1. Data Controller
The data controller for data processing on this website and in the context of the offered digital services is:
2. General Information on Data Processing
We process personal data exclusively within the framework of applicable data protection regulations, in particular the General Data Protection Regulation (GDPR).
Personal data is any information relating to an identified or identifiable natural person, e.g. name, email address, telephone number, booking data or IP address.
Processing only takes place insofar as it is necessary for the provision of our website, our services, for communication with you or for the fulfillment of legal obligations.
3. Purposes and Legal Basis of Processing
We process personal data in particular for the following purposes:
- for the technical provision and security of the website
- for processing contact inquiries
- for carrying out pre-contractual measures
- for providing our SaaS and studio services
- for managing bookings, customer data, invoices and vouchers
- for fulfilling legal retention and proof obligations
- for ensuring IT security and system stability
Processing is carried out on the basis of:
- Art. 6 para. 1 lit. b GDPR (contract / pre-contractual measures)
- Art. 6 para. 1 lit. c GDPR (legal obligation)
- Art. 6 para. 1 lit. f GDPR (legitimate interests)
- Art. 6 para. 1 lit. a GDPR (consent, where separately obtained)
4. Website Access / Server Log Files
When accessing this website, information is automatically collected by the hosting provider or the technical systems used. This includes in particular:
- IP address
- Date and time of access
- Page / file accessed
- Referrer URL
- Browser type and browser version
- Operating system
- Access status / HTTP status code
This data is technically required to deliver the website, ensure stability and security, and detect misuse.
Legal basis: Art. 6 para. 1 lit. f GDPR.
Our legitimate interest lies in the secure, stable and error-free provision of the website.
The log data is only stored for as long as necessary for the stated purposes.
5. Contact
When you contact us by email, contact form or other means, we process the data you provide to handle your inquiry.
The following data may be processed in particular:
- Name
- Email address
- Phone number
- Content of the message
- Company/studio data if applicable
Legal basis:
• Art. 6 para. 1 lit. b GDPR, insofar as the inquiry is aimed at concluding or performing a contract
• otherwise Art. 6 para. 1 lit. f GDPR due to our legitimate interest in processing inquiries
6. Use of our SaaS and Studio Services
When you create a customer account, book a paid plan or use our studio/SaaS functions, we process the data required to provide and perform the services.
This includes in particular:
- Master data of the studio / company
- Contact details
- Access data
- Contract and order data
- Billing data
- Configuration data
- Usage and administration data
- Support and communication data
Purposes of processing:
- Setting up and managing the customer account
- Provision of booked functions
- Technical administration
- Support and troubleshooting
- Invoicing and contract management
Legal basis: Art. 6 para. 1 lit. b GDPR.
7. Appointment Bookings and Customer Data
When appointment bookings are managed or customer data is stored via our systems, we process the data necessary for this purpose. This may include the following categories in particular:
- Name
- Contact details
- Appointment and booking information
- Booked services
- Notes, as entered by the respective studio customer
- Voucher or invoice information
Insofar as we process this data for our studio customers as a processor, processing takes place exclusively on the instructions of the respective studio operator on the basis of a data processing agreement in accordance with Art. 28 GDPR.
7. Appointment Bookings and Customer Data
When appointment bookings are managed or customer data is stored via our systems, we process the data necessary for this purpose. This may include the following categories in particular:
- Name
- Contact details
- Appointment and booking information
- Booked services
- Notes, as entered by the respective studio customer
- Voucher or invoice information
8. Registration, Login and Access Protection
For the use of protected areas, we process access data and security-relevant information to authenticate user accounts, prevent misuse and ensure the security of the platform.
- Email address / login name
- Encrypted or hashed authentication data
- Login times
- Security-relevant log data
- Roles and permissions
Legal basis: Art. 6 para. 1 lit. b GDPR and Art. 6 para. 1 lit. f GDPR.
Our legitimate interest lies in the secure provision of the system and protection against unauthorized access.
