Book Salon Oy Privacy Policy

This privacy statement describes how Book Salon Oy processes personal data. Processing personal data includes, for example, the use, collection, storage, transfer, and disclosure of personal data. This privacy statement describes, among other things, what personal data is collected and for what purposes it is used.

This privacy statement applies to the following individuals (collectively referred to as the “Data Subject”):

• Entrepreneurs, employees, and other individuals representing or providing services on behalf of Book Salon Oy’s business customers (“Business Customer”), such as barber shops and other various businesses (“Businesses”);
• Individuals who create a Book Salon user account (”End User”) to use Book Salon Oy’s booking or payment services (”Service” or ”Services”); and
• Individuals who visit Book Salon Oy’s website.

Book Salon Oy's Services may include links to external websites or services provided by other organizations. Book Salon Oy does not control these external websites or services operated by other organizations, and this privacy statement does not apply to their use. Book Salon Oy is not responsible for the privacy practices of these external websites or services.

The terms Data Subject, personal data, processing of personal data, controller, processor, and other related terms used in this privacy statement are defined in the General Data Protection Regulation (2016/679, "GDPR"). In addition to GDPR, Book Salon Oy complies with other applicable national data protection laws ("data protection legislation") in the processing of personal data.

The statement reviews

1. Contact details of the controller and contact details of the data protection officer
2. What information do we collect and for what purpose?
3. What rights does the Data Subject have and how can they be exercised?
4. For what purpose do we use the data and on what basis do we process it?
5. How long do we keep the information?
6. Recipients of data and transfers of data to third countries
7. What are the risks associated with data processing and how do we protect the data?

Contact details of the controller and the data protection officer

Book Salon Oy
Business ID 2786121-4

Lapinlahdenkatu 16
00180 Helsinki

Data Protection Officer: Jonne Castrén

Book Salon Oy
℅ Data Protection Officer
Lapinlahdenkatu 16
00180 Helsinki

What information do we collect and for what purpose?

We only collect information from our users that is necessary for the operation and development of the Service:

• Information related to identification and authentication, communication and implementation of the Service: name and e-mail address. Under no circumstances do we store passwords in a readable form.
• Facebook information accepted by the user in connection with Facebook authentication.
• In connection with Google authentication, an identifier that connects the Data Subject to their Google Account.
• Purchase history of registered users (receipts). We retain receipts as required by the Accounting Act and use the information anonymously to profile purchasing behavior.
• Our website uses cookies to optimize the operation of the website. We store information anonymously in cookies, such as the IP address and the information about the device and browser used.
• Information related to email and chat customer service that we retain to improve customer service.

Personal information we collect directly from the Data Subject

We mainly collect the above information directly from the Data Subject themselves when registering, logging in, using the Service, adding a payment card, making a purchase or requesting customer service. This information is used to communicate either to provide or produce Services to the customer.

Personal information we collect from third parties

We only collect information from third parties in connection with Facebook authentication. In this context, we store the user's email address and Facebook ID.

What rights does the Data Subject have and how can they be exercised?

The data subject has rights regarding the personal data held by Book Salon Oy. The data subject’s rights are as follows:

Right of access to personal data

The data subject has the right to access the personal data we hold. However, access to information may need to be restricted for reasons of law and the protection of the privacy of others.

Right to rectify data

The data subject has the right to request the correction of incorrect or incomplete information.

Right to delete data

The data subject has the right to request the deletion of his data. Data can be deleted, for example, in the following cases:

• The data subject withdraws their consent and there are no other grounds for processing
• The data subject objects to the processing of the data and there are no other grounds for continuing the processing

Right to restrict processing

The data subject has the right to restrict the processing of their personal data.

Right of objection

The data subject has the right to object to the processing of their data.

Right to data portability

The data subject has the right to receive the personal data provided in a machine-readable form. The right applies to personal data that have been processed automatically on the basis of a contract or consent.

Right to withdraw consent

The data subject has the right to withdraw their consent at any time without prejudice to the lawfulness of the processing carried out before the withdrawal, if the processing is based on consent. Withdrawal of consent may affect our ability to provide Services.

Right to lodge a complaint with the supervisory authority

The data subject also has the right to lodge a complaint with the supervisory authority if they suspect that their personal data is being used improperly or unlawfully.

Exercising these rights

To exercise the data subject's rights, please contact Book Salon Oy's data protection officer. Access to stored personal information is also possible through our website and our iOS and Android applications.

Data Protection Officer:

Book Salon Oy
℅ Data Protection Officer
Lapinlahdenkatu 16
00180 Helsinki

For what purpose do we use the data and on what basis do we process it?

