This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the practice (“Controller”) and Meihua Future Manufacturing LIMITED operating Bookwell (“Processor”). It governs processing of personal data — including patient data — that the Processor performs on behalf of the Controller.
A signed counterpart is available for practices that require one. Request it at legal@trybookwell.com; this online version applies by default to all paid accounts.
The practice is the Controller and determines the purposes of processing. Bookwell is the Processor and acts only on documented instructions from the Controller, except where law requires otherwise. Bookwell does not use patient data for its own purposes, model training, or advertising.
Processing covers the lifetime of the Controller’s account and the categories of data necessary to operate scheduling, patient records, reminders, messaging, and payments. On termination, data is deleted or returned per the retention terms below.
Bookwell uses a limited set of subprocessors for hosting, SMS/email delivery, and payment processing. Each is bound by data-protection terms no less protective than this DPA. The current list is available on request at legal@trybookwell.com; material changes are notified with a reasonable objection window.
The Processor maintains the technical and organisational measures described on the Security page, including encryption in transit and at rest, access control, and audit logging. Measures may evolve but will not materially decrease the protection of personal data during the term.
Where personal data of EU/UK data subjects is transferred outside the originating jurisdiction, transfers are made under appropriate safeguards such as Standard Contractual Clauses, supplemented by the security measures above.
The Processor will assist the Controller in responding to data-subject requests and will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller’s data, with information sufficient to meet the Controller’s own notification obligations.
On account termination, the Controller may export its data for 30 days. After that window, patient data is deleted from production systems, with encrypted backups expiring on their normal rotation. Specific retention requirements can be agreed in a signed counterpart.