TERMS AND POLICIES
Data Processing Addendum (DPA)
Effective Date: July 7, 2025
This Data Processing Addendum (“DPA”) forms part of the Hotel Jean Privacy Policy and governs how Hotel Jean (“we,” “us,” “our”) processes personal data on behalf of our clients (“you,” “your”) when providing services including brand identity, copywriting, design, website strategy, social media, and communications support.
This Data Processing Addendum (“DPA”) forms part of the agreement between Hotel Jean and its clients and governs the processing of personal data on behalf of clients in accordance with the Australian Privacy Act 1988 (Cth) and, where applicable, the EU General Data Protection Regulation (GDPR).
By using or accessing any of our Websites or Services, you agree to the terms of this DPA, which supplements the Hotel Jean Privacy Policy.
Table of Contents
1. Summary
Hotel Jean processes personal data on behalf of clients only to provide services, support, and communications. We implement strict security measures, assist with privacy requests, and ensure compliance with applicable data protection laws, including cross-border safeguards. Data is retained only as necessary and can be securely returned or deleted upon request.
2. Definitions & Interpretation
For the purposes of this DPA:
2.1. “Controller” means the entity that determines the purposes and means of processing personal data.
2.2. “Hotel Jean,” “we,” “us,” or “our” means Hotel Jean (our successors and assigns) or any person acting with authority from Hotel Jean.
2.3. “Processor” means Hotel Jean when processing personal data on your behalf.
2.4. “Personal Data” means any information relating to an identified or identifiable individual.
2.5. “Data Subject” means the individual to whom personal data relates.
2.6. “Processing” has the meaning given under applicable privacy or data protection laws, including the GDPR, CCPA, or Australian Privacy Principles.
2.7. “Sub-Processor” means any third-party engaged by Hotel Jean to process personal data on our behalf.
2.8. “Applicable Laws” means any data protection or privacy law applicable to your personal data, including:
Australia: Privacy Act 1988 (APPs)
EU: GDPR 2016/679
UK: UK GDPR
US: CCPA and other applicable state laws
2.9. “Client,” “you,” or “your” means the Client purchasing Services from us or any person acting on your behalf.
2.10. GDPR means Regulation (EU) 2016/679.
2.11. “Services” includes all incidental items, advice, designs, website development, branding, marketing, photography, copywriting, social media support, project management, and any other services provided by Hotel Jean. This includes but is not limited to any printed or virtual material, content calendars, social media support, website design, copywriting, samples, designs, drawings, images, graphics, advertising, search engine optimisation, publication, data, files, information or other associated documentation and goods, software, or any advice or recommendations, personal development, Website development, graphic design, consultancy, marketing assessment, brand development, integration of strategies, analysis, project management, videography, photography, or media sourcing, provided by us at your request from time to time (and where the context permits, the terms Incidental Items or Services shall be interchangeable for the other).
2.12. “Agreement” means our terms & conditions of trade, including this Privacy Policy, any SLA, orders, purchases, or schedules.
2.13. “Cookies” means small files stored on a user’s computer or device, holding data specific to a particular Client or Website.
2.14. “Personal Information” has the meaning given under the Privacy Act 2020 (NZ), the GDPR, or other applicable data protection legislation.
2.15. “Website” means a location accessible on the internet providing multimedia content via a graphical user interface.
2.16. Headings are for convenience only. References to legislation include all related regulations, instruments, guidelines, or amendments.
3. Roles and Responsibilities
3.1 Client as Controller
The Client acts as the Controller (under GDPR) and is responsible for ensuring that Personal Data is collected and provided to Hotel Jean lawfully. The Client act as the Controller of personal data collected from your clients, customers, or users.3.2 Hotel Jean as Processor
Hotel Jean acts as a Processor (under GDPR) and as a service provider or processor under the Privacy Act when processing Personal Data on behalf of the Client, in accordance with the Client’s instructions and this DPA.
4. Purpose and Scope of Processing
4.1. Hotel Jean may process personal data for the following purposes, including but not limited to:
Provision and delivery of agreed services (branding, website, content, social media).
Technical support, maintenance, and hosting of websites or platforms.
Analytics and reporting on service performance.
Communication and service-related notifications.
