Tugest

Privacy Policy

Last Updated: January 15, 2025

Effective Date: January 15, 2025

At Tugest ("we", "us", "our"), we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your data when you use our appointment scheduling platform and services.

By using Tugest, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

1. Information We Collect

1.1 Information You Provide Directly

We collect information that you voluntarily provide when using our services:

Account Information:

  • Name (first and last)
  • Email address
  • Phone number
  • Password (encrypted)
  • Account type (client, staff, manager, admin)

Business Information (for business accounts):

  • Business name
  • Business address
  • Business phone number
  • Business hours
  • Business description
  • Business logo and images

Client Data (information you input about your clients):

  • Client names
  • Client contact information (email, phone)
  • Appointment history
  • Service preferences
  • Notes and custom fields

Service and Product Information:

  • Service names, descriptions, and pricing
  • Product details (Business plan)
  • Categories and tags

Payment Information:

  • Billing address
  • Payment method details (processed securely by Stripe - we do not store full credit card numbers)
  • Transaction history

1.2 Information Collected Automatically

When you access our services, we automatically collect certain information:

Usage Data:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited and time spent
  • Referral source
  • Date and time of access
  • Clickstream data

Cookies and Tracking Technologies:

  • Session cookies (essential for functionality)
  • Analytics cookies (with your consent)
  • Preference cookies (to remember your settings)

For more details, see our Cookie Policy.

1.3 Information from Third Parties

We may receive information from third-party services you connect:

  • Google Workspace / Microsoft 365: Email address, name, profile picture (when you connect OAuth email)
  • Stripe: Payment processing information
  • WhatsApp Business API: Message delivery status

2. How We Use Your Information

We use the collected information for the following purposes:

2.1 To Provide and Maintain Our Services

  • Create and manage your account
  • Process appointments and bookings
  • Send appointment confirmations, reminders, and notifications
  • Enable communication between you and your clients
  • Provide customer support
  • Process payments and subscriptions

2.2 To Improve Our Services

  • Analyze usage patterns and trends
  • Develop new features and functionality
  • Fix bugs and technical issues
  • Conduct research and development

2.3 To Communicate With You

  • Send service updates and announcements
  • Respond to your inquiries and requests
  • Send marketing communications (with your consent)
  • Notify you of changes to our policies

2.4 For Security and Fraud Prevention

  • Detect and prevent fraud and abuse
  • Protect against security threats
  • Verify identity and prevent unauthorized access
  • Comply with legal obligations

2.5 For Legal and Compliance Purposes

  • Comply with applicable laws and regulations
  • Respond to legal requests and court orders
  • Enforce our Terms of Service
  • Protect our rights and property

3. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

3.1 Contractual Necessity

Processing is necessary to provide the services you've requested (creating appointments, managing your business, etc.).

3.2 Legitimate Interests

We process data to improve our services, prevent fraud, and ensure security, provided your rights and freedoms are not overridden.

3.3 Consent

For analytics cookies, marketing communications, and optional features, we obtain your explicit consent.

3.4 Legal Obligation

We process data to comply with legal requirements, such as tax reporting and responding to lawful requests.

4. How We Share Your Information

We do NOT sell your personal data to third parties.

We may share your information in the following circumstances:

4.1 Service Providers

We share data with trusted third-party service providers who assist us in operating our platform:

  • Stripe: Payment processing (PCI-DSS compliant)
  • SendGrid / Resend: Email delivery
  • Google Cloud / Microsoft Azure: Email OAuth integration
  • WhatsApp Business API: Message delivery
  • Google Analytics: Usage analytics (anonymized, with consent)

These providers are contractually obligated to protect your data and use it only for the purposes we specify.

4.2 Business Transfers

If Tugest is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

4.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas).

4.4 Protection of Rights

We may disclose information to:

  • Enforce our Terms of Service
  • Protect the rights, property, or safety of Tugest, our users, or others
  • Detect, prevent, or address fraud, security, or technical issues

4.5 With Your Consent

We may share information for any other purpose with your explicit consent.

5. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights:

5.1 Right to Access

You have the right to request a copy of the personal data we hold about you.

How to exercise: Email [email protected] or use the "Export Data" feature in your account settings.

5.2 Right to Rectification

You have the right to correct inaccurate or incomplete personal data.

How to exercise: Update your information directly in your account settings or contact support.

5.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data under certain circumstances.

How to exercise: Use the "Delete Account" feature in settings or contact [email protected].

Note: We may retain certain information for legal obligations or legitimate business purposes (e.g., fraud prevention, financial records).

5.4 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format.

How to exercise: Use the "Export Data" feature to download your data as JSON.

5.5 Right to Object

You have the right to object to processing of your personal data for direct marketing or based on legitimate interests.

How to exercise: Unsubscribe from marketing emails or contact [email protected].

