ZenBookr

Privacy Policy

Notice on the processing of personal data under articles 13 and 14 of Regulation (EU) 2016/679 («GDPR») and applicable Italian law (Legislative Decree 196/2003 as amended, «Italian Privacy Code»).

Last updated: May 24, 2026 · Version: 1.0

1. Preamble and Data Controller

This Privacy Policy describes how Marco D'Arminio (hereinafter «ZenBookr», «we», «our»), as Data Controller, collects, uses, shares and protects personal data of users who interact with the ZenBookr platform — available on the domains zenbookr.app, app.zenbookr.app, book.zenbookr.app — and the related iOS and Android mobile applications (collectively, the «Platform»).

Data Controller

Marco D'Arminio (natural person, sole individual)
Registered office: Vico Malvina 9, 70042 Mola di Bari (BA), Italy
Email: info@zenbookr.app
Privacy email: privacy@zenbookr.app
Support email: support@zenbookr.app

By using the Platform, you confirm you have read and understood this Notice. Please read carefully before signing up or providing personal data.

2. Definitions

  • Professional: registered user (hairdresser, beautician, spa, personal trainer, etc.) who uses the Platform to manage appointments, clients and payments, as a business operator or freelancer.
  • End-Client: user who books services from a Professional via book.zenbookr.app or the mobile app.
  • Personal Data: any information relating to an identified or identifiable natural person (Art. 4(1) GDPR).
  • Processing: any operation performed on Personal Data (Art. 4(2) GDPR).
  • Controller: the entity determining purposes and means of processing (ZenBookr for its own processing; the Professional for their own clients' data uploaded to the Platform).
  • Processor: the entity processing data on behalf of the Controller (ZenBookr acts as Processor for the data of Professionals' clients — see Section 13).

3. Categories of data collected

3.1 Data you provide voluntarily

We collect data you provide directly during registration, while using the Platform, or in communications with us:

For Professionals:

  • Identification and contact data: name, surname, email, phone, password (stored only as a bcrypt hash, see Section 5)
  • Business data: company name, VAT, tax ID, business address, category, services offered, salon/studio photos, opening hours
  • Stripe Connect onboarding (to receive payments from clients): name, date of birth, tax ID, address, IBAN, ID document — collected directly by Stripe during KYC, never stored on our servers
  • Subscription billing data: handled via Stripe (card tokenization); we do not store card numbers
  • Uploaded content: profile and service photos, descriptions, prices, technical sheets, internal notes
  • Data about your clients: name, email, phone, date of birth, notes (allergies, preferences), appointment history — this data belongs to your processing, in which you are Controller and we are Processor (see Section 13)

For End-Clients:

  • Identification: name, email, phone
  • Booking data: date and time, requested service, chosen Professional, address (mobile services), notes
  • Payment data: handled exclusively via Stripe; we do not receive or store card data
  • Reviews and content: text of any reviews left for professionals

For anyone contacting us (contact form, waitlist, AI chat, quote modal):

  • Name, email, optional phone, message content, business type (waitlist), category of interest
  • reCAPTCHA v3 token (anti-spam) — see Section 11

3.2 Data collected automatically

  • Usage data: pages visited, sections used, time spent, navigation paths, searches, clicks
  • Device data: device type, OS, browser, screen resolution, language, timezone
  • IP address (anonymized for analytics)
  • Approximate geolocation (city level, from IP) — for suggesting nearby professionals. Precise geolocation is requested only with explicit device consent.
  • Cookie identifiers and similar technologies — see Cookie Policy
  • Security logs: login attempts, source IPs, timestamps — to prevent fraud, abuse, unauthorized access

4. Purposes and legal basis for processing

We process your Personal Data for the purposes below, always with a valid legal basis under Art. 6 GDPR. For data in «special categories» (Art. 9 GDPR) we apply specific bases as indicated.

