Legal

Privacy Policy

This policy separates salon owner data from salon end-customer data. The final text should be legally reviewed before launch.

Controller

{{COMPANY_NAME}}, {{STREET}}, {{POSTAL_CODE}} {{CITY}}, Email: {{SUPPORT_EMAIL}}

Data protection contact

{{DATA_PROTECTION_CONTACT_OR_NOTE}}

Website and log files

When visiting the website, we process IP address, time, user agent, and referrer for technical delivery and security. The legal basis is Art. 6(1)(f) GDPR.

Required storage

We only use technically required storage mechanisms. Non-essential tracking cookies are not set without explicit consent. Section 25 TDDDG applies.

Salon accounts

For salon owners, we process email address, salon name, Stripe customer ID, contract status, and technical usage data to fulfill the contract under Art. 6(1)(b) GDPR.

Payments via Stripe

Payments are processed through Stripe Payments Europe. Payment and contract data may be transferred to Stripe. Details are available in Stripe's privacy notices.

AI image processing

End-customer photos are processed only for the respective consultation. The goal is temporary processing without permanent photo storage. The salon is the controller; FRIZZAI! acts as processor.

Data processing agreement

A data processing agreement under Art. 28 GDPR is concluded for salon end-customer data. The DPA is part of onboarding.

Subprocessors

  • Supabase: database, authentication, storage, EU/Frankfurt, DPA required
  • Stripe Payments Europe: payment processing, Ireland/possible US transfer, DPA/SCC to be reviewed
  • Google Gemini API: AI image processing, EU region targeted, DPA/subprocessor setup to be reviewed
  • Resend/Postmark: transactional emails, EU/US depending on setup, DPA required

Retention

Account and contract data are stored for the contract term and then deleted or anonymized according to legal requirements. Photo and session data should generally be temporary or stored for a maximum of 24 hours.

Data subject rights

Data subjects have rights to access, rectification, deletion, restriction, portability, objection, and complaint with a data protection supervisory authority.

Last updated

April 30, 2026