Data Processing Addendum

Last updated: 27 May 2026. This Data Processing Addendum forms part of the Terms & Conditions for provider customers using ChildLogs as a processor.

1. Scope and roles

When a provider uses ChildLogs to enter, store, organise, share, or otherwise process childcare records or related personal data for its own purposes, the provider is normally the data controller and ChildLogs acts as the processor for that provider data.

This addendum applies only to that processor relationship. It does not override cases where ChildLogs acts as a controller for its own account administration, security, support, service diagnostics, fraud prevention, or business records.

2. Subject matter, duration, nature, and purpose

The subject matter of the processing is the provision of childcare software, parent portal, document acknowledgement, visitor logging, invoicing, notifications, and related support features. Processing continues for as long as the provider uses the service and for any limited retention period reasonably required for security, backups, dispute handling, or lawful winding-down of the service relationship.

3. Types of personal data and categories of data subjects

Depending on how the provider uses the service, processing may include provider account details, staff user details, parent and guardian details, child profile data, emergency contacts, attendance records, care records, incidents, medication notes, observations, uploaded files, signatures, visitor log data, invoice records, payment-related references, and associated technical records.

Data subjects may include provider owners, staff members, parents, guardians, emergency contacts, children, visitors, and invoice recipients or payers.

4. Controller instructions

ChildLogs will process provider-controlled personal data only on the provider’s documented instructions, including the provider’s use of the live product, configured settings, support requests, and other written directions, unless processing is required by applicable law.

If ChildLogs believes an instruction infringes applicable data protection law, we may pause the relevant processing and notify the provider where legally permitted.

5. Confidentiality

ChildLogs will ensure that people authorised to process provider-controlled personal data are subject to appropriate confidentiality obligations.

6. Security measures

ChildLogs will implement and maintain reasonable technical and organisational measures designed to protect provider-controlled personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures may include account authentication controls, role-based access controls, encrypted transport, audit-style event records for key actions, signed file access where appropriate, environment-based secret management, and backup or resilience safeguards suitable for the service.

7. Subprocessors and service providers

The provider authorises ChildLogs to use subprocessors and infrastructure providers where reasonably necessary to operate the service. These may include hosting and virtual server providers, database and infrastructure services, S3-compatible object storage providers including Hetzner object storage where configured, email delivery or SMTP infrastructure, web push infrastructure, and Stripe for subscription billing, connected account onboarding, hosted invoice payments, and related payment events.

ChildLogs will remain responsible for managing those providers in a manner consistent with applicable processor obligations.

8. International transfers

Where provider-controlled personal data is transferred outside the UK and the transfer is not covered by UK adequacy regulations, ChildLogs will aim to use an appropriate transfer mechanism, such as the UK International Data Transfer Agreement, the UK Addendum, or another lawful safeguard or exception permitted under applicable data protection law.

9. Assistance with data subject rights

Taking into account the nature of the processing and the information available to us, ChildLogs will provide reasonable assistance to help the provider respond to requests relating to access, correction, deletion, restriction, portability, or objection, where the provider cannot reasonably fulfil the request without that assistance.

10. Security incidents and breach support

If ChildLogs becomes aware of a personal data breach affecting provider-controlled personal data, we will notify the affected provider without undue delay and provide reasonable information available to us to help the provider assess and meet its own reporting or notification obligations.

11. Audits and information

On reasonable request, ChildLogs will make available information reasonably necessary to show that it is meeting its processor obligations under this addendum. Formal audit requests must be proportionate, limited to provider-controlled processing, and must not require access that would compromise the confidentiality, security, or rights of other customers or systems.

12. Deletion or return at end of service

At the end of the provider’s use of the service, ChildLogs will aim to delete or place provider-controlled personal data beyond active use within a reasonable period, except where data must be retained for lawful reasons, system integrity, backups, fraud prevention, security, dispute handling, or evidential record preservation. Immediate deletion from backups may not always be technically possible, but retained backup data will remain subject to appropriate safeguards until it is overwritten or securely deleted in the normal cycle.

13. Provider responsibilities

Providers remain responsible for determining their lawful basis, any special category condition, retention obligations, safeguarding decisions, parent access permissions, document suitability, invoice accuracy, and whether the service’s records, signatures, audit history, or exports are sufficient for the provider’s own legal or regulatory needs.

14. Contact

If you need help with this addendum or processor-related questions, email info@childlogs.com.