For questions regarding data protection, please reach out via the email address above.
2. Overview of Processing
blushy processes personal data in the following contexts:
Website Visit: Technical data (IP address, browser type, access times) for providing and securing the website.
Account Creation & Usage: Name, email address, studio data and payment information for providing the service.
Client Data: Client data entered by users (name, contact details, appointment history, treatment notes), processed under a data processing agreement.
Payment Processing: Payment data is forwarded to our payment processor Stripe.
3. Legal Basis
The processing of personal data is based on the following legal grounds:
Art. 6(1)(a) GDPR (Consent): Where you have given us consent, e.g. for non-essential cookies.
Art. 6(1)(b) GDPR (Contract Performance): To fulfill our contract with you, in particular to provide the blushy platform.
Art. 6(1)(c) GDPR (Legal Obligation): To comply with legal requirements, e.g. tax and commercial record-keeping obligations.
Art. 6(1)(f) GDPR (Legitimate Interest): To protect our legitimate interests, e.g. IT security and fraud prevention.
4. Processing of Client Data
blushy enables beauty and wellness professionals to manage client data including appointment histories, treatment notes and personal preferences. blushy acts as a data processor pursuant to Art. 28 GDPR. The studio owner or operator remains the data controller for client data.
Security Measures
Encryption: All client data is stored with AES-256 encryption at rest and transmitted exclusively via TLS 1.2+.
Access Control: Role-based permission system — users only see data they are authorized for.
Audit Trail: Changes to client data are logged.
Data Isolation: Data from different studios is strictly separated.
EU Data Location: All data is stored exclusively in data centers within the European Union.
5. Web Hosting & Infrastructure
The blushy platform is hosted by Scaleway (Scaleway SAS, 8 rue de la Ville l'Evêque, 75008 Paris, France). Scaleway operates data centers exclusively within the EU (Paris, Amsterdam, Warsaw).
Scaleway is certified according to:
ISO/IEC 27001:2022 — Information Security Management System
HDS (Health Data Hosting) — Certification for hosting health-related data
We implement comprehensive technical and organizational measures to protect your data:
Transport Encryption: All connections to blushy are encrypted with TLS 1.2 or higher. Unencrypted transmission is not possible.
Storage Encryption: All stored data — including databases, files and backups — is encrypted with AES-256 (Encryption at Rest).
Access Protection: Passwords are stored exclusively as salted, hashed values and are not visible to anyone — including blushy — in plain text.
DDoS Protection: Infrastructure protection provided by the hosting provider.
Regular Backups: Automated, encrypted backups ensure data availability and recoverability.
7. Payment Processing
We use Stripe (Stripe Technology Europe Ltd, 1 Grand Canal Street Lower, Dublin 2, Ireland) for payment processing.
During a payment transaction, the following data is transmitted to Stripe:
Account holder name
Email address
Payment information (credit card or SEPA details)
Invoice amount
Stripe processes this data as an independent controller pursuant to Art. 6(1)(b) GDPR. Credit card data is processed exclusively by Stripe — blushy never has access to full card numbers.
This website uses Google Fonts (Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland) for font rendering. When the page loads, a connection to Google servers is established, during which your IP address is transmitted to Google.
Usage is based on Art. 6(1)(f) GDPR (legitimate interest in consistent visual presentation).
blushy exclusively uses technically necessary cookies required for the functioning of the website and application:
Session Cookies: To maintain your login session.
CSRF Token: For protection against cross-site request forgery attacks.
Preference Cookies: To store your settings (e.g. language, workspace).
We use no tracking cookies, no advertising cookies and no third-party analytics tools. No data is transmitted to advertising networks or social media platforms.
10. Data Retention & Deletion
Personal data is only stored as long as necessary for the respective purpose or as required by statutory retention obligations:
Data Category: Retention Period
Account data: Duration of use + 90 days after cancellation
Client data: Until deleted by user (data controller)
Billing data: 7 years (statutory retention obligation)
Server log files: 14 days
Payment data at Stripe: Duration of business relationship + statutory obligations
After the retention period expires, data is deleted or anonymized. You can request deletion of your data at any time via the data export function in blushy or by email.
11. Your Rights
As a data subject, you have the following rights under the GDPR:
Right of Access (Art. 15 GDPR): You have the right to know what personal data we process about you.
Right to Rectification (Art. 16 GDPR): You can request correction of inaccurate data.
Right to Erasure (Art. 17 GDPR): You can request deletion of your data, provided no statutory retention obligations apply.
Right to Restriction (Art. 18 GDPR): You can request restriction of processing.
Right to Data Portability (Art. 20 GDPR): You can receive your data in a machine-readable format. blushy provides an integrated export function for this purpose.
Right to Object (Art. 21 GDPR): You can object to the processing of your data where it is based on legitimate interest.
Right to Withdraw Consent (Art. 7(3) GDPR): You can withdraw any consent given at any time with effect for the future.