Privacy Policy
This Privacy Policy explains how EasyWeek GmbH ("EasyWeek", "we", "us") processes personal data about visitors and users of the EasyWeek website, marketplace, and EasyWeek client app (the "Green App"). It is written for end users — the people who discover and book services through EasyWeek. For the EasyWeek Business platform, please see the separate Business Privacy Policy.
Last updated: 15 May 2026
1. Who is responsible
The data controller is:
EasyWeek GmbH Hördtweg 65, 40470 Düsseldorf, Germany Email: [email protected] Data protection contact: [email protected] Phone: +49 211 97532711
You can reach our data protection contact for any UK GDPR-related question or to exercise your rights. We respond within one month, free of charge, unless your request is manifestly unfounded or excessive.
For the booking itself, the service Provider you book with is a separate controller of the personal data it processes about you (for example, your appointment notes in its CRM). Please refer to the Provider's own privacy notice for that processing.
2. What data we collect
Depending on how you use the Service, we may collect the following categories of personal data about you:
| Category | Examples |
|---|---|
| Identification | First and last name, date of birth, profile photo, gender, preferred salutation |
| Contact | Email address, mobile and other phone numbers, postal address, country, language |
| Account | Username, hashed password, single-sign-on identifiers (Google, Apple, Facebook where used), authentication tokens, login history |
| Booking | Booked services, Providers, locations, dates, prices, history of cancellations, no-shows, and reviews; notes attached to the booking |
| Payment | Billing address, last four digits of payment card, transaction status. Full card data is processed directly by Stripe and is never stored on EasyWeek servers |
| Communications | Messages, calls, support tickets, marketing engagement (open and click events), notification preferences |
| Device and log data | IP address, browser and device identifiers, operating system, screen size, language, referrer URL, timestamps, performance metrics, crash logs |
| Location | Approximate location based on IP and, with your permission on mobile, precise device location to help you find nearby Providers |
| User content | Reviews, ratings, photos, comments, and other content you submit |
| Marketing audience data | Whether you opened or clicked an email, attended a webinar, or interacted with an ad — used only with your consent where required |
| Friends and family contacts | If you use the contact-import feature to invite a friend, only the contacts you select; we do not bulk-harvest your address book |
| Cookie and similar identifiers | See the Cookie Policy for the full list and categories |
We do not knowingly collect special-category data within the meaning of UK GDPR Art. 9 (as supplemented by the Data Protection Act 2018, Schedule 1) (such as health data). Where a Provider's booking flow collects such data (for example, a beauty, wellness, medical, or dental clinic asking about allergies), that data is collected on behalf of the Provider as the controller, under the Provider's own privacy notice.
3. Where we get your data from
- Directly from you — when you register, fill in a form, book a service, message a Provider, leave a review, contact our support team, or take any other action on the Service.
- From the Provider you book with — for example, when a Provider invites you to manage your bookings through EasyWeek.
- From third-party platforms — for example, Google or Apple identity when you choose to sign in with those services.
- Automatically — server logs, cookies, SDKs in the Green App, and similar technologies whenever you visit the Service.
- From publicly available sources — limited cases, such as verifying business information of a Provider.
4. Why we use your data
| Purpose | Legal basis (UK GDPR Art. 6 / 9) |
|---|---|
| Creating and operating your account, transmitting bookings to Providers, sending you booking confirmations and reminders | Performance of a contract — Art. 6(1)(b) |
| Letting you browse the marketplace, search for Providers, see prices and availability | Performance of a contract / pre-contractual measures — Art. 6(1)(b) |
| Processing payments via Stripe and handling refunds on Providers' behalf | Performance of a contract — Art. 6(1)(b); legal obligation — Art. 6(1)(c) for tax/accounting |
| Communicating with you about your account, security alerts, terms changes, and service-related matters | Performance of a contract — Art. 6(1)(b); legitimate interest — Art. 6(1)(f) |
| Improving the Service, debugging, security monitoring, fraud and abuse prevention | Legitimate interest — Art. 6(1)(f) |
| Marketing communications about EasyWeek and ecosystem services through the channels you have an account on (email, SMS, WhatsApp, push, in-app) | Legitimate interest under Regulation 22(3) PECR (soft opt-in rule) and Art. 6(1)(f) for similar products and services, subject to your right to object; otherwise, your consent — Art. 6(1)(a) |
| Personalised content and ads on third-party platforms | Your consent — Art. 6(1)(a), through the cookie banner |
| Reviews and ratings — display, moderation, fraud detection | Performance of a contract — Art. 6(1)(b); legitimate interest — Art. 6(1)(f) |
| Friends and family contact import | Your consent — Art. 6(1)(a) |
| Compliance with legal obligations and lawful requests from authorities | Legal obligation — Art. 6(1)(c) |
| Defence against, exercise of, or establishment of legal claims | Legitimate interest — Art. 6(1)(f); Art. 9(2)(f) where special-category data is involved |
We do not carry out any automated decision-making that produces legal or similarly significant effects on you within the meaning of UK GDPR Art. 22.
5. Who we share your data with
We share your personal data only in ways consistent with this Policy and applicable law:
- The Provider you book with — name, contact details, booking details, and any notes you attach to the booking are shared with the Provider as needed to deliver the service. The Provider becomes a separate controller for that data.
- Sub-processors who help us run the Service — hosting, payments, email and SMS delivery, support tooling, analytics, error monitoring, AI services. The current list is at /business/subprocessors. Each sub-processor is bound by a written contract with UK GDPR-equivalent obligations.
