Last updated: March 2026
Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Three Chapters Ltd (“Processor”, “we”, “us”) and the customer (“Controller”, “you”) who uses the Three Chapters wedding CRM service.
This DPA sets out the terms on which we process personal data on your behalf in accordance with UK GDPR, EU GDPR (Regulation 2016/679), and the Data Protection Act 2018.
1. Definitions
In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given in the applicable data protection legislation.
- Controller — You, the photographer or wedding professional who uses Three Chapters to manage your client data. You determine the purposes and means of processing personal data relating to your couples and clients.
- Processor — Three Chapters Ltd, registered in England and Wales, with registered address at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. We process personal data on your behalf in order to provide the Three Chapters CRM service.
- Personal data — Any information relating to an identified or identifiable natural person, as defined in Article 4(1) of UK/EU GDPR.
- Data subjects — The individuals whose personal data is processed under this DPA, primarily your couples, clients, and their guests (where applicable).
- Processing — Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and erasure.
- Sub-processor — A third party engaged by Three Chapters to process personal data on behalf of the Controller.
- Services — The Three Chapters wedding CRM platform, including all features, edge functions, storage, and communications functionality.
- Applicable data protection law — UK GDPR, EU GDPR (Regulation 2016/679), the Data Protection Act 2018, the Australian Privacy Act 1988, the California Consumer Privacy Act (as amended by CPRA), and any successor or supplementary legislation.
2. Scope of processing
This section describes the nature, purpose, and scope of the processing we carry out on your behalf.
Subject matter and purpose
Three Chapters processes personal data solely to provide the wedding CRM service to you. This includes storing and organising your client records, facilitating communications, generating invoices and proposals, and providing performance insights about your business.
Categories of data subjects
- Couples and clients who enquire about or book your services
- Guests (where you store guest list information)
- Venue contacts and other wedding suppliers you collaborate with
Types of personal data
- Names, email addresses, phone numbers, and postal addresses
- Wedding date, venue, and event details
- Communication history (emails, notes, messages)
- Financial information (invoice amounts, payment records)
- Documents and files uploaded to the platform (contracts, questionnaires, images)
- Booking form submissions and proposal engagement data
- Any other personal data you choose to store in the CRM
Duration of processing
We process personal data for the duration of our agreement with you (i.e. while your Three Chapters account is active), plus any retention period required by law or specified in our Privacy Policy.
Nature of processing
Processing operations include: collection (via booking forms and manual entry), storage, organisation, retrieval, display, transmission (emails, notifications), and erasure upon account closure or data deletion request.
3. Processor obligations
As your data processor, Three Chapters undertakes the following obligations:
Lawful processing
- Process personal data only on your documented instructions, unless required to do so by applicable law. If we are required by law to process data beyond your instructions, we will inform you before doing so (unless the law prohibits this).
- Not process personal data for any purpose other than providing the Services to you.
- Immediately inform you if, in our opinion, an instruction from you infringes applicable data protection law.
Confidentiality
- Ensure that all personnel authorised to process personal data are subject to appropriate confidentiality obligations.
- Limit access to personal data to those personnel who need it to perform their duties.
Assistance
- Assist you, by appropriate technical and organisational measures, in fulfilling your obligation to respond to data subject requests (access, rectification, erasure, restriction, portability, and objection).
- Assist you in ensuring compliance with your obligations under Articles 32 to 36 of UK/EU GDPR (security, breach notification, data protection impact assessments, and prior consultation).
Deletion and return of data
- Upon termination of the Services, delete all personal data processed on your behalf within 30 days, unless retention is required by applicable law (e.g. financial records for tax purposes).
- Before deletion, provide you with the ability to export your data in a structured, machine-readable format.
4. Controller obligations
As the data controller, you are responsible for:
- Ensuring that you have a lawful basis for processing the personal data of your couples and clients (e.g. legitimate interests, contract performance, or consent).
- Providing appropriate privacy notices to your data subjects, informing them that you use Three Chapters as a data processor and explaining how their data will be used.
- Ensuring that any personal data you input into Three Chapters is accurate and up to date.
- Complying with all applicable data protection laws in relation to the personal data you control, including responding to data subject requests.
- Not uploading special category data (e.g. health data, religious beliefs, sexual orientation) unless you have obtained explicit consent from the data subjects and informed us in advance.
- Issuing documented processing instructions to us that comply with applicable data protection law.
We provide a template couple privacy notice at threechapters.app/couple-privacy-notice that you can adapt and share with your clients. This is a starting point only and does not constitute legal advice.
5. Sub-processors
You provide general written authorisation for us to engage the sub-processors listed below to process personal data on your behalf. Each sub-processor is bound by data processing obligations no less protective than those set out in this DPA.
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase, Inc. | Database hosting, authentication, file storage | EU (Frankfurt, Germany) | Standard Contractual Clauses (SCCs) |
| Resend, Inc. | Transactional email delivery (booking confirmations, reminders, invoices) | United States | Standard Contractual Clauses (SCCs) |
| Stripe, Inc. | Payment processing (subscription billing, invoice payments) | United States / European Union | Standard Contractual Clauses (SCCs), PCI DSS Level 1 |
| Cloudflare, Inc. | Website hosting, content delivery, DDoS protection | Global edge network (primary processing in EEA/UK) | Standard Contractual Clauses (SCCs) |
| Anthropic, PBC | AI-assisted text generation (email draft suggestions, when used) | United States | Standard Contractual Clauses (SCCs) |
Changes to sub-processors
We will notify you at least 30 days before adding or replacing a sub-processor by updating this page and, where you have opted in, sending you an email notification. If you have a reasonable objection to a new sub-processor, you may notify us in writing within 14 days of our notification. We will work with you in good faith to find a resolution. If no resolution can be reached, you may terminate the affected Services without penalty.
