Privacy Policy

Last updated: March 2026

1. Introduction

This Privacy Policy applies to business users ("you", "your business") of the Kansa Business platform, including salon owners, clinic operators, spa managers, and authorized staff members who access the platform to manage bookings, clients, treatments, and business operations.

Kansa SRL ("Kansa", "we", "us", "our"), a company registered in Bucharest, Romania, operates the Kansa Business platform. We are committed to protecting the privacy and security of your personal data and the personal data of your clients that is processed through our platform.

This policy describes how we collect, use, store, and share personal data in the context of the Kansa Business platform. It should be read alongside our Terms of Service and Data Processing Agreement.

For any questions or concerns regarding this policy, please contact us at privacy@kansa.so.

2. Data Controller and Data Processor Roles

Under the General Data Protection Regulation (GDPR), different parties may assume different roles depending on the type of data being processed. It is important to understand the distinction between a data controller (the entity that determines the purposes and means of processing) and a data processor (the entity that processes data on behalf of the controller).

Kansa as Data Controller

For your business account data — including your account credentials, business profile information, staff records, financial configuration, and platform usage data — Kansa acts as the data controller. This means we determine why and how this data is processed, and we are directly responsible for complying with GDPR obligations in relation to this data.

Kansa as Data Processor

For client data processed through the platform — including bookings, client profiles, medical records, consent forms, treatment plans, clinical notes, and payment records — your business is the data controller and Kansa acts as the data processor under GDPR Article 28. This means your business determines the purposes and means of processing your clients' data, and Kansa processes this data strictly on your behalf and in accordance with your documented instructions.

This distinction is critical: as the data controller for client data, your business bears primary responsibility for ensuring lawful processing, obtaining appropriate consent (particularly for health data under Article 9), and responding to data subject requests from your clients. Kansa supports you in fulfilling these obligations through the tools and features provided on the platform.

3. Business User Data We Collect

As data controller, Kansa collects and processes the following categories of data about business users:

Account Data

  • Full name and display name
  • Email address
  • Password (stored as a cryptographic hash; we never store plaintext passwords)
  • Profile avatar/photo
  • Locale and language preferences
  • Account creation date and status

Business Profile Data

  • Business name, type (salon, clinic, spa, etc.), and description
  • URL slug for your public booking page
  • Business address (street, city, region, postal code, country)
  • Business phone number and email address
  • Website URL
  • VAT registration number
  • GPS coordinates (latitude/longitude) for location-based search
  • Operating hours and holiday schedules

Staff Data

  • Staff member names and contact information
  • Roles and permissions within the platform
  • Working hours and availability schedules
  • Service assignments and specializations

Financial Data

  • Stripe Connect account identifiers and onboarding status
  • Payout configuration (bank account details are held by Stripe, not by Kansa directly)
  • Transaction history and revenue summaries
  • Commission rates and billing information
  • Subscription plan and payment history

Authentication and Security Data

  • Session tokens and session metadata
  • IP addresses associated with login events
  • User agent strings (browser and device information)
  • OAuth tokens if using third-party login (Google, Apple, or Microsoft)
  • Two-factor authentication configuration

Platform Usage Data

  • Feature usage patterns and interactions
  • Login timestamps and session durations
  • Pages visited and actions performed within the dashboard
  • Error logs related to your account activity

4. Client Data We Process on Your Behalf

As data processor acting on your instructions, Kansa processes the following categories of data about your clients. Your business is the data controller for all of this data and is responsible for ensuring a valid legal basis for its processing.

