πŸ”’ Privacy Policy and Cookie Storage Policy

ℹ️ This is an English translation provided for convenience. The legally binding version of this Privacy Policy is the Polish one, available at gabinetonline.com.pl/polityka-prywatnosci.html. In the event of any discrepancy between the language versions, the Polish version prevails.
Table of contents

I General provisions

  1. This Privacy Policy of the GabinetOnline Application (hereinafter: the "Application" or "Platform") is informational in nature and sets out the rules for processing personal data by the Controller.
  2. The controller of personal data processed in connection with the use of the Application's website is Rybczak i WspΓ³lnicy Sp. z o.o., with its registered office in Jankowice (44-264) at ul. Przyjemna 4, entered in the register of entrepreneurs kept by the District Court in Gliwice, 10th Commercial Division of the National Court Register under number KRS 0000361541, VAT ID (NIP) 642-318-72-10, Regon 243640719, share capital: PLN 17,500.00, email address: biuro@gabinetonline.com.pl, hereinafter referred to as the "Controller".
  3. GabinetOnline is a SaaS platform (software as a service) intended for hair, beauty and cosmetics salons (hereinafter: "Platform Clients"). With regard to the personal data of end clients of salons, the Controller acts as a processor – details in section IV.
  4. Personal data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), the Personal Data Protection Act of 10 May 2018 and other applicable legal provisions.
  5. The Controller processes data in accordance with the principles of minimisation, purpose limitation, storage limitation, integrity and confidentiality.
  6. For matters concerning personal data protection you can get in touch at: biuro@gabinetonline.com.pl.

II Visitor status and type of data

  1. A Visitor is any person browsing the Application's websites at gabinetonline.com.pl.
  2. While browsing the Application's websites, data concerning the Visitor is collected automatically, in particular: IP address, domain name, browser type, operating system type. This data may be collected via Cookies.
  3. The Controller processes anonymised operational data for statistical and administrative purposes. This data is aggregate and anonymous, i.e. it does not contain features identifying individuals.
  4. A User is a person who has an account in the Application (a salon owner or employee). Data processed within the account includes: first and last name, email address, phone number, company name, billing data.

III Purpose and legal bases of processing

The Controller processes the personal data of Visitors and Users for the following purposes:

  1. Concluding and performing the service agreement, including enabling use of the Platform (Art. 6(1)(b) GDPR).
  2. Handling the user account and contact regarding the service (Art. 6(1)(b) GDPR).
  3. Issuing invoices and settlements (Art. 6(1)(c) GDPR – legal obligation).
  4. Archiving and securing information in case of a legal need to demonstrate facts (Art. 6(1)(f) GDPR – legitimate interest).
  5. Establishing, pursuing or defending against claims (Art. 6(1)(f) GDPR).
  6. Surveying Client satisfaction and improving service quality (Art. 6(1)(f) GDPR).
  7. Sending commercial and marketing information – only with separate consent (Art. 6(1)(a) GDPR).

IV GabinetOnline as a processor of salon data

  1. With regard to the personal data of salons' end clients (people booked for visits, stored in the salon's client database), GabinetOnline acts as a processor within the meaning of Art. 28 GDPR. The controller of this data remains the salon (Platform Client).
  2. Processing takes place solely on the documented instructions of the Platform Client, for the purpose of providing the Application's functionality (managing the calendar, clients, services, SMS/email communication, reports).
  3. The basis for processing is the personal data processing entrustment agreement concluded between GabinetOnline and each Platform Client. The agreement regulates, among other things, the scope, purpose and time of data processing and security obligations.
  4. GabinetOnline does not process salon clients' data for its own marketing purposes and does not share it with third parties except in the cases indicated in this Policy.
  5. The salon, as data controller, is obliged to have an appropriate legal basis for processing its clients' data and to fulfil the information obligation towards them under Art. 13–14 GDPR.

