Business Privacy Policy
This Privacy Policy describes how EasyWeek GmbH processes personal data about business owners, employees, and other authorised users of the EasyWeek Business platform ("you", "Business User"). For personal data that you, as a business, process about your own clients through EasyWeek, EasyWeek acts as a data processor under our Data Processing Addendum.
Last updated: 15 May 2026
1. Who we are
The controller responsible for the processing of personal data about Business Users described in this Policy is:
EasyWeek GmbH Hördtweg 65, 40470 Düsseldorf, Germany Email: privacy@easyweek.io Data protection contact: dpo@easyweek.io
For matters relating to data we process on your behalf (your customers' data stored in EasyWeek), please see Section 2 below and our Data Processing Addendum.
2. Scope and the controller-processor split
EasyWeek Business is a Software-as-a-Service platform that helps service businesses ("Customers") manage their bookings, clients, staff, finances, and marketing. This split matters for data protection:
- EasyWeek is the controller for personal data about Business Users — the business owners, employees, and authorised users who sign up, log in to, and use EasyWeek Business. This Policy describes that processing.
- EasyWeek is the processor for personal data that Business Users (their Customer) upload to EasyWeek to run their business — for example, end-customer contact details, booking history, notes, photos. That processing is governed by the Data Processing Addendum, where the Customer is the controller.
This Policy covers only the first case. For end-customer data, the Customer's own privacy notice applies.
3. Data we collect about Business Users
| Category | Examples |
|---|---|
| Identification | First and last name, business name, position, profile photo |
| Contact | Email address, phone number, business address, country |
| Account | Username, hashed password, two-factor authentication tokens, login history, IP address, device and browser identifiers |
| Billing | VAT ID, billing address, last 4 digits of payment card, invoice history. Full card data is collected directly by Stripe and never reaches our servers |
| Communications | Support tickets, in-app chat history, call recordings (with your consent), survey responses |
| Usage telemetry | Pages and features used, clicks, performance metrics, crash reports, error logs |
| Marketing engagement | Email open and click events, newsletter preferences, webinar attendance, demo bookings |
| Public listing data | Where you opt in to the EasyWeek marketplace, the business name, logo, services, hours, location, photos, and aggregated ratings you publish |
We collect this data directly from you (when you register, fill in forms, contact support, configure your account) and automatically (logs, telemetry, cookies on our marketing sites — see Cookie Policy).
4. Purposes and legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Creating and operating your account, providing the EasyWeek Business platform you subscribed to | Performance of a contract — Art. 6(1)(b) |
| Billing, accounting, tax records | Legal obligation — Art. 6(1)(c); contract — Art. 6(1)(b) |
| Customer support and incident response | Performance of a contract — Art. 6(1)(b); legitimate interest — Art. 6(1)(f) |
| Product analytics, debugging, capacity planning, security monitoring | Legitimate interest in operating a secure and reliable platform — Art. 6(1)(f) |
| Marketing communications to existing Business Users about the EasyWeek ecosystem, new features, and partner offers | Legitimate interest under § 7(3) UWG / Art. 6(1)(f) — limited to similar products and services and subject to your right to object |
| Marketing communications where you have explicitly opted in (newsletters, webinars) | Your consent — Art. 6(1)(a) |
| Publishing your business on the EasyWeek marketplace, where you opt in | Performance of the marketplace addendum to your subscription — Art. 6(1)(b) |
| Compliance with legal obligations and lawful requests from authorities | Legal obligation — Art. 6(1)(c) |
| Defence against, exercise of, or establishment of legal claims | Legitimate interest — Art. 6(1)(f); Art. 9(2)(f) where special-category data is involved |
We do not carry out any automated decision-making that produces legal or similarly significant effects on you within the meaning of GDPR Art. 22.
5. Marketing communications
By creating a Business User account, you agree that EasyWeek may send you transactional and marketing communications about EasyWeek and our ecosystem through email, SMS, WhatsApp, push notifications, and in-app messages. We may also use your business contact data to invite you to events, webinars, beta features, partner offerings, and to inform you about new EasyWeek mobile apps (such as the EasyWeek client app), provided this is compatible with the legal basis described in Section 4.
You can opt out of marketing communications at any time:
- Email — unsubscribe link at the bottom of every marketing email
- SMS / WhatsApp — reply "STOP" to any marketing message
- Push notifications — turn off in your device or app settings
- In-app — Profile → Notification preferences
Withdrawal does not affect the lawfulness of processing carried out before the withdrawal and does not prevent us from sending you transactional messages required to operate the Service.
6. Sharing and sub-processors
We share Business User data only with:
- Sub-processors we engage to deliver the Service (hosting, email, SMS, support tooling, analytics, payment processing, AI features). The current list is available at /business/subprocessors. All sub-processors are bound by contract to confidentiality and GDPR-equivalent obligations.
- Stripe, our payment processor, for handling subscription billing.
- Auditors, accountants, legal advisors acting under professional confidentiality.
- Public authorities when we are legally compelled to do so, after verifying the legal basis of the request and, where lawful, notifying you.
- Successor entities in the event of a merger, acquisition, or sale of all or part of EasyWeek, in which case the acquirer becomes bound by an equivalent privacy commitment.
We do not sell your personal data and do not share it with third-party advertisers for cross-context behavioural advertising.
7. International transfers
EasyWeek primarily processes Business User data on infrastructure located in the European Union (Hetzner data centres in Germany; Google Cloud Storage EU multi-region; Cloudflare edge with EU routing for EEA traffic). Where a limited number of sub-processors are located outside the EEA (for example, certain AI providers under a Zero Data Retention agreement), the transfer is protected by the European Commission's Standard Contractual Clauses (Decision 2021/914) and supplementary measures based on a transfer impact assessment, available on request from privacy@easyweek.io.
8. Retention
| Data | Retention period |
|---|---|
| Account profile and configuration | While your account is active + 6 months after deletion request, then deletion or anonymisation |
| Invoices and accounting records | 10 years (HGB § 257, AO § 147) |
| Support tickets | 3 years from closure |
| Login and access logs | 90 days, with security-incident-related entries retained as long as legally necessary |
| Backups | Up to 35 days rolling, after which they are overwritten |
| Marketing engagement | Until you unsubscribe + 6 months for proof of compliance |
When the retention period expires, data is securely deleted or irreversibly anonymised, except where a longer period is required by law.
9. Your rights
You have the following rights with respect to your personal data:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restrict processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21) — in particular, to direct marketing
- Right to withdraw consent at any time (Art. 7(3))
- Right to lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of alleged infringement. In Germany, the competent authority for EasyWeek GmbH is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, https://www.ldi.nrw.de/.
To exercise any of these rights, write to privacy@easyweek.io. We will respond within one month and free of charge, except where the request is manifestly unfounded or excessive.
10. Security
We apply technical and organisational measures appropriate to the risk, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Multi-factor authentication and least-privilege access for our staff
- Network segregation, audit logging, intrusion detection
- Secure software development lifecycle, regular dependency scanning, penetration testing
- Documented incident response and breach notification process
- Personnel under written confidentiality obligations
Full details are described in the Technical and Organisational Measures annex to the Data Processing Addendum.
11. Changes and contact
We may update this Policy from time to time. Material changes will be announced through the in-app notification centre or by email at least 14 days before they take effect. The "Last updated" date above always reflects the current version.
For questions or to exercise your rights:
EasyWeek GmbH Hördtweg 65, 40470 Düsseldorf, Germany Email: privacy@easyweek.io Data protection: dpo@easyweek.io
See also: Client Privacy Policy · Cookie Policy · Data Processing Addendum · Sub-processors · Imprint.
