Terminka Privacy Policy

This Privacy Policy explains how DOIT-BI Sp. z o.o. (operating under the brand Terminka) with its registered office in Wrocław, pl. Powstańców Śląskich 1/11, 53-329 Wrocław, entered into the KRS: 0001034827, NIP: 8992959861, REGON: 525250584 (hereinafter: "Terminka", "we", "our"), processes personal data of users of our mobile applications: Terminka Partner (for Partners: salons, studios, self-employed professionals), the Terminka application (for Clients), and the website terminka.com (collectively: the "Services"). Terminka is committed to protecting the privacy of its users and ensuring the security of processed personal data.
The Policy has been prepared in accordance with the GDPR (Regulation 2016/679 of 27 April 2016) and applicable Polish law.

The Data Controller for the use of the Services is DOIT-BI Sp. z o.o.
Contact: pl. Powstańców Śląskich 1/11, 53-329 Wrocław, e-mail: privacy@terminka.com (preferred channel), tel.: +48 570 704 956.
We have appointed a Data Protection Officer (DPO), who can be contacted via e-mail: rodo@terminka.com or in writing at the address provided above.

This Policy applies to:

• Partners – business users of the Terminka Partner application and the panel for salons/studios/self-employed professionals.
• Clients – individuals using the Terminka application to browse services and make bookings.

Processing roles:

• For Partner account data and Client data in the consumer application – Terminka acts as the data controller.
• For Partner’s client data (entered/processed by the Partner in Terminka Partner) – Terminka generally acts as a data processor.
  With the Partner, we enter into a data processing agreement (Annex: DPA).

We receive data:

• directly from you (registration, configuration, contact),
• from other users (e.g., a Client booking an appointment with a Partner),
• from integrations you connect (e.g., Google/Apple Calendar, payment provider, SMS),
• automatically while using the Services (logs, technical and analytical data).

We process, among others: identification and contact data, account data, booking and payment data, settings and preferences, technical data (device identifiers, IP, logs, cookies).
Detailed categories and purposes for Partners and Clients can be found in Annex A and Annex B.

We process data for the following purposes: providing and improving the Services, handling bookings, billing and invoicing, security and fraud prevention, analytics and statistics, communication and support, our own marketing (where permitted), and fulfilling legal obligations.
The legal bases are: Art. 6(1)(b) GDPR (contract), Art. 6(1)(c) GDPR (legal obligation), or Art. 6(1)(f) GDPR (legitimate interest), and where required – consent (e.g., marketing communications, geolocation).
Details are provided in the Annexes.

We share data to the necessary extent with: hosting/cloud providers, product and analytics tools, SMS/e-mail notification providers, payment processors (PSPs – they process card details), entities providing support services (customer service, accounting, advisory, security), as well as public authorities when required by law.
The current list of data processors is published in a dedicated register (link in Annex C).

If we work with providers located outside the EEA, we ensure mechanisms compliant with Chapter V of the GDPR, in particular: adequacy decisions, Standard Contractual Clauses (SCC) and, where necessary, additional safeguards.

• account and configuration data – for the duration of the contract, and thereafter until the expiry of limitation periods for claims (generally up to 6 years),
• billing and accounting documents – 5 years counted from the end of the tax year,
• technical/security logs – typically up to 12 months, unless a longer period is required by law or a legitimate interest,
• data processed on the basis of consent – until consent is withdrawn.

You have the right to: access your data and obtain a copy, rectification, deletion (“right to be forgotten”), restriction, data portability, objection (including to marketing based on Art. 6(1)(f) GDPR), and to withdraw consent at any time (without affecting the lawfulness of processing before the withdrawal). To exercise your rights – write to us at privacy@terminka.com.
You also have the right to lodge a complaint with the President of the Polish DPA (UODO), ul. Stawki 2, 00-193 Warsaw.

How to delete your account: in the Terminka Partner / Terminka app: Profile → Personal profile settings → Delete account.

Alternatively, you can send a request from the email linked to your account to privacy@terminka.com.

Scope of deletion: we delete the account and associated data (profile, settings, content, booking/communication history, technical identifiers), except for data we are legally required to retain.

Export before deletion (Partner – Terminka Partner): upon request, we provide a data export (CSV/JSON). According to the DPA: export within 30 days, then data deletion in operational systems within 60 days; backups are overwritten according to retention cycles.

Legal retention periods and exceptions: billing documents are stored for 5 years after the end of the tax year; data needed to assert/defend claims – generally up to 6 years; security logs – typically up to 12 months. After these periods expire, data is permanently deleted or anonymized.

Partner’s client data: for data entered by the Partner, we act as a data processor; a deletion request submitted by the Partner is treated as an instruction to delete such data after providing the export, in accordance with §10 of the DPA.

Withdrawal of consents and notifications: marketing consents can be withdrawn in the settings; push notifications can be disabled in the system.

A detailed description of the data deletion process and exceptions can be found on the Data Deletion page.

We do not make decisions about you that produce legal effects solely through automated processing.
We may use simple profiling (e.g., feature recommendations) based on how you use the Services – relying on our legitimate interest.

