RealHealers

Data Processing Agreement (DPA)

Cooperation between RealHealers and the practitioner regarding client-data processing (GDPR Art. 26 / 28).

Last updated: 2026-05-05

1. Scope

This DPA governs the obligations of RealHealers and the practitioner regarding the processing of client personal data when sessions are booked through the platform.

Effective from the moment the practitioner accepts the onboarding terms ("Accept DPA" checkbox) until account closure.

2. Roles

RealHealers (HealersTeam Witkowski, Switzerland) — platform operator, processor (Art. 28 GDPR) for the booking, Stripe Connect, calendar and communication services it provides.

Practitioner — independent service provider, controller of client personal data in the scope of the sessions delivered.

Where purposes and means are jointly determined (e.g. shared booking system), joint controllership (Art. 26 GDPR) may apply. Final classification subject to lawyer review.

3. Data and purposes

Client identifiers (name, email, optional phone), booking data, optional "reason for visit" (Art. 9 GDPR with explicit consent), in-platform communication.

Purposes: contract performance (Art. 6(1)(b)), accounting obligations (Art. 6(1)(c)), platform security and fraud prevention (Art. 6(1)(f)).

4. Obligations

Practitioner: process only for session delivery and accounting; no third-party disclosure without consent; basic security (strong passwords, no PII over unencrypted channels); report security incidents to info@realhealers.com within 24h; honour erasure requests except where retention is legally required.

RealHealers: technical safeguards (encryption, TLS 1.2+, RLS, MFA for admins), DPAs with subprocessors, processing-activities register, data-subject rights tooling (/api/data/export, /api/account/delete), 72h FDPIC breach notification per Art. 33 GDPR + revFADP Art. 24.

5. Subprocessors and cross-border transfer

Subprocessor list published in the Privacy Policy (section 4); changes communicated 30 days in advance.

Practitioner may object on reasoned grounds and terminate the DPA with 60-day notice if the objection isn't accommodated.

Transfers to US-based subprocessors (Stripe, Resend, Anthropic, Mapbox) rely on Standard Contractual Clauses (EU Decision 2021/914). Switzerland has an EU adequacy decision.

6. Termination

Upon account closure, practitioner data is deleted or anonymised within 30 days (except records under legal retention).

JSON export available on request (Art. 20 GDPR).

Clients with upcoming bookings are notified of the closure.
