Privacy Policy
Last updated: 07.07.2026
This Privacy Policy explains how Taimli, operated by IiroMan OÜ (“Taimli”, “we”, “us”), processes personal data when you use our services. We are committed to protecting the privacy of salon owners, salon staff, and individuals who book appointments through salon pages hosted by Taimli.
We comply with the EU General Data Protection Regulation (GDPR) and applicable Estonian data protection laws.
1. Who We Are
IiroMan OÜ
Sepapaja tn 6
Tallinn 15551, Estonia
Email: [email protected]
For data protection matters, you can contact us at the same email address.
2. Roles Under GDPR
Taimli processes different categories of data under different GDPR roles:
Taimli as Data Controller
We are the Data Controller for:
- Salon owner account data
- Business information (email, address, registration number)
- Platform usage data
- Communication sent by us (e.g., transactional emails)
- Billing and subscription information (processed via Stripe)
Taimli as Data Processor
Salon owners are independent Data Controllers for data about their clients.
We process salon client data on behalf of the salon, including:
- Client name
- Phone number
- Booking information (services, staff, time)
- Waitlist preferences, if the client joins a waitlist (requested services, preferred dates and time ranges, worker preference, name, and email)
- Notes added by the client or the salon
A separate Data Processing Agreement (DPA) is available to salon owners.
3. Personal Data We Collect
3.1 Salon Owners
We collect:
- Name
- Email address
- Business details (name, address, registration code)
- Bank account details / payout details (if applicable)
- Subscription & billing information (via Stripe)
- Support communications
We do not collect IP addresses or device fingerprints.
3.2 Salon Clients (on behalf of each salon)
When clients make a booking, we collect:
- Name
- Phone number
- Appointment details
- Waitlist preferences, if the client joins a waitlist
- Optional notes (e.g., preferences)
- Optional treatment-progress photos attached to internal salon notes, if the salon chooses to use this feature
This data belongs to the salon. Taimli processes it only as instructed by the salon. Treatment-progress photos may include health information or other special-category personal data. The salon is responsible for deciding whether to collect such photos and for having an appropriate GDPR Article 6 lawful basis and, where special-category data is involved, a GDPR Article 9 condition for processing.
3.3 Automatically Collected Data
- Minimal operational logs required for service reliability
- Privacy-friendly analytics on Taimli-controlled pages via Plausible (cookie-free analytics provider)
- Product analytics in the authenticated salon admin interface via PostHog EU only
These analytics are configured without analytics cookies. Depending on the page, limited technical and usage data such as page path, referrer, approximate location derived from the request, browser/device information, language, and similar visit metadata may be processed for aggregated traffic statistics and product improvement. PostHog is loaded only in the authenticated salon admin interface, uses PostHog's EU endpoint, and is not used on public marketing pages or hosted booking pages. We do not use these analytics for advertising or cross-site profiling.
4. How We Use Personal Data
4.1 Purposes as Data Controller
We use salon owner data to:
- Provide and operate the Taimli platform
- Create and manage user accounts
- Provide hosted booking pages
- Process subscription payments
- Send necessary notifications (e.g., booking confirmations for salons, service updates)
- Maintain security and prevent misuse
4.2 Purposes as Data Processor
For salon clients, we process data to:
- Create and manage bookings
- Notify the salon of upcoming appointments
- Send email and SMS booking confirmations and reminders through our providers, Mailgun and Prelude
- Send waitlist notification emails if the client joins a waitlist and matching appointment times become available
- Allow salons to manage their customer relationships, including internal salon notes and optional treatment-progress photos if the salon chooses to use that feature
We do not use client data for our own marketing or analytics.
4.3 Optional Google Calendar Integration
If a salon worker chooses to connect their Google account, Taimli can sync that worker's bookings from Taimli to a Google Calendar created or used for that integration.
For this feature, Taimli may process:
- the connected Google account email address
- OAuth tokens required to maintain the connection
- the worker identifier and salon identifier linked to the connection
- booking data needed to create calendar events, such as booking time, service names, salon location, and a Taimli manage link
This integration is:
- optional and initiated by the user
- one-way only from Taimli to Google Calendar
- limited to bookings assigned to the connected worker
Changes made in Google Calendar do not sync back into Taimli.
We use Google Calendar data only to provide and maintain this integration. We do not use it for advertising, profiling, or unrelated purposes.
