Privacy Policy

Last updated: July 4, 2026

Your privacy matters to us. This Privacy Policy describes how we collect, use, and protect your personal data when you use Kairoo.

Data Controller

The data controller for your personal data is Kairoo, contactable via the contact form available on the platform (on the homepage or in the application sidebar). Data processing is carried out in accordance with Regulation (EU) 2016/679 (GDPR) and applicable national legislation. Full identification of the data controller is available upon request through the contact form.

1. Information We Collect

We collect information you provide directly, namely when you create an account, configure an establishment, create or receive an appointment, or communicate with us. Data categories include: name, email address, phone number (optional), appointment history, and configuration preferences.

When you use Google Sign-In, we receive your name, email address, and profile picture from Google, in accordance with the permissions you grant.

We use essential cookies to operate the Service and, with your consent, analytics cookies (Google Analytics 4) to improve the platform. You can manage your cookie preferences at any time through the settings panel in the Service or by consulting our Cookie Policy.

2. Legal Basis for Processing

We process your personal data on the following legal bases under Article 6 of the GDPR:

  • Performance of a contract (Art. 6(1)(b)): processing necessary to provide the Service, manage accounts, appointments, and related communications.
  • Legitimate interest (Art. 6(1)(f)): improving the Service, fraud prevention, and platform security.
  • Consent (Art. 6(1)(a)): analytics cookies. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.
  • Legal obligation (Art. 6(1)(c)): compliance with applicable legal obligations, including tax requirements.

3. How We Use Your Information

We use the information collected to:

  • Provide, operate, and maintain the Service;
  • Process and manage appointments and accounts;
  • Send transactional communications (appointment confirmations, reminders, system notifications);
  • Improve and personalise the platform experience;
  • Prevent fraud and ensure the security of the Service.

4. Sharing of Information and Sub-processors

Your data (name, email, and appointment details) is shared with the establishment where you book an appointment, to enable the delivery of the service. The establishment owner is responsible for the appropriate handling of such data. We do not sell or share personal data with third parties for commercial or advertising purposes.

Kairoo uses the following sub-processors to deliver the Service:

  • Google Firebase (Google LLC) — database, authentication, and hosting.
  • Stripe, Inc. — payment processing and subscription management.
  • Resend Inc. — transactional email delivery.
  • Google Analytics 4 (Google LLC) — aggregated and anonymous usage analysis, only with your consent.

5. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected:

  • Account and establishment data: retained while the account is active and for 30 days after cancellation, after which it is permanently deleted.
  • Appointment data: the most recent appointment for each client is retained while the account is active; all previous appointments are automatically deleted 8 days after the appointment date.
  • Billing data: retained for the period required by Portuguese tax law (10 years).
  • Consent records (Terms acceptance, cookie preferences): retained for 5 years after the end of the contractual relationship.

6. Security

We adopt appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction. No electronic transmission or storage system is completely secure. In the event of a data breach affecting your rights, we will notify the relevant authorities and, where applicable, affected users, within the timeframes required by the GDPR.

7. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Access: obtain confirmation that your data is being processed and receive a copy.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request the deletion of your data ("right to be forgotten"), in cases provided for by law.
  • Restriction: request suspension of processing in certain circumstances.
  • Portability: receive your data in a structured format and transfer it to another controller.
  • Objection: object to processing based on legitimate interest or for direct marketing purposes.
  • Withdrawal of consent: withdraw consent at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, please use the contact form available on the platform. We will respond within 30 days. You also have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD) at www.cnpd.pt.

Contact

For questions about this Privacy Policy, please use the contact form available on our homepage or in the application sidebar.