objects to a new sub-processor on data protection grounds, it can raise this with StudioOps, and if the concern cannot be resolved the studio may stop using the affected feature or end its subscription.
StudioOps puts a written contract in place with each sub-processor that imposes data protection obligations equivalent to those in this Addendum. StudioOps remains responsible to the studio for the performance of its sub-processors’ data protection obligations.
10. International transfers
Some sub-processors process personal data outside the UK, including in the United States (for example OpenAI, Anthropic, and Google). Where personal data is transferred outside the UK, StudioOps relies on UK adequacy regulations where they apply, or on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with any supplementary measures needed.
11. Assistance
StudioOps will provide reasonable assistance to help the studio respond to data subject requests, security incidents, and compliance obligations, taking into account the nature of the processing and the information available to StudioOps.
12. Personal data breach
StudioOps will notify the studio without undue delay after becoming aware of a personal data breach affecting the studio’s personal data. StudioOps aims to notify within 48 hours of becoming aware, so the studio can meet its own 72-hour regulatory deadline where one applies.
The notification should include known details about the nature of the breach, affected data, likely consequences, and steps taken or proposed.
13. Deletion and return
On account closure or on the studio’s request, StudioOps will delete or return the studio’s customer personal data, at the studio’s choice, and delete existing copies, unless retention is required by law. Some data may remain in secure backups for a limited period before automatic deletion.
Data export is available at no fee.
14. Audit
StudioOps will make reasonable information available to demonstrate compliance with this Addendum.
For early customers, this will normally be handled through written responses rather than formal on-site audits.
15. Contact
Data protection contact: hello@studioops.uk.
Related: Terms of Service · Privacy Notice · Cookie Notice
