
Privacy Policy — Puro Barbershop


Effective date: 3 July 2026
Version: 1.0
Document last reviewed: 3 July 2026


1. Who we are

This privacy policy describes how EXACTO Ltd (ЕКСАКТО ЕООД) ("we", "us", "our", or "Puro Barbershop"), the operator of the Puro Barbershop located at Бул. Христо Ботев 114, Plovdiv, Bulgaria, processes personal data about visitors to our website at purobarbershop.com and customers who use it to book appointments.

Data controller:

  • Legal name: EXACTO Ltd (ЕКСАКТО ЕООД)
  • Unique identification code (EIK): 208808320
  • VAT number (where applicable): not applicable (not registered for VAT)
  • Registered address: 19 Georgi Kondolov St., fl. 3, apt. 8, Yuzhen district, 4004 Plovdiv, Bulgaria
  • Trading address: Бул. Христо Ботев 114, Plovdiv, Bulgaria
  • Email: seneymurad111@gmail.com
  • Phone: +359 892 919 649

We are the data controller for all personal data described in this policy, meaning we determine why and how it is processed.

Data protection officer: Given the limited scale of our processing activities, we are not required by law to appoint a Data Protection Officer (Article 37 GDPR). For any privacy-related inquiry, please contact us at the email address above.


2. What this policy covers

This policy applies to personal data we collect when you:

  • visit the website at purobarbershop.com;
  • make, change, or cancel a booking through the website;
  • correspond with us by email or phone in connection with a booking;
  • use the admin area of the website, if you are a barber working with us.

This policy does not cover:

  • third-party websites linked from our site (Instagram, for example) — those are governed by their operators' own policies;
  • in-person interactions at the barbershop that do not involve the website (such as paying in cash and giving no contact details).

3. The personal data we process

3.1 When you make a booking

To accept and fulfil a booking, we collect:

  • Full name. Purpose: identifying you on arrival; addressing you in correspondence. Required: yes.
  • Email address. Purpose: sending booking confirmation, reminder, and cancellation messages. Required: yes.
  • Phone number. Purpose: contacting you if there is an urgent issue with your appointment. Required: yes.
  • Notes (free text). Purpose: any preferences you choose to share (e.g., "please use clippers only"). Required: no.
  • Selected service. Purpose: identifying the appointment. Required: yes.
  • Selected barber (if any). Purpose: identifying the appointment. Required: yes.
  • Date and time. Purpose: identifying the appointment. Required: yes.
  • Language preference. Purpose: sending correspondence in the language you selected. Required: yes.

We do not collect any special categories of personal data (Article 9 GDPR) — for example, data revealing health, ethnicity, religion, or sexual orientation. Please do not provide such information in the free-text notes field.

We do not ask for payment information through the website. Payment is taken in person at the barbershop.

3.2 When you cancel a booking

When you click the cancellation link in your confirmation email, we record:

  • the fact that the booking was cancelled;
  • the time of cancellation.

We do not collect new personal data at this stage.

3.3 If you are a barber with an admin account

If you work with us and we have provided you with an account to manage your schedule, we process:

  • your email address (as your login identifier);
  • a salted hash of your password (we never store passwords in plain text);
  • the role assigned to your account (barber or super-administrator);
  • timestamps of when your account was created, last logged in, and last updated.

3.4 Technical data and security logs

When you visit the website, our hosting infrastructure automatically processes the following technical data to make the site work and to keep it secure:

  • your IP address;
  • the URL you requested and the time of the request;
  • your browser type and operating system, as reported by your browser;
  • the referring URL (if you clicked through from another site);
  • rate-limiting state — we keep a short-lived count of how many booking attempts a given IP address, email address, or phone number has made, to prevent abuse.

This technical data is processed transiently and is not combined with the booking data above to build a profile of you.

3.5 Cookies and similar technologies

We use a small number of cookies. None of them are used for advertising or tracking across sites.

  • authjs.session-token (or similar). Purpose: keeps you logged in to the admin area. Type: strictly necessary. Duration: 8 hours. Set by: us.
  • NEXT_LOCALE (or similar). Purpose: remembers your language choice. Type: strictly necessary / functional. Duration: 1 year. Set by: us.

The cookies listed above are strictly necessary for the website to function in the way you have requested. Under the EU ePrivacy regime they are exempt from prior consent.

Gallery images: The photos in our gallery are hosted on our own website. Viewing them does not connect you to any third party and does not set any additional cookies. We also link to our Instagram and TikTok profiles — following those links takes you to those external services, which are governed by their own privacy policies.


