ChildcareHub

Data Processing Agreement

Between ChildcareHub Ltd (Data Processor) and nursery/childcare providers (Data Controller) — compliant with Article 28 UK GDPR

This Data Processing Agreement ("DPA") forms part of the agreement between you, the nursery or childcare provider ("Controller"), and ChildcareHub Ltd ("Processor", "we", "us"), and governs the processing of personal data carried out by ChildcareHub on behalf of the Controller in connection with ChildcareHub Premium.

This DPA is entered into automatically when you accept the Premium Terms of Service. It applies for as long as ChildcareHub processes personal data on your behalf.

This DPA is intended to satisfy the requirements of Article 28 of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.

1. Definitions

In this DPA, the following terms have the meanings set out below. Terms not defined here have the meaning given in UK GDPR.

  • Controller — the nursery or childcare provider that determines the purposes and means of processing parent inquiry data. This is you.
  • Processor — ChildcareHub Ltd, which processes personal data on behalf of the Controller. This is us.
  • Personal Data — the personal data described in clause 2 below, being the contact details of parents and carers who submit inquiries via ChildcareHub.
  • Processing — any operation performed on Personal Data, including collection, storage, display, forwarding, and deletion, as described in clause 2.
  • Data Subject — the parent or carer whose personal data is processed.
  • Sub-processor — any third party engaged by ChildcareHub to process Personal Data on behalf of the Controller.
  • UK GDPR — the UK General Data Protection Regulation as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

2. Scope and Purpose of Processing

ChildcareHub processes the following personal data on behalf of the Controller:

| Category | Data types | Data subjects |
|---|---|---|
| Parent inquiry data | Name, email address, phone number, and any message content submitted via inquiry forms on ChildcareHub | Parents and carers seeking childcare from the Controller |

The purpose of processing is to receive parent inquiries submitted via the ChildcareHub platform and to make them available to the Controller. Processing operations are limited to:

  • Receiving and securely storing inquiry submissions
  • Displaying inquiries within the nursery's account dashboard
  • Forwarding inquiry details by email to the nursery contact address
  • Deleting data in accordance with the retention schedule in clause 7

ChildcareHub will not process Personal Data for any purpose other than those set out above, unless required to do so by applicable law, in which case we will inform you before processing (to the extent permitted by law).

3. Data Processor Obligations

In accordance with Article 28(3) UK GDPR, ChildcareHub agrees to:

3.1 Process only on documented instructions

Process Personal Data only on the documented instructions of the Controller, as set out in this DPA and the Premium Terms of Service, unless required by applicable law. Where ChildcareHub is required by law to process Personal Data in a way not covered by those instructions, we will notify you unless that law prohibits us from doing so.

3.2 Confidentiality

Ensure that any person authorised to process Personal Data on our behalf is subject to appropriate obligations of confidentiality, whether under a contractual obligation or a statutory duty.

3.3 Technical and organisational security measures

Implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage, as further described in clause 5.

3.4 Sub-processors

Not engage any sub-processor without the Controller's prior written consent. Where sub-processors are engaged, impose equivalent data protection obligations to those set out in this DPA by way of a written contract. ChildcareHub remains fully liable to the Controller for the acts and omissions of any sub-processor. See clause 4 for the sub-processors to which the Controller gives consent by accepting this DPA.

3.5 Data subject rights

Assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligations to respond to requests from data subjects exercising their rights under Chapter III of the UK GDPR (including rights of access, rectification, erasure, restriction, portability, and objection). See clause 6 for how this works in practice.

3.6 Assistance with security and breach obligations

Taking into account the nature of processing, assist the Controller in ensuring compliance with obligations under Articles 32–36 of the UK GDPR (security of processing, breach notification to the ICO, breach notification to data subjects, and data protection impact assessments). This includes notifying the Controller of any personal data breach without undue delay, and in any event within 24 hours of becoming aware of it (see clause 5.5).

3.7 Deletion or return of data

At the choice of the Controller, delete or return all Personal Data at the end of the service, and delete existing copies, unless UK law requires storage of the Personal Data. See clause 7 for the retention schedule and deletion process.

3.8 Audit and compliance

Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in Article 28 of the UK GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. We may require reasonable advance notice of any audit (not less than 14 days except in the event of a suspected breach).

4. Sub-processors

The Controller provides general written consent to the engagement of the following sub-processors by accepting this DPA. ChildcareHub will ensure each sub-processor is subject to a written contract containing data protection obligations equivalent to those in this DPA.

| Sub-processor | Country | Purpose | Data processed |
|---|---|---|---|
| Stripe Inc | USA | Payment processing for Premium subscriptions | Nursery billing contact details; payment card data (Stripe-tokenised) |
| Supabase Inc | USA | Database hosting and storage | All Personal Data described in clause 2 |
| Vercel Inc | USA | Website hosting and content delivery | Request/response data in transit; server-side logs |

All three sub-processors are located in the United States. Transfers of Personal Data to the USA are made on the basis of Standard Contractual Clauses (UK International Data Transfer Agreements) or equivalent transfer mechanisms approved under UK GDPR.

