Privacy policy

1. Who we are

Turnwave ("we", "us") provides appointment booking and related communication tools for merchants and their customers. For the purposes of GDPR, we act as the controller of personal data described in this policy unless we state otherwise (for example where a merchant is controller of their own customer list and we process data only on their instructions as a processor — see section 4).

Contact for privacy matters: privacy@turn-wave.com.

2. What data we process

Depending on how you use Turnwave, this may include:

• Merchant data: business and contact details, account identifiers, billing-related information where applicable, and content you upload or configure in the service.
• Customer (end-user) data: for example name, phone number, and appointment details submitted through the booking flow on behalf of the merchant.
• Technical data: limited logs and diagnostics needed to operate, secure, and improve the service (such as IP address, device and browser type, timestamps, and error reports).

3. Purposes and legal bases (GDPR)

We process personal data for purposes such as:

• Providing the service to merchants and their customers — typically under Article 6(1)(b) GDPR (performance of a contract) or Article 6(1)(f) GDPR (legitimate interests in operating a reliable booking platform), as applicable.
• Security and abuse prevention — legitimate interests (Art. 6(1)(f)) in protecting accounts, detecting fraud, and maintaining integrity of the platform.
• Compliance with law — where required, Article 6(1)(c) GDPR.
• Marketing communications (if any) — only with appropriate consent or another valid basis under Art. 6 GDPR.

4. Merchants and their customers

When a customer books with a merchant through Turnwave, the merchant decides what information to collect and for what operational purposes they use it. In many cases the merchant will be an independent controller (or joint controller) for customer personal data, and we provide processing capacity under our agreement with the merchant. We assist merchants, where required, in responding to individuals' rights requests that relate to our role.

5. Storage location

We host persisted application and database data in the European Union (Frankfurt, Germany), as described on our Data, GDPR & pricing page. We use vetted infrastructure providers and put appropriate agreements in place (including, where relevant, standard contractual clauses or other transfer tools) if any processing occurs outside the EEA.

6. Retention

We keep personal data only as long as needed for the purposes above, including to meet legal, accounting, or reporting requirements. Retention periods may differ by data category; when data is no longer required we delete or anonymise it in line with our internal policies.

7. Your rights

Under GDPR, individuals in the EEA (and, where applicable, the UK equivalent regime) generally have rights including access, rectification, erasure, restriction of processing, objection, data portability, and the right to lodge a complaint with a supervisory authority. To exercise these rights, contact us at the email address above. We will respond within the timeframes required by law.

8. Cookies and similar technologies

We use only such cookies and similar technologies as are necessary to run the site, remember preferences where applicable, and understand aggregate usage. Any non-essential cookies will be described in a cookie notice or preference centre where we use them.

9. Changes

We may update this policy from time to time. We will post the revised version on this page and adjust the "Last updated" date. Where changes are material, we will provide additional notice as required by law.