Privacy Policy

1. Controller

The controller within the meaning of the EU General Data Protection Regulation (GDPR) is:

Ing. Kenny Tran, BA

Sole proprietor (Einzelunternehmer)

Marx-Reichlich Straße 2A

5020 Salzburg, Austria

VAT ID: ATU82918318

We operate the Software-as-a-Service platform "blushy" for beauty and wellness studios at blushy.at ("Service" or "Platform").

A data protection officer is not legally required. For any privacy-related matter, please contact us at [email protected].

2. Dual role: Controller and Processor

blushy processes personal data in two distinct roles. The distinction is decisive under data protection law:

2.1 As controller

For data that studios and their staff provide as part of the contractual relationship with us (registration, account, billing, support), and for visitors of this website, blushy is the controller within the meaning of Art. 4(7) GDPR.

2.2 As processor

Where a studio processes data of its end customers (contact data, appointment history, treatment notes, etc.) using the platform, the studio is the controller and blushy is the processor within the meaning of Art. 4(8) GDPR. The terms of this processing relationship are governed by our Data Processing Agreement (DPA), which is binding for every studio upon registration.

End customers of a studio should direct requests for access, deletion or otherwise primarily to the studio. blushy supports the studio in handling such requests but cannot independently decide on these data.

3. Processed data categories and purposes

3.1 Website visit (blushy.at)

Processed data: truncated IP address, user agent, referrer, time of access, requested URL, HTTP status code
Purpose: providing the website, security, protection against abuse and attacks (bot protection, DDoS mitigation)
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a secure, functional website)

3.2 Studio account registration and management

Processed data: first and last name, email, password (hashed and salted), studio name, language, timezone, role
Purpose: providing the account, authentication, multi-user management
Legal basis: Art. 6(1)(b) GDPR (performance of contract)

3.3 Contract handling and billing

Processed data: studio name, address, VAT ID, billing details, payment method (tokenised via Stripe — we do not store credit card data), subscription status, invoice history
Purpose: contract handling, billing, tax and accounting obligations
Legal basis: Art. 6(1)(b) GDPR (contract), Art. 6(1)(c) GDPR (legal obligation — Austrian BAO, UGB)

3.4 End-customer data within the platform (processed on behalf of the studio)

Processed data: first and last name, contact data (email, phone, address), date of birth, appointments, treatments, chosen services, notes stored by the studio, images, marketing consents, payment status
Purpose: providing the features used by the studio (calendar, customer management, booking, invoicing, reminders, marketing dispatch)
blushy's role: processor — see DPA
Legal basis: lies with the studio as controller (typically Art. 6(1)(b) GDPR and, where applicable, Art. 9 GDPR for health-related data)

3.5 Public booking (studio's online booking page)

Processed data: first and last name, email, phone, chosen service, desired time slot, optional notes, bot-protection token (Cloudflare Turnstile)
Purpose: booking processing on behalf of the studio, abuse prevention
Legal basis: Art. 6(1)(b) GDPR (pre-contract with the studio); bot protection Art. 6(1)(f) GDPR

3.6 Sending emails, SMS and WhatsApp messages

Processed data: recipient address/phone number, message content, send time, delivery status, open and click events (email)
Purpose: booking confirmations, reminders, cancellations, marketing messages (initiated by the studio)
Legal basis: depending on purpose: transactional messages Art. 6(1)(b) GDPR (contract); marketing only on the end customer's consent (Art. 6(1)(a) GDPR, § 174 Austrian TKG 2021)

3.7 AI-powered assistant "Lars"

Processed data: the studio's knowledge base (treatments, prices, opening hours), incoming booking, change or information requests from end customers via email/WhatsApp
Purpose: automated suggestions to the studio (e.g. booking proposal, response suggestion)
Important: the studio takes the final decision. There is no solely automated decision within the meaning of Art. 22 GDPR.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the studio and blushy in efficient handling of inquiries). For details see section 13.

