Privacy Policy
Effective: April 15, 2026
1. Who we are
Casy ("we", "our", "the service") is booking software for independent beauty professionals and small studios. Website: https://casy.beauty . Contact: [email protected] . For purposes of GDPR, Casy acts as a data controller for account data and a data processor for data uploaded by business users about their clients.
2. Data we collect
- Account data: name, phone number, email (if provided).
- Booking data: date, time, service, professional, location.
- Technical data: IP address, browser type, pages visited — for analytics and security.
- OTP sessions: temporary authorization codes, retained for no more than 5 minutes.
3. How we use your data
- Providing the service: authentication, booking management, reminders.
- Communication: SMS/Telegram reminders about appointments.
- Service improvement: aggregate usage analytics (no personal identifiers).
- Security: fraud detection and prevention.
4. Data sharing
We do not sell your personal data. We share data only with:
- Beauty professionals / venues: your name and phone are shared with the venue you book with.
- SMS providers: to deliver OTP codes and appointment reminders.
- Hosting providers: for data storage and processing (servers in the EU).
- Law enforcement: only when legally required by valid court order or equivalent process.
5. Retention
- Account data — until account deletion or 3 years of inactivity.
- Booking data — 2 years after the appointment completes.
- OTP sessions — 5 minutes.
- Technical logs — 90 days.
6. Your GDPR rights
If you are in the EU/EEA or UK, the GDPR gives you the following rights:
- Access (Art. 15): request a copy of your personal data.
- Rectification (Art. 16): correct inaccurate data.
- Erasure (Art. 17): the "right to be forgotten".
- Restriction (Art. 18): limit how we process your data.
- Portability (Art. 20): export your data in a machine-readable format.
- Objection (Art. 21): object to processing based on legitimate interest.
- Withdraw consent: for any processing based on consent.
- Lodge a complaint: with your local Data Protection Authority.
To exercise any right — email [email protected] . We respond within 30 days.
7. Cookies
We use strictly necessary cookies for authentication and session management. We do not use advertising or cross-site tracking cookies. If we enable analytics cookies in the future, we will request your consent first.
8. Changes to this policy
We will notify you of material changes via email or Telegram. Continued use of the service after changes take effect indicates acceptance of the updated policy.
9. Contact
Privacy questions: [email protected]
10. Lawful basis for processing (GDPR Art. 6)
- Contract (Art. 6(1)(b)): providing the booking service you signed up for.
- Legitimate interest (Art. 6(1)(f)): fraud prevention, service security, aggregate analytics.
- Consent (Art. 6(1)(a)): optional marketing communications (you can withdraw anytime).
- Legal obligation (Art. 6(1)(c)): compliance with tax, accounting, and lawful authority requests.
11. International transfers
Your data is stored on servers located in the European Union. If we ever transfer data outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure equivalent protection.
12. Your California (CCPA) rights
If you are a California resident, you have the right to:
- Know what personal information is collected about you.
- Request deletion of your personal information.
- Opt out of the sale of your personal information (we do not sell).
- Non-discrimination for exercising these rights.
To exercise, email [email protected] with "CCPA Request" in the subject.
13. Children's privacy
Casy is not directed at children under 16. We do not knowingly collect data from children under 16. If you believe we have, contact us — we will delete it.