Skip to content

Launch offer £4.99/mo + £1.99 each extra, 6 months. Use code LAUNCH2026

Back home

Data Processing Agreement

Last updated: 12 June 2026

This Data Processing Agreement ("DPA") forms part of our terms of service and sets out how WhealBit (a sole trader, "StayBinder", "we") processes personal data on behalf of a host. It is designed to meet Article 28 of the UK GDPR. It is plain-language copy and not a substitute for legal advice.

1. Roles of the parties

For the guest data collected through a host's guides, the host is the controller and StayBinder is the processor. For the host's own account and billing data, StayBinder is the controller (see our privacy notice).

2. Subject-matter, duration, nature and purpose

We process guest personal data only to provide the StayBinder service to the host, namely publishing welcome guides and collecting the guest submissions the host enables. Processing lasts for as long as the host's account is active, and then for the short period described in clause 9.

3. Personal data and data subjects

  • Data subjects: the host's guests, who view a guide and may choose to submit information.
  • Categories of data: an optional guestbook name and message; stay-feedback rating, sentiment, message and optional contact detail; and reported-issue descriptions. Guests are not required to provide a name or contact detail.

4. Our obligations as processor

  • Instructions. We process guest data only on the host's documented instructions, including as set out in the terms and this DPA, unless required by law.
  • Confidentiality. People authorised to process the data are bound by appropriate confidentiality obligations.
  • Security (Art. 32). We apply appropriate technical and organisational measures, including encryption in transit, access controls, and tenancy isolation enforced at the database level (row-level security), on managed, reputable infrastructure.

5. Sub-processing

The host gives general authorisation for us to engage the sub-processors listed on our sub-processor page. We impose data protection terms on each that are no less protective than this DPA, and we will give notice of any intended change so the host can object.

6. International transfers

Our core platform (Supabase) hosts data in the UK / EEA. Where a sub-processor transfers data outside the UK, the transfer is protected by the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or an adequacy decision.

7. Assisting the host

Taking into account the nature of the processing, we assist the host in responding to data-subject requests and in meeting their security, breach and impact-assessment obligations, so far as the service allows.

8. Personal-data breach

If we become aware of a personal-data breach affecting guest data, we will notify the host without undue delay and provide the information the host reasonably needs to meet their own notification duties.

9. Deletion and return on termination

When a host closes their account, deletion cascades through our systems: account, property and guest-submission records are removed, and associated uploaded images are purged from storage. We delete or return guest data after the end of the service, except where the law requires us to retain it.

10. Audit

We make available the information reasonably necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, on reasonable notice and subject to confidentiality.

11. Precedence and contact

In the event of a conflict between this DPA and the terms of service on a matter of personal-data processing, this DPA prevails. Questions can be sent to info@staybinder.co.uk.