Data Processing Agreement

    Clinic Membership by Apavai Ltd

    Last updated: May 2026

    1. Parties and roles

    This Data Processing Agreement ("DPA") forms part of the agreement between you, the clinic or business using Clinic Membership ("Controller", "you"), and Apavai Ltd, trading as Clinic Membership, company number 17036797, registered office 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ ("Processor", "we", "us").

    You act as the data controller for personal data relating to your patients and members. We act as your data processor when we process that personal data on your behalf through the Clinic Membership platform, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

    2. Subject matter and duration

    We process personal data to provide the Clinic Membership service, including membership management, patient records you enter, bookings, invoicing, communications, and payment processing integrations. Processing continues for the duration of your subscription and, after termination, until you delete the data or we delete it in line with our retention policies.

    3. Nature and purpose of processing

    Processing includes storing, organising, retrieving, using, disclosing (where you direct), and deleting personal data as necessary to:

    • Host and operate your clinic's membership and patient accounts
    • Process membership applications, agreements, and payments via Stripe Connect on your connected account
    • Send service-related emails and notifications you configure
    • Provide scheduling, reporting, and support features you enable
    • Maintain security, backups, and audit logs

    4. Types of personal data and data subjects

    Categories of data subjects include your patients, members, and staff users you invite. Categories of personal data may include:

    • Identity and contact details (name, email, phone, address)
    • Membership and treatment plan information
    • Booking and attendance records
    • Payment and transaction metadata (card data is processed by Stripe; we do not store full card numbers)
    • Communications and notes you record in the platform
    • Technical logs (IP address, device/browser data) for security and support

    5. Your obligations as controller

    You warrant that you have a lawful basis and, where required, appropriate consents to process personal data and to instruct us as processor. You are responsible for the accuracy of data you upload and for providing privacy information to your patients. You will not instruct us to process personal data in breach of UK GDPR.

    6. Our obligations as processor

    We will:

    • Process personal data only on your documented instructions, including as set out in this DPA and your use of the platform
    • Ensure persons authorised to process personal data are bound by confidentiality
    • Implement appropriate technical and organisational measures to protect personal data
    • Assist you, where reasonably possible, with data subject requests and your compliance obligations
    • Notify you without undue delay after becoming aware of a personal data breach affecting your data
    • At your choice, delete or return personal data when you cease using the service, subject to legal retention requirements
    • Make available information necessary to demonstrate compliance and allow audits on reasonable notice, subject to confidentiality and security

    7. Sub-processors

    You authorise us to engage sub-processors who assist in providing the service. Key sub-processors include Stripe (payments), Railway (application hosting and database), Vercel (frontend hosting and CDN), Resend (email delivery), Cloudflare (security, CDN, and backup storage), Sentry (error monitoring), and, where a clinic enables it, Google (Calendar sync). We impose data protection terms on sub-processors that are substantially similar to this DPA. We will inform you of material changes to sub-processors where required by law. A current list is available on request or in our Privacy Policy.

    8. International transfers

    Personal data is processed using infrastructure hosted in the United States (including our primary database and API servers) and may be processed in other countries where our sub-processors operate. Where personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place, including the UK International Data Transfer Agreement and/or UK Addendum to the EU Standard Contractual Clauses, and data protection terms with our sub-processors.

    9. Security

    We maintain administrative, physical, and technical safeguards appropriate to the risk, including encryption in transit, access controls, regular backups, and ongoing monitoring. Details of our security practices may be provided on request.

    10. Liability

    Each party's liability under this DPA is subject to the limitation of liability in our Terms and Conditions. Nothing in this DPA limits either party's liability for breaches of UK GDPR where liability cannot be limited by law.

    11. Contact

    For data protection enquiries or general support, contact us via the contact form on our website.