4. Lawful basis for processing

Under Article 6 of the GDPR, we rely on the following lawful bases:

  • Creating, managing, and fulfilling your booking: performance of a contract (Art. 6(1)(b) GDPR) — we cannot deliver the booked service without this data.
  • Sending booking confirmation, reminder, and cancellation emails: performance of a contract (Art. 6(1)(b) GDPR).
  • Preventing abuse, fraud, and double-bookings (rate limiting, technical logs): legitimate interest (Art. 6(1)(f) GDPR) — to keep the booking system reliable and available for everyone.
  • Operating admin accounts for our staff: performance of a contract (Art. 6(1)(b) GDPR) — the employment or service relationship with our barbers.
  • Complying with tax and accounting law (where booking records overlap with invoicing): legal obligation (Art. 6(1)(c) GDPR).
  • Loading third-party content (Instagram) when you click to load it: consent (Art. 6(1)(a) GDPR), given by the affirmative act of clicking the load button.

We do not rely on consent for booking-related processing. By making a booking, you are entering into a contract with us; the data is necessary to perform that contract. You can choose not to book; you cannot book and then refuse to provide the data.


5. How long we keep your data

  • Booking records (name, email, phone, notes, service, time): 12 months after the appointment date. Why: to handle disputes, refunds, and customer queries that may arise after the appointment.
  • Cancelled bookings: 12 months after the originally scheduled date. Why: same as above.
  • Admin account data: duration of your relationship with us, plus 30 days after termination. Why: to restore access if termination is reversed and to comply with employment record-keeping obligations.
  • Technical logs (IP, request timestamps): 30 days. Why: security investigation and abuse prevention.
  • Rate-limiting state: up to 24 hours. Why: to enforce the abuse-prevention rules in §3.4.
  • Email blacklist entries (if introduced): indefinitely, until removed by us. Why: to prevent repeated abuse of the booking system.
  • Accounting records that reference personal data: 5 years from the end of the financial year in which they were created. Why: Bulgarian Accountancy Act (Закон за счетоводството) and tax-law obligations.

After the retention period, the records are deleted automatically by a scheduled job, or anonymised where the underlying data is needed for aggregate analysis (such as understanding how many bookings happened in a given month).


6. Who we share your data with

We do not sell or rent your personal data. We share it only with the following categories of processors who help us run the service. Each operates under a Data Processing Agreement that requires them to process the data only on our instructions and to apply appropriate security measures.

  • Neon, Inc. (USA). Role: database hosting (Postgres). What they see: all booking and account data, stored at rest. Location of processing: EU region (eu-central-1, Frankfurt).
  • Vercel Inc. (USA). Role: website hosting and request routing. What they see: all website traffic; processes data in memory during request handling. Location of processing: EU region (fra1, Frankfurt).
  • Resend (USA). Role: transactional email delivery. What they see: recipient email address, subject line, and email body (name, booking details, cancellation link). Location of processing: EU region where available.
  • Upstash, Inc. (USA). Role: rate-limiting state (Redis). What they see: hashed identifiers of recent booking attempts (IP, email, phone) — short-lived. Location of processing: EU region.
  • Google Ireland Ltd. (Ireland). Role: map embed in the "Find us" section. What they see: the visitor's IP and browser metadata when the map loads (as they scroll to that section). Location of processing: EU / global.
  • Cloudflare, Inc. (USA). Role: domain registrar and DNS. What they see: DNS resolution traffic only (not customer data). Location of processing: global.

If a court or competent authority in Bulgaria orders us to disclose data (for example, in connection with a criminal investigation), we may have to do so. Such requests are rare and we will challenge any that we consider unlawful or disproportionate.


7. International transfers

Several of the processors listed in §6 are established in countries outside the European Economic Area (EEA), notably the United States and Israel.

  • United States: Where a processor is certified under the EU–U.S. Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795), transfers rely on that adequacy decision. Where a processor is not certified, we rely on Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) included in our Data Processing Agreement with them.
  • Israel: The European Commission has determined that Israel ensures an adequate level of data protection (Commission Decision 2011/61/EU as currently in force), so transfers to processors established there require no additional safeguards.
  • All other transfers rely on Standard Contractual Clauses or applicable Article 49 derogations.

For each processor we use, we have evaluated whether its country's laws on government access to personal data are compatible with EU requirements. We will update this policy if our assessment changes.

You can request a copy of the safeguards in place for any specific transfer by contacting us at seneymurad111@gmail.com.


