Privacy policy
Last updated: 23 June 2026
1. Controllers (joint controllership, Art. 26 GDPR)
Two companies are joint controllers within the meaning of Art. 26 GDPR for the processing of personal data on this website:
Apropos Haare GmbH — Mönchhofstr. 3b (corner Lutherstraße), 69120 Heidelberg · Managing directors: Andrea Sladek and Stefanie Mohr · Amtsgericht Mannheim, HRB 724439
Apropos Haare Mannheim GmbH — Tattersallstraße 41, 68165 Mannheim · Managing director: Mathias Gramlich · Amtsgericht Mannheim, HRB 728061
Apropos Haare GmbH operates this website; both companies are joint controllers in respect of the data collected through it and both have access to that data. An arrangement pursuant to Art. 26(1) GDPR has been concluded to determine which company fulfils which GDPR obligations. In essence: Apropos Haare GmbH is the primary point of contact for data subject rights; requests may alternatively be directed to either company via the shared contact address. The internal allocation of responsibilities does not affect your rights — you may exercise them against either controller.
Shared data protection contact: datenschutz@aproposhaare.de
No data protection officer has been appointed (§ 38(1) BDSG (German Federal Data Protection Act); Art. 37 GDPR).
2. Categories of data processed
- Master data (e.g. name)
- Contact data (e.g. email address, telephone number)
- Content data (e.g. text entered in forms, profile photo, application documents)
- Treatment data (e.g. booked services, appointment history)
- Contractual data (e.g. booked service, assigned salon)
- Usage and access data (e.g. pages visited, IP address, timestamp)
We do not actively collect special categories of personal data (Art. 9 GDPR). If you voluntarily provide health-related information (e.g. allergies) in the notes field of a booking, we process that information solely on the basis of your explicit consent (Art. 9(2)(a) GDPR); please share such information only if you wish to do so. Payment for your service takes place in the salon on site and does not form part of this online offering.
3. Purposes of processing
Provision of the online offering, its content and functions · Online appointment booking and customer account management · Sending of appointment confirmations and reminders · Responding to contact and job-application enquiries · Security and abuse prevention · Internal analysis to improve the offering.
4. Legal bases (overview)
We process personal data only on a lawful basis:
- Art. 6(1)(a) (consent, in conjunction with Art. 7) — e.g. push notifications, profile photo, marketing communications;
- Art. 6(1)(b) (contract / pre-contractual measures) — e.g. booking, customer account, waiting list, job application;
- Art. 6(1)(c) (legal obligation) — e.g. statutory retention and documentation obligations;
- Art. 6(1)(f) (legitimate interests) — e.g. secure operation, reach measurement, internal analytics, abuse prevention.
5. Disclosure to third parties, processors and third-country transfers
Data is disclosed only on a lawful basis (performance of contract, consent, legal obligation or legitimate interest). Processors are engaged on the basis of a contract pursuant to Art. 28 GDPR:
- Cloudflare, Inc. — hosting, database, file storage, reach measurement, bot protection — registered in: USA
- Belbo Business Software GmbH — booking system — registered in: Berlin, Germany
- Email service provider (sub-processor of Belbo) — email dispatch (confirmation/reminder) — registered in: USA
- SMS service provider (sub-processor of Belbo) — SMS dispatch — registered in: Netherlands (EU)
- Resend — transactional emails from our forms — registered in: USA
- OpenStreetMap Foundation — map tiles — registered in: United Kingdom (third country)
Third-country transfers: For Cloudflare, on the basis of the EU–US Data Privacy Framework and additionally the Standard Contractual Clauses (EU) 2021/914; for Resend, on the basis of the Standard Contractual Clauses (EU) 2021/914 (USA). The email service provider used for email dispatch via Belbo (USA) is covered by Belbo's processor agreement and SCC chain. OpenStreetMap map tiles are provided by the OpenStreetMap Foundation in the United Kingdom; the transfer is based on the EU adequacy decision for the United Kingdom. The SMS service provider used via Belbo (Netherlands) processes within the EEA.
6. Performance of contractual services — booking and customer account
Online appointment booking (Belbo): When you make a booking, we process master data, contact data, treatment data and contractual data to carry out the appointment (Art. 6(1)(b) GDPR). The system of Belbo Business Software GmbH (Berlin) is used as a processor; Belbo's own privacy policy also applies. Belbo processes your data solely for the purpose of providing the service and does not contact you for its own promotional purposes.
Customer account: You may create an account. Login is passwordless — authentication runs through the Belbo booking system; we do not store a password. Accounts are not public and not indexable by search engines. Upon termination, account data will be deleted unless statutory retention obligations (Section 14) preclude deletion. At the time of registration we store, for the purpose of abuse protection and as evidence of consent, a hash of your IP address and browser fingerprint together with a timestamp; at login we record the timestamp of the last sign-in, and your IP address is processed only briefly and is not retained permanently (Art. 6(1)(f) GDPR).
