Privacy Policy

Effective date: 28 May 2026

This Privacy Policy explains how Eremin Roman (“Pointy”, “we”, “our”, “us”) collects, uses, shares, and protects personal data when you use the Pointy booking service at pointy.me, app.pointy.me, and related subdomains (the “Service”).

We act as the data controller for the personal data described below. Pointy is operated by an individual sole proprietor based in Israel. If you are in the European Economic Area, the United Kingdom, or Israel, this notice describes your rights under the General Data Protection Regulation (GDPR), the UK GDPR, and the Israeli Protection of Privacy Law (PPL) as applicable.

1. Who this Policy applies to

The Service has two kinds of users:

  • Masters — service providers who create an account, publish a profile, and accept bookings.
  • Clients — people who book appointments with a Master, with or without creating an account.

This Policy applies to both groups. Where a section is role-specific, we say so.

2. Data we collect

2.1 Account data (Masters)

  • Email address and password (managed by Amazon Cognito; we never see plaintext passwords).
  • Full name, public handle, display name, phone number with country, time zone.
  • Avatar image, services you offer, prices, durations, availability schedule.
  • Optional Google account identifier if you sign in with Google.

2.2 Booking data (Clients)

  • Name and phone number you provide when booking.
  • Email address, if you provide one.
  • The service you booked, the time, and any notes you add.

2.3 Google Calendar integration (Masters, optional)

If you connect your Google Calendar, we receive and store a long-lived OAuth refresh token, encrypted at rest with AWS Key Management Service (KMS). We use it to create, update, and delete calendar events that mirror your Pointy bookings. We request only the scopes needed to manage events on the calendar you connect, and we never read calendar entries we did not create. The token is deleted from our database the moment you disconnect, or when Google indicates the grant has been revoked.

2.4 Authentication and session data

We use Auth.js to manage signed-in sessions. This sets first-party cookies on your browser (session token, CSRF token, OAuth state) that are strictly necessary for the Service to work.

2.5 Technical and log data

Our hosting provider (Amazon Web Services) records standard request metadata: IP address, user agent, timestamps, and URL paths. We use these logs for security and debugging.

3. How we use your data (purposes and legal bases)

  • Operate the Service — store profiles, manage bookings, send booking confirmations. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).
  • Sync to Google Calendar — only if a Master opts in. Legal basis: consent (GDPR Art. 6(1)(a)), which can be withdrawn at any time by disconnecting.
  • Communicate with users — operational and transactional messages (account verification, booking confirmations, password resets). Legal basis: contract.
  • Security and abuse prevention — rate limiting, fraud detection, session integrity. Legal basis: legitimate interest (GDPR Art. 6(1)(f)).
  • Comply with legal obligations — tax records, lawful requests. Legal basis: legal obligation (GDPR Art. 6(1)(c)).

We do not sell personal data, do not use it for behavioural advertising, and do not profile users for automated decisions with legal or similarly significant effects.

4. Sub-processors and sharing

We share personal data only with the service providers we need to run Pointy:

  • Amazon Web Services, Inc. — hosting, authentication (Cognito), database (RDS PostgreSQL), object storage (S3), serverless compute (Lambda), queues (SQS), encryption (KMS), DNS (Route 53), CDN (CloudFront). Processing regions currently include the European Union and the United States.
  • Google LLC — only if a Master enables Calendar sync. We send the event title (“Appointment” plus the service name), start and end time, and an internal Pointy reference. Google processes calendar data under their own privacy policy.

We will update this section, and notify Masters, before adding any new sub-processor that handles personal data.

5. International data transfers

Some of our sub-processors operate outside your country, including in the United States. Where data is transferred out of the EEA, the UK, or Israel, we rely on Standard Contractual Clauses, the EU-US Data Privacy Framework where the recipient is certified, or an applicable adequacy decision.

6. How long we keep your data

  • Account data — for as long as the account exists. Deleted within 30 days after you request account deletion, except where law requires longer retention.
  • Booking records — kept for up to 7 years to meet tax and accounting obligations, then deleted.
  • Google Calendar refresh token — deleted immediately on disconnect or when Google reports the grant is no longer valid.
  • Server logs — up to 30 days, then rotated and deleted.

7. Your rights

You have the right to:

  • Access the personal data we hold about you.
  • Ask us to correct inaccurate data.
  • Ask us to delete your data (subject to legal retention requirements).
  • Ask us to restrict or object to certain processing.
  • Receive a copy of your data in a portable, machine-readable format.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with your local supervisory authority — for example, the Israeli Privacy Protection Authority, or the data protection authority of your EU member state.

To exercise any of these rights, email us at privacy@pointy.me. We respond within 30 days.

8. Cookies and similar technologies

Pointy uses only strictly necessary first-party cookies for authentication and security. We do not use advertising cookies, analytics cookies, or third-party trackers. If this changes, we will update this Policy and request your consent where required.

9. Security

We protect your data with TLS in transit, AWS-managed encryption at rest, KMS-encrypted OAuth tokens, and role-based access controls. No system is perfectly secure; if we ever become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the relevant authority and affected users in line with GDPR Articles 33 and 34.

10. Children

The Service is not directed at children under 16. We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Changes to this Policy

We may update this Policy as the Service evolves. The effective date at the top reflects the latest version. For material changes we will notify Masters by email or via an in-product notice before the change takes effect.

12. Contact

For any privacy question or request, email privacy@pointy.me. We are based in Israel and operate under Israeli law in addition to applicable EU/UK data protection rules.