Privacy Policy

Last updated: May 22, 2026

1. Data Controller

Kristaps Mudurs (hereinafter — "we" or "RINDIQ"), Jelgava, Latvia. Contact email: [email protected].

We are the data controller with respect to platform users' data (business owners and staff members). With respect to business clients' data, we act as a data processor — your business is the data controller.

2. What Data We Collect

2.1. Business Owners and Staff Members

  • First name, last name, email address
  • Password (stored only as a bcrypt hash)
  • Google account ID (if using Google authentication)
  • Business information: name, address, phone number, logo
  • Login times and IP addresses (for system security)

2.2. Business Clients

  • First name, email address, phone number
  • Booking history
  • Reliability score (visit statistics)
  • Client notes (entered by business staff members)

3. Purposes & Legal Basis for Processing

Purpose                                  Legal Basis
Account creation and management          Contract performance
Booking processing                       Contract performance
Reminder and notification emails         Legitimate interests
Analytics for business owners            Legitimate interests
Security monitoring (login, audit)       Legitimate interests
Client win-back emails                   Consent

4. Data Storage & Security

  • All data is securely stored within the EU (Garmtech, Latvia)
  • Passwords are hashed with bcrypt (never stored in plain text)
  • All data transmission occurs over secure HTTPS/TLS connections
  • Access to data is strictly limited by role (administrator, staff member, client)
  • Each business can only see its own data (complete data isolation)

5. Data Retention

  • Account data: while the account is active, plus 90 days after deletion
  • Booking history: while the business account is active
  • Audit log records: 2 years
  • Login logs: 90 days

6. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

  • Access — request information about your processed data
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Restriction — request restriction of data processing
  • Portability — receive your data in a structured, machine-readable format (CSV export)
  • Objection — object to certain types of data processing
  • Withdraw consent — withdraw consent at any time (e.g., opt out of reminder emails). Withdrawal does not affect the lawfulness of processing carried out before withdrawal
  • Lodge a complaint — file a complaint with the supervisory authority. In Latvia this is the Data State Inspectorate (Datu valsts inspekcija, Elijas iela 17, Riga LV-1050, email: [email protected]). You may also lodge a complaint with the supervisory authority in your country of residence

To exercise your rights, please contact us: [email protected]. We will respond within 30 days.

7. Cookies

We only use functionally necessary cookies to ensure the platform operates correctly:

  • session — maintains a secure login session for businesses and staff members
  • client_session — maintains a secure client session (e.g., when logging in with Google)
  • admin_location_id — remembers your selected active location
  • lang — remembers your selected interface language (LV or EN)
  • rindiq_lr_* — fraud-prevention cookie (scoped per business, one cookie per business). Set only when your reliability rating at that business is below the threshold and the business has enabled the prepayment requirement. Purpose: prevent threshold evasion by switching email addresses on the same device. The cookie contains a cryptographically signed token with the email address that triggered the requirement and expires after 30 days or once a successful prepayment is completed. Legal basis: legitimate interest (GDPR Art. 6(1)(f)) — prevention of fraud and financial loss to the business
  • Cloudflare Turnstile — sign-up forms use Cloudflare's security check (a CAPTCHA alternative), which may set short-lived cookies for bot protection. These cookies are strictly necessary for security and are not used for tracking

We do not use analytics or marketing cookies. No third-party tracking tools are embedded in the platform.

8. Third-Party Services

  • Resend (email delivery) — data processor
  • Google OAuth (login) — used for authentication only (profile email and name)
  • Stripe (payment processing) — direct connection between the business and Stripe; all client payments are held in the business's own Stripe account, not in a RINDIQ account; we do not store card data and we are not a contractual party to the transaction between the client and the business
  • Twilio Inc. (USA) — SMS reminder delivery. We send only the phone number, business name, and appointment time. The message log is retained for 12 months. SMS and email reminder consent is unified — you can opt out at any time by contacting the business or following the link in the email
  • Garmtech (hosting) — servers located in Latvia, EU, fully GDPR compliant

9. International Data Transfers

Most data processing takes place within the European Union (Garmtech servers in Latvia). However, some sub-processors (Resend, Stripe, Google, Twilio) are located in or process data outside the European Economic Area (primarily the United States).

For such transfers, we apply safeguards under Chapter V of the GDPR:

  • European Commission-approved Standard Contractual Clauses (SCCs) with each non-EU sub-processor
  • The EU–U.S. Data Privacy Framework where applicable (e.g., Google LLC is certified)
  • Technical safeguards: TLS encryption in transit, encrypted storage at rest

A complete list of sub-processors and their locations is available in our Data Processing Agreement.

10. Automated Decision-Making (GDPR Article 22)

The platform uses automated processing to calculate a client reliability score — the ratio between attended and missed appointments. This score may affect a client's future booking experience at the specific business.

Logic involved

The score is calculated as: completed appointments divided by total appointments, multiplied by 100. Only late cancellations (less than 24 hours before the appointment, or within the deadline set by the business) and no-shows count as missed appointments. On-time cancellations and business-initiated cancellations do not affect the score.

Possible consequences

If the reliability score falls below the threshold set by the business, the business may:

  • Require mandatory prepayment before confirming a booking
  • Require manual booking approval (a real person decides, not an automated process)
  • Decline the booking (at the business's discretion)
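The score calculation and threshold check described above, carried out in code as an added illustration; this is not part of the policy text and not RINDIQ's own software. The appointment record fields, the "scheduled" status, and the rule that a client with no counted history has no score yet are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Hypothetical appointment record; the field names are this example's own, not RINDIQ's schema.
@dataclass
class Appointment:
    start: datetime
    status: str                          # "completed", "no_show", "cancelled", "scheduled"
    cancelled_at: Optional[datetime] = None
    cancelled_by: Optional[str] = None   # "client" or "business"


def classify(appt: Appointment, late_window: timedelta) -> str:
    """Map one appointment to "completed", "missed" or "excluded" following the policy's rules."""
    if appt.status == "completed":
        return "completed"
    if appt.status == "no_show":
        return "missed"
    if appt.status == "cancelled":
        if appt.cancelled_by == "business":
            return "excluded"            # business-initiated cancellations never count
        if appt.cancelled_at is None:
            raise ValueError("client cancellation without a timestamp")
        deadline = appt.start - late_window
        # "Less than 24 hours before" (or the business's own window): cancelled after the deadline.
        return "missed" if appt.cancelled_at > deadline else "excluded"
    return "excluded"                    # still scheduled or unknown: no outcome yet (assumption)


def reliability_score(appts: Iterable[Appointment],
                      late_window: timedelta = timedelta(hours=24)) -> Optional[float]:
    """completed / (completed + missed) * 100; on-time and business cancellations are left out."""
    completed = counted = 0
    for appt in appts:
        outcome = classify(appt, late_window)
        if outcome == "excluded":
            continue
        counted += 1
        if outcome == "completed":
            completed += 1
    if counted == 0:
        return None                      # no counted history yet, so no score (assumption)
    return round(100 * completed / counted, 1)


def below_threshold(score: Optional[float], threshold: float) -> bool:
    """True when the business's threshold applies; a client without a score is not flagged."""
    return score is not None and score < threshold


# Constructed sample history for one client at one business.
T0 = datetime(2026, 3, 2, 10, 0)
SAMPLE = [
    Appointment(T0, "completed"),
    Appointment(T0 + timedelta(days=1), "completed"),
    Appointment(T0 + timedelta(days=2), "no_show"),
    # cancelled 2 hours before: late, counts as missed
    Appointment(T0 + timedelta(days=3), "cancelled",
                cancelled_at=T0 + timedelta(days=3, hours=-2), cancelled_by="client"),
    # cancelled 5 days before: on time under the 24-hour default, excluded
    Appointment(T0 + timedelta(days=10), "cancelled",
                cancelled_at=T0 + timedelta(days=5), cancelled_by="client"),
    # cancelled by the business: excluded
    Appointment(T0 + timedelta(days=11), "cancelled",
                cancelled_at=T0 + timedelta(days=11, hours=-1), cancelled_by="business"),
    Appointment(T0 + timedelta(days=30), "scheduled"),
]

if __name__ == "__main__":
    score = reliability_score(SAMPLE)
    print("score (24h window):", score)                       # 50.0
    print("score (7-day window):", reliability_score(SAMPLE, timedelta(days=7)))  # 40.0
    print("prepayment required at threshold 60:", below_threshold(score, 60))
```

With the default 24-hour window, four appointments are counted (two completed, one no-show, one late cancellation) and the score is 50.0; a business that sets a 7-day cancellation deadline turns the 5-days-before cancellation into a late one, lowering the score to 40.0.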

Your rights

You have the following rights under Article 22(3) of the GDPR:

  • Request human intervention (contact the business directly — manual approval is itself a human-intervention mechanism)
  • Express your point of view and contest the decision
  • Request an explanation of how the specific decision was reached

The reliability score is not visible to the client, affects only the experience at the specific business, and does not involve cross-business profiling. Each business can enable or disable the feature independently.

11. Source of Personal Data (GDPR Article 14)

We primarily receive client personal data directly from the client (when the client makes a booking through the public booking page).

In some cases, however, client personal data may enter our system from the business (rather than from the client directly), for example:

  • Manual bookings created by business staff on behalf of a client (e.g., phone bookings)
  • Client list imports from CSV (when the business migrates from another booking tool or a paper notebook)
  • Client notes added by business staff to a client profile

In such cases, the business (as the data controller) is responsible for the existence of a legal basis and for informing the data subject. RINDIQ, as data processor, relies on the business's representation that it is entitled to provide the data for processing.

12. Data Breach Notification

In the event of a personal data breach, we commit to:

  • Notify the affected business (data controller) without undue delay and no later than 72 hours after becoming aware of the breach (GDPR Article 33)
  • Provide the business with all information needed to assess the breach and to file a notification with the Data State Inspectorate
  • In high-risk cases, support direct notification to data subjects (GDPR Article 34)
  • Take the necessary steps to mitigate the breach and limit its impact

13. Data Protection Officer (DPO)

Given the scale and nature of our service (we do not process special categories of personal data within the meaning of Article 9 of the GDPR, and we do not carry out large-scale systematic monitoring), we have not formally appointed a Data Protection Officer under Article 37 of the GDPR.

All data protection, data subject rights, and GDPR compliance matters are personally handled by:

Kristaps Mudurs — RINDIQ data controller
Email: [email protected]

14. Marketing and Communications

  • Booking confirmations and reminders (transactional emails) — sent on a contractual / legitimate interest basis; you can opt out by contacting the business
  • Win-back emails — sent only if the client has consented to reminders. Every message contains a clear unsubscribe link
  • Platform announcements to businesses (system updates, new features) — sent on a legitimate interest basis as part of the business relationship
  • We do not send marketing emails on behalf of third parties, and we do not sell your contact data

15. Contact Information

If you have questions about how we process your personal data, please contact us:

Email: [email protected]