Amadoo Data Processing Agreement (DPA)

Last Updated: June 2026

This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions between Amadoo (“Processor”, “we”, “our”, “us”) and the Customer (“Controller”, “you”, “your”).

This DPA applies where Amadoo processes Personal Data on behalf of the Customer in connection with the use of the Amadoo platform.

1. Definitions

For the purposes of this Agreement:

Controller
the organisation that determines the purposes and means of processing Personal Data.
Processor
the organisation that processes Personal Data on behalf of the Controller.
Personal Data
has the meaning given under UK GDPR.
Data Subject
the individual to whom Personal Data relates.
UK GDPR
the United Kingdom General Data Protection Regulation.
Processing
includes collecting, recording, storing, organising, using, transmitting, deleting, or otherwise handling Personal Data.

2. Roles of the Parties

The Customer acts as the Data Controller.

Amadoo acts as the Data Processor.

The Customer determines:

  • What data is collected
  • Why data is collected
  • How data should be used

Amadoo processes Personal Data solely on behalf of the Customer and in accordance with documented instructions.

3. Nature and Purpose of Processing

Amadoo provides nursery management software and processes Personal Data for the purposes of:

  • Child administration
  • Attendance tracking
  • Observations and learning journeys
  • Parent communication
  • Staff administration
  • Invoicing and payments
  • Funding management
  • Incident and accident records
  • Compliance reporting
  • AI-assisted drafting and administrative support

Processing is limited to what is necessary to provide the services requested by the Customer.

4. Categories of Personal Data

Depending on how the platform is used, Personal Data may include:

Child Information

  • Name
  • Date of birth
  • Gender
  • Learning records
  • Attendance records
  • Medical information
  • Dietary information
  • Allergy information
  • Development assessments
  • Observation records
  • Incident and accident reports
  • Photographs and uploaded files

Parent and Guardian Information

  • Name
  • Address
  • Email address
  • Telephone number
  • Emergency contact details
  • Payment information

Staff Information

  • Name
  • Email address
  • Telephone number
  • Employment records
  • Attendance records
  • Qualification records
  • Training records
  • DBS status information
  • Uploaded documents

5. Special Category Data

The Customer acknowledges that Personal Data may include Special Category Data, including:

  • Health information
  • Medical information
  • Allergy information
  • Dietary requirements
  • SEND information
  • Safeguarding-related information where uploaded by the Customer

Amadoo shall apply appropriate technical and organisational measures to protect such data.

6. Processor Obligations

Amadoo shall:

  • Process Personal Data only on documented instructions from the Customer
  • Ensure confidentiality of authorised personnel
  • Maintain appropriate security measures
  • Assist the Customer in complying with UK GDPR obligations where reasonably required
  • Notify the Customer of any Personal Data Breach without undue delay
  • Cooperate with supervisory authorities where legally required
  • Keep records of processing activities where required by law

7. Security Measures

Amadoo implements appropriate technical and organisational measures including:

  • Encrypted data transmission using HTTPS/TLS
  • Password-protected user accounts
  • Role-based access controls
  • Secure cloud infrastructure
  • Access logging and monitoring
  • Regular software updates and security patches
  • Secure data backups
  • Restricted employee access to production systems

Security measures may be updated from time to time to reflect industry standards and technological developments.

8. AI Processing (Ami)

Where the Customer chooses to use Ami, Amadoo's AI assistant, Personal Data may be processed to:

  • Draft observations
  • Generate reports
  • Draft communications
  • Provide administrative assistance

Amadoo does not use Customer Data to train public AI models.

The Customer remains responsible for reviewing and approving all AI-generated content before use.

9. Sub-Processors

The Customer authorises Amadoo to engage sub-processors where necessary to provide the services.

Current sub-processors may include:

Supabase

Purpose: Data hosting and database infrastructure.

Stripe

Purpose: Payment processing and financial transactions.

Email Service Providers

Purpose: Transactional email delivery and notifications.

Amadoo shall ensure that any authorised sub-processor is subject to appropriate contractual obligations regarding Personal Data protection.

A current list of sub-processors may be updated from time to time.

10. International Transfers

Amadoo will not transfer Personal Data outside the United Kingdom unless:

  • Adequate safeguards are in place; and
  • Such transfer complies with applicable data protection laws.

Where required, appropriate transfer mechanisms shall be implemented.

11. Data Subject Rights

Where a Data Subject exercises rights under UK GDPR, including requests relating to:

  • Access
  • Rectification
  • Erasure
  • Restriction
  • Portability
  • Objection

Amadoo shall provide reasonable assistance to the Customer where necessary.

The Customer remains responsible for responding to Data Subject requests.

12. Personal Data Breaches

If Amadoo becomes aware of a Personal Data Breach affecting Customer Data, Amadoo shall:

  • Notify the Customer without undue delay
  • Provide available information regarding the incident
  • Take reasonable steps to mitigate risks
  • Cooperate with the Customer in investigating the incident

13. Data Retention and Deletion

Upon termination of services and upon written request from the Customer, Amadoo shall:

  • Return Customer Data where technically feasible; or
  • Securely delete Customer Data

Amadoo may retain data where required by law or for legitimate legal, regulatory, accounting, or security purposes.

14. Audits and Information Requests

Upon reasonable written request, Amadoo shall provide information necessary to demonstrate compliance with this DPA.

Any audit request must:

  • Be reasonable
  • Not disrupt operations
  • Be subject to confidentiality obligations
  • Occur no more than once per calendar year unless required by law

15. Liability

Each party's liability under this DPA shall be subject to the liability limitations contained within the Amadoo Terms and Conditions.

Nothing in this DPA excludes liability where such exclusion is prohibited by law.

16. Governing Law

This DPA shall be governed by and interpreted in accordance with the laws of England and Wales.

Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

17. Contact Details

Amadoo

Email: info@amadooapp.com

For privacy, GDPR, or data protection enquiries, please contact us using the details above.