TajmingTajming

Privacy Policy

Effective date: April 3, 2026 (version 2.0)

1. Data Controller

Opus KM Studio, obrt za usluge, Croatia

Email: hello@opus-studio.xyz

Website: tajming.app

2. Data We Collect

a) Clients making bookings

  • Full name: to identify the appointment
  • Email address: to send confirmation and communicate
  • Phone number: for contact by the business if needed

Providing your name, email address, and phone number is required to complete a booking (contractual necessity). Without this data we cannot process your appointment.

b) Business owners

  • Email and password: for login (stored by Supabase)
  • Business data: name, address, phone, description, logo, brand color
  • Operational data: services, staff, working hours, appointments

Providing business data is required to use the platform as a service provider. Without this data the platform cannot function.

c) Technical data

  • Authentication cookies (sb-*): required for session management (Supabase)
  • Language preference cookie (NEXT_LOCALE): stores your selected language preference
  • Browser local storage: stores theme preference (tajming-dashboard-theme), cookie consent choice (tajming-cookie-consent), and banner status (tajming-early-bird-dismissed)

3. Purpose and Legal Basis

PurposeLegal basis (GDPR Art. 6)
Managing appointments and bookingsContract performance (Art. 6(1)(b))
Account access and authenticationLegitimate interest (Art. 6(1)(f))
Sharing client data with the businessContract performance (Art. 6(1)(b))
Sending appointment remindersLegitimate interest (Art. 6(1)(f))
Storing theme preferenceLegitimate interest (Art. 6(1)(f))
Recording consent preferencesLegal obligation (Art. 6(1)(c))

4. Data Sharing and Processors

We share your personal data only with:

  • The business you are booking with: your name, email, and phone to manage your appointment
  • Supabase Inc.: data storage and authentication provider (data processor, US-based)
  • Resend Inc.: transactional email service for sending confirmations and reminders (data processor, US-based)
  • Vercel Inc.: hosting and serverless functions provider (data processor, US-based)
  • Cloudflare, Inc.: bot protection (Turnstile CAPTCHA), data processor, USA
  • Upstash, Inc.: rate limiting, data processor, USA

We have Data Processing Agreements (DPAs) in place with all third-party processors listed above.

We do not sell, rent, or share your data with third parties for advertising purposes.

5. International Data Transfers

Some of our data processors (Supabase, Resend, Vercel, Cloudflare, Upstash) are based in the United States. For transfers of personal data outside the European Economic Area (EEA), we rely on the following safeguards:

  • EU-U.S. Data Privacy Framework: our processors are certified under this framework
  • Standard Contractual Clauses (SCCs): additional safeguard in accordance with European Commission decisions

These measures ensure your personal data receives a level of protection equivalent to that within the EU/EEA.

6. Data Retention

  • Booking data: 2 years from the appointment date
  • Consent records: 12 months from the date of consent
  • Business account data: until account deletion
  • Authentication cookies: until logout or session expiry
  • Browser local storage: until manually cleared by the user

7. Your Rights

Under GDPR you have the right to:

  • Access: request a copy of your data
  • Rectification: correct inaccurate data
  • Erasure: request deletion of your data
  • Portability: receive your data in machine-readable format
  • Object: object to processing based on legitimate interests
  • Restriction: request temporary restriction of processing
  • Withdraw consent: if processing is based on consent, you may withdraw it at any time

How to exercise your rights

  • Clients can submit a request via the self-service form at /data-request
  • Business owners can export their data and request account deletion in Settings
  • For all other requests, contact us at hello@opus-studio.xyz

We respond within 30 days. You also have the right to lodge a complaint with AZOP (Agencija za zastitu osobnih podataka), the Croatian supervisory authority for data protection, or with the supervisory authority in your country of residence.

8. Cookies and Local Storage

  • Strictly necessary cookies (sb-*): for session management, no consent required
  • Language preference cookie (NEXT_LOCALE): stores your selected language, functional, no consent required
  • Browser local storage: tajming-dashboard-theme (theme), tajming-cookie-consent (cookie consent choice), tajming-early-bird-dismissed (banner status)

We do not use analytics, marketing, or third-party tracking cookies.

You can change your cookie preferences at any time using the "Cookie settings" link in the footer.

For detailed information about all cookies, see our Cookie Policy.

9. Data Security

We apply technical and organisational measures including HTTPS/TLS encryption, access controls, encryption at rest, and regular security reviews. Data storage and authentication are provided via the Supabase platform. Hosting is provided by Vercel with automatic HTTPS certificates.

10. Policy Changes

We will notify you of significant changes via email or an in-platform notice. Continued use of the service constitutes acceptance of the updated policy. Previous versions are available upon request.

11. Contact

For all privacy-related enquiries: hello@opus-studio.xyz

Opus KM Studio, obrt za usluge, Croatia