Privacy Policy
Last updated: 10.12.2025
This Privacy Policy explains how Taimli, operated by IiroMan OÜ (“Taimli”, “we”, “us”), processes personal data when you use our services. We are committed to protecting the privacy of salon owners, salon staff, and individuals who book appointments through salon pages hosted by Taimli.
We comply with the EU General Data Protection Regulation (GDPR) and applicable Estonian data protection laws.
1. Who We Are
IiroMan OÜ
Sepapaja tn 6
Tallinn 15551, Estonia
Email: [email protected]
For data protection matters, you can contact us at the same email address.
2. Roles Under GDPR
Taimli processes different categories of data under different GDPR roles:
Taimli as Data Controller
We are the Data Controller for:
- Salon owner account data
- Business information (email, address, registration number)
- Platform usage data
- Communication sent by us (e.g., transactional emails)
- Billing and subscription information (processed via Stripe)
Taimli as Data Processor
Salon owners are independent Data Controllers for data about their clients.
We process salon client data on behalf of the salon, including:
- Client name
- Email
- Phone number
- Booking information (services, staff, time)
- Notes added by the client or the salon
A separate Data Processing Agreement (DPA) is available to salon owners.
3. Personal Data We Collect
3.1 Salon Owners
We collect:
- Name
- Email address
- Business details (name, address, registration code)
- Bank account details / payout details (if applicable)
- Subscription & billing information (via Stripe)
- Support communications
We do not collect IP addresses or device fingerprints.
3.2 Salon Clients (on behalf of each salon)
When clients make a booking, we collect:
- Name
- Email
- Phone number
- Appointment details
- Optional notes (e.g., preferences)
This data belongs to the salon. Taimli processes it only as instructed by the salon.
3.3 Automatically Collected Data
- Minimal operational logs required for service reliability
- Analytics on our landing page via Plausible (EU-based, cookie-free)
No cookies or analytics are used on booking pages.
4. How We Use Personal Data
4.1 Purposes as Data Controller
We use salon owner data to:
- Provide and operate the Taimli platform
- Create and manage user accounts
- Provide hosted booking pages
- Process subscription payments
- Send necessary notifications (e.g., booking confirmations for salons, service updates)
- Maintain security and prevent misuse
4.2 Purposes as Data Processor
For salon clients, we process data to:
- Create and manage bookings
- Notify the salon of upcoming appointments
- Send email and SMS booking confirmations and reminders through our providers, Mailgun and Prelude
- Allow salons to manage their customer relationships
We do not use client data for our own marketing or analytics.
5. Legal Bases (GDPR)
We process personal data under the following legal bases:
For salon owners:
- Performance of contract — providing the Taimli platform
- Legal obligation — invoicing, accounting
- Legitimate interest — security, fraud prevention, service improvement
For salon clients (on behalf of salons):
- Performance of contract (between client and salon)
- Consent, where required by the salon (e.g., marketing)
6. Cookies & Tracking
- No cookies are used on booking pages.
- The main landing site uses Plausible Analytics (EU-based, no cookies, GDPR compliant).
- Cloudflare may temporarily process IPs to provide security and performance services.
7. Data Sharing
We share data only with essential service providers, all of whom operate in the EU or provide GDPR-compliant safeguards:
- Stripe — payment processing
- Hetzner & Servinga — VPS hosting (EU)
- PlanetScale — managed PostgreSQL database (EU region)
- Cloudflare — DNS and security; some routing may occur outside the EU under Standard Contractual Clauses
- Cloudflare R2 — storage for salon images (EU region)
- Mailgun — transactional email (EU region)
- Prelude — SMS delivery for booking confirmations and reminders (EU region)
We do not sell personal data.
8. International Data Transfers
Taimli stores and processes data primarily within the EU.
Some providers (such as Cloudflare or Mailgun, depending on configuration) may transfer data outside the EU.
In these cases, transfers are protected by Standard Contractual Clauses (SCCs) and other GDPR-compliant safeguards.
We aim to keep all data processing within the EU whenever technically possible.
9. Data Retention
We follow a minimal retention policy:
Salon Owner Data
- Retained only while the account is active
- Deleted immediately upon account deletion, except where retention is required by law (e.g., accounting records)
Salon Client Data
- Retained only while the salon’s account is active
- Deleted immediately when:
  - the salon deletes it, or
  - the salon’s account is deleted
Backups
Service provider backups (e.g., PlanetScale database backups) may retain deleted data for 30–90 days, after which it is automatically purged.
We do not retain additional internal backups.
10. Your Rights (GDPR)
You have the right to:
- Access your data
- Correct inaccurate data
- Request deletion
- Request data export
- Object to processing
- Withdraw consent (if processing is based on consent)
For salon clients:
- Requests should be made to the salon, as the data controller.
- Taimli will assist salons in fulfilling these requests.
To exercise your rights, contact [email protected].
You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate.
11. Children’s Data
Taimli may process data about children only when submitted by a parent/guardian or by a salon in the context of providing services to the child (e.g., a haircut).
We do not knowingly allow account registration by minors.
12. Security Measures
We use modern security practices to protect data, including:
- HTTPS encryption
- Encryption at rest where supported by providers (e.g., PlanetScale, Cloudflare R2)
- Access control and authentication
- Password hashing (e.g., Argon2) for future password features
- Regular monitoring and security updates
No system is perfectly secure, but we continuously work to protect personal data.
13. Automated Decision-Making
Taimli does not use automated decision-making or AI for user profiling.
Simple automated operations (such as round-robin staff assignment) are performed solely to fulfill booking functionality.
14. Changes to This Policy
We may update this Privacy Policy when needed.
We will post updates on our website and update the “Last Updated” date.
15. Contact
For questions, concerns, or data requests, contact:
[email protected]