Data Processing Agreement

Template - Last updated: March 2026

This Data Processing Agreement (DPA) is entered into between the salon named in the biflo.ai account (the “Controller”) and KRM Consultants Limited (trading as biflo.ai) (the “Processor”). It forms part of and supplements the Terms of Service. By using biflo.ai, the Controller agrees to this DPA. This agreement meets the requirements of UK GDPR Article 28.

1. Parties and Subject Matter

| Party | Role | Details |
|---|---|---|
| The Salon | Controller | As named in the biflo.ai account. Determines the purposes and means of processing caller data. |
| KRM Consultants Limited (trading as biflo.ai) | Processor | Registered in England and Wales. Processes caller data on behalf of the salon. |

Subject matter: AI voice reception processing of inbound telephone calls on behalf of the salon.

Duration: For the term of the subscription agreement, plus the data retention periods specified below.

Nature and purpose: Answering inbound calls, transcribing conversations, extracting booking information, creating appointment records, and notifying salon staff.

2. Personal Data Processed

2.1 Types of Personal Data

  • Caller telephone numbers (CLI for voice, WhatsApp number for messages)
  • Names, where provided by callers during the conversation
  • Booking preferences: preferred stylist, services, dates and times
  • Voice call transcripts and WhatsApp message transcripts
  • Messages and notes left by callers

2.2 Categories of Data Subjects

  • Salon clients (inbound callers and WhatsApp users)
  • Prospective clients making enquiries

3. Controller Obligations

As the data controller, the salon (Controller) is responsible for:

  • Establishing and documenting a lawful basis for processing caller data under UK GDPR Article 6
  • Informing callers at the start of each call that calls are AI-handled and may be recorded
  • Ensuring their ICO registration covers the use of AI telephone reception
  • Responding to data subject rights requests from callers (we will assist within 72 hours)
  • Notifying biflo.ai promptly of any data subject rights requests received directly

4. Processor Obligations (biflo.ai)

KRM Consultants Limited (trading as biflo.ai), as data processor, shall:

  • Process personal data only on documented instructions from the Controller (i.e., the configuration of the service)
  • Ensure all staff with access to personal data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures (see section 6)
  • Not engage any new sub-processors without giving the Controller prior written notice and an opportunity to object
  • Assist the Controller in fulfilling data subject rights requests within 72 hours of receiving a forwarded request
  • Assist the Controller with security obligations, breach notifications, DPIAs, and prior consultations
  • At the choice of the Controller, delete or return all personal data upon termination of the agreement
  • Make available all information necessary to demonstrate compliance with Article 28 obligations

5. Sub-Processors

biflo.ai uses the following sub-processors. By entering into this DPA, the Controller provides general authorisation for their use. We will provide at least 14 days' notice before adding new sub-processors.

| Sub-Processor | Processing Activity | Location | Safeguard |
|---|---|---|---|
| Supabase | Database storage | EU (Frankfurt) | Adequacy decision |
| LiveKit | Voice processing | UK/EU | EU adequacy / UK IDTA |
| Deepgram | Speech-to-text | US | UK IDTA |
| OpenAI | Language model | US | UK IDTA |
| Cartesia | Text-to-speech | US | UK IDTA |
| Telnyx | Telephony / SIP / SMS | EU (Amsterdam) | Adequacy decision |
| Meta Platforms | WhatsApp Cloud API | EU (Ireland) | Adequacy decision |
| Stripe | Payment processing | US/EU | UK IDTA |

6. Security Measures

biflo.ai implements the following technical and organisational security measures:

  • AES-256 encryption at rest for all personal data stored in Supabase
  • TLS 1.3 encryption in transit for all data transmissions
  • Row-Level Security (RLS) in the database - each salon can only access its own data
  • Role-based access controls (RBAC) with least-privilege principles
  • Multi-factor authentication for admin access to production systems
  • Regular security code reviews and dependency audits
  • Supabase hosted in EU (Frankfurt) - EU/UK data residency for stored data
  • Data minimisation - only data necessary for the service is collected and retained

7. Data Retention and Deletion

| Data Type | Default Retention | Configurable |
|---|---|---|
| Call and message transcripts | 30 days | Yes (7-365 days) |
| Caller profiles | Duration of subscription | No |
| Booking records | 7 years | No (legal requirement) |
| All caller data on termination | Deleted within 30 days | Earlier deletion on request |

8. Data Breach Notification

In the event of a personal data breach, biflo.ai will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

The Controller is responsible for notifying the ICO and affected data subjects where required under UK GDPR Articles 33 and 34.

9. Data Subject Rights Assistance

biflo.ai will assist the Controller in responding to data subject rights requests, including: access, rectification, erasure, restriction, portability, and objection. When we receive a direct request from a data subject relating to a specific salon, we will forward it to that salon within 72 hours. We will provide technical assistance to fulfil the request within 28 days.

10. Audit Rights

biflo.ai will make available all information necessary to demonstrate compliance with this DPA upon written request. Where the Controller requires an audit of processing activities, we will facilitate reasonable inspection, subject to reasonable advance notice (minimum 14 days) and at the Controller's cost.

11. Contact and Queries

For data processing queries, to exercise rights, or to report a breach:

KRM Consultants Limited (trading as biflo.ai)
Suite 8 Room 2, Excelsior House, 3-5 Balfour Road, Ilford, Essex IG1 4HP
Email: hello@biflo.ai