Compliance with legal obligations (e.g., tax or regulatory reporting).
4.2. Hotel Jean may process Personal Data for the purposes of providing services, including but not limited to:
Website design, development and management
Brand, content and communications services
Marketing, email and analytics setup
Hosting, integrations and platform configuration
4.3. Categories of data subjects may include:
Client customers, subscribers, users or employees
4.4. Categories of Personal Data may include:
Contact details (name, email, phone number)
Website usage and analytics data
Transactional or enquiry data
Content supplied by the Client
Processing will be limited to what is necessary to perform the services.
4.5. Hotel Jean will:
Process Personal Data only on documented instructions from the Client
Not use Personal Data for its own purposes
Inform the Client if to the best of Hotel Jean’s knowledge, an instruction appears to infringe applicable law
5. Security Measures and Confidentiality
5.1. Hotel Jean implements reasonable technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration, including:
Secure hosting environments
Access controls and authentication
Platform-level security provided by third-party providers (e.g. Squarespace)
Restricted access to authorised personnel only
Security measures are appropriate to the nature of the data and the risks involved. We will maintain these measures in accordance with industry best practices and Applicable Laws.
6. Sub-Processors
7.1. We may engage third-party Sub-Processors (e.g., hosting providers, analytics platforms, stock image providers) to process personal data.
7.2. Authorisation: the Client authorises Hotel Jean to engage Sub-Processors where necessary to deliver services.
7.3. Approved Sub-Processors may include but are not limited to: Squarespace, Stripe, Squarespace Payments, Shopify, Google, Acuity Scheduling. A list of current Sub-Processors is available on request at legal@hoteljean.com.
7.4. You may object to a Sub-Processor for reasonable data protection concerns.
7. Data Subject Rights
Data subjects may exercise their rights of access, correction, erasure, restriction, objection or data portability by contacting us using the details set out in our Privacy Policy.
We will assist you, to the extent reasonably possible, in responding to requests from Data Subjects to:
Access personal data
Correct or update personal data
Request deletion or restriction of processing
Object to processing where applicable
Exercise any rights under GDPR, CCPA, or Australian Privacy Principles
Requests should be submitted to legal@hoteljean.com.
8. Data Transfers
8.1. Personal data may be transferred outside of Australia or other jurisdictions for service provision.
8.2. Such transfers will be safeguarded by appropriate legal mechanisms, including:
EU Standard Contractual Clauses (SCCs) for EU/UK data
US Privacy Shield / Data Privacy Framework compliance
Equivalent contractual protections for other jurisdictions
Requests should be submitted in accordance with the Privacy Policy, to: legal@hoteljean.com.
9. Breach Notification
9.1. Hotel Jean will notify the Client without undue delay after becoming aware of a data breach affecting Personal Data processed under this DPA.
9.2. Notification will include details of the breach and steps taken to mitigate risks, in accordance with applicable laws. Hotel Jean will provide reasonable assistance to enable the Client to meet notification obligations under the Notifiable Data Breaches (NDB) scheme and/or GDP.
10. Data Retention and Deletion
10.1. We retain personal data only as long as necessary to fulfill the purposes outlined in this DPA or as required by law.
10.2. Upon termination of services, personal data will be returned or securely deleted upon your request, unless retention is required by law or legitimate business obligations.
11. Liability
11.1. Each party’s liability under this DPA is subject to the limitations of liability set out in the applicable agreement, except where prohibited by law.
11.2. The Client is responsible for their own compliance as a Controller, including obtaining consents from Data Subjects.
11.3. Any regulatory penalties arising from the Client’s failure to comply with Applicable Laws are their own responsibility.
12. Modifications
We may update this DPA to comply with changes in Applicable Laws or service practices.
Updates will be posted within our Privacy Policy, with the effective date revised.
13. Governing Law
This DPA is governed by the laws of Australia, without limiting any mandatory rights available under applicable data protection laws.
14. Order of Precedence
In the event of a conflict:
This DPA
The Privacy Policy
The Terms & Conditions
13. Contact Us
Email: legal@hoteljean.com
Mail (Domestic and International):
Hotel Jean
PO Box 2172
Burleigh Waters, QLD 4221
Australia