Legal · v1.0-draft

Data Processing Agreement

How Hostnicker processes personal data your shop submits on behalf of its customers.

Last updated:

Placeholder: This document is a first-draft template and must be reviewed by a UK-qualified solicitor before public launch.

Parties

Processor:

Hostnicker Web Solution LTD
London, GB

Controller: The customer (“you”) subscribed to MobileStockPOS, in relation to personal data you submit about your shop's own customers, staff, and suppliers.

Subject matter and duration

We process personal data on your behalf for the sole purpose of providing the Service. Processing continues while your subscription is active and for the 30-day read-only period afterwards. After 90 days we delete all personal data we hold as a processor, subject to the limited legal retention exceptions in the Privacy Policy.

Nature and purpose

  • Storing your shop's product, sales, customer, repair, and supplier records.
  • Running the POS, reports, receipts, and subscription emails.
  • Monitoring availability, debugging, and rate-limiting to prevent abuse.

Categories of data subjects and data

Data subjects: Your customers, staff, and suppliers.

Categories of personal data: Names, email addresses, phone numbers, addresses, optional national ID where you choose to record it, purchase history, repair-ticket details, preferred language.

We do not process special categories of data (health, biometric, political opinion, etc.) and you undertake not to upload them.

Sub-processors

The sub-processors listed in our Privacy Policy also process data under this DPA. We will notify you by email at least 14 days before onboarding any new sub-processor. You may object in writing; if we cannot reach agreement, you may terminate the affected subscription and receive a pro-rata refund for any unused yearly period.

Cross-border transfers

Where sub-processors operate outside the UK, transfers are governed by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or an applicable adequacy decision. For Asian jurisdictions with local data-residency requirements, we work with you to identify an appropriate Supabase region.

Security measures

  • Encryption in transit (TLS 1.2+) and at rest (Supabase-managed).
  • Row-Level Security on every tenant table.
  • Column-level encryption on sensitive fields (phone, email, NIC).
  • Least-privilege access for Hostnicker staff.
  • Audit logs with hash-chained integrity.
  • Periodic backup-restore drills with documented outcomes.

Data subject rights

You are responsible for handling data subject requests relating to your shop's customers. We assist promptly on request: export, deletion, access, correction.

Data breach notification

We will notify you without undue delay (and in any case within 72 hours) of a personal data breach affecting your data, with the information you need to meet your own notification obligations.

Audit

Once per calendar year on reasonable notice, you may request documented evidence of our compliance (SOC 2-style review summaries, sub-processor list, security policies). On-site audits are by mutual agreement and at your cost.

Termination

On termination of the subscription, we delete all personal data we hold as a processor within 90 days, unless legally required to retain it. A certificate of destruction is available on request.

Governing law

This DPA is governed by the laws of England and Wales.

Contact

DPA-related correspondence goes to the DPO email in the company block above.