Purpose | Legal basis | Retention
Service delivery (account, subscription, bookings, calendar, payments) | Art. 6(1)(b) — contract | Account duration + 10 years (Italian fiscal duty)
Service communications (confirmations, notifications, password reset, billing, security alerts) | Art. 6(1)(b) — contract | Account duration + 2 years
Accounting, fiscal, AML obligations | Art. 6(1)(c) — legal obligation | 10 years, or longer if law requires
Platform security, fraud prevention, audits | Art. 6(1)(f) — legitimate interest | 12 months for security logs; anonymous aggregates indefinitely
Aggregated statistical analysis to improve the service | Art. 6(1)(f) — legitimate interest | 26 months (GA4); anonymous aggregates indefinitely
Direct marketing via email/SMS | Art. 6(1)(a) — consent (revocable) | Until withdrawal or 24 months of inactivity
Non-essential cookies (analytics + marketing) | Art. 6(1)(a) — consent via cookie banner | See Cookie Policy
Legal defense, Terms enforcement | Art. 6(1)(f) — legitimate interest | Dispute duration + statutory limitation periods
Automated profiling (Smart Pricing suggestions for Professionals) | Art. 6(1)(b) — contract | Account duration

Profiling and automated decisions: the only automated processing is the optimized price suggestion ("Smart Pricing") for Professionals. The Professional retains full decision control. We do not make automated decisions with legal effects under Art. 22 GDPR.

4bis. DAC7 Processing (Professionals only)

For users registered as Professionals only, ZenBookr collects and processes the following data to comply with reporting obligations under EU Directive 2021/514 (DAC7), implemented in Italy by D.Lgs. 32/2023:

  • Tax Identification Number (TIN) and State of tax residence;
  • VAT number (if held);
  • business name or first/last name;
  • main address; business registration number (for legal entities);
  • IBAN or account identifier (collected by Stripe Connect during KYC);
  • annual aggregated income and transaction count via the Platform;
  • timestamp of DAC7 acknowledgement.

Legal basis: legal obligation (Art. 6(1)(c) GDPR + D.Lgs. 32/2023). Retention: minimum 10 years (Art. 4(4) D.Lgs. 32/2023). Recipients: Italian Revenue Agency; other EU/non-EU tax authorities under automatic exchange agreements. Rights: access and rectification (Arts. 15-16 GDPR) fully apply; erasure (Art. 17) and objection (Art. 21) limited during the legal retention period (Art. 17(3)(b) GDPR).

Before the annual report (by 31 January), the Professional receives a copy of their data with 10 days to request rectification.

5. Processing methods

Your Personal Data is processed with electronic tools, hosted on Google Firebase cloud infrastructure (Firestore, Cloud Storage, Cloud Functions, Authentication) with servers primarily in the EU (region europe-west1, Belgium).

We adopt appropriate technical and organizational security measures:

  • Encryption in transit: HTTPS/TLS 1.2+
  • Encryption at rest: data encrypted on Google Cloud servers
  • Password hashing: bcrypt with unique per-user salt
  • Multi-Factor Authentication (MFA) via TOTP and Passkey/WebAuthn
  • Firebase App Check to prevent API abuse
  • reCAPTCHA v3 on public forms
  • Firewall, monitoring, automatic alerts
  • Automatic daily backups, 30-day retention
  • Least-privilege access policies with operation logs
  • Confidentiality contracts with all collaborators and external suppliers

6. Recipients and data sharing

We share your Personal Data only when necessary, bound by data protection contracts (Art. 28 GDPR) where applicable:

Recipient | Role / Purpose | Region
Google Ireland Ltd. (Firebase, GA4, reCAPTCHA, Maps) | Processor — hosting, auth, analytics, anti-spam | EU (Belgium); US fallback with SCCs
Stripe Payments Europe Ltd. | Independent Controller — payments, KYC, subscription billing | EU (Ireland) + US with SCCs
Brevo (Sendinblue SAS) | Processor — transactional emails, waitlist, newsletter | EU (France)
AI providers (Groq, Google Gemini, OpenAI) | Processors — support chatbot queries (only if widget opened) | EU/US with SCCs; no-train mode
Registered Professionals | Independent Controllers — receive booking data needed to deliver requested services | Italy/EU mainly
Professional advisors (accountants, lawyers) | Accounting, fiscal, litigation | Italy
Competent authorities | Legal compliance, response to public authority requests | Italy
Insurance (professional liability) | Management of any claims | Italy/EU

We do not sell your Personal Data to third parties. We do not share data with advertisers or data brokers. Our revenue is exclusively the subscription paid by Professionals.

7. Transfers outside the European Union

Your Personal Data is processed primarily within the EEA. Some suppliers may transfer data to the US or other non-EU countries.

In such cases we ensure transfers occur on the basis of:

  • Adequacy decision by the European Commission (e.g. EU-US Data Privacy Framework)
  • Standard Contractual Clauses (SCCs) approved by Commission Decision 2021/914
  • Supplementary measures where necessary (encryption, pseudonymization)

You can request a copy of the safeguards by writing to privacy@zenbookr.app.

