Privacy policy

Last updated: June 2026

1. Joint controllers (Art. 26 GDPR)

The following entities are jointly responsible for the processing of personal data on this website:

  • aproposHaare GmbH, Mönchhofstr. 3b, 69120 Heidelberg, Germany
  • apropos Haare Mannheim GmbH, [address], [postcode] Mannheim, Germany

The companies have agreed internally pursuant to Art. 26 GDPR on who fulfils which data protection obligations. Enquiries regarding data processing may be directed to info@aproposhaare.de.

2. Processed data and purposes

2.1 Hosting (Cloudflare Pages)

This website is hosted via Cloudflare Pages. Cloudflare processes technically necessary connection data (IP address, timestamp, accessed URL). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operation). Data processing agreement concluded with Cloudflare.

2.2 Online booking (Belbo)

When booking an appointment, name, email address and other booking-related data are transmitted to Belbo. Legal basis: Art. 6(1)(b) GDPR (contract performance). Data processing agreement concluded with Belbo.

2.3 Web analytics (Cloudflare Web Analytics)

We use Cloudflare Web Analytics — cookie-free and without personal data. No consent required under TDDDG §25.

2.4 Contact and application forms (Resend)

Messages from our contact form and online job applications are delivered to our salon and HR mailboxes via the transactional email service Resend. Name, email address, message content and uploaded application documents (PDF/JPEG/PNG) are processed. Application PDFs are also temporarily stored in a European Cloudflare R2 bucket and deleted after the application process has been completed. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or (f) (legitimate interest in efficient communication). Data processing agreement concluded with Resend.

2.5 Bot protection (Belbo Turnstile)

A Cloudflare Turnstile token issued by Belbo is sent with the "forgot password" function. No cookies are set and no personal data is transmitted to Cloudflare. Legal basis: Art. 6(1)(f) GDPR (protection against abuse).

3. Cookies and consent (TDDDG §25)

Session cookies (for appointment booking) are technically necessary and do not require consent. Additional cookies are only set with your consent.

4. Your rights

You have the right to information (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21 GDPR). Complaints can be filed with the State Commissioner for Data Protection of Baden-Württemberg: www.baden-wuerttemberg.datenschutz.de

To exercise your rights, please use our privacy request form.

5. Third-country transfers

Cloudflare has offices in the USA. The transfer is based on the EU-US Data Privacy Framework (adequacy decision of the EU Commission of July 10, 2023).

6. Data Retention and Deletion

We store personal data only as long as necessary for the respective purpose (Art. 5(1)(e) GDPR):

  • Booking and analytics data (name, email, customer ID): 12 months after collection, then automatic anonymization. Anonymized, non-personal data (service, date, city) is retained for statistical analysis.
  • Data protection requests: 36 months after submission, then complete deletion (aligned with the standard limitation period under §195 BGB).
  • Session tokens (booking login): Short-lived, automatic deletion after session ends.
  • Appointments at Belbo: Retention period is governed by Belbo's privacy policy.
  • Contact form messages: Delivered transiently via email, no long-term storage on our servers.

Cleanup runs automatically on the 1st of each month. Only personal data fields are removed — anonymized records are retained for internal statistics.