Data Processing Addendum (DPA)
Last updated: 15 May 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between PiHub Systems (“Processor”) and the business customer (“Controller”) using MyQueue (“Service”).
Territory: India (unless otherwise agreed in writing).
Contact: support@pihubsystems.com
1. Roles
- Controller: The clinic / venue (and its authorized affiliates) determines why and how visitor and operational queue data is collected at its premises.
- Processor: PiHub Systems hosts and processes that data only on documented instructions from the Controller (via configuration and use of the Service), unless Indian law requires otherwise (in which case PiHub Systems shall inform the Controller unless prohibited).
2. Subject matter and duration
Subject matter: Providing hosted queue management (check-in, staff console, displays, optional messaging integrations, billing).
Duration: For the subscription/trial period and until deletion per retention rules or termination, unless law requires retention.
Processor registered office: Mahavir Nagar, Pakri, Patna-800002, Bihar, India.
3. Nature and purpose of processing
Processing includes storage, structuring, display on authorized interfaces, authentication for owners/staff flows, logging for security/reliability, and integration calls (e.g. payment provider; WhatsApp/SMS/voice gateways when enabled).
Purpose: Operating the queue as configured by the Controller, security, abuse prevention, and compliance with Processor’s legal obligations.
4. Categories of data subjects
- Visitors/patients joining the queue
- Staff and owner users of the Controller
- Optionally, billing contacts for the Controller
5. Categories of personal data
As entered or generated in the Service, including:
| Type | Detail |
|---|---|
| Identity / contact | Name; optional mobile number for alerts |
| Demographic (non-medical) | Age, locality/area as typed (MVP fields) |
| Queue metadata | Token number, timestamps, status, optional alert preference |
| Account | Owner identity via provider (e.g. email via Google); venue configuration |
| Technical | IP, device/browser signals, logs |
Explicitly excluded by design: Clinical notes, diagnoses, prescriptions, lab results. Controllers must not input such data into queue fields.
6. Special mention: phone numbers and names
- Phone numbers are processed solely for queue-related operations and configured transactional messages (e.g. WhatsApp/SMS templates), not for unrelated marketing by PiHub Systems.
- Names appear on staff and display interfaces for operational calling of tokens.
- Controllers remain responsible for lawful grounds, notice, and provider rules (including DLT for SMS in India).
7. Sub-processors
PiHub Systems may engage sub-processors listed at /legal/subprocessors. PiHub Systems remains responsible for their performance and will impose appropriate data protection terms.
Changes: PiHub Systems will notify Controllers of material sub-processor changes by email where feasible.
8. Controller obligations
Controller warrants that:
- It has authority to instruct processing.
- Its collection at the premises complies with applicable law (including consent where required).
- It will not instruct processing of unlawful content.
9. Security
PiHub Systems implements appropriate technical and organizational measures having regard to risk, including access controls, tenancy separation in product design, encryption in transit, and operational monitoring appropriate to stack (see Privacy Policy).
10. Assistance
PiHub Systems shall reasonably assist the Controller with Indian law obligations relating to security measures and consultations where applicable and proportionate.
11. Breach notification
PiHub Systems shall notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller data in PiHub Systems systems, consistent with applicable law and investigation needs.
12. Return or deletion
On termination or upon Controller’s written email request, PiHub Systems shall delete or return Controller data within 90 days unless:
- Longer retention is required by law, or
- Data is aggregated/anonymized irreversibly for analytics not tied to individuals,
unless technically infeasible (PiHub Systems shall explain constraints).
Completed (done) queue rows may already be removable earlier via archive controls in-product (see /legal/data-retention).
13. Audit
Upon reasonable written email request (no more than once per year unless required by regulator), PiHub Systems may provide questionnaires or summaries of controls rather than unrestricted physical audits. Mandatory audits under Indian law shall be accommodated where applicable.
14. Records
PiHub Systems shall maintain records of processing activities required under applicable Indian law where applicable.
15. Order of precedence
If these terms conflict with an individually negotiated enterprise agreement signed by both parties, the signed agreement controls.
Disclaimer: Draft template — legal review required.