Privacy Policy

Last updated: 27 February 2026

Data Protection at a Glance

The following notices provide a simple overview of what happens to your personal data when you visit this website. Personal data is any data with which you could be personally identified. Detailed information on data protection can be found in our full privacy policy below.

Controller

The controller responsible for data processing on this website is a private individual operating Tiapla as a non-commercial project. Contact:

A controller is a natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.

Server Log Files

The website hosting provider automatically collects and stores, in server log files, information that your browser transmits automatically. This includes: browser type and version, operating system, referrer URL, hostname of the accessing device, date and time of the request, and IP address.

This data is not merged with other data sources. The legal basis for this processing is Art. 6(1)(f) GDPR (legitimate interest in the technically secure and error-free operation of the website).

Fonts

This website uses the "Inter" typeface, which is served directly from our own server. No connection to external font services (such as Google Fonts) is established. No personal data is transmitted to third parties for font delivery.

Cookies and Local Storage

This website does not use cookies. No cookies are placed on your device.

To remember your chosen language, we store a single entry in your browser's local storage under the key tiapla_lang. Local storage is a browser-based mechanism that stores data exclusively on your device and never transmits it to any server. It is used solely for this technical purpose and does not enable any tracking or profiling. You can clear it at any time via your browser settings.

Tiapla Booking Platform

When you use the Tiapla booking service – via the embeddable widget or the console at console.tiapla.de – personal data you enter (such as name, email address, phone number, and appointment details) is collected and stored for the purpose of providing the booking functionality.

This processing is based on Art. 6(1)(b) GDPR (performance of a contract or pre-contractual steps at your request). Data is retained only as long as necessary to fulfil the appointment purpose and any applicable legal retention obligations.

Service Providers (Sub-processors)

To deliver the Tiapla service, we engage the following sub-processors. A Data Processing Agreement (Art. 28 GDPR) has been concluded with each. Optional integrations (calendar sync, SMS) are only activated if a business explicitly enables them.

  • Amazon Web Services EMEA SARL, Luxembourg – Cloud infrastructure for all Tiapla data (servers, database, storage). Data center: Frankfurt, Germany (eu-central-1). Transfer basis: AWS GDPR Data Processing Addendum.
  • Google LLC, USA – Google Calendar API, used when a business user connects their Google Calendar to prevent double-bookings. Data transmitted: calendar availability data and OAuth tokens. Transfer basis: Google Cloud DPA with EU Standard Contractual Clauses (Art. 46(2)(c) GDPR).
  • Microsoft Ireland Operations Ltd, Ireland – Microsoft 365 / Outlook Calendar API, used when a business user connects their Outlook calendar to prevent double-bookings. Data transmitted: calendar availability data and OAuth tokens. Transfer basis: Microsoft Online Services DPA.
  • seven.io GmbH, Germany – SMS gateway for appointment confirmations and reminders, used only when a business has enabled SMS notifications. Data transmitted: customer phone number and appointment details. Legal basis: Art. 6(1)(b) GDPR.
  • STRATO AG, Germany – Transactional email delivery for booking confirmations, appointment reminders, GDPR verification emails, and system notifications. Data transmitted: recipient email address and appointment details. Location: EU – Berlin, Germany. Transfer basis: STRATO Data Processing Agreement.

Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected, or as required by applicable law. The following retention periods apply:

  • Appointment records (name, email, phone, notes): deleted 30 days after the appointment date.
  • Appointment audit log (including IP addresses logged at booking): deleted 30 days after the appointment date.
  • Blocked-user records: deleted 1 day after being deactivated.
  • Staff and user accounts: deleted when the associated business account is closed.
  • Business accounts: deleted when the account is closed.
  • OAuth tokens (Google Calendar, Outlook): deleted immediately when the calendar sync is disconnected.
  • Server log files: retained for 7 days.

Automated Decision-Making and Profiling

We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR. No decisions with legal or similarly significant effect on you are made solely on the basis of automated processing.

Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access – Art. 15 GDPR
  • Right to rectification – Art. 16 GDPR
  • Right to erasure ("right to be forgotten") – Art. 17 GDPR
  • Right to restriction of processing – Art. 18 GDPR
  • Right to data portability – Art. 20 GDPR
  • Right to object – Art. 21 GDPR

To exercise any of these rights, please contact us at .

Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority with jurisdiction is that of your habitual residence, your place of work, or the place of the alleged infringement.

The supervisory authority responsible for the operator of this service is: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.

www.lda.bayern.de

Data Breach Notification

In the event of a personal data breach, we are required to notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Art. 33 GDPR). If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Art. 34 GDPR).

Data Security

This website uses HTTPS encryption to protect data in transit. An encrypted connection can be recognised by the "https://" prefix and the padlock symbol in your browser's address bar. While HTTPS is active, the data you transmit cannot be read by third parties in transit.

Changes to This Privacy Policy

We reserve the right to update this privacy policy to reflect changes in law or in our services. The current version is always available at this URL. We encourage you to review it periodically.