1. Introduction
This Privacy Policy describes how WezBook (hereinafter "WezBook", "we", "our") collects, uses, stores and protects the personal data of users of the WezBook platform, in accordance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and the amended French Data Protection Act of January 6, 1978.
2. Data Controller
The data controller is:
- Company name: WezBook
- Registered office: [TO BE COMPLETED]
- SIRET: [TO BE COMPLETED]
- DPO / personal data contact email: dpo@wezbook.com
3. Data Collected
3.1 Data provided directly by the User
| Data | Purpose | Legal basis |
|---|---|---|
| First name, Last name | Identification, personalization | Contract performance |
| Email address | Authentication, communications | Contract performance |
| Password (BCrypt hashed) | Authentication | Contract performance |
| Phone number | Verification, appointment reminders | Contract performance |
| Reviews and comments | Rating system | Legitimate interest |
3.2 Professionals' data
| Data | Purpose | Legal basis |
|---|---|---|
| Salon name, address | Listing, geolocation | Contract performance |
| Salon contact info (email, phone) | Communication, management | Contract performance |
| Employee information (names, schedules) | Appointment management | Contract performance |
| Service catalog and prices | Platform operation | Contract performance |
3.3 Automatically collected data
| Data | Purpose | Legal basis |
|---|---|---|
| IP address | Security, fraud prevention | Legitimate interest |
| User-Agent (browser, device) | Technical compatibility | Legitimate interest |
| Date and time of connection | Security, audit | Legitimate interest |
| Firebase identifier (UID) | Authentication | Contract performance |
3.4 Data relating to End Customers (processed on behalf of the Professional)
When a Professional registers End Customers (including temporary customers), the following data is processed:
| Data | Purpose |
|---|---|
| First name, Last name | Customer identification |
| Phone number | SMS reminders, communications, confirmations |
| Appointment history | Follow-up, statistics |
| Notes | Customer preferences (added by Professional) |
Important: For this data, the Professional is the data controller and WezBook acts as a data processor (article 28 of the GDPR).
3.5 Payment and cash register data (WezPay)
WezBook does not store sensitive banking data (card numbers, CVV, IBAN). Card payments are processed by our PCI-DSS certified providers.
However, the WezPay module (optional add-on; cash register software compliant with art. 286-I-3°bis of the French CGI) records and retains transaction data in accordance with tax obligations:
| Data | Storage | Purpose | Retention period |
|---|---|---|---|
| Transaction amounts | WezBook | Cash register recording (art. 286-I-3°bis of the French CGI) | 6 years (tax obligation) |
| Details of services/products sold | WezBook | Tax traceability | 6 years (tax obligation) |
| Payment method used (type only) | WezBook | Cash register traceability | 6 years (tax obligation) |
| Receipts | WezBook | Compliance art. 286-I-3°bis of the French CGI | 6 years (tax obligation) |
| Cash closures (Z receipts) | WezBook | Tax compliance | 6 years (tax obligation) |
| Refunds and credits | WezBook | Tax traceability | 6 years (tax obligation) |
| Stripe customer identifier | WezBook | Link to payment account | Subscription duration |
| Stripe subscription identifier | WezBook | Subscription management | Subscription duration |
| Provider transaction reference | WezBook | Reconciliation with provider | 6 years |
| Banking data (card, IBAN) | Stripe/SumUp only | Payment processing | According to provider |
Important: Cash register data recorded via WezPay is unalterable in accordance with the requirements of article 286-I-3°bis of the French CGI. It cannot be modified or deleted, including in the context of exercising the right to erasure (see section 9).
4. Processing Purposes
We process your data for the following purposes:
1. Contract performance:
- Account management and authentication
- Provision of booking and salon management services
- Operation of the WezPay module (transaction recording, receipt issuance, cash closures)
- Subscription and billing management
2. Legitimate interest:
- Platform security (fraud prevention, intrusion detection)
- Service improvement and usage analysis
- Customer support
- Management of reviews and ratings
3. Consent:
- Marketing communications by email and SMS
- Non-essential cookies (where applicable)
4. Legal obligation:
- Retention of billing data
- Retention of cash register data for 6 years (article L.102 B of the Book of Tax Procedures)
- Unalterability of cash register data (article 286, I, 3° bis of the French General Tax Code)
- Response to judicial requisitions
5. Sharing Data with Third Parties
We share your data with the following providers, all located in countries ensuring an adequate level of protection or framed by appropriate safeguards:
| Provider | Role | Data shared | Location |
|---|---|---|---|
| Firebase (Google) | Authentication | Email, name, UID | USA (Standard Contractual Clauses) |
| Stripe | Payments and subscriptions | Customer identifiers, payment data | USA (Standard Contractual Clauses) |
| Twilio | SMS sending | Phone numbers, SMS content | USA (Standard Contractual Clauses) |
| Resend | Email sending | Email addresses, email content | USA (Standard Contractual Clauses) |
| SumUp | Payment terminal payments | Transaction references | Europe (Ireland) |
| Amazon Web Services (AWS) | Hosting, storage | All data (encrypted) | Europe (Ireland / Frankfurt) |
| Google Places | Salon geolocation | Addresses, GPS coordinates | USA (Standard Contractual Clauses) |
We never sell your personal data to third parties. We do not share your data for advertising purposes.
