Privacy Policy
We take the protection of your personal data seriously. This policy explains what data we process and for what purposes.
Last updated: April 2026
1. Controller
The entity responsible for processing personal data within the meaning of the revised Swiss Federal Act on Data Protection (revFADP) and — where applicable — the EU General Data Protection Regulation (GDPR) is:
2. General information
We treat your personal data confidentially and in accordance with applicable data-protection law. When you use our platform, various personal data are collected; this policy explains the scope and purposes.
3. Data we process
Depending on usage, we process the following categories of data:
– Account data: name, email address, encrypted password, language.
– Business data: company name, address, contact number, staff and services (only for registered businesses).
– Booking data: appointments, assigned staff, customer notes, loyalty points.
– Technical data: IP address, browser type, access time, URLs visited.
– Communications data: emails and SMS sent through our platform.
4. Purposes
– Provision and operation of our services (booking management, confirmations, reminders).
– Handling of subscription payments.
– Communication with you regarding inquiries and support.
– Improvement of our services and ensuring platform security.
– Fulfilment of legal obligations.
5. Legal bases
Where the GDPR applies, we rely on: contract (Art. 6(1)(b) GDPR), legitimate interests (lit. f), consent (lit. a) and legal obligations (lit. c). Under the revFADP, processing is permitted on the basis of contract performance and legitimate interests.
6. Processors
We use the following external service providers who process personal data on our behalf:
– Amazon Web Services (region eu-central-2, Zurich) — hosting and database.
– Resend (Dublin, IE) — transactional email delivery.
– Twilio (Dublin, IE) — SMS notifications.
– Stripe Payments Europe (Dublin, IE) — payment processing, where activated.
All providers are contractually bound to comply with applicable data-protection law.
7. International transfers
Some providers are based outside Switzerland. For transfers to third countries we use the EU Standard Contractual Clauses or rely on adequacy decisions pursuant to Art. 16 revFADP.
8. Retention
Personal data are retained only for as long as necessary for the stated purposes or as required by law (e.g., Art. 958f CO — 10 years for business records). Account data are deleted within 30 days of contract termination upon request.
9. Your rights
You have the right to:
– information about the data processed (Art. 25 revFADP).
– correction of inaccurate data.
– deletion of your data, unless retention is legally required.
– data portability in a common electronic format.
– withdraw consent previously given.
– lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC, edoeb.admin.ch).
To exercise these rights, please contact info@buchflow.ch.
10. Cookies
We use only technically necessary cookies (e.g., login session, language preference). They are required to operate the platform and do not require consent. We currently do not use analytics or marketing cookies.
11. Security
We apply state-of-the-art technical and organisational measures to protect your data against unauthorised access, loss or misuse. Connections to the platform are TLS-encrypted; passwords are stored using bcrypt.
12. Changes
We reserve the right to adapt this Privacy Policy as necessary. The current version is always available on this page.