V AI Assistant – data processing

The Application includes a built-in AI Assistant based on an external language model (LLM). This section explains how data is processed within this feature.
  1. What is sent to the AI model: Content entered by the user in the AI Assistant chat window may contain personal data (e.g. client names, phone numbers, visit information). This data is transferred to the external language-model provider solely to generate the assistant's response.
  2. AI model provider: The Application uses the API of Anthropic PBC (Claude) and OpenAI (GPT). Data is processed by these providers as sub-processors on the basis of concluded agreements (DPAs). Details in sections VIII and IX.
  3. Data minimisation: Only the information necessary to provide a response is passed to the AI model. The system does not send passwords, payment data or special categories of data (Art. 9 GDPR).
  4. Conversation history: The content of conversations with the AI Assistant is stored in the Platform's database on a server in Poland and may be analysed by an internal supervision system (AI Supervisor) to improve the quality of the assistant's responses. Only authorised Controller staff have access to the history.
  5. Legal basis: Data processing within the AI Assistant takes place on the basis of Art. 6(1)(b) GDPR (performance of the agreement) and Art. 6(1)(f) GDPR (legitimate interest consisting in improving the service).
  6. How to disable it: Use of the AI Assistant is voluntary. The user may choose not to use the assistant chat window – this does not affect access to the other functions of the Application.

VI Google Calendar integration

The Application offers an optional integration with the Google Calendar service, enabling the synchronisation of visits to a salon employee's private Google calendar. The integration is voluntary and activated only after the employee knowingly connects their Google account.
  1. What data is transferred: Once the calendar is connected, in order to synchronise the work schedule, information about the visits handled by a given employee is transferred to the Google Calendar service: the date, start time and duration of the visit and the name of the service. Optionally – only if the salon owner has enabled this option in the settings (disabled by default) – the client's first and last name is also transferred.
  2. What we do not transfer: Phone numbers, email addresses, payment data and other client data beyond those listed above are not transferred to Google.
  3. Scope of access: The Application uses the Google calendar.events permission, which only allows creating, updating and deleting events corresponding to visits in the connected user's calendar. The Application does not read other events from the user's calendar and does not manage calendar lists.
  4. Legal basis: Processing within the integration takes place on the basis of the employee's consent (Art. 6(1)(a) GDPR) given when connecting the calendar and for the purpose of performing the service agreement (Art. 6(1)(b) GDPR).
  5. Transfer outside the EEA: The controller of the Google Calendar service is Google Ireland Ltd., and data may also be processed by Google LLC on servers in the United States, outside the European Economic Area – details in sections IX and X.
  6. Consent and its withdrawal: Connecting the calendar requires the employee's informed consent, recorded together with the date and IP address. The user may disconnect the calendar at any time in their profile settings – from that moment new visits are no longer sent to Google. Events created earlier remain in the user's Google calendar and may be deleted by them manually.
  7. Compliance with Google policies: The use of information received from Google API interfaces complies with the Google API Services User Data Policy, including the Limited Use requirements. Data obtained from Google Calendar is used solely to provide the described visit-synchronisation function and is not used for other purposes.
  8. How to disable it: Use of the integration is voluntary. The employee may choose not to connect the calendar at all – this does not affect access to the other functions of the Application.

VII Voluntary provision of data

  1. Providing data is voluntary, but may prove necessary to conclude the agreement and use the Platform (e.g. an email address to create an account).
  2. Failure to provide the data required for registration will make it impossible to use the Application.
  3. Providing data in order to receive commercial information is entirely voluntary and may be withdrawn at any time.

VIII Transfer of personal data

  1. The Controller may transfer personal data to the following categories of entities:
  2. Data is not sold or shared with third parties for marketing purposes without the consent of the data subject.

IX Sub-processors and third parties

GabinetOnline uses the services of the following sub-processors, to which it may entrust personal data:

Entity Role / service Location Transfer safeguards
Hosting (application server)
OVH Sp. z o.o.
Server infrastructure, database Poland / EEA No transfer outside the EEA
Anthropic PBC Claude language model (AI Assistant) USA DPA + Standard Contractual Clauses (SCCs)
OpenAI LLC GPT model (AI Assistant – auxiliary queries) USA DPA + Standard Contractual Clauses (SCCs)
Google Ireland Ltd. / Google LLC Google Calendar – synchronising visits to the employee's calendar (optional, after connecting the account) Ireland / USA EU-U.S. Data Privacy Framework
SMS operator - JustSend Sending SMS messages to salon clients Poland No transfer outside the EEA

The Controller obliges sub-processors to process data solely in accordance with instructions and for the purposes of providing the specified service, applying appropriate security measures.