3.8 Calendar integrations

Processed data: OAuth tokens, calendar events (title, time, description) — if the studio activates an integration
Purpose: syncing external calendars (e.g. Google Calendar)
Legal basis: Art. 6(1)(b) GDPR (performance of contract)

3.9 Product analytics

Processed data: pseudonymised events (page views, clicks, feature usage), pseudonymous user ID, workspace ID
Purpose: product improvement and stability monitoring
Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner)

3.10 Server and security logs

Processed data: trace IDs, HTTP method, path, status code, user ID, workspace ID, error messages (no end-customer names)
Purpose: stability, security, error analysis
Legal basis: Art. 6(1)(f) GDPR (legitimate interest)

4. Legal bases at a glance

Art. 6(1)(a) GDPR (consent): non-essential cookies, newsletter, direct marketing to end customers.
Art. 6(1)(b) GDPR (contract): account, booking, payment, transactional communication.
Art. 6(1)(c) GDPR (legal obligation): tax and commercial law retention (BAO, UGB), AML.
Art. 6(1)(f) GDPR (legitimate interest): security, abuse prevention, stability, logging, analytics where not consent-based.
Art. 28 GDPR (processing on behalf of): processing of end-customer data on behalf of studios — see DPA.

5. Sub-processors

To operate the platform we use carefully selected service providers ("sub-processors"). With each provider we have concluded a data processing agreement under Art. 28 GDPR that governs the data protection obligations.

The current list of sub-processors is also available as an annex to the DPA (section 8 of the T&C). We inform our studios of changes in advance.

Provider	Purpose	Location	Third country
Supabase Inc.	Database (PostgreSQL), authentication, file storage	San Francisco, USA — data stored in EU region (Frankfurt)	USA (SCC)
Cloudflare, Inc.	Hosting (Pages, Workers), edge network, R2 storage (EU jurisdiction), Hyperdrive, bot protection (Turnstile)	San Francisco, USA — EU data residency enabled for R2	USA (SCC + DPF)
Stripe Payments Europe Ltd / Stripe, Inc.	Billing of blushy subscriptions; payment processing for studios via Stripe Connect	Dublin, Ireland (EU) / San Francisco, USA	USA (SCC + DPF) for intra-group transfers
Resend, Inc.	Sending transactional emails (confirmations, reminders, reset links)	San Francisco, USA	USA (SCC + DPF)
Meta Platforms Ireland Ltd	WhatsApp Business Cloud API (sending messages to end customers)	Dublin, Ireland (EU)	Intra-group transfers to USA possible (SCC + DPF)
PostHog Inc.	Product analytics — configured to EU cloud	San Francisco, USA — processing in EU region	USA (SCC + DPF) for management
BetterStack s.r.o.	Server logging, monitoring, uptime checks	Prague, Czech Republic (EU)	—
Anthropic PBC	AI models for the assistant "Lars" (Claude API). Zero-data-retention agreed.	San Francisco, USA	USA (SCC + DPF)
Google LLC / Google Ireland Ltd	AI models (Gemini API), Google Calendar API for calendar synchronisation	Dublin, Ireland (EU) / Mountain View, USA	USA (SCC + DPF)
Langfuse GmbH	Observability for AI calls (prompt/response logs for quality assurance)	Berlin, Germany (EU)	—

SCC = EU Standard Contractual Clauses, DPF = EU-US Data Privacy Framework.

6. International data transfers

Some of the providers listed above are headquartered in or process data outside the European Economic Area (EEA), particularly in the USA. For such transfers we ensure an adequate level of protection by:

EU-US Data Privacy Framework (DPF): providers certified under the DPF guarantee a level of protection deemed adequate by the EU Commission decision of 10 July 2023 (Art. 45 GDPR).
Standard Contractual Clauses (SCC): for providers not certified under the DPF or as an additional safeguard, we conclude the EU SCC pursuant to Commission Implementing Decision (EU) 2021/914.
Additional safeguards: encryption of data in transit (TLS 1.2+), encryption at rest, data minimisation, pseudonymisation where possible.