5. Legal Bases (GDPR)
We process personal data under the following legal bases:
For salon owners:
- Performance of contract — providing the Taimli platform
- Legal obligation — invoicing, accounting
- Legitimate interest — security, fraud prevention, service improvement
For salon clients (on behalf of salons):
- Performance of contract (between client and salon)
- Consent, where required by the salon (e.g., marketing)
Where salons use Taimli to store treatment-progress photos or other information that may reveal health data, the salon must also identify and document the applicable GDPR Article 9 condition for processing that special-category data.
6. Cookies & Tracking
- We do not use analytics cookies on the website or on hosted booking pages.
- Taimli uses Plausible Analytics for privacy-friendly, cookie-free traffic measurement on Taimli-controlled pages.
- Taimli uses PostHog EU for product analytics in the authenticated salon admin interface only. PostHog is not loaded on public marketing pages or hosted booking pages.
- Cloudflare may temporarily process IPs to provide security and performance services.
- Cloudflare Turnstile is used on booking pages for bot protection. It does not use cookies and processes minimal data (such as browser characteristics and interaction patterns) to distinguish humans from bots. This processing is based on legitimate interest (GDPR Article 6(1)(f)) for security purposes.
7. Data Sharing
We share data only with essential service providers, all of whom operate in the EU or provide GDPR-compliant safeguards:
- Stripe — payment processing
- Hetzner & Servinga — VPS hosting (EU)
- PlanetScale — managed PostgreSQL database (EU region)
- Cloudflare — DNS and security; some routing may occur outside the EU under Standard Contractual Clauses
- Cloudflare R2 — storage for salon images (EU region)
- Cloudflare Turnstile — bot protection on booking pages (no cookies, minimal data processing)
- Mailgun — transactional email (EU region)
- Prelude — SMS delivery for booking confirmations and reminders (EU region)
- Plausible — privacy-friendly website analytics (cookie-free)
- PostHog EU — product analytics for the authenticated salon admin interface only
If a salon worker enables the optional Google Calendar integration, relevant booking data is also sent to Google to create, update, and delete calendar events for that worker.
We do not sell personal data.
8. International Data Transfers
Taimli stores and processes data primarily within the EU.
Some providers (such as Cloudflare or Mailgun, depending on configuration) may transfer data outside the EU.
In these cases, transfers are protected by Standard Contractual Clauses (SCCs) and other GDPR-compliant safeguards.
We aim to keep all data processing within the EU whenever technically possible.
9. Data Retention
We follow a minimal retention policy:
Salon Owner Data
- Retained only while the account is active
- Deleted immediately upon account deletion, except where retention is required by law (e.g., accounting records)
Salon Client Data
- Retained only while the salon’s account is active
- Deleted immediately when:
- the salon deletes it, or
- the salon’s account is deleted
Waitlist entries and notification history are treated as salon client data and are retained only while the salon's account is active, unless deleted earlier.
Salon owners can use Taimli's self-service export tools to download exportable salon data before canceling or deleting their account. These exports are intended to support backups, reporting, GDPR portability requests, and migration to another provider.
Backups
Service provider backups (e.g., PlanetScale database backups) may retain deleted data for 30–90 days, after which it is automatically purged.
We do not retain additional internal backups.
10. Your Rights (GDPR)
You have the right to:
- Access your data
- Correct inaccurate data
- Request deletion
- Request data export
- Object to processing
- Withdraw consent (if processing is based on consent)
For salon clients:
- Requests should be made to the salon, as the data controller.
- Taimli will assist salons in fulfilling these requests.
To exercise your rights, contact [email protected].
You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate.
11. Children’s Data
Taimli may process data about children only when submitted by a parent/guardian or by a salon in the context of providing services to the child (e.g., a haircut).
We do not knowingly allow account registration by minors.
12. Security Measures
We use modern security practices to protect data, including:
- HTTPS encryption
- Encryption at rest where supported by providers (e.g., PlanetScale, Cloudflare R2)
- Access control and authentication
- Password hashing (e.g., Argon2) for future password features
- Regular monitoring and security updates
No system is perfectly secure, but we continuously work to protect personal data.
13. Automated Decision-Making
Taimli does not use automated decision-making or AI for user profiling.
Simple automated operations (such as round-robin staff assignment) are performed solely to fulfill booking functionality.
14. Changes to This Policy
We may update this Privacy Policy when needed.
We will post updates on our website and update the “Last Updated” date.
15. Contact
For questions, concerns, or data requests, contact: