Prettie
Iniciar Sesión

Privacy Policy

Last updated: March 2026

1. Who We Are

Prettie SRL ("Prettie," "we," "our," or "us") is the data controller for the personal data processed through the Prettie platform, unless otherwise stated in this policy. We are registered in Bucharest, Romania, and operate an online marketplace that connects clients with beauty, wellness, and aesthetic service providers across Europe.

If you have any questions or concerns about how your data is handled, you can reach us at:

2. Information We Collect

We collect different categories of personal data depending on how you interact with the Prettie platform. Below is a detailed overview of the data we may collect.

Account Information

  • Full name
  • Email address
  • Phone number
  • Avatar or profile image
  • Locale and language preference
  • Account type (client or business)

Authentication Data

  • Session tokens
  • IP addresses
  • User agent and browser information
  • If you use social login (Google, Apple, Microsoft, or Facebook): authentication tokens from those providers. We store only what is strictly necessary to authenticate you.

Booking and Appointment Data

  • Appointment details (date, time, service, staff member)
  • Booking status and history
  • Cancellation reasons
  • Special notes or requests you provide
  • For guest bookings: name, email address, and phone number

Payment Information

Prettie does not store your full card details. All payments are processed by Stripe, a PCI-DSS Level 1 certified payment processor. The payment-related data we do store includes:

  • Stripe customer reference ID
  • Transaction records (amount, currency, status)
  • Tip amounts
  • Gift card purchases and redemptions

Health and Medical Data (Special Category — Article 9 GDPR)

When you receive beauty, wellness, or aesthetic services, the service provider may collect the following information through our platform:

  • Allergies and sensitivities
  • Current medications
  • Medical conditions
  • Previous surgeries
  • Family medical history
  • Skin type and classification
  • Pregnancy or nursing status
  • Clinical records (SOAP notes, ICD-10 codes, prescriptions)
  • Treatment plans and progress
  • Body measurements (weight, body fat percentage, waist, hips, chest, arms, thighs)
  • Before and after treatment photos
  • Consent form records (procedure details, risk acknowledgment, your signature)

Important: This data is collected by your service provider, who acts as the data controller for this information, with your explicit consent. Prettie processes this data on behalf of the service provider (as a data processor).

Beauty Profile

  • Hair type, texture, and color preferences
  • Skin type, tone, and concerns
  • Nail condition
  • Aesthetic preferences

Reviews and Content

  • Reviews you write
  • Star ratings
  • Photos you upload
  • Responses to surveys

Communications

Messages you exchange with businesses through the Prettie platform.

Loyalty and Membership Data

  • Loyalty points
  • Stamp card progress
  • Referral codes
  • Membership details
  • Gift card balances

Location Data

  • Search location: stored temporarily in your browser's session storage to improve search results. This data is not sent to our servers.
  • Business location data used for search proximity calculations.

Device and Technical Data

  • IP address
  • Browser type and version
  • Operating system
  • Device type
  • Referring URLs

3. Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we rely on the following legal bases to process your personal data:

Contract Performance (Article 6(1)(b))

Processing that is necessary to fulfil our contract with you, including:

  • Creating and managing your account
  • Processing bookings and managing appointments
  • Processing payments
  • Sending booking confirmations and reminders

Legitimate Interests (Article 6(1)(f))

Processing that is necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms:

  • Platform improvement and analytics
  • Fraud prevention and security
  • Resolving disputes
  • Enforcing our Terms of Service

You can object to processing based on legitimate interests at any time by contacting us.

Consent (Article 6(1)(a))

Where we rely on your consent, you may withdraw it at any time. Consent-based processing includes:

  • Marketing emails and promotional communications
  • Newsletter subscriptions
  • Non-essential cookies and analytics

Legal Obligation (Article 6(1)(c))

Processing that is necessary to comply with a legal obligation, including:

  • Financial record keeping
  • Responding to lawful requests from public authorities

Special Category Data (Article 9(2)(a))

Health and medical data is processed only with your explicit consent, obtained through signed consent forms before procedures. You may withdraw this consent at any time, although withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. Please note that certain retention obligations may still apply even after consent is withdrawn.

4. How We Use Your Information

We use the personal data we collect for the following purposes:

  • Providing and managing the booking service
  • Processing payments and issuing receipts
  • Facilitating clinical record keeping for your service providers
  • Sending appointment confirmations, reminders, and follow-up communications
  • Enabling reviews and ratings
  • Managing loyalty programs, referrals, and gift cards
  • Personalizing your experience, including search results and recommendations
  • Improving the platform through analytics
  • Preventing fraud, abuse, and unauthorized access
  • Responding to your support requests
  • Sending marketing communications (only with your consent)

5. Who We Share Your Data With

We share your data only when necessary to operate the platform and provide our services. We do not sell your personal data to any third party.