Notwithstanding these measures, we note that following the ruling of the European Court of Justice in case C-311/18 ("Schrems II"), the USA in particular may be subject to access by state authorities not fully consistent with EU data protection standards. Transfers occur only where necessary for the contractual purpose or based on consent.

7. Retention periods

Personal data is only stored as long as necessary for the respective purpose or to comply with statutory retention requirements.

Data category	Retention
Studio account and login data	Duration of contract + 30-day grace period for data export
End-customer data processed on behalf of the studio	Until deleted by the studio or until the contract with the studio ends
Invoicing and accounting data	7 years (§ 132 BAO, § 212 UGB)
Backups	Rolling retention of up to 35 days
Server and security logs	30 days; security-relevant logs up to 90 days
Product analytics events	12 months
Newsletter data (email to studio customers)	Until consent is withdrawn
Dispatch logs (email, SMS, WhatsApp)	24 months
AI prompts and responses (Langfuse)	90 days

8. Your rights as a data subject

Regarding your personal data, you have the following rights:

Access (Art. 15 GDPR): information on whether and which data we process about you.
Rectification (Art. 16 GDPR): correction of inaccurate or completion of incomplete data.
Erasure (Art. 17 GDPR): deletion of your data, subject to statutory retention obligations.
Restriction (Art. 18 GDPR).
Data portability (Art. 20 GDPR): receipt of your data in a structured, machine-readable format. blushy offers an integrated export function.
Objection (Art. 21 GDPR): objection to processing based on legitimate interests, in particular for direct marketing.
Withdrawal of consent (Art. 7(3) GDPR): consent can be withdrawn at any time with effect for the future.

To exercise your rights, please contact: [email protected]

Note: If you are an end customer of a studio using blushy, the studio is primarily your contact as the controller. blushy supports the studio in handling your request.

9. Cookies and similar technologies

On blushy.at and within the platform we use cookies, similar storage mechanisms (e.g. local storage) and pixels. These divide into:

9.1 Strictly necessary (no consent required)

Authentication and session maintenance
CSRF protection
Cloudflare Turnstile (bot protection)
Cookie consent status

Legal basis: § 165(3) Austrian TKG 2021, Art. 6(1)(f) GDPR.

9.2 Cookies requiring consent

Product analytics (PostHog): pseudonymised usage statistics for product improvement.

Legal basis: Art. 6(1)(a) GDPR. You can withdraw your consent at any time via the "Manage cookies" link in the website footer.

10. Marketing communication and newsletter

10.1 Newsletter to studios (sent by blushy)

If you subscribe to our newsletter, we use a double opt-in procedure. We only send newsletters to email addresses whose owners have verified the subscription via a confirmation link.

You can unsubscribe at any time via the unsubscribe link in every newsletter. Legal basis: Art. 6(1)(a) GDPR.

10.2 Marketing from studios to their end customers

Studios can use blushy to send marketing messages (email, SMS, WhatsApp) to their end customers. The lawfulness of such dispatch — especially the existence of the required consent (§ 174 Austrian TKG 2021, Art. 6(1)(a) GDPR or Art. 21 GDPR) — is the studio's responsibility as controller. blushy provides the technical tool and acts as processor; see DPA.

Every marketing message sent via blushy contains a clearly recognisable unsubscribe link (opt-out) protected by a signed token.

11. Online booking (public booking widget)

Studios can operate an online booking page on their own website or via a URL hosted by blushy. When you, as an end customer, make a booking, your details (name, contact, desired time slot, optional notes) are transmitted to the platform and processed on behalf of the studio.

The controller for processing this data is the respective studio. blushy is the processor. The studio's own privacy notice is therefore also relevant and linked on the booking page.

To protect against fraudulent bookings, we use Cloudflare Turnstile (bot detection) in invisible mode. Technical data (e.g. browser behaviour, device and interaction signals, token) is processed. The provider is Cloudflare, Inc. In addition, Cloudflare's Turnstile Privacy Addendum and Privacy Policy apply. The legal basis is our legitimate interest in preventing spam and automated abuse (Art. 6(1)(f) GDPR).