X Transfer of data outside the European Economic Area

  1. In connection with the use of the services of Anthropic PBC and OpenAI LLC, the content of conversations with the AI Assistant may be transferred to the United States.
  2. The transfer of data to the USA takes place on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission, which constitute an appropriate safeguard within the meaning of Art. 46 GDPR.
  3. The DPAs (Data Processing Addenda) concluded with Anthropic and OpenAI regulate the scope, purpose and conditions of data processing and oblige the providers to delete it after the agreement ends.
  4. If the optional Google Calendar integration (section VI) is used, visit data may be transferred to Google LLC in the United States. The basis for the transfer is Google LLC's participation in the EU-U.S. Data Privacy Framework, recognised by the European Commission as ensuring an adequate level of data protection within the meaning of Art. 45 GDPR.
  5. The User has the right to obtain a copy of the safeguards applied – for this purpose please get in touch at biuro@gabinetonline.com.pl.

XI Data retention period

Data category Retention period
User account data (salon owner/employee) For the duration of the agreement + 3 years after it ends (claims)
Billing data and invoices 5 years from the end of the tax year (legal obligation)
Salon clients' data (client database) Until deleted by the salon or termination of the agreement with the salon
AI Assistant conversation history 12 months from the date of the conversation, then automatic deletion
Google Calendar connection data (access tokens, status, consent) Until the calendar is disconnected by the employee or the agreement is terminated; tokens are stored in encrypted form
System and security logs 90 days
Statistical data (anonymised) Indefinitely (no possibility of identifying an individual)
Data processed on the basis of consent Until consent is withdrawn

XII Rights of the data subject

  1. Every person whose data is processed by the Controller has the following rights:
  2. To exercise the above rights, please contact the Controller: in writing to the registered address or by email at biuro@gabinetonline.com.pl.
  3. The Controller examines requests without undue delay, no later than within 30 days. In exceptional cases the deadline may be extended by a further 60 days, of which the Controller will inform the applicant.
  4. Salon clients (people who are clients of a salon using GabinetOnline) should first direct their requests to the salon as the controller of their data. GabinetOnline, as a processor, will promptly forward such a request to the relevant salon.

XIII Cookie Policy

  1. Cookies are IT data, in particular text files, stored on the Visitor's end device and intended for use with the Application's websites.
  2. Cookies usually contain the name of the website they come from, the time they are stored on the end device and a unique number. They are safe for the device and have no harmful effect.
  3. Consent to storing Cookies is voluntary. The lack of it may restrict access to some functionalities of the Application.
  4. The Controller uses Cookies for the following purposes:
  5. The Visitor may specify the conditions for using Cookies via their own web browser settings or the consent management panel available on the Application's website.
  6. Restricting or disabling Cookies may affect the operation of some functions of the Application, in particular make it impossible to log in.

XIV Cookies used

The Application uses two main types of cookies: session cookies (temporary, deleted when the browser is closed) and persistent cookies (stored for a specified time or until deleted by the user).

Name Type Expiry time Purpose
PHPSESSID Session Until the browser is closed Native PHP file – maintaining the user session, authentication.
cookies-accepted Persistent 1 year Remembering the decision to accept or reject the cookie policy.

Detailed information on managing cookies in popular browsers:

XV Data security

  1. The Controller applies appropriate technical and organisational measures to protect the processed personal data against unauthorised access, loss, destruction or disclosure, in particular:
  2. Any changes to the Application's code that could affect data processing are subject to an internal verification and approval process before deployment to the production environment.
  3. In the event of a personal data breach, the Controller will promptly take action in accordance with Art. 33–34 GDPR, including, where necessary, notifying the President of the Personal Data Protection Office and the data subjects.

XVI Final provisions

  1. This Privacy Policy is governed by Polish substantive and procedural law.
  2. The Controller reserves the right to make changes to this Privacy Policy. Users will be informed of significant changes at least 14 days in advance by email or by a notification in the Application.
  3. The date of the last update of this Policy: May 2026.
  4. For any matters concerning personal data protection, please get in touch: biuro@gabinetonline.com.pl.
← Back to the home page