6. Data security measures
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of UK/EU GDPR. These measures include, but are not limited to:
Encryption
- All data encrypted in transit using TLS 1.2 or higher
- All data encrypted at rest using AES-256
- Database connections secured via SSL/TLS
Access control
- Row Level Security (RLS) on every database table, scoping all data to the photographer's team
- Role-based access with principle of least privilege
- JWT-based authentication with short-lived tokens
- No shared database credentials between tenants
Infrastructure
- Hosted on SOC 2 Type II certified infrastructure (Supabase / AWS)
- Automated backups with point-in-time recovery
- DDoS protection via Cloudflare
- Edge functions isolated per request
Organisational
- Background checks for all personnel with access to production systems
- Mandatory security awareness training
- Documented incident response procedures
- Regular review of access privileges
We regularly review and update these measures to reflect changes in technology, threats, and our processing activities. A full description of our security practices is available in our Privacy Policy.
7. Data breach notification
In the event of a personal data breach (as defined in Article 4(12) of UK/EU GDPR), we will:
- Notify you without undue delay and in any event within 72 hours of becoming aware of the breach, providing sufficient information to allow you to meet your own obligations to report the breach to the relevant supervisory authority.
- Provide the following information (to the extent available at the time of notification, with further details supplied as they become known):
  - A description of the nature of the breach, including the categories and approximate number of data subjects and records affected
  - The name and contact details of our point of contact for further information
  - A description of the likely consequences of the breach
  - A description of the measures taken or proposed to address the breach, including mitigation of its adverse effects
- Cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
- Not notify any data subject directly about the breach without your prior written approval, unless required to do so by applicable law.
- Document all breaches, including the facts, effects, and remedial actions taken, and make this documentation available to you on request.
Breach notifications will be sent to the email address associated with your Three Chapters account. Please ensure this is kept up to date and monitored.
8. Data subject rights
We will assist you in responding to requests from data subjects exercising their rights under applicable data protection law, including:
- Right of access — Providing copies of personal data we hold on your behalf.
- Right to rectification — Correcting inaccurate or incomplete personal data.
- Right to erasure — Deleting personal data when there is no lawful reason to continue processing it.
- Right to restriction — Pausing processing while a dispute or request is resolved.
- Right to data portability — Providing personal data in a structured, commonly used, machine-readable format.
- Right to object — Ceasing processing based on legitimate interests where the data subject objects.
If we receive a request directly from one of your data subjects, we will promptly redirect them to you (as the Controller) unless applicable law requires us to respond directly. We will not respond to data subject requests without your prior authorisation, except to acknowledge receipt and redirect.
Three Chapters provides self-service tools within the CRM to help you fulfil data subject requests, including data export and deletion features accessible from your account settings. Couples can also submit data requests via the client portal.
9. International data transfers
Your primary data is stored in the European Union (Frankfurt, Germany) via Supabase. However, some sub-processors are located outside the EEA/UK, primarily in the United States.
Transfer mechanisms
Where personal data is transferred outside the EEA/UK, we ensure appropriate safeguards are in place in accordance with Chapter V of UK/EU GDPR:
- Standard Contractual Clauses (SCCs) — We have entered into SCCs (as approved by the European Commission and the UK Information Commissioner's Office) with each sub-processor that processes data outside the EEA/UK.
- UK International Data Transfer Agreement (IDTA) — Where applicable, we use the UK IDTA or the UK Addendum to the EU SCCs for transfers from the UK.
- Supplementary measures — We implement supplementary technical measures (such as encryption in transit and at rest) where needed to ensure an essentially equivalent level of protection.
Transfer impact assessments
We conduct transfer impact assessments for each sub-processor located outside the EEA/UK, evaluating the legal framework in the recipient country and the effectiveness of the safeguards in place. These assessments are updated periodically and are available on request.
10. Term and termination
This DPA takes effect when you create a Three Chapters account and remains in force for the duration of our provision of the Services to you.
On termination
- You may export your data at any time using the data export features in your account settings.
- Upon termination or expiry of the Services, we will delete all personal data processed on your behalf within 30 days, unless retention is required by applicable law.
- Financial records (invoices, payment history) may be retained for up to 7 years to comply with UK tax obligations.
- We will provide written confirmation of deletion upon your request.
Survival
The obligations in this DPA that by their nature should survive termination (including confidentiality, data deletion, and breach notification) will continue to apply after the termination of the Services.
11. Audit rights
We will make available to you all information reasonably necessary to demonstrate compliance with our obligations under this DPA and applicable data protection law.
Audit process
- You may request an audit of our data processing activities no more than once per calendar year, with at least 30 days' prior written notice.
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt our operations.
- You (or your appointed independent auditor) may inspect our processing facilities, interview staff, and review relevant documentation, subject to reasonable confidentiality protections.
- We may satisfy audit requests by providing relevant certifications, audit reports (e.g. SOC 2 reports from our infrastructure providers), or other documentation that demonstrates compliance.
Costs
Each party bears its own costs in connection with any audit. If you require an audit beyond the scope described above, we may charge a reasonable fee to cover our costs, which we will agree with you in advance.
12. Contact
If you have questions about this DPA, our data processing practices, or wish to exercise any of the rights described in this agreement, please contact us:
- Email — privacy@threechapters.app
- Post — Three Chapters Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
For complaints about our data processing, you may also contact the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority if you are based in the EU.
If you are based in Australia, you may also contact the Office of the Australian Information Commissioner (oaic.gov.au), phone 1300 363 992.