Legal

Privacy Policy

Last updated: [DATE TO BE FILLED BY LEGAL]

This document is a placeholder template. The operator must replace every bracketed section with reviewed legal text before launch.

1. Who we are

Themis (“we”, “us”) is operated by [LEGAL ENTITY NAME], registered at [REGISTERED ADDRESS], company number [COMPANY NUMBER]. We act as a data controller for the information described below, and as a data processor on behalf of the businesses (“Operators”) that use our service.

2. What data we collect

2.1 Account data

  • Name, email address, phone number
  • Hashed password (never plaintext) and one-time codes
  • Tenant / business membership and role assignments

2.2 Booking data

  • Sessions reserved, services purchased, cancellations
  • Memberships and credit transactions
  • Payment status (handled by Stripe — we do not store card numbers)

2.3 Conversational data

  • WhatsApp messages exchanged with the booking agent
  • Web chat transcripts and dashboard agent interactions

2.4 Technical data

  • Device, browser and IP address (truncated where feasible)
  • Error reports and performance traces (Sentry) — only when the user has consented via the cookie banner

3. Legal basis under GDPR

  • Contract — to provide the booking service to the Operator that you interact with.
  • Legitimate interests — to secure the platform, prevent fraud and improve reliability.
  • Consent — for analytics, error reporting and non-essential cookies. You can withdraw consent at any time via the “Cookie preferences” link in the footer.
  • Legal obligation — to comply with tax, billing and law-enforcement obligations.

4. Subprocessors

  • Sentry (error reporting & performance) — triggered only with analytics consent.
  • WhatsApp Cloud API (Meta) — to deliver booking messages.
  • OpenAI — to power the AI booking agent.
  • Stripe — to process payments and subscriptions.
  • Google Cloud / Calendar — for two-way calendar sync when connected.
  • [ANY ADDITIONAL SUBPROCESSORS TO BE LISTED BY LEGAL]

5. Data retention

  • Booking history: [RETENTION PERIOD] after the Operator terminates their account.
  • Conversational transcripts: [RETENTION PERIOD] from the date of the last message, unless required for dispute resolution.
  • Error reports (Sentry): 90 days.
  • Audit logs: [RETENTION PERIOD], for security and compliance.

6. Your rights under GDPR and ePrivacy

  • Access your personal data and obtain a copy.
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”), subject to legal-retention exceptions.
  • Restrict or object to processing.
  • Receive your data in a portable, machine-readable format.
  • Withdraw consent for analytics cookies at any time.
  • Lodge a complaint with your national Data Protection Authority.

7. How to contact us / DPO

For any privacy request, please contact our Data Protection Officer at [DPO@OPERATOR.COM]. Postal: [POSTAL ADDRESS]. We respond to all verified requests within 30 days.

8. Changes to this policy

We will notify you of material changes via the dashboard banner or, where required, by email. The “Last updated” date at the top of this page always reflects the current version.