Privacy Policy

Last updated 2026-05-pilot-v1

This Privacy Policy describes how SmoothBooking processes personal data at app.smoothbooking.fi and in our iOS and Android applications (together, the "Service"). The Service is a booking and queue management system where customers can book appointments or join queues at our partner businesses, and where service businesses can manage bookings, customers and campaigns for their own business.

We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act (1050/2018).

1. Data controller

SmoothBooking
Business ID: Business ID will be registered soon
Address will be provided after registration

2. Contact for privacy matters

For privacy matters, please contact us by email: smoothbooking.app@gmail.com. General contact: smoothbooking.app@gmail.com.

We have not appointed a dedicated Data Protection Officer because our operations do not meet the thresholds set by GDPR Article 37. We will reassess this if the scale of our operations changes materially.

3. Register name

SmoothBooking user and booking register.

4. What data we collect

We only collect data that is necessary for providing the Service.

From customers (end users)

  • Name, email address and phone number
  • Password in hashed form (we never store passwords in readable form)
  • Profile picture, if you upload one
  • Language and notification settings, including marketing consent
  • Bookings, queue entries and any free-text notes you add
  • Redeemed coupons and discounts

From service businesses (Pro users)

  • In addition to the above, the business name, Finnish Business ID and business details
  • Branch addresses, opening hours and service descriptions
  • Employee names and contact details
  • Your own customer data and customer history (visit frequency, recent services)

Automatically

  • IP address and basic browser information, used briefly to prevent abuse
  • Session cookies required for the Service to function (see our Cookie Policy)
  • In the mobile app, a device-specific identifier for push notifications (optional)
  • Error and security logs with user identifiers masked

Sensitive data

We do not request health-related or other special-category data under GDPR Article 9. We recommend keeping free-text notes at a general level.

5. Purposes and legal bases

Purpose | Legal basis
Creating and maintaining user accounts, sign-in | Performance of a contract
Managing bookings, queues and coupons | Performance of a contract
Direct marketing via email or push notification | User consent
Invoicing and accounting | Legal obligation (Finnish Accounting Act 1336/1997)
Service security and prevention of abuse | Legitimate interest
Improving the service and fixing bugs | Legitimate interest

6. Retention periods

  • User account data: until the user deletes the account. After deletion, identifiers (name, email, phone) are erased without undue delay.
  • Accounting records: if the user has made paid transactions, we retain only the receipt fields required by Finnish accounting law (transaction date, amount, invoice reference, counterparty name) in restricted form for 6 years from the end of the fiscal year.
  • Marketing delivery logs: up to 90 days, then deleted automatically.
  • Session cookies: up to 14 days or until you sign out.
  • IP addresses for security use: up to 15 minutes.
  • Error and security logs: up to 30 days.

7. Recipients of data

We do not sell personal data. Data may be disclosed to the following parties:

  • To the service business a customer books with or joins a queue at. The Pro user receives the customer's name, contact details and booking information, as needed to provide the service. The Pro user acts as an independent controller for their own customer data. The customer may direct privacy requests to the Pro user directly.
  • To subcontractors providing technical services. These include cloud infrastructure providers and email and push notification delivery services. Subcontractors process data on our behalf under written agreements.
  • To public authorities when required by mandatory law, or if we are a party in legal proceedings or similar processes.
  • To parties in a corporate transaction, if we are involved in a business sale, merger or reorganisation. We will ensure that the recipient commits to comply with this Privacy Policy.

Key subcontractors

Subcontractor | Role | Location
Google Ireland Ltd. (Firebase) | Authentication, database, storage, backend services | EU and USA
Upstash Inc. | Rate limiting for security (brief IP processing) | EU (Frankfurt)
650 Industries Inc. (Expo) | Push notifications in mobile applications | USA
OpenStreetMap Foundation | Geocoding of addresses (no personal data transferred) | EU

8. Transfers outside the EU and EEA

Some of our subcontractors are located in the United States. We transfer data outside the EU and EEA only when a transfer mechanism required by data protection law is in place: the EU–US Data Privacy Framework approved by the European Commission, or standard contractual clauses approved by the Commission. Additional information is available from the contact listed in section 2.

9. Cookies

We only use cookies that are strictly necessary for the Service to function: a sign-in session cookie, a security cookie, and a language-preference cookie. We do not use advertising or tracking cookies, and we do not share data with analytics or ad networks. For details, see our Cookie Policy.

10. Your rights

You have the right to:

  • Know what data we process about you and receive a copy.
  • Request the correction of inaccurate or incomplete data.
  • Request the deletion of your data, or restriction of processing, within the limits set by law.
  • Receive the data you have provided in a portable format.
  • Object to processing based on legitimate interest.
  • Withdraw marketing consent at any time — every marketing message contains a one-click unsubscribe link.

You can exercise your rights by emailing smoothbooking.app@gmail.com, or by downloading your data and deleting your account from the profile page. We respond without undue delay and within one month at the latest.

11. Right to lodge a complaint

If you believe we process your data contrary to data protection law, you may lodge a complaint with the Finnish Data Protection Ombudsman:

Office of the Data Protection Ombudsman
PO Box 800, FI-00521 Helsinki, Finland
Phone: +358 29 566 6700
tietosuoja@om.fi · tietosuoja.fi/en

12. Data security

We protect personal data with appropriate technical and organisational measures. Connections are encrypted, passwords are stored as hashes, and access to data is restricted by role. We process data using only as many personnel as is necessary for the tasks, and all our personnel are bound by confidentiality.

If we detect a personal data breach likely to create a risk to data subjects, we notify the Data Protection Ombudsman within 72 hours and the affected users as the situation requires.

13. Automated decision-making

We do not carry out automated decision-making that produces legal effects concerning the user or similarly significantly affects the user. Automatic limitations relating to service security (such as temporary blocks on abusive use) can always be reviewed by a human by contacting our support.

14. Minors

The Service is intended for users aged at least 18. We do not knowingly collect data from anyone younger. If you become aware that a minor has created an account, please notify us so we can remove it.

15. Changes to this policy

We may update this Privacy Policy as the Service evolves or the law changes. We will notify you of material changes via the Service or by email at least 30 days before they take effect.