Privacy Policy

Last updated: April 2026

Nailto ("we", "us", "our") operates the nailto.eu website and booking platform. This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our service.

1. Information We Collect

We collect the following types of information:

• Account information: Name, email address, username, and password (stored as a bcrypt hash) when you register as a nail master.
• Booking information: Client name and phone number provided when booking an appointment.
• Payment information: Processed securely by LHV Paytech (EveryPay). We do not store credit card numbers.
• Google Calendar data: If you connect Google Calendar, we create and delete calendar events for your bookings. We do not read or access your existing calendar data.
• Usage data: We use PostHog analytics to track anonymized usage patterns (page views, feature usage) to improve our service.

2. How We Use Your Information

• To provide and maintain our booking service
• To send SMS confirmations and reminders to clients (via Messente)
• To send email notifications about bookings and account activity
• To process payments via LHV Paytech
• To sync bookings with Google Calendar (only when you opt in)
• To improve our service based on usage analytics

3. Data Storage and Security

Your data is stored on Supabase servers in the EU (Frankfurt, Germany). We use industry-standard security measures including:

• Bcrypt password hashing
• HTTPS encryption for all connections
• Row Level Security (RLS) on our database
• Secure, HttpOnly session cookies
• Rate limiting to prevent abuse

4. Data Sharing

We do not sell your personal data. We share data only with the following service providers necessary to operate our platform:

• Supabase — database hosting (EU)
• LHV Paytech / EveryPay — payment processing (Estonia)
• Messente — SMS delivery (Estonia)
• Google — Calendar integration (only when connected by you)
• PostHog — analytics (EU)

5. Google Calendar Integration

Nailto's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

When you connect Google Calendar, we:

• Create calendar events when clients book appointments with you
• Delete calendar events when bookings are cancelled
• Store your OAuth refresh token (encrypted) to maintain the connection

We do not read, modify, or delete your existing calendar events. You can disconnect Google Calendar at any time from your dashboard.

6. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the right to:

• Access — request a copy of your personal data
• Rectification — correct inaccurate data
• Erasure — request deletion of your account and data
• Portability — export your data in a standard format
• Object — opt out of analytics tracking

To exercise these rights, contact us at support@nailto.eu.

7. Cookies

We use a single essential session cookie (nailto_session) to keep you logged in. We do not use advertising or third-party tracking cookies.

8. Data Retention

We retain your account data for as long as your account is active. Booking data is retained for up to 12 months after the appointment date. You can request deletion of your account and all associated data at any time.

9. Children's Privacy

Our service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children.

10. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes via email or a notice on our website.

11. Contact Us

If you have any questions about this privacy policy, please contact us:

• Email: support@nailto.eu
• Website: nailto.eu