Legal

Data Processing Addendum

Version 18 July 2026 - Australia
Purpose. This Addendum applies when Taper processes a barbershop's End-user personal information to provide the Service. It forms part of the Taper Terms of Service.

1. Parties and roles

The Customer named on the Taper account is the controller of its End-user data. Jai Austin Barfoot, sole trader, ABN 87 274 343 489, trading as Taper by Aiandi, is the processor. Taper remains the controller of account, security, billing, and support information it collects for its own business operations.

2. Processing details

3. Documented instructions

Taper will process Customer Data only to provide and secure the Service, comply with the Customer's documented use of product controls, or comply with law. Taper will tell the Customer if an instruction appears unlawful, unless law prevents notice.

4. Customer obligations

The Customer must have a lawful basis for all Customer Data; provide required collection notices; obtain express photo, AI, and marketing consents where required; avoid uploading unnecessary data; keep staff access current; and respond to End-user requests. Taper is not a facial-recognition, surveillance, or identity-verification service.

5. Confidentiality and security

Taper restricts access to people and providers who need it to operate the Service and who are bound by confidentiality obligations. Measures include HTTPS, password hashing, role-based and tenant-scoped access, server-side secret storage, authenticated AI entitlements and quotas, rate limiting, security logging, restricted backups, dependency review, and documented incident response.

6. Subprocessors and overseas processing

The Customer authorises Taper to use subprocessors needed to provide the Service. Current categories include DigitalOcean (Sydney hosting), Stripe (billing), Resend or an SMTP provider (transactional email), and OpenAI (AI image processing). Stripe, email providers, and OpenAI may process information outside Australia, including in the United States.

Taper will assess material new subprocessors, require appropriate contractual and security commitments, and post or notify Customers of material changes where practical. A Customer with a reasonable data-protection objection should contact privacy@taper.style promptly so the parties can discuss an alternative.

7. Individual rights

Taper will reasonably assist the Customer with access, correction, deletion, consent withdrawal, and complaint requests. The app provides export, per-client photo deletion, full client deletion, and account-closure controls. If an End-user contacts Taper directly, Taper may refer the request to the relevant shop and will assist where legally permitted.

8. Deletion, return, and backups

On a valid instruction or scheduled account closure, Taper will delete or return Customer Data unless law requires retention. Deleted production data may remain in access-restricted disaster-recovery backups for up to 30 days before ageing out. Such backups will not be used for ordinary processing and, if restored after an incident, valid deletion requests will be reapplied.

9. Security incidents

Taper will investigate a confirmed incident involving Customer Data and notify the affected Customer without undue delay after obtaining enough information to provide a useful notice. Taper will provide available details about the nature of the incident, affected data, likely consequences, and mitigation, and will cooperate with legally required notifications.

10. Evidence and audits

On reasonable written request, Taper will provide information needed to demonstrate the controls in this Addendum. Audits must be proportionate, protect other customers and Taper's security, avoid service disruption, and use existing reports or remote evidence first. Bespoke audit costs may be charged where permitted and agreed in advance.

11. Priority and contact

If this Addendum conflicts with the Terms about processing Customer Data, this Addendum prevails. Liability remains governed by the Terms to the extent permitted by law. Questions and requests: privacy@taper.style or hello@taper.style.