8. Data retention periods

  • Account data: for contract duration. On deletion we erase identifying data within 30 days, except where law requires retention.
  • Booking, billing, fiscal data: 10 years from the transaction date (Italian fiscal law, art. 2220 c.c.).
  • Marketing data: until withdrawal or 24 months of inactivity.
  • Access and security logs: 12 months.
  • Analytics data: aggregated and anonymized after 26 months (GA4).
  • Email communications: 24 months unless a specific legitimate interest applies.
  • Backups: 30 days with automatic rotation.

At the end of retention, data is securely deleted or rendered anonymous.

9. Your rights as Data Subject

Under Arts. 15-22 GDPR you have the right to:

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure (Art. 17)
  • Restriction (Art. 18)
  • Portability (Art. 20)
  • Objection (Art. 21)
  • Withdrawal of consent (Art. 7(3))
  • Not be subject to automated decisions (Art. 22)

How to exercise your rights

  • By email to privacy@zenbookr.app
  • By email to info@zenbookr.app
  • By postal mail to the registered office: Vico Malvina 9, 70042 Mola di Bari (BA), Italy
  • Many actions (account deletion, data export, marketing preferences) can be performed directly in your account settings

We respond without undue delay and within 30 days (extendable by 60 days for complex/voluminous requests, Art. 12(3) GDPR). The service is free; we may charge a reasonable fee for manifestly unfounded or excessive requests only.

10. Marketing and promotional communications

Only with your explicit, free consent (collected via dedicated checkbox, never pre-ticked), we may send:

  • Newsletter about Platform news
  • Promotional offers and discount codes
  • Personalized suggestions based on usage
  • Invitations to surveys, beta tests, events

You can withdraw consent at any time: click «Unsubscribe» in any marketing email, edit preferences in your account, or write to privacy@zenbookr.app.

Service communications (booking confirmations, invoices, security alerts, password resets, Terms updates) are NOT subject to marketing consent: they continue while your account is active.

11. Cookies and similar technologies

We use technical cookies (always active) and non-technical cookies (analytics and marketing) with your consent. For full details see our Cookie Policy.

12. Minors

ZenBookr services are not intended for minors under 16. We do not knowingly collect Personal Data of minors under 16 without consent of the holder of parental responsibility (Art. 8 GDPR). If we become aware that such data has been collected, we delete it without delay. If you are a parent and believe your minor has provided us data, contact privacy@zenbookr.app.

13. Dual role: ZenBookr as Controller and as Processor

13.1 ZenBookr as Data Controller

ZenBookr acts as Data Controller for Professional accounts, End-Client accounts registered directly, subscription payment data, marketing communications, and security and usage data. This Privacy Policy applies to that processing.

13.2 ZenBookr as Data Processor

For data Professionals upload regarding their own clients (client cards, notes, service history, before/after photos, etc.), ZenBookr acts as Processor on behalf of the Professional, who is the Controller.

This relationship is governed by the Data Processing Agreement (DPA), which the Professional accepts as part of the Terms for Professionals.

If you are an End-Client who booked a service with a Professional, the Professional is the Controller for the processing they carry out, and your GDPR rights for that processing must be exercised directly with them.

14. Changes to this Privacy Policy

  • Material changes: we provide at least 30 days' notice via email and in-app notice.
  • Minor changes: posted on this page with an updated «Last updated» date.

Continued use after a change takes effect constitutes acceptance.

15. Complaints to the supervisory authority

Without prejudice to any other remedy, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) or with the supervisory authority of your EU Member State (Art. 77 GDPR).

Garante per la Protezione dei Dati Personali

Piazza Venezia 11, 00187 Rome, Italy
Phone: +39 06 696771
Email: protocollo@gpdp.it
Web: www.garanteprivacy.it

Before filing a complaint, please contact us at privacy@zenbookr.app — we'll address your concerns constructively.

16. Contacts

Marco D'Arminio

Privacy email: privacy@zenbookr.app
Support email: support@zenbookr.app
Email: info@zenbookr.app
Registered office: Vico Malvina 9, 70042 Mola di Bari (BA), Italy

We are not required to appoint a DPO under Art. 37 GDPR. All requests are handled by our privacy team. We will update this page if we appoint a DPO in future.