1. Who we are
Polooma is provided by the entity identified in the imprint at the bottom of this page. We are the data controller for data we collect about you (the salon owner / staff member); for client data uploaded to the panel, you are the controller and we are the processor — see the DPA.
2. What data we collect
Account data (name, email, billing address); usage data (pages visited, features used, error logs); marketing data (with consent — what you click in our newsletters); and any data you voluntarily submit through forms or the contact channel.
3. Why we use it
To provide and improve the service (legitimate interest and contract performance); to bill you (contract); to send you product updates and security notices (legitimate interest); and to send marketing — only with your explicit consent (Art. 6(1)(a) GDPR).
4. Legal basis (Art. 6 GDPR)
Performance of contract for service delivery and billing; legitimate interest for security, fraud prevention, and product improvement; consent for marketing emails and analytics cookies. You can withdraw consent at any time from the cookie banner or by contacting us.
5. How long we keep it
Account data: as long as your account is active, plus 7 years after closure for tax and audit purposes. Marketing data: until you unsubscribe. Usage logs: 90 days for operational logs, 2 years for security logs. Backups are retained for 30 days after deletion.
6. Who we share it with
We use sub-processors for hosting (EU-based), email delivery, payment processing (Stripe / Adyen), and analytics. The full list is published and updated; we notify you 30 days before adding a new sub-processor. We do not sell your data, ever.
7. International transfers
All processing happens within the European Union. We do not transfer personal data outside the EU/EEA. If a future sub-processor were to require it, we would do so only under Standard Contractual Clauses approved by the European Commission, and we would notify you in advance.
8. Your rights
Under GDPR you have the right to access your data, to rectify it, to erase it, to restrict or object to processing, to data portability, and to withdraw consent. To exercise any of these, email privacy@polooma.com — we respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.
9. Security
See our Security page for technical and organizational measures: EU-only servers, encryption at rest and in transit, role-based access control (RBAC), audit logs, regular penetration testing, and GDPR-trained staff with access on a need-to-know basis.
10. Children
Polooma is not directed at children under 16. We do not knowingly collect data from children. If you become aware that a child has provided us with personal data, contact privacy@polooma.com and we will delete it.
11. Changes to this Policy
We may update this policy. Material changes will be notified via email and the panel at least 30 days in advance.
12. Contact
Questions or rights requests: privacy@polooma.com. Data Protection Officer (when one is appointed): dpo@polooma.com.