6. International Transfers
Some of our providers are located in the United States. Data transfers outside the EU are framed by:
- The Standard Contractual Clauses (SCC) approved by the European Commission
- The EU-US Data Privacy Framework (DPF), where applicable
7. Retention Period
| Type of data | Retention period |
|---|---|
| Account data (active user) | Duration of Account life |
| Account data (after deletion) | 30 days then final deletion |
| Billing data | 10 years (legal accounting obligation) |
| WezPay cash register data (transactions, receipts, closures, refunds) | Minimum 6 years (tax obligation — article L.102 B of the LPF) |
| WezPay tax archives | Minimum 6 years (unalterable, art. 286-I-3°bis of the French CGI) |
| Connection logs | 12 months |
| Stripe events (webhooks) | 180 days |
| Appointment history | Duration of contractual relationship with the Professional, then 1 year after the end of the relationship |
| Reviews and ratings | Duration of publication on the Platform, deleted 1 year after Account deletion |
| Temporary customer data | Duration of relationship with the Professional, then 1 year after last appointment |
| Data after termination (excluding cash register data) | 30 days (reversibility period) then deletion |
8. Data Security
We implement the following technical and organizational measures:
- Encryption: Communications encrypted in transit (TLS/HTTPS). Sensitive data encrypted at rest (AWS)
- Password hashing: BCrypt algorithm
- Authentication: Firebase Authentication with JWT tokens
- Access control: Role system (user, employee, admin)
- Input validation: Sanitization and validation of all incoming data
- Rate limiting: Protection against brute force attacks
- Webhook verification: Verification of webhook signatures (Stripe, Twilio, Resend)
- Logging: Audit trail of sensitive actions
- Data separation: Multi-tenant architecture with data isolation per salon
9. Your Rights
In accordance with the GDPR, you have the following rights:
| Right | Description | How to exercise |
|---|---|---|
| Right of access | Obtain a copy of your personal data | Email to DPO |
| Right to rectification | Correct inaccurate or incomplete data | Via your Account or email to DPO |
| Right to erasure | Request deletion of your data (except cash register data subject to legal retention obligation — see below) | Email to DPO |
| Right to portability | Receive your data in a structured format (JSON, CSV) | Email to DPO |
| Right to object | Object to the processing of your data | Email to DPO |
| Right to restriction | Request restriction of processing | Email to DPO |
| Right to withdraw consent | Withdraw your consent at any time | Via your Account, unsubscribe link, or email to DPO |
How to exercise your rights
- By email: dpo@wezbook.com
- By mail: [TO BE COMPLETED - Postal address]
We will respond to your request within 1 month of receipt (article 12.3 of the GDPR). This period may be extended by 2 months for complex requests, provided we inform you within one month of receipt.
We may ask you to justify your identity to process your request.
Limitation of the right to erasure — Cash register data (WezPay)
In accordance with article 17.3(b) of the GDPR, the right to erasure does not apply to cash register data recorded via the WezPay module. This data is subject to a legal retention obligation of 6 years (article L.102 B of the Book of Tax Procedures) and an unalterability obligation (article 286, I, 3° bis of the CGI). It cannot be modified or deleted before the expiration of the legal period.
Complaint to the CNIL
If you believe your rights are not respected, you may file a complaint with the French Data Protection Authority (CNIL):
- Website: https://www.cnil.fr
- Address: CNIL, 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
11. Marketing Communications
11.1 Consent
We only send marketing communications by email with your prior consent.
11.2 Unsubscription
You may unsubscribe at any time:
- Via the unsubscribe link present in each marketing email
- Via the settings of your Account
- By contacting our DPO
Unsubscription from marketing communications does not affect transactional emails (appointment confirmations, invoices, security notifications).
12. Data of Minors
The Platform is not intended for children under 16. We do not knowingly collect personal data from minors under 16. If we discover that data from a minor under 16 has been collected without legal guardian consent, we will delete it as soon as possible.
13. Sub-processing (Professionals)
In the context of Platform use by Professionals, WezBook acts as a data processor within the meaning of article 28 of the GDPR for end customer data of the Professional.
The Professional, as data controller, undertakes to:
- Inform their end customers of the processing of their data
- Obtain necessary consent where applicable
- Respect the rights of data subjects
- Comply with applicable regulations
A Data Processing Agreement (DPA) is available upon request.
14. Notification of Data Breach
In case of personal data breach likely to cause a risk to your rights and freedoms, we commit to:
- Notify the CNIL within 72 hours of becoming aware of the breach (article 33 of the GDPR)
- Inform you without undue delay if the breach is likely to result in a high risk to your rights and freedoms (article 34 of the GDPR)
15. Modifications to the Policy
We reserve the right to modify this Privacy Policy. In case of substantial modification, we will inform you by email or via a notification on the Platform, at least 15 days before modifications take effect.
16. Contact
For any question regarding the protection of your personal data:
- Email: contact@wezbook.com
- Mail: [TO BE COMPLETED - Postal address]
- DPO: dpo@wezbook.com
WezBook is committed to protecting your personal data and respecting your privacy.