Booking Records

  • Appointment details (date, time, duration, service booked)
  • Assigned staff member
  • Booking status (confirmed, completed, cancelled, no-show)
  • Cancellation reasons and timestamps
  • Appointment notes added by staff

Client Profiles

  • Client name, email address, and phone number
  • Communication preferences
  • Service and product preferences
  • Client notes and tags

Medical Profiles (Special Category Data)

The following constitutes special category data under GDPR Article 9. It may only be processed where one of the conditions in Article 9(2) is met; on the Kansa platform, your business must obtain explicit consent from the data subject under Article 9(2)(a) (see Section 5) before recording any of it:

  • Known allergies and sensitivities
  • Current medications
  • Medical conditions and health history
  • Prior surgical procedures relevant to treatments
  • Family medical history (where relevant to treatment)
  • Skin type, skin conditions, and sensitivities
  • Pregnancy or nursing status

Clinical Records (Special Category Data)

  • SOAP notes (Subjective, Objective, Assessment, Plan)
  • ICD-10 diagnostic codes
  • Prescriptions and treatment recommendations
  • Follow-up plans and referrals

Consent Forms

  • Procedure descriptions and explanations
  • Risk acknowledgments and informed consent statements
  • Client signatures (electronic)
  • Pre-care and post-care instructions provided
  • Date and time of consent

Treatment Plans

  • Diagnosis and treatment goals
  • Planned session protocols and schedules
  • Progress records and outcome assessments
  • Modifications to treatment plans over time

Body Measurements

  • Weight and body fat percentage
  • Circumference measurements (waist, hips, chest, arms, thighs)
  • Measurement dates and progression tracking

Treatment Photos

  • Before and after treatment photographs
  • Photo metadata (date, associated treatment, staff member)

Financial and Loyalty Data

  • Payment records and transaction history for services
  • Client reviews and ratings
  • Loyalty program points and redemption history
  • Membership plans and subscription status

5. Legal Basis for Processing

Under GDPR Article 6, we rely on the following legal bases for processing your business user data:

Performance of a Contract (Article 6(1)(b))

Processing your account data, business profile, staff data, and financial data is necessary for the performance of our contract with you — namely, providing the Kansa Business platform and its associated services. Without this data, we cannot deliver the services you have subscribed to.

Legitimate Interests (Article 6(1)(f))

We process certain data based on our legitimate interests, including:

  • Platform improvement and feature development based on usage analytics
  • Fraud prevention and detection of unauthorized access
  • Ensuring platform security and integrity
  • Aggregated analytics and benchmarking (using anonymized data)

We have conducted a legitimate interest assessment for each of these processing activities and have determined that our interests are not overridden by your fundamental rights and freedoms.

Legal Obligation (Article 6(1)(c))

We are required to retain certain financial and transaction records for a period of 7 years under Romanian fiscal legislation. We may also process data to comply with court orders, regulatory requests, or other legal obligations.

Consent (Article 6(1)(a))

We rely on your consent for marketing communications, including product updates, feature announcements, and promotional offers. You may withdraw your consent at any time by using the unsubscribe link in any marketing email or by contacting us at privacy@kansa.so.

Special Category Data — Your Clients

Health and medical data about your clients constitutes special category data under GDPR Article 9. Processing of such data requires an additional legal basis beyond Article 6. As the data controller for your clients' data, your business must obtain explicit consent from each client under Article 9(2)(a) before entering their medical profiles, clinical records, body measurements, or treatment photos into the platform. Kansa provides consent form tools to assist you with this obligation, but the responsibility for obtaining valid consent rests with your business.

6. Data Processing Agreement Provisions

In accordance with GDPR Article 28, the following provisions govern Kansa's processing of client data on your behalf. These provisions form part of the contractual relationship between your business and Kansa.

Processing Instructions

Kansa processes client data solely on the basis of your documented instructions. These instructions are defined by the features and configurations you use within the platform. Kansa will not process client data for any purpose other than providing the contracted services, unless required to do so by EU or Member State law, in which case we will inform you of the legal requirement before processing (unless prohibited from doing so).

Confidentiality

All Kansa personnel who have access to client data are bound by confidentiality obligations, either through employment contracts or separate non-disclosure agreements. Access to client data is limited to personnel who require it for the provision of our services.

Security Measures

Kansa implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data at rest (AES-256) and in transit (TLS 1.2+)
  • Strict access controls and role-based permissions
  • Support for two-factor authentication (2FA) on all accounts
  • Regular security assessments and vulnerability scanning
  • Automated monitoring and alerting for suspicious activity

Sub-processors

Kansa engages the following sub-processors to deliver the platform:

  • Microsoft Azure (West Europe region) — cloud infrastructure, hosting, database, and storage services
  • Stripe — payment processing, merchant onboarding, and payout services

We will notify you of any intended changes to the list of sub-processors, giving you the opportunity to object to such changes. Each sub-processor is bound by data protection obligations no less protective than those set out in this policy.