Book Salon Oy processes personal data in order to fulfill its legal and contractual obligations. The legal bases for our proceedings are:

Implementation of the agreement

Fulfillment of contractual obligations, i.e. the provision of our Service, is the main legal basis for our processing of personal data. The agreement is formed between Book Salon Oy and the user when the user registers for the Service. The data subject agrees to the processing of data in accordance with the privacy policy by using the Service. We process personal information in order to provide the Service ordered from us, to the extent necessary.

Statutory obligation

In addition to the agreements, our operations are subject to legal obligations under which we process personal information. Examples of these are accounting legislation and legislation on payment intermediation.

Consent

In order to develop our website, we collect analytical information about the use of the website based on consent. You give your consent by accepting cookies when you visit the site.

For data collected for marketing purposes, a separate consent will be collected from Data Subjects, which can be revoked at any time. The user has the opportunity to block the use of cookies by changing the settings of their browser according to the instructions of the browser manufacturer and to clear any cookies from the browser cache. Clearing cookies does not stop possible data collection.

How long do we keep the information?

Personal information is retained only for the duration of the contractual relationship, unless otherwise required by law, such as the Accounting Act. For example, purchase transactions are retained for the period required by the Accounting Act, but the information is anonymized at the end of the contractual relationship.

We retain anonymous visitor analytics information for the website only for as long as it is necessary for monitoring and developing marketing and customer service.

Recipients of personal data and transfers of personal data to third countries outside the EU or EEA

Personal data may be disclosed or transferred to third parties for the purposes described in this privacy statement when there is a legal basis for such disclosure or transfer.

Book Salon complies with data protection legislation when disclosing personal data.

Providing Services requires that certain personal data of the End User is disclosed to the Business to which the End User makes a booking through the Service. The disclosed personal data becomes part of the receiving Business’s personal data register, and the Business, as an independent data controller, is responsible for the lawful processing of the received personal data. Further information is available in each Business’s privacy statement.

Book Salon Oy uses subcontractors and partners to produce Services and for related personal data processing, such as providers of Business Customer identification services, companies providing various technical platforms, email and SMS service providers, payment card companies, and other entities acting as personal data processors. They process the Data Subject’s personal data in the manner determined by Book Salon Oy. For example, information related to End User’s transactions may be transferred to the payment service provider’s system for billing purposes. Book Salon Oy has ensured that contracts required by data protection legislation have been concluded with these entities.

Personal data may be disclosed to authorities based on mandatory legislation. Personal data may also need to be disclosed if Book Salon is involved in legal proceedings or similar legal processes.

If Book Salon Oy is involved in a business transaction, merger, or other corporate arrangement, Book Salon Oy may need to disclose personal data to parties involved in the corporate arrangement.

Personal data is primarily processed within the European Union (“EU”) and the European Economic Area (“EEA”). However, personal data may also be processed outside the EU or EEA. If personal data is transferred outside the EU or EEA, Book Salon Oy ensures that the transfer of personal data is carried out using a mechanism that meets the requirements for data transfer set forth in the applicable data protection legislation. If there is no European Commission decision on the adequacy of data protection in the area, Book Salon Oy may use, for example, the European Commission’s approved standard contractual clauses to ensure the security of the transfer.

What are the risks associated with data processing and how do we protect the data?

The biggest risk associated with user data in connection with the system is that the personal data and purchase history accumulated in the system fall into the wrong hands, for example in connection with a data breach. If this unlikely risk materializes, the data can be used to determine a user's buying behavior, infer their location on the days of the transaction, and send spam.

Large-scale data leaks will always be reported to the contractor (contact person), regardless of whether the matter is subject to notification or not.

The goal of Book Salon Oy's security measures is to secure the availability of information and information systems, ensure their confidentiality, ensure the integrity of information and minimize the damage caused by possible deviations. Hedging measures are based on a risk assessment of the operation and are proportionate to the management of the protected object and the risks to it.

Measures to ensure information security and data protection are:

Measures to increase the availability and usability of information aim to ensure that relevant information is available when needed. Such measures include ensuring the functioning of the systems, backups, deputy staff schemes and the proper archiving of information.

The integrity of the data is ensured through system audits and controls. The purpose of security measures and guidelines is to prevent errors and negligence in the processing of data.

The confidentiality of the information is ensured by organizational and technical means. Organizational means include e.g. non-disclosure agreements, defined business processes, guidelines and staff training. The technical means are e.g. implementation of virus and malware filtering, encryption of communications, strong identification, security and encryption of the data network and terminals, locking and surveillance of premises, and the use of a specialized partner for the destruction of paper material.

Last updated: 27.8.2024