Privacy Policy

Last updated: April 13, 2026

The privacy of your data is important to us. In this policy, we explain what data we collect and why, how it is handled, who we share it with, and your rights. We never sell your personal data.

This policy applies to all Ofinly products and services, including the Business App, Client App, and website (ofinly.com).

1. Data Controller

The controller of your personal data is Damian Masior, ul. Oswiecimska 51, Gorzow, Poland, NIP: 5492377002. Contact: contact@ofinly.com.

Ofinly acts as the data controller for your account data, usage data, and any data you provide directly to us. When Business Users manage their salon clients' data through the platform, Ofinly acts as a data processor on behalf of the Business User (who is the controller for that data). See our Terms of Service, Section 10 for the Data Processing Agreement.

2. Data We Collect and Why

We collect only what we need to provide the service. Here is what that means in practice:

2.1 Account and Identity Data

When you sign up, we collect your name, email address, and account role (client or business). If you sign in via Google or Apple, we receive your name, email address, and a unique account identifier from the provider. We use this data to create and manage your account.

2.2 Phone Number and Verification

You may provide a phone number for account verification or contact purposes. During phone verification, we send a one-time code (OTP) via SMS. OTP codes are transient and deleted immediately after verification. Your verified phone number is stored with your account.

2.3 Client User Profile Data

If you use the Client App (to book appointments), we store your name, email, phone number, avatar, notification preferences, and email/phone verification status. This data is needed to provide you with the booking service and send appointment-related communications.

2.4 Business User and Salon Data

If you use the Business App (to manage a salon), we store your salon profile: name, category, description, address, phone, email, timezone, geographic coordinates (for salon discovery), and salon photos you upload. We also store your subscription status and trial dates. This data is needed to list your salon on the platform and provide management features.

2.5 Staff and Worker Data

Business Users may add staff members to their salon account. Staff data includes: name, role, phone, email, bio, specialties, working hours, schedule changes, and invitation status. This data is entered and managed by the Business User. Ofinly processes it on behalf of the Business User to provide the team management feature.

2.6 Appointment and Booking Data

When appointments are booked (by Client Users or Business Users), we store the service name, salon, date, times, price, status, and any notes. This data is needed to manage the appointment lifecycle and send reminders.

2.7 Salon Client Data (CRM)

Business Users may enter and manage data about their salon clients: names, phone numbers, email addresses, visit history, spending records, tags, notes, and favorite services. This data is entered by the Business User, who is the data controller for it. Ofinly processes this data solely on the Business User's behalf as a data processor. If you are a salon client and have questions about how your data is used, please contact the salon directly.

2.8 Location Data

The Client App may request your device location to show nearby salons. This location data is sent to our server for the search query only and is not stored permanently. You can use the app without granting location access.

2.9 Device and Technical Data

We collect your device type, operating system, and app version for compatibility and troubleshooting. We store your Firebase Cloud Messaging (FCM) token to deliver push notifications. Server logs may contain your IP address for security purposes.

2.10 Usage Data

We collect aggregated usage data such as features used and session duration. This helps us understand how the app is used and improve it. We do not build individual behavioral profiles.

2.11 Communication Data

When you contact us for support or submit feedback, we keep the correspondence (including your email address) so we can reference it if you reach out again.

2.12 Salon Photos

Business Users may upload photos of their salon. Photos are stored on our servers and displayed on the salon's public profile. We recommend removing EXIF metadata (which may contain GPS coordinates or device information) from images before uploading.

3. Purposes and Legal Basis

Purpose | Legal basis (GDPR)
Providing the service: account management, bookings, salon management | Contract performance (Art. 6(1)(b))
Processing subscription payments (via Paddle) | Contract performance (Art. 6(1)(b))
Sending appointment reminders and service notifications | Contract performance (Art. 6(1)(b))
Phone number verification | Contract performance (Art. 6(1)(b))
Salon discovery (location-based search) | Consent (Art. 6(1)(a)) - you choose to share location
Improving the app and user experience | Legitimate interest (Art. 6(1)(f))
Security, fraud prevention, and abuse detection | Legitimate interest (Art. 6(1)(f))
Tax and accounting records | Legal obligation (Art. 6(1)(c))
Handling complaints and support requests | Legal obligation (Art. 6(1)(c)) and contract performance (Art. 6(1)(b))
Processing salon client data (as processor for Business Users) | Business User's responsibility as controller; Ofinly processes under DPA

4. Data Sharing and Third Parties

We do not sell your personal data. We never have and never will. We share data only as described below:

4.1 Service Providers (Sub-processors)

We use the following third-party service providers to operate Ofinly:

Provider | Purpose | Location
Google LLC (Firebase) | Push notifications (FCM), Google Sign-In authentication | USA
Apple Inc. | Sign in with Apple authentication | USA
Paddle.com Market Limited | Payment processing (Merchant of Record) | UK
Cloudflare Inc. | Website hosting, CDN, security | USA

Each provider processes data under a data processing agreement and only for the purposes described above.

