Data Protection Agreement

Fourteen platforms. Verified against official sources. The findings most practitioners discover too late.

Before you use any AI tool or booking platform with client data, you need a Data Processing Agreement in place. This document tells you which platforms have one, what account type you need, and — critically — which ones do not.

Midjourney has no enterprise DPA at any subscription level. ChatGPT Pro is a consumer account — it does not include a Data Processing Agreement. These are not obscure edge cases. They are two of the most widely used AI tools in professional practice right now. Using either with client data means you are in breach of Article 28 UK GDPR regardless of any other precautions you have taken.

Both volumes of the Platform DPA Checker tell you the position for every platform — in plain language, with the exact path to find the DPA and what to record as your compliance evidence.

What the two volumes cover

VOLUME 1 — AI TOOLS

The AI platforms most professionals use for content, notes, and client work

ChatGPT / OpenAI, Claude / Anthropic, Google Workspace, Canva, Mailchimp, Zoom, Otter.ai, Midjourney ⚠

Includes the ChatGPT account type trap — Pro is not a business account. And the Midjourney finding that most creative professionals have not yet acted on.

VOLUME 2 — BOOKING & SCHEDULING

The platforms that hold client data passively — and continuously

Fresha, Treatwell, Calendly, Acuity Scheduling, Square Appointments, Booksy ⚠

Includes specific guidance on booking platforms adding AI features — and the three questions to answer about every platform you use before those features process client data.

Three findings that will change how you use these tools

No DPA at any level - Midjourney cannot be used lawfully with client data

No enterprise DPA exists for Midjourney at any subscription tier. If your work involves client photographs, creative briefs containing personal data, or any identifiable client material — Midjourney is not a compliant option under Article 28 UK GDPR.

Not a business account - ChatGPT Pro is a consumer account — despite the name

OpenAI classifies Free, Plus, and Pro as consumer plans. None include a Data Processing Agreement. The minimum account for lawful client data processing is ChatGPT Team. Many professionals on Pro accounts do not know this distinction exists.

Verify directly - Booksy's DPA position requires direct confirmation

No standalone service provider DPA was found in Booksy's published documentation. Practitioners using Booksy for consultation notes, allergy records, or health disclosures should contact support directly and document the response before continuing that use.

What’s Included

Fourteen platforms verified — DPA status, minimum account required, and where to find the DPA for each

Direct navigation paths — the exact URL or menu path to locate each DPA, so you spend minutes confirming rather than hours searching

Key findings for each platform — data location, transfer safeguard, model training status, and breach notification commitment

AI features in booking platforms — what new features are being added to Fresha, Booksy, and Square in 2026 and what each one means for your compliance position

When to re-verify — the five events that should trigger a re-check, including a minimum annual review cycle

What a DPA does not cover — consent, transparency, and your own documentation obligations remain yours regardless of the platform's DPA status
