
Privacy Policy

Version: 2026-06-23

This document is provided in several language versions. The Polish version is legally binding; in case of any discrepancy, the Polish text prevails.

1. Data Controller

The controller of your personal data is:

ISO STUDIO Spółka z ograniczoną odpowiedzialnością (sp. z o.o.)

  • KRS: 0000954033
  • NIP: 7011075011
  • REGON: 521263680
  • Address: ul. Nowogrodzka 7/9, 00-500 Warszawa

Contact regarding personal data:

  • Email: Isostudio1602@gmail.com

2. Data Protection Officer

The controller has not appointed a Data Protection Officer (DPO). For all matters concerning the processing of personal data, you can contact us at: Isostudio1602@gmail.com.

3. Purposes and Legal Bases of Processing

Purpose of processing | Legal basis
(a) Creating and operating a client account | Art. 6(1)(b) GDPR (performance of a contract)
(b) Making, managing and fulfilling appointment bookings | Art. 6(1)(b) GDPR (performance of a contract)
(c) Sending transactional emails (booking confirmation, 24 h and 2 h reminders) | Art. 6(1)(b) GDPR (performance of a contract)
(d) Notifying the studio administrator of bookings | Art. 6(1)(f) GDPR (legitimate interest)
(e) No-show tracking and automatic account ban (abuse prevention) | Art. 6(1)(f) GDPR (legitimate interest)
(f) Issuing invoices and keeping accounting records | Art. 6(1)(c) GDPR (legal obligation)
(g) Handling complaints and pursuing or defending against claims | Art. 6(1)(f) and Art. 6(1)(c) GDPR
(h) Error monitoring and application security | Art. 6(1)(f) GDPR (legitimate interest)

4. Legitimate Interests of the Controller

Where we process data on the basis of Art. 6(1)(f) GDPR, our legitimate interests are:

  • preventing repeat no-shows and abuse of the booking system,
  • securing and maintaining the proper operation of the application,
  • keeping studio staff informed of bookings made.

5. Recipients / Processors

Your data may be entrusted to the following processors acting on our behalf:

  • Supabase — application hosting, database and user authentication (EU region).
  • Resend — delivery of email messages (transactional notifications).
  • Sentry — application error and security monitoring (EU region).
  • Telegram — notifications to the studio administrator. Only the client's first name is transmitted, without contact details or other identifying data.

6. Transfers Outside the European Economic Area (EEA)

Some processors may process data outside the EEA:

  • Resend — transfer to the USA based on the EU–US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCC) as a supplementary safeguard.
  • Sentry — data stored in the EU region; in the event of any transfer, the DPF and SCC apply.
  • Telegram — the operator is based in Dubai and the transfer safeguards in place are limited. We therefore limit the scope of transmitted data to the necessary minimum (the client's first name only).

7. Retention Periods

  • Bookings — for a period of 5 years.
  • Invoices and accounting documents — for a period of 5 years, in accordance with tax law.
  • Account bans due to no-shows — until the ban is manually lifted by the administrator (no automatic expiry).
  • Account data — until the account is deleted, except for data subject to a statutory retention obligation.
  • Error monitoring data (Sentry) — for a short retention period.

8. Rights of the Data Subject

You have the following rights:

  • the right of access (Art. 15 GDPR),
  • the right to rectification (Art. 16 GDPR),
  • the right to erasure (Art. 17 GDPR),
  • the right to restriction of processing (Art. 18 GDPR),
  • the right to data portability (Art. 20 GDPR),
  • the right to object to processing (Art. 21 GDPR),
  • the right to withdraw consent at any time where processing is based on consent — without affecting the lawfulness of processing carried out before its withdrawal (Art. 7(3) GDPR).

To exercise these rights, contact us at: Isostudio1602@gmail.com.

9. Right to Lodge a Complaint

You have the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warszawa.

10. Voluntariness of Providing Data

Providing data is voluntary; however, your email address and phone number are necessary to conclude and perform the contract and to log in using a one-time code (OTP). Without them, it is not possible to create an account or make a booking.

11. Automated Decision-Making

We apply an automatic account ban after three no-shows. This process involves a human in the loop — the administrator marks each no-show and may lift the ban at any time. If you wish to appeal a ban, contact us at: Isostudio1602@gmail.com.

12. Cookies and Device Storage

The application stores on your device only data strictly necessary to provide the service:

  • the authentication session (Supabase),
  • the working draft of a booking (application state, useState),
  • the language selection.

These are strictly necessary data, which is why we do not display a cookie consent banner. A separate cookie policy may be introduced in the future.

13. Third-Party Data (Walk-in Clients)

If your data (first name, phone number) was entered into the system by the administrator in connection with a visit without a prior booking (walk-in client), we inform you, in accordance with Art. 14 GDPR, that the controller is ISO STUDIO sp. z o.o., and the data is processed for the purpose of fulfilling the visit and keeping accounting records, on the legal bases set out in this policy. The source of the data in such a case is the studio staff. You are entitled to all the rights described in section 8.

© 2026 ISO STUDIO