- Identity providers if you sign in with Google, Apple, or another social login — only the information you authorise.
- Public authorities when we are legally compelled to do so, after verifying the legal basis of the request.
- Professional advisors — auditors, accountants, lawyers — under professional confidentiality.
- Successor entities in the event of a merger, acquisition, or sale of all or part of EasyWeek.
We do not sell your personal data and we do not share it with third-party advertisers for cross-context behavioural advertising.
6. International transfers
EasyWeek primarily processes your data on infrastructure located in the European Union (Hetzner data centres in Germany; Google Cloud Storage EU multi-region; Cloudflare edge with EU routing for EEA traffic). A small number of sub-processors are located outside the EEA (for example, certain AI providers under a Zero Data Retention agreement). For those transfers we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and supplementary technical and organisational measures based on a transfer impact assessment, available on request from [email protected]. Please note that, following the United Kingdom's departure from the European Union, the United Kingdom is treated as a third country for the purposes of EU data-protection law; transfers of personal data from the EEA to the United Kingdom are accordingly subject to the European Commission's adequacy decision in respect of the United Kingdom, and your data processed on EasyWeek's EU infrastructure therefore benefits from that adequacy finding.
7. How long we keep your data
| Data | Retention period |
|---|---|
| Account profile and booking history while your account is active | Until you delete your account |
| After account deletion | Up to 6 months for fraud prevention, dispute resolution, and platform integrity, then deletion or anonymisation |
| Invoices and payment records | 10 years (German Commercial Code § 257, Fiscal Code § 147) |
| Support tickets | 3 years from closure |
| Server access and security logs | 90 days; security-incident-related entries longer where legally necessary |
| Backups | Up to 35 days rolling, after which they are overwritten |
| Marketing engagement | Until you unsubscribe + 6 months for proof of compliance |
| Reviews and public user content | Until you delete them, except for copies retained where required to comply with legal obligations |
After the retention period, data is securely deleted or irreversibly anonymised.
8. Your rights
Under the UK GDPR (Regulation (EU) 2016/679 as retained in UK law via the European Union (Withdrawal) Act 2018) and the Data Protection Act 2018, you have the right to:
- Access your personal data and receive a copy (Art. 15)
- Rectify inaccurate or incomplete data (Art. 16)
- Erase your data ("right to be forgotten") (Art. 17)
- Restrict processing in certain situations (Art. 18)
- Receive your data in a portable format and transmit it to another controller (Art. 20)
- Object to processing based on legitimate interest, including direct marketing (Art. 21)
- Withdraw consent at any time without affecting prior processing (Art. 7(3))
- Lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of alleged infringement. In the United Kingdom, the competent authority is the Information Commissioner's Office (ICO), https://ico.org.uk/.
To exercise any of these rights, write to [email protected]. Many of these actions you can also take directly in the Green App or on the website (Profile → Account → Data).
9. Cookies
We and our partners use cookies and similar technologies to operate the Service, remember your preferences, analyse use, and (with your consent) deliver personalised advertising. See the Cookie Policy for the full list of categories and vendors, and use the cookie settings in our consent banner to change your choices at any time.
10. Children
The Service is intended for users aged 18 and over. We do not knowingly process personal data of children under 18. If you believe a child has provided personal data to us, please contact [email protected] and we will delete it promptly.
11. Marketing and profiling
We may send you marketing messages about EasyWeek and our ecosystem (the marketplace, the Green App, partner offers) by email, SMS, WhatsApp, push, and in-app notifications, in accordance with Section 7 of our Terms of Service. We may segment our user base to make these messages more relevant (for example, by language, country, booking history). We do not carry out profiling that produces legal or similarly significant effects on you within the meaning of UK GDPR Art. 22 (as retained in UK law via the European Union (Withdrawal) Act 2018).
You can opt out of all marketing channels at any time from your profile settings or as described in Section 7 of the Terms of Service.
12. AI features
EasyWeek offers AI-assisted features — for example, an in-app assistant that helps you find a Provider, AI summaries of reviews, and suggested time slots. We are transparent about these features as required by the EU AI Act (where applicable to cross-border processing of EEA data subjects):
- Your inputs to AI features are sent to the AI provider (currently Anthropic Claude, see Sub-processors) under a Zero Data Retention agreement: the provider does not retain your prompts or use them for training.
- AI summaries of reviews are clearly labelled.
- The AI assistant is a tool, not a replacement for the Provider or for professional advice; do not rely on it for medical, legal, financial, or safety-critical decisions.
You can disable AI features for your account in Profile → Preferences.
13. Security
We apply technical and organisational measures appropriate to the risk, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Multi-factor authentication and least-privilege access controls for our staff
- Network segregation, audit logging, intrusion detection
- Secure software development lifecycle, regular dependency scanning, penetration testing
- Documented incident-response and breach-notification process
- All personnel under written confidentiality obligations
No method of transmission or storage is completely secure. You also play a role: keep your password confidential, use a strong unique password, and enable two-factor authentication if available.
14. Changes and contact
We may update this Privacy Policy from time to time. Material changes will be announced through the Service (in-app notification, email, or banner) at least fourteen (14) days before they take effect. The "Last updated" date above always reflects the current version.
For any question or to exercise your rights:
EasyWeek GmbH Hördtweg 65, 40470 Düsseldorf, Germany Email: [email protected] Data protection: [email protected]
If you are based in the United Kingdom and wish to lodge a complaint, you may contact the Information Commissioner's Office (ICO) at https://ico.org.uk/.
See also: Terms of Service · Cookie Policy · Legal Notice.