4.2 Salon-Client Data Sharing

When a Client User books an appointment with a salon, the salon (Business User) sees the Client User's booking details (name, contact information, appointment details). This sharing is necessary to fulfill the booking.

4.3 Payment Data

Subscription payments are processed by Paddle as the Merchant of Record. Ofinly does not collect or store your credit card or payment details. Paddle handles billing, invoicing, and VAT. See Paddle's Privacy Policy for details on how they handle payment data.

4.4 Legal Requirements

We may disclose data when required by law, court order, or a binding request from a competent authority (e.g., UODO, law enforcement). We will notify you before disclosure unless legally prohibited from doing so.

4.5 Business Transfers

If Ofinly is acquired by or merged with another entity, your data may be transferred. We will notify you before any transfer and before your data becomes subject to a different privacy policy.

5. International Data Transfers

Ofinly is operated from Poland. Some of our service providers are located outside the European Economic Area (EEA):

  • USA (Google, Apple, Cloudflare): Transfers are protected by Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.
  • UK (Paddle): The UK has an adequacy decision from the European Commission, meaning data transfers to the UK are treated as equivalent to transfers within the EEA.

6. Data Retention

We keep your data only as long as necessary for the purposes described in this policy:

Data category | Retention period
Account data | Duration of your account + 30 days after deletion
Appointment data | Duration of your account + 30 days after deletion
Salon client data (CRM) | Duration of Business User's account + 30 days
Billing and tax records | 5 years (required by Polish tax law)
Usage and analytics data | 12 months
Server logs (IP addresses) | 90 days
OTP verification codes | Deleted immediately after use
FCM device tokens | Until device is unregistered or account deleted
Support correspondence | 2 years after resolution
Backups | Purged within 60 days of data deletion

7. Your Rights

Under the General Data Protection Regulation (GDPR) and the Polish Data Protection Act, you have the following rights:

  • Right of access - request a copy of the personal data we hold about you.
  • Right to rectification - request correction of inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") - request deletion of your personal data. See our data deletion page for details.
  • Right to restrict processing - request that we limit how we use your data.
  • Right to data portability - receive your data in a structured, machine-readable format (JSON). Business Users can export their data from the app.
  • Right to object - object to processing based on legitimate interest. We will stop unless we have compelling legitimate grounds.
  • Right to withdraw consent - where processing is based on consent (e.g., location data), you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint - with the supervisory authority (see below).

To exercise any of these rights, email contact@ofinly.com. We will respond within 30 days. In complex cases, this may be extended by a further 60 days, and we will inform you of any extension.

You have the right to lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzedu Ochrony Danych Osobowych, UODO), ul. Stawki 2, 00-193 Warszawa, Poland. Website: uodo.gov.pl.

8. Cookies and Device Storage

8.1 Website

The Ofinly website uses localStorage to store your theme preference (light/dark mode). This is strictly functional and does not track you. We do not use analytics cookies, advertising cookies, or third-party tracking scripts on our website. Cloudflare (our hosting provider) may set functional cookies for security purposes (e.g., bot protection).

8.2 Mobile Apps

The Ofinly apps store authentication tokens securely on your device to keep you signed in. FCM tokens are stored for push notification delivery. Cached data may be stored locally for performance. No third-party tracking or advertising SDKs are used in the apps.

Since we only use strictly necessary and functional storage, no cookie consent banner is required under the ePrivacy Directive.

9. How We Secure Your Data

We take appropriate technical and organizational measures to protect your data:

  • All data in transit is encrypted via HTTPS/TLS.
  • Database storage uses encryption at rest.
  • Authentication uses JWT tokens with regular rotation.
  • Access to user data is restricted through role-based access control.
  • We conduct regular security reviews of our systems.

No system is 100% secure. If you discover a security vulnerability, please report it to contact@ofinly.com.

10. What Happens When You Delete Data

When you delete individual content (photos, clients, appointments) within the app, it is removed from the active system. Backups containing deleted content are purged within 60 days.

When you delete your account:

  • Your data becomes inaccessible immediately.
  • Active systems are purged within 30 days.
  • Backups are purged within 60 days.
  • Data required by law (billing/tax records) is retained for up to 5 years.

For full details, see our data deletion page.

11. Children

Our service is not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Automated Decision-Making

We do not make automated decisions that produce legal or similarly significant effects on you. No profiling is used to make decisions about your access to the service or the terms offered to you.

13. Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. For material changes, we will provide at least 30 days' notice via email or in-app notification. Non-material changes (clarifications, formatting) may take effect immediately. Previous versions are available upon request.

14. Contact

For questions about this privacy policy or to exercise your data rights: contact@ofinly.com.

Supervisory authority: President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warszawa, Poland. uodo.gov.pl.