8. Your rights

Under the GDPR you have the following rights in respect of personal data we hold about you:

  1. Right of access (Art. 15 GDPR): You can ask us for a copy of the personal data we hold about you and information about how we process it.
  2. Right to rectification (Art. 16 GDPR): You can ask us to correct inaccurate data or complete incomplete data.
  3. Right to erasure / "right to be forgotten" (Art. 17 GDPR): You can ask us to delete your data. This right is not absolute; for example, we may need to keep some records to meet legal obligations (see §5).
  4. Right to restriction of processing (Art. 18 GDPR): You can ask us to stop using your data while a dispute about its accuracy or our use of it is being resolved.
  5. Right to data portability (Art. 20 GDPR): Where we process your data based on a contract or your consent and by automated means, you can ask us to give you a copy in a structured, commonly used, machine-readable format, or to send it directly to another controller.
  6. Right to object (Art. 21 GDPR): Where we process your data based on legitimate interest, you can object on grounds relating to your particular situation.
  7. Right to withdraw consent (Art. 7(3) GDPR): Where we rely on consent (in practice, only for loading third-party Instagram content), you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. To withdraw consent for Instagram loading, simply reload the page.
  8. Right not to be subject to automated decision-making (Art. 22 GDPR): We do not make any automated decisions with legal or similarly significant effects about you (see §12).

Exercising these rights is free. We will respond within one month of receiving your request, unless the request is particularly complex, in which case we may extend by up to two further months and will inform you of the extension.


9. How to exercise your rights

To exercise any of the rights in §8, email us at seneymurad111@gmail.com with:

  • a clear description of the right you are exercising and what you would like us to do;
  • enough information for us to identify the booking or account you are referring to (typically the email address you used to book and the approximate date of the appointment).

We may ask for additional information to verify your identity before acting on your request. This is to protect you — we do not want to disclose data about you to someone pretending to be you.

If we refuse a request (for example, because the data is no longer held, or because an exemption applies), we will explain why and inform you of your right to complain to the supervisory authority (§10).


10. Complaints

If you believe we have not handled your personal data in accordance with the law, please contact us first at seneymurad111@gmail.com — we take complaints seriously and would like the opportunity to resolve the matter.

You also have the right to lodge a complaint with the Bulgarian supervisory authority:

Commission for Personal Data Protection (Комисия за защита на личните данни — КЗЛД)
2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria
Phone: +359 2 91 53 518
Email: kzld@cpdp.bg
Website: https://www.cpdp.bg

If you are based in another EU/EEA country, you may also contact your local supervisory authority.


11. Children

Our service is not directed at children. We do not knowingly accept bookings made by, or process the personal data of, children under the age of 14 (the age of digital consent in Bulgaria under §25c of the Bulgarian Personal Data Protection Act).

A parent or legal guardian may book an appointment on behalf of a child. In that case, the personal data we process is the parent's or guardian's, with the child's first name optionally provided in the notes field for the barber's reference.

If we become aware that we have inadvertently received personal data from a child under 14, we will delete it promptly.


12. Automated decision-making and profiling

We do not use your personal data for automated decision-making that produces legal effects or significantly affects you. The booking system uses simple availability rules (whether a slot is free) — it does not make decisions about you based on a profile.


13. Security

We take appropriate technical and organisational measures to protect your personal data, including:

  • transport encryption (HTTPS / TLS) for all traffic between your browser and our servers;
  • encryption at rest by our database provider;
  • hashed passwords for admin accounts using a modern, salted hashing algorithm;
  • the principle of least privilege for staff access to data;
  • rate limiting and other abuse-prevention measures on public endpoints;
  • regular software updates and dependency monitoring;
  • restricted access to administrative interfaces, protected by authentication.

No system is perfectly secure, however. We will notify you and the supervisory authority where required by Articles 33 and 34 GDPR in the unlikely event of a personal data breach that is likely to affect your rights and freedoms.


14. Changes to this policy

We may update this policy from time to time — for example, when we add a new processor, change a retention period, or are required to do so by a change in the law.

The version number and effective date at the top of this policy will be updated when changes are made. If the change is significant, we will take reasonable steps to inform you in advance (for example, by including a notice with a booking confirmation email).

Previous versions of this policy are kept on file and available on request.


15. Contact

For any question about this policy or about how we handle your personal data:

  • Email: seneymurad111@gmail.com
  • Phone: +359 892 919 649
  • Address: 19 Georgi Kondolov St., fl. 3, apt. 8, Yuzhen district, 4004 Plovdiv, Bulgaria