Privacy
Notice (Beta phase):
During the beta phase, email marketing is disabled. No promotional emails are sent. Only transactional emails are delivered (e.g. account, security and mandatory notices such as password recovery or deletion warnings).
1. Controller (Art. 4(7) GDPR)
Oleksandr Chornous
Drewerstraße 5
59602 Rüthen, Deutschland
Email: sahajaret@gmail.com · Phone: +49 179 2013363
2. Roles: platform vs. businesses
boncard.app is operated as Software-as-a-Service. The platform is controller for operator accounts (business owners). For end-customer data (loyalty card holders) the business itself is the controller and the platform acts as a processor under Art. 28 GDPR. A data processing agreement is concluded with every business.
3. Purposes and legal bases
- Account management for businesses — Art. 6(1)(b) GDPR (contract)
- Loyalty program management — Art. 6(1)(b) GDPR
- Marketing / birthday emails (currently disabled) — Art. 6(1)(a) GDPR (consent) + UWG § 7 (double opt-in)
- IT security and audit logs — Art. 6(1)(f) GDPR (legitimate interest)
4. Processed data
- Business owners (user account): name, email, role, active status, login timestamps
- Session data: for each active login we store the IP address, user agent and an optional device label. The session cookie is valid for up to 30 days; the session record (incl. IP and user agent) is kept for up to ~120 days (30-day validity plus a 90-day grace period) and is then deleted automatically (see §6). This data is used for new-device security warnings (Art. 6(1)(f) GDPR — legitimate interest in account security)
- Business data (barbershop record, captured by owner at registration): company name, address, phone, email, optionally website/logo
- End customers: first name (required), optional last name, phone, email, birthday, notes
- Consents: timestamp, IP, user agent, source (Art. 7(1) proof)
- Loyalty data: card code, status, point transactions, redeemed rewards
- Audit logs: action, actor, timestamp, IP, user agent
Public business profile
For each business, Boncard renders a public profile page (/b/…) showing business data entered by the operator (name, address, phone, contact email, social links, opening hours, description). The operator controls the visibility of each block via settings toggles (visible by default) and can hide any block at any time. Legal basis: Art. 6(1)(b) GDPR (contract performance — the profile page is part of the booked service). The data stays published until the block is hidden or the account is deleted.
5. Subprocessors
- Railway Corp. (USA, US-West/Oregon) — application hosting; transfer based solely on EU Standard Contractual Clauses under Art. 46 GDPR (EU SCC 2021/914, provider DPA)
- MongoDB Atlas (US-West, Oregon) — database hosting; transfer primarily under Art. 45 GDPR (EU-US Data Privacy Framework self-certification), EU SCC 2021/914 as fallback; DPA in place
- Resend, Inc. (USA/AWS) — transactional email delivery; transfer primarily under Art. 45 GDPR (DPF self-certification of 13.03.2025), EU SCC 2021/914 as fallback
- Cloudflare R2 (USA / EU edge) — optional S3-compatible object storage for operator-uploaded images (logos, reward icons, card-design photos). End-customer PII is not stored here. Transfer primarily under Art. 45 GDPR (DPF self-certification), EU SCC 2021/914 as fallback.
6. Retention
- Account data: while the account is active. After termination, a 30-day grace period for restore applies, followed by automatic hard-delete. The deletion log is retained for 3 years as proof (Art. 28(3)(g) GDPR).
- End-customer data: until anonymized by the business or on data-subject withdrawal
- Audit logs: 90 days, then auto-deleted
- Security and proof logs: login attempts 90 days; PII access log (Art. 32 GDPR) 90 days; email delivery proofs 90 days to 3 years by category (marketing 90 days, transactional 1 year, legal notices 3 years); login sessions 30 days (purged 90 days after expiry). The email suppression list (unsubscribes/bounces) is kept permanently to honour your objection.
- Consent tokens: pending double-opt-in tokens 7 days; after confirmation the token is kept for another 90 days, then deleted (the consent proof remains in the customer record)
- Operator card messages: 90 days, deleted by a weekly cleanup cron
7. Cookies
Only strictly necessary cookies (session, locale). No tracking, no profiling, no third-party analytics. § 25(2)(2) TDDDG exemption applies. No cookie banner is required because only strictly necessary cookies are processed.
8. Transfers to third countries
Personal data may be transferred to the USA through our hosting providers. For MongoDB Atlas, Resend and Cloudflare the transfer is primarily based on the EU-US Data Privacy Framework adequacy decision (Art. 45 GDPR), with EU Standard Contractual Clauses (EU SCC 2021/914, Art. 46(2)(c) GDPR) as fallback. For Railway Corp. the transfer is based solely on EU Standard Contractual Clauses under Art. 46(2)(c) GDPR.
9. Data subject rights
You have the rights to access (Art. 15), rectification (Art. 16), erasure / anonymization (Art. 17), restriction (Art. 18), portability (Art. 20), and withdrawal of consent (Art. 7(3)). Business accounts: contact sahajaret@gmail.com. End customers (card holders): please contact your business first — it is the controller of your data; the platform supports it as processor under the DPA.
10. Right to complain
Supervisory authority: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, ldi.nrw.de.
Note on Art. 18 GDPR (restriction of processing): submit requests by email to sahajaret@gmail.com with subject "Art. 18 GDPR Request". We confirm receipt within 7 days and implement the restriction through partial or full anonymization of the affected records in the platform UI.
11. Security measures
TLS 1.2+, bcrypt password hashing (cost ≥ 12), role-based access control, session invalidation on password change, recursive audit-log redaction of sensitive fields, HMAC-verified webhooks, and signed cookies.
12. Automated decisions
No automated decisions in the sense of Art. 22 GDPR are made. Bonus point calculation is rule-based and reversible at any time by the business owner.