ChildcareHub will notify the Controller of any proposed changes to this sub-processor list (whether by adding or replacing sub-processors) with at least 30 days' written notice, giving the Controller the opportunity to object to such changes. If the Controller objects and the parties cannot agree a resolution, the Controller may terminate this DPA (and the associated subscription) without penalty.

5. Data Security

Taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, ChildcareHub implements the following technical and organisational measures:

5.1 Encryption in transit

All data transmitted between users and the ChildcareHub platform is encrypted using HTTPS/TLS. Unencrypted connections are rejected.

5.2 Encryption at rest

Personal Data stored in the ChildcareHub database is encrypted at rest by Supabase using AES-256 encryption.

5.3 Access controls

Access to Personal Data is restricted to authorised personnel only, using role-based access controls and authenticated sessions. Nursery account holders can only access inquiries addressed to their own listing.

5.4 Backups

Regular automated backups are maintained by Supabase. Backups are retained for 90 days, after which they are permanently deleted.

5.5 Breach notification

In the event of a personal data breach affecting data processed under this DPA, ChildcareHub will notify the Controller without undue delay and, in any event, within 24 hours of becoming aware of the breach. Notification will include, to the extent available at the time: the nature of the breach; categories and approximate number of data subjects and records affected; likely consequences; and measures taken or proposed to address the breach. This notification is intended to assist the Controller in meeting its own 72-hour reporting obligation to the ICO under Article 33 UK GDPR.

6. Data Subject Rights

The Controller, as the Data Controller, is responsible for responding to data subjects (parents and carers) who exercise their rights under UK GDPR, including rights of access, rectification, erasure, restriction, portability, and objection.

ChildcareHub will assist the Controller in fulfilling such requests where the request concerns Personal Data processed by ChildcareHub on the Controller's behalf. Where a data subject contacts ChildcareHub directly, we will acknowledge the request and promptly refer the data subject to the Controller, unless we are the appropriate party to respond (for example, in relation to our own separate processing as a Data Controller).

To request assistance with a data subject rights request, please contact us at hello@childcarehub.co.uk. We will respond within 5 business days.

7. Data Retention and Deletion

| Data | Retention period | Deletion trigger |
|---|---|---|
| Parent inquiry data (live database) | For the duration of the nursery's active subscription | Deleted within 30 days of subscription cancellation or termination |
| Parent inquiry data (backups) | Up to 90 days after the live data is deleted | Automatically purged after 90 days by Supabase backup rotation |

At the end of a subscription, the Controller may request the return of their inquiry data (in CSV format) by contacting us at hello@childcarehub.co.uk within 14 days of cancellation. After 30 days, the data will be permanently deleted and cannot be recovered.

ChildcareHub may retain anonymised or aggregated data (from which no individual can be identified) after termination for analytical purposes. This is not subject to the deletion obligations above.

8. Liability and Indemnification

Each party is responsible for its own compliance with applicable data protection law, including UK GDPR and the Data Protection Act 2018.

If ChildcareHub causes a breach of the Controller's data protection obligations by acting outside or contrary to the lawful instructions of the Controller, ChildcareHub may be held liable for that part of the damage attributable to its own fault, in accordance with Article 82 UK GDPR.

ChildcareHub's total liability under or in connection with this DPA (whether in contract, tort, negligence, or otherwise) shall not exceed the limitations set out in the Premium Terms of Service.

Nothing in this DPA limits either party's liability for fraud, death or personal injury caused by negligence, or any other liability that cannot lawfully be excluded.

9. Term and Termination

This DPA is effective from the date the Controller accepts the Premium Terms of Service and shall remain in force for as long as ChildcareHub processes Personal Data on behalf of the Controller.

This DPA terminates automatically upon expiry or termination of the Premium subscription. Termination of this DPA does not affect the validity of any other agreement between the parties.

Upon termination, the data deletion obligations in clause 7 apply. ChildcareHub will confirm to the Controller in writing when deletion is complete if requested.

10. Governing Law

This DPA is governed by the laws of England and Wales. The UK GDPR and the Data Protection Act 2018 apply to all processing carried out under this DPA. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

A note about your business contact details

This DPA covers ChildcareHub's processing of parent inquiry data as your Data Processor. For information on how we process your business contact details (such as your name, email, and phone number) as a nursery provider in our own capacity as a Data Controller, please see our Privacy Notice.

11. Contact

If you have any questions about this DPA or your data protection obligations, please contact us at hello@childcarehub.co.uk.

This DPA was last updated on 20 February 2026.