Profile and profile photo: A profile photo uploaded optionally is stored, on the basis of your consent (Art. 6(1)(a) GDPR), with our hosting provider (Section 5). You may remove it at any time; it will not be retained longer than necessary for the stated purpose.
Waiting list: Name and contact details are processed for the purpose of notifying you of available appointments (Art. 6(1)(b) GDPR), until the slot is filled, you withdraw your registration, or the entry is deleted on request, and at the latest 12 months after entry.
7. Contact and job-application forms
When you get in touch or submit a job application, we process your name, email address, message content and, where applicable, uploaded application documents (PDF/JPEG/PNG) to handle your enquiry (Art. 6(1)(b) or (f) GDPR). Dispatch is handled via the transactional email service Resend; application documents are additionally stored with our hosting provider (Section 5) and retained for as long as required for the application process.
8. Server log files
When the website is accessed, access data is processed in server log files (page/file requested, date/time, data volume transferred, browser type and version, operating system, referrer URL, IP address) on the basis of our legitimate interest in security and stability (Art. 6(1)(f) GDPR). Data is retained only briefly for delivery and abuse prevention; data required for evidentiary purposes is exempt from deletion until the incident has been resolved.
10. Appointment confirmations, reminders and push notifications
Confirmation and reminder messages (via Belbo): In connection with your booking, we send appointment confirmations and reminders by email and/or SMS. Dispatch is handled by Belbo's sub-processors: an email service provider (USA) for email and an SMS service provider (Netherlands/EU) for SMS. The legal basis is the performance of the booking relationship (Art. 6(1)(b) GDPR). Further promotional contact (offers, promotions) takes place only if you give explicit consent during the booking process (Art. 6(1)(a) GDPR); you may withdraw that consent at any time with effect for the future.
Push notifications (web push): When you activate push notifications, we store a technical push subscription (endpoint and cryptographic keys of your browser), linked to your account. Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG; consent is given via your browser's notification permission. Technical delivery is handled by the push service of your browser vendor; data may be transferred to third countries (including the USA) in this process. You may withdraw consent at any time by unsubscribing or revoking the browser permission. Storage until withdrawal or account deletion.
11. Embedded third-party services and content
- Map display — OpenStreetMap: When a map is loaded, your browser retrieves map tiles directly from the OpenStreetMap Foundation (United Kingdom, third country); your IP address is transmitted in the process (Art. 6(1)(f) GDPR; transfer based on the EU adequacy decision for the United Kingdom). We do not use Google Maps.
- Fonts: Fonts used are served locally from our own server; no external request is made to Google Fonts or any third party.
- Bot protection — Cloudflare Turnstile: For security-sensitive functions (e.g. "forgot password") a Turnstile token is processed; no cookies are set and no personal data is transmitted to Cloudflare (Art. 6(1)(f) GDPR).
12. Internal analytics and consent records
Internal analytics / profiling: From booking and usage data we derive metrics (e.g. visit frequency, customer retention, lifetime value, demographics by postcode/age) for internal business management (Art. 6(1)(f) GDPR). You may object to this processing at any time on grounds relating to your particular situation (Art. 21(1) GDPR). No automated decision-making with legal effect or similarly significant impact (Art. 22 GDPR) takes place. Retention: booking and analytics data are anonymised no later than 12 months after the appointment; internal analytics, re-engagement and log data are anonymised or deleted no later than 24 months.
Consent records: Consents given via our forms (in particular at registration) are logged (purpose, timestamp, version) together with a hash of the email address and IP/browser data in order to fulfil the burden of proof under Art. 7(1) GDPR (Art. 6(1)(f) GDPR). IP, browser and email-hash data are removed as soon as they are no longer required for evidential purposes (typically after 12 months); the purely anonymous consent record is retained for evidential purposes. For consent-based processing (push notifications, profile photo), the consent record is retained in full until you withdraw your consent.
13. Your rights
You have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection (Art. 21 GDPR). You may withdraw any consent given at any time with effect for the future (Art. 7(3) GDPR) without affecting the lawfulness of processing carried out prior to withdrawal. To exercise your rights, please contact datenschutz@aproposhaare.de.
14. Deletion of data
Data is deleted as soon as it is no longer required for its purpose and no statutory retention obligations preclude deletion; otherwise its processing is restricted to the retention purpose. Statutory retention periods: 6 years under § 257 HGB (German Commercial Code) or 10 years under § 147 AO (German Fiscal Code) (Art. 6(1)(c) GDPR). Data protection requests are retained for 36 months and then deleted. Automated deletion runs daily; only personal data fields are removed — anonymised records are retained for internal statistics.
15. Right to object and right to lodge a complaint
You may object to the future processing of your data at any time, in particular to processing for direct marketing purposes. You also have the right to lodge a complaint with a supervisory authority, in particular with the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (www.baden-wuerttemberg.datenschutz.de).
16. Currency and amendments
Last updated: 23 June 2026 (Version 2). We update this policy when our data processing practices or the legal framework change. Where consent is required or contractual provisions are affected, amendments will be made only with your agreement.