Service Provider Businesses

When you book an appointment, your relevant details — including your name, contact information, and booking details — are shared with the business providing the service. If you have given your consent, your medical information and beauty profile may also be shared with that business.

Stripe (Payment Processor)

Payment data is processed by Stripe, Inc., a PCI-DSS Level 1 certified payment processor. Stripe processes your payment information under its own privacy policy, available at stripe.com/privacy.

Microsoft Azure (Cloud Infrastructure)

Our platform is hosted on Microsoft Azure's West Europe data centers. Azure processes data under our instructions as a sub-processor, in accordance with a data processing agreement.

OAuth Providers

If you sign in via Google, Apple, Microsoft, or Facebook, authentication tokens are exchanged to verify your identity. We do not share your Prettie data back to these providers.

Law Enforcement

We may disclose your personal data if required to do so by law, court order, or regulatory obligation.

6. International Data Transfers

  • Our primary data storage is in the European Union (Microsoft Azure, West Europe region).
  • Stripe processes payments primarily within the EU/EEA. For any transfers outside the EU, Stripe relies on Standard Contractual Clauses and the EU-U.S. Data Privacy Framework.
  • OAuth providers may process authentication tokens outside the EU. These transfers are covered by adequacy decisions, Standard Contractual Clauses, or other approved transfer mechanisms under the GDPR.
  • We do not transfer your personal data to countries without adequate data protection unless appropriate safeguards are in place, as required by Chapter V of the GDPR.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The specific retention periods are as follows:

  • Account data: Retained for the duration of your account. After you request account deletion, your data is kept for 30 days (to allow recovery) and then permanently deleted.
  • Booking history: 3 years after the appointment date.
  • Payment and transaction records: 7 years, as required by Romanian fiscal law.
  • Medical and clinical records: 10 years (or longer if required by applicable healthcare regulations). This reflects the retention period set by your service provider.
  • Consent forms: 10 years from the date of the procedure.
  • Treatment photos: Duration of the treatment plan plus 10 years.
  • Reviews: Retained for the duration of your account. Anonymized upon account deletion.
  • Marketing consent records: 3 years after consent withdrawal.
  • Session and authentication data: Until session expiry (typically 7 days).
  • Analytics data: 26 months.

8. Your Rights Under the GDPR

Under the General Data Protection Regulation (Articles 15–22), you have the following rights with respect to your personal data:

  • Right of access (Article 15): You may request a copy of the personal data we hold about you.
  • Right to rectification (Article 16): You may request that we correct inaccurate or incomplete personal data.
  • Right to erasure (Article 17): You may request the deletion of your personal data ("right to be forgotten"). Please note that medical records may be exempt under Article 17(3)(c) where processing is necessary for healthcare purposes, or where retention is required by law.
  • Right to restriction of processing (Article 18): You may request that we limit how we process your data in certain circumstances.
  • Right to data portability (Article 20): You may request to receive your personal data in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller.
  • Right to object (Article 21): You may object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent (Article 7(3)): Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
  • Rights related to automated decision-making (Article 22): See Section 9 below.

How to Exercise Your Rights

To exercise any of these rights, please email privacy@prettie.com. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request. These rights are provided free of charge; however, excessive or manifestly unfounded requests may be subject to a reasonable administrative fee.

9. Automated Decision-Making and Profiling

Prettie uses AI-powered features in certain areas of the platform, including:

  • Personalized search results and recommendations
  • Beauty advisor suggestions
  • Review sentiment analysis

These features are advisory and informational only — they do not produce legal effects or similarly significantly affect you. No automated decisions are made that would affect your ability to book services or access the platform.

You have the right to request human review of any automated decision. To do so, please contact us at privacy@prettie.com.

10. Children's Data

Prettie is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If we discover that we have inadvertently collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@prettie.com.

11. Cookies

We use cookies and similar technologies for authentication, preferences, and analytics. For detailed information, please see our Cookie Policy.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. Material changes will be communicated to you via email or through a prominent notice on the platform. The "Last updated" date at the top of this page reflects the most recent revision. We encourage you to review this policy periodically.

13. Contact Us and Supervisory Authority

If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please contact us:

Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. In Romania, the competent authority is:

ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania
anspdcp@dataprotection.ro

You may also contact the supervisory authority in your country of residence.