Kimshi Simple
Kimshi Simple
OverviewSee how Kimshi Simple helps kids clubs calm bookings, registers, payments, and parent messages.What is Kimshi Simple?Understand how the product keeps club admin connected without adding more busywork.FeaturesExplore the tools for bookings, registers, payments, parent updates, and day-to-day club admin.PricingSee what happens after a preview and how live club plans work.MomentumSee how prepared follow-up helps with parent questions and schedule changes.SecurityReview platform security, compliance, and protection practices.
Kids Clubs
BlogArticles about operating session-based businesses and using the platform.HelpSupport for sign-in, MFA, and account access.ContactGet in touch about the product, setup, or your use case.
Company
Sign inGet started

Data Processing Addendum

Last updated: 2026-05-21

1. Parties

This Data Processing Agreement (“DPA”) is between:

  • The Company (“Processor”)
  • The Customer (“Controller”)

This DPA forms part of the Terms of Service.

2. Purpose

The Processor will process personal data on behalf of the Controller for:

  • Website hosting
  • Bookings and scheduling
  • Staff and client management
  • Family, attendee, and participant profile management
  • Restricted sensitive-data workflows where enabled and used by the Controller
  • File storage

3. Data Categories

Controller may store:

  • Names
  • Email addresses
  • Phone numbers
  • Addresses
  • Children’s names and participant details
  • Family and guardian relationships
  • Booking, attendance, and payment status information
  • Staff details, roles, suitability records, and safety-check information
  • Uploaded images/files

Where the Controller chooses to enable or use restricted sensitive-data features, the Processor may also process special-category personal data and other sensitive operational records on the Controller’s documented instructions. This may include health information, allergies, medical conditions, medication or equipment needs, disability or access needs, dietary requirements, emergency instructions, welfare notes, safeguarding-related information, incident records, and staff suitability or safety-check records.

The Controller is responsible for deciding what sensitive information is collected, identifying the applicable lawful basis and special-category condition, providing privacy information to data subjects, and ensuring that any additional legal requirements are met. The Processor does not require Controllers to collect special-category data and processes such data only to provide the Service and comply with the Controller’s documented instructions.

4. Processing Location

Primary processing:

  • eu-west-1 (Ireland)
  • eu-west-2 (London)

Supporting processing:

  • us-east-1 (Virginia) (AWS services)
  • CloudFront global edge network

5. Subprocessors

Processor may use subprocessors listed in the Subprocessor Disclosure.

6. International Transfers

Where data is transferred outside the UK/EU, Processor relies on:

  • Standard Contractual Clauses (SCCs)
  • UK GDPR Addendum

7. Security Measures

Processor implements:

  • Encryption
  • Role-based access controls, including restricted owner/admin access for sensitive records
  • Separate restricted endpoints for client, staff, and booking sensitive data
  • Audit logging for sensitive-data access and changes
  • Restricted reveal of sensitive booking data in the admin area
  • Network isolation
  • Monitoring and logging
  • Backup and recovery

Details in our Security & Data Protection page.

8. Controller Obligations

Controller must:

  • Identify and document the lawful basis for personal data collected
  • Identify and document the applicable special-category condition before collecting special-category data
  • Obtain consent where consent is the Controller’s chosen lawful route
  • Comply with applicable laws
  • Provide appropriate privacy information to clients, parents, guardians, staff, and participants
  • Avoid collecting unnecessary sensitive information
  • Respond to data subjects’ rights

9. Processor Obligations

Processor will:

  • Only process data on documented instructions
  • Ensure confidentiality
  • Notify Controller of breaches
  • Assist with Data Subject Rights
  • Assist with DPIAs
  • Delete or return data on termination

10. Data Breach

Processor will notify Controller without undue delay of breaches involving personal data.

11. Termination

Upon termination:

  • Data is deleted within 90 days
  • Backups expire automatically within their lifecycle

Contact

privacy@kimshisimple.com