5.6 Right to Restriction of Processing

You have the right to request limitation of how we use your data in certain situations.

5.7 Right to Withdraw Consent

Where we rely on your consent, you can withdraw it at any time (e.g., cookie consent, marketing emails).

5.8 Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority if you believe we have not complied with GDPR.

Portuguese Data Protection Authority: www.cnpd.pt

6. Data Retention

We retain your personal data only for as long as necessary for the purposes outlined in this policy:

6.1 Active Accounts

We retain your data for as long as your account is active and you continue to use our services.

6.2 After Account Deletion

  • 30-day grace period: Data is retained for account recovery
  • After 30 days: All personal data is permanently deleted
  • Exceptions: We may retain certain data for legal, tax, or fraud prevention purposes (anonymized where possible)

6.3 Specific Retention Periods

  • Financial records: 7 years (legal requirement)
  • Server logs: 90 days
  • Analytics data: 26 months (anonymized)
  • Marketing communications: Until you unsubscribe

7. Data Security

We implement appropriate technical and organizational measures to protect your data:

7.1 Technical Measures

  • Encryption: SSL/TLS encryption for data in transit
  • Hashing: Passwords are hashed using bcrypt (never stored in plain text)
  • Access Controls: Role-based access control (RBAC) and multi-factor authentication
  • Firewalls: Network-level protection
  • Regular Backups: Encrypted backups stored securely

7.2 Organizational Measures

  • Employee Training: Regular security and privacy training
  • Access Limitations: Only authorized personnel can access personal data
  • Security Audits: Regular security assessments and penetration testing
  • Incident Response: Procedures for detecting and responding to data breaches

7.3 Data Breach Notification

In the event of a data breach that affects your personal data, we will:

  • Notify you within 72 hours (as required by GDPR)
  • Inform relevant data protection authorities
  • Describe the nature of the breach and steps taken to address it
  • Provide recommendations to protect yourself

8. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA):

8.1 Data Locations

  • Primary servers: European Union (GDPR-compliant)
  • Backup servers: United States (adequacy decision or Standard Contractual Clauses)
  • Service providers: May be located in various countries

8.2 Safeguards

We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • EU-U.S. Data Privacy Framework (where applicable)
  • Binding Corporate Rules

9. Children's Privacy

Our services are not intended for individuals under 16 years of age.

We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected], and we will delete such information.

10. Cookies and Tracking Technologies

We use cookies and similar technologies. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.

10.1 Cookie Categories

  • Essential Cookies: Required for the site to function (no consent needed)
  • Analytics Cookies: Help us understand usage patterns (requires consent)
  • Marketing Cookies: Used for advertising (requires consent)

10.2 Managing Cookies

You can manage your cookie preferences at any time through:

  • Cookie consent banner (on first visit)
  • Cookie Settings page (Settings, GDPR Compliance tab)
  • Your browser settings

11. Third-Party Links

Our services may contain links to third-party websites or services (e.g., payment processors, social media). We are not responsible for the privacy practices of these third parties.

We encourage you to review the privacy policies of any third-party services you access.

12. Marketing Communications

12.1 Opt-In

We will only send you marketing communications if you have consented to receive them.

12.2 Opt-Out

You can unsubscribe from marketing emails at any time by:

  • Clicking "Unsubscribe" in any marketing email
  • Updating your preferences in account settings
  • Contacting [email protected]

12.3 Transactional Emails

You will continue to receive essential service emails (appointment confirmations, account notifications) even if you opt out of marketing.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons.

13.1 Notification of Changes

  • Material changes: We will notify you via email or prominent notice on our platform at least 30 days before the changes take effect
  • Minor changes: We will update the "Last Updated" date and post the new policy

13.2 Your Acceptance

Continued use of our services after changes become effective constitutes acceptance of the updated policy.

14. Contact Us & Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

General Privacy Inquiries:

Email: [email protected]

Data Protection Officer:

Email: [email protected]

Customer Support:

Email: [email protected]
Phone: +351 964 593 600

Postal Address:

Tugest
Data Privacy Department
Rua Example, 123
1000-000 Lisboa
Portugal

15. Additional Information for Specific Regions

15.1 California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt out of sale of personal information (we do not sell your data)
  • Right to non-discrimination for exercising your rights

15.2 United Kingdom Residents

UK residents have rights under the UK GDPR and Data Protection Act 2018, similar to EU rights outlined above.

Summary of Your Rights

You have the right to:

  • ✓ Access your personal data
  • ✓ Correct inaccurate data
  • ✓ Delete your data ("right to be forgotten")
  • ✓ Export your data (data portability)
  • ✓ Object to processing
  • ✓ Restrict processing
  • ✓ Withdraw consent
  • ✓ Lodge a complaint with authorities

To exercise any of these rights, contact us at [email protected]