We use, among others: encryption (HTTPS/TLS), access control (roles/ACL), backups, monitoring, updates, and incident response procedures.

The user’s web browser may store text files ("cookies") on the computer’s disk. Cookies are necessary for the proper functioning of the service, particularly for user authentication. Depending on how they are used, cookies may constitute personal data. Detailed information on how to modify browser settings, block, or filter cookies can be found at:

https://www.aboutcookies.org/

Terminka uses cookies or similar technologies in its Services to maintain user sessions, better tailor the Services to user needs, and generate statistics that improve the functioning of the platform, including session cookies, persistent cookies, first-party cookies, and third-party cookies.

The user may delete or block cookies in their browser settings; however, this may limit some functionalities of the service.

• Calendar (Partner): synchronization and blocking of time slots (after enabling integration).
• Contacts (Partner): one-time access to device contacts solely for quick import of the client base (name and surname, phone number, email – if available); requires system consent; no continuous synchronization; permission can be revoked in settings.
• Notifications (Partner and Client): reminders and transactional/service messages; marketing – only with consent.
• Camera/Gallery (Partner): profile and service photos; (Client) – e.g., avatars.
• Geolocation (Client): searching for nearby services – only with consent, which can be withdrawn in settings.
• Device storage: storing local settings.

The Services are not directed to individuals under the age of 18. We do not knowingly process data of such persons.
If personal data of individuals under 18 is processed without the consent of their legal guardians, appropriate steps will be taken to remove such data as quickly as possible.

We may update this Policy for legal or functional reasons. We will inform you about material changes in the app and/or on the terminka.com website.

The bottom of the document will always show the effective date.

A1. Data categories

• Account and identification: first and last name, company name, VAT/NIP, REGON, address, e-mail, phone number, hashed password, preferences and settings.
• Salon profile and structure: branch names, addresses, work schedules, photos, service categories, price lists, promotions.
• Staff: names/roles, work schedules, leave, calendars, account permissions.
• Partner’s clients (entered by the Partner): contact details, visit history, notes, marketing consents (if collected by the Partner).
• Bookings and communication: appointment times, statuses, SMS/e-mail/push reminders, conversation threads within the Services.
• Billing and payouts: invoice data, transaction identifiers, settlement account details, balance/reports.
• Technical data: device identifiers, IP, logs, diagnostic data.

A2. Purposes and legal bases

• Providing and maintaining the Services (account, configuration, bookings, synchronizations) – Art. 6(1)(b) GDPR.
• Billing, taxes, complaints – Art. 6(1)(c) GDPR.
• Analytics, security, fraud prevention – Art. 6(1)(f) GDPR.
• Terminka’s own B2B marketing – Art. 6(1)(f) GDPR; channels requiring consent – in accordance with national laws (UŚUDE/PT).
• Integrations (calendars, payments, SMS) – Art. 6(1)(b)/(f) GDPR.
• Processing of Partner’s client data as a processor – under the DPA (Terminka acting as data processor).

A3. Retention periods

• account/configuration data – for the duration of the contract + up to 6 years,
• accounting documents – 5 years from the end of the tax year,
• security logs – up to 12 months,
• Partner’s client data – according to the Partner’s instructions and the DPA.

A4. Permissions and cookies

• as in the main Policy’s “cookies” section; additionally, the Partner may manage cookies on their own website (if using Terminka widgets/iframes – we apply our technical/analytical cookies according to the consent banner).

B1. Data categories

• Client account: first and last name/pseudonym, e-mail, phone number, hashed password; social login (if used) – provider identifiers.
• Preferences and activity: saved salons/services, search and booking history, ratings and reviews, notification settings.
• Bookings: appointment times, statuses, reminders, communication with the Partner.
• Payments and financial products: transaction identifiers, payment statuses, codes/coupons, gift cards; card details are processed by the PSP in accordance with PCI DSS.
• Geolocation (optional): approximate/precise location for the “nearby” feature.
• Technical data: device, OS, IP, logs, advertising identifiers (if used according to system settings).

B2. Purposes and legal bases

• Account and bookings – Art. 6(1)(b) GDPR.
• Transactional communication and reminders – Art. 6(1)(b) GDPR.
• Payments and billing – Art. 6(1)(b)/(c) GDPR (legal requirements).
• Analytics, personalization, security – Art. 6(1)(f) GDPR.
• Marketing (e.g., newsletter, marketing notifications), geolocation, advertising identifiers – consent.
  
  You can withdraw consent in the app settings/consent banner or via the "unsubscribe" link.

B3. Retention periods

• account data – until the account is deleted + limitation period for claims,
• booking/payment data – according to legal/tax requirements,
• marketing consent data – until consent is withdrawn.

B4. Reviews and user-generated content

• By publishing reviews/ratings, you agree to their visibility (with your name/pseudonym). Content that violates the law or the Terms may be removed.

The current list of key providers (hosting/cloud, analytics, communication, payments) is published and kept up to date on the Subprocessors page.
In the case of transfers outside the EEA, we apply the mechanisms described in the Data transfers outside the EEA section.

Effective date: 06.11.2025
Version: 1.0 (EN)