GDPR Article 28-compliant agreement between Tailro (Processor) and merchants (Controller).
Effective date: March 29, 2026
Data Controller
The merchant ("you") — the business entity that has signed up for Tailro and uses the platform to manage appointments for their end customers.
Data Processor
Tailro — the SaaS appointment scheduling platform that processes personal data on behalf of the Controller.
Contact: [email protected]
| Item | Detail |
|---|---|
| Subject matter | Processing of appointment booking and customer management data on behalf of the Controller's business |
| Nature of processing | Storage, retrieval, updating, email notification delivery, Shopify synchronisation, analytics aggregation |
| Purpose of processing | Delivery of the Tailro appointment scheduling service as described in the Terms of Service |
| Duration of processing | For the duration of the active subscription; data is deleted within 30 days of account closure (except payment records, which are retained for 7 years) |
| Categories of data subjects | End customers of the merchant (individuals who book appointments) |
| Categories of personal data | Name, email address, phone number, appointment history (date, time, service, staff, status, price paid), payment transaction references |
Tailro will only process personal data on the documented instructions of the Controller (i.e. as necessary to deliver the agreed service). Tailro will inform the Controller if it believes any instruction infringes applicable data protection law.
Tailro ensures that all personnel authorised to process personal data are under an appropriate duty of confidentiality (whether by contractual obligation or statutory duty).
Tailro implements the following technical and organisational security measures:
Tailro engages the following sub-processors to deliver the service. The Controller grants general authorisation for these sub-processors:
| Sub-Processor | Purpose | Data Transferred |
|---|---|---|
| Razorpay | Payment processing for merchant subscriptions and customer appointment payments | Billing amounts, transaction references (no card/UPI data stored by Tailro) |
| Google (Calendar API) | Appointment synchronisation to merchant's Google Calendar | Appointment title, date/time, staff name, meeting URL |
| Google (OAuth) | Merchant and customer authentication via Google Sign-In | Email address, name, Google sub-ID |
| Shopify | Merchant store integration and customer sync | Customer name, email, phone number |
| Cloudflare (R2 Storage) | File storage and CDN delivery for logos, images, invoices | Uploaded files (logos, gallery images, invoice documents) |
| Cloudflare (Custom Domains) | SSL/DNS management for merchant custom booking domains | Merchant's custom domain hostname |
| SMTP Email Provider | Transactional email delivery (appointment confirmations, reminders, OTPs) | Recipient email address, appointment details |
Tailro will notify the Controller at least 30 days in advance of any intended changes to sub-processors (additions or replacements), giving the Controller the opportunity to object.
Tailro will provide reasonable assistance to the Controller in fulfilling its obligations to respond to data subjects' requests to exercise their rights (access, erasure, rectification, portability, restriction, objection) — taking into account the nature of the processing.
In the event of a personal data breach affecting the Controller's data, Tailro will notify the Controller without undue delay after becoming aware of the breach, providing sufficient information for the Controller to meet its regulatory notification obligations.
Upon termination of the service agreement, Tailro will, at the Controller's choice, delete or return all personal data processed under this DPA, and delete existing copies — unless storage is required by applicable law (e.g. payment records, which are retained for 7 years).
Tailro will make available to the Controller all information reasonably necessary to demonstrate compliance with GDPR Article 28 obligations, and will allow for and contribute to audits or inspections conducted by the Controller or an auditor mandated by the Controller, subject to reasonable advance notice and confidentiality obligations.
Tailro and its sub-processors may process personal data outside the European Economic Area (EEA). Where such transfers occur, Tailro will ensure that appropriate safeguards are in place, including:
The Controller (merchant) agrees to:
This DPA is governed by the laws of India, consistent with the Terms of Service. Where EU GDPR applies, both parties agree to comply with their respective obligations under GDPR.
For questions about this DPA or to request a signed copy, contact us at [email protected].
© 2026 Tailro. All rights reserved.