12. WhatsApp communication

Via Meta's WhatsApp Business Cloud API, studios can communicate with their end customers via WhatsApp — for confirmations, reminders, or responses. Processing takes place on behalf of the studio.

Prior explicit consent (opt-in) from the end customer is a prerequisite; the studio is responsible for ensuring this. Processed data includes phone number, message content, send time and delivery status. Note: Meta may transfer data within the Meta group and to the USA as part of its technical processing (SCC + DPF).

End customers can stop receiving messages at any time by replying "STOP".

13. AI assistant "Lars"

Studios can activate the AI assistant "Lars" to handle incoming booking and information requests more efficiently. Lars draws on a knowledge base maintained by the studio (treatments, prices, opening hours).

13.1 What data is processed?

Studio knowledge base content
Incoming messages (email or WhatsApp) for classification and response preparation
Conversation context (conversation ID, timestamps)

13.2 Which providers are used?

Anthropic PBC (Claude API): primary AI provider. We have agreed with Anthropic that input data is not used for model training (zero-data-retention).
Google LLC (Gemini API): fallback provider. We have agreed that input data is not used for model training.
Langfuse GmbH (EU): observability — prompt/response logs for quality assurance retained for 90 days.

13.3 No solely automated decision

Lars produces suggestions only. The final decision (e.g. booking confirmation, response to a customer) is taken by the studio. There is no solely automated decision within the meaning of Art. 22 GDPR.

13.4 Legal basis

Art. 6(1)(f) GDPR (legitimate interest in efficient handling of inquiries). End customers may object to processing of their data by Lars at any time vis-à-vis the studio.

14. Special categories of personal data (Art. 9 GDPR)

blushy is designed as software for beauty and wellness studios. Depending on the constellation (e.g. medical cosmetics, skin analyses, allergy information), treatment notes and customer profiles may contain special categories of personal data within the meaning of Art. 9 GDPR.

Responsibility for lawful processing of such data — particularly obtaining the explicit consent of the data subject (Art. 9(2)(a) GDPR) or another suitable legal basis — lies with the respective studio as controller.

blushy provides appropriate technical and organisational measures to protect such data (encryption, role-based permissions, strict tenant isolation; see section 15 of this Privacy Policy and the TOM Annex to the DPA (section 8.13 of the T&C)).

15. Security of processing

We implement technical and organisational measures pursuant to Art. 32 GDPR to protect your data against loss, manipulation and unauthorised access, including:

Encryption in transit: all connections over TLS 1.2 or higher.
Encryption at rest: database and file storage encrypted by the respective providers (Supabase, Cloudflare R2).
Authentication: passwords stored only as hashed and salted values (via Supabase Auth). Multi-factor authentication available.
Permission system: role- and workspace-based access controls, strict tenant isolation.
Audit trail: logging of sensitive actions (e.g. role changes, data exports, deletions).
Bot protection: Cloudflare Turnstile on public inputs.
Backups: automated, encrypted backups in EU data centres.
Incident response: documented process for data protection incidents, notification chain within 72 hours pursuant to Art. 33 GDPR.

A detailed overview of technical and organisational measures is provided in the TOM Annex to the DPA (section 8.13 of the T&C).

16. Right to lodge a complaint

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent authority in Austria is:

Austrian Data Protection Authority (Datenschutzbehörde)

Barichgasse 40–42

1030 Vienna, Austria

Phone: +43 1 52 152-0

Email: [email protected]

Web: www.dsb.gv.at

17. Changes to this privacy policy

We reserve the right to update this privacy policy when legal frameworks change or we expand our processing activities. For material changes affecting our studios, we will inform you by email or via the dashboard. The current version is always available on this page.

Date: June 2026. This English version is provided for convenience. In case of inconsistencies, the German version shall prevail.