9. Massage Finder Login and Booking Synchronization
On studio websites operated through our system, end users can log in with their Massage Finder account. After explicit consent by the user on massage-finder.de, the following personal data is transmitted to the studio:
- Name
- Email address
- Phone number
Legal bases:
• Art. 6 para. 1 lit. a GDPR (user consent on massage-finder.de) for receiving the personal data
• Art. 6 para. 1 lit. b GDPR (contract performance) for booking processing
• Art. 6 para. 1 lit. f GDPR (legitimate interest) for booking synchronization with Massage Finder
10. Payment and Billing Data
In the context of paid services, we process data required for billing, accounting and receivables management, e.g.:
- Name / company
- Billing address
- VAT ID / tax data, where required
- Booked tariffs
- Invoices
- Payment status
- Transaction references
Legal basis:
• Art. 6 para. 1 lit. b GDPR for contract performance
• Art. 6 para. 1 lit. c GDPR for fulfilling legal retention and accounting obligations
11. Cookies, Local Storage and Similar Technologies
Our website or application may use technically necessary cookies or comparable technologies to provide basic functions, security, language settings, session management or login states.
Insofar as exclusively technically necessary technologies are used, this is done on the basis of our legitimate interest in a functional and secure provision of the website and services.
Insofar as non-necessary cookies or similar technologies, in particular for tracking, analysis, marketing or external comfort functions, are used, this is only done after separate consent.
Legal basis:
• Art. 6 para. 1 lit. f GDPR for necessary functions
• Art. 6 para. 1 lit. a GDPR for processing requiring consent
• supplementary § 25 TDDDG for storing information in terminal equipment or accessing it
12. Service Providers / Recipients
To provide our services, we use service providers who may process personal data on our behalf. These include providers in the areas of:
- Cloud hosting / infrastructure
- Email communication
- Support and ticket systems
- DNS and domain management
- Optional integrations such as calendar or notification services
We conclude data processing agreements with these service providers where necessary.
13. Hosting and Processing in the EU
The primary productive data processing components are usually operated in the EU, particularly in AWS eu-central-1 (Frankfurt am Main, Germany).
Public content may be delivered via caching or content delivery technologies for performance and security reasons. Technical connection data such as IP addresses may be processed in the process.
14. Third Country Reference / Access from Thailand
Our company is based in Thailand. Personal data is primarily processed in the EU. However, it may happen in individual cases that authorized persons in Thailand access data stored in the EU as part of support, maintenance, error analysis or technical administration.
Insofar as this involves a third country transfer within the meaning of the GDPR, this is carried out on the basis of appropriate safeguards, in particular the EU standard contractual clauses according to Art. 46 GDPR as well as supplementary technical and organizational measures. These include in particular access restrictions, role-based permissions, encryption, logging and case-by-case access.
A copy of the relevant safeguards can be requested upon request, insofar as this is not prevented by legal or contractual confidentiality obligations.
15. Storage Period
We only store personal data for as long as necessary for the respective purposes or as long as legal retention periods exist.
Typical criteria for storage duration are:
- Duration of the contractual relationship
- Processing of inquiries
- Legal retention periods
- Proof and defense interests
- Technical backup and recovery cycles
Insofar as data is no longer required after the end of the contract, it will be deleted or blocked, provided that no legal obligations prevent this.
16. Obligation to Provide Data
The provision of personal data is sometimes legally or contractually required. Without the required data, we may not be able to provide certain services, in particular registration, booking, support or contract performance.
17. Automated Decisions / Profiling
Exclusively automated decision-making within the meaning of Art. 22 GDPR does not take place unless we expressly state otherwise.
18. Rights of Data Subjects
Within the framework of the legal requirements, you have the following rights:
- Right to information
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object to processing based on legitimate interests
- Right to revoke consent given at any time with effect for the future
To exercise your rights, a notification to the contact details mentioned above is sufficient.
19. Right to Complain to a Supervisory Authority
You have the right to complain to a data protection supervisory authority if you believe that the processing of your personal data violates data protection law. This right arises from Art. 77 GDPR.
20. Changes to this Privacy Policy
We reserve the right to adapt this privacy policy if this is necessary due to legal, technical or organizational changes. The version published on this website applies in each case.