Assistance with Data Subject Requests

Kansa assists you in fulfilling your obligations to respond to data subject requests from your clients, including requests for access, rectification, erasure, restriction, portability, and objection. The platform provides tools to export, modify, and delete client data as needed.

Data Return and Deletion on Termination

Upon termination of your subscription, Kansa will, at your choice, either export your client data in a standard, machine-readable format or securely delete it. This is subject to any legal retention requirements (see Section 9). You will have 90 days after termination to request data export, after which remaining data will be securely deleted.

Audit Rights

You may request compliance documentation, including records of processing activities, security certifications, and the results of third-party security assessments, to verify Kansa's compliance with its data processing obligations. Such requests should be directed to dpo@kansa.so.

Data Breach Notification

In the event of a personal data breach affecting client data, Kansa will notify you without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

7. Your Obligations as Data Controller

As the data controller for client data processed through the Kansa platform, your business has the following obligations under GDPR:

  • Obtain a valid legal basis for processing your clients' data. In particular, you must obtain explicit consent under GDPR Article 9(2)(a) before processing any health or medical data (medical profiles, clinical records, body measurements, treatment photos).
  • Provide clear privacy notices to your clients, informing them of how their data will be processed, the purposes of processing, their rights, and the identity of the data controller and any processors.
  • Respond to data subject requests from your clients (access, rectification, erasure, restriction, portability, objection) within the timeframes required by GDPR. Kansa provides platform tools to assist you, but the obligation to respond rests with your business.
  • Ensure clinical data accuracy by maintaining up-to-date and correct records for all client medical profiles, treatment plans, and clinical notes.
  • Configure appropriate data retention settings within the platform to align with applicable healthcare regulations and your own data retention policies.
  • Report data breaches to the competent supervisory authority without undue delay and no later than 72 hours after becoming aware of a breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to the rights and freedoms of your clients, you must also notify the affected individuals without undue delay (Article 34).
  • Maintain records of processing activities as required by GDPR Article 30.

8. International Data Transfers

Kansa is committed to keeping personal data within the European Union and European Economic Area (EU/EEA) wherever possible.

Primary Data Storage

All primary data storage and processing occurs within Microsoft Azure's West Europe region (Netherlands), ensuring that your data and your clients' data remains within the EU.

Payment Processing

Stripe processes payment data primarily within the EU. Where Stripe transfers data outside the EU/EEA (for example, to the United States for fraud detection purposes), such transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and organizational measures.

No Unauthorized Transfers

Kansa does not transfer personal data outside the EU/EEA without appropriate safeguards in place. Any such transfer will only occur on the basis of an adequacy decision by the European Commission or Standard Contractual Clauses, and we will inform you of any such transfers and the safeguards applied.

9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The following retention periods apply:

  • Business account data: Retained for the duration of your active subscription, plus 90 days after termination to allow for account reactivation or data export.
  • Client clinical and medical records: Retained according to your configured retention settings. The default retention period is 10 years, or as required by applicable healthcare regulations in your jurisdiction.
  • Consent forms: 10 years from the date of the procedure to which they relate, as required by applicable legal and regulatory requirements.
  • Financial and transaction records: 7 years, as required by Romanian fiscal legislation and EU financial record-keeping requirements.
  • Booking history: 3 years after the date of the appointment.
  • Analytics and platform usage data: 26 months from the date of collection.

After the applicable retention period expires, data is securely deleted or irreversibly anonymized. You may configure shorter retention periods for client data through the platform settings, subject to minimum retention periods required by law.

10. Security Measures

In accordance with GDPR Article 32, Kansa implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.

Technical Measures

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: All stored data, including databases, backups, and file storage, is encrypted using AES-256 encryption.
  • Role-based access controls: Access to data within the platform is governed by configurable roles and permissions, ensuring that staff members only have access to the data they need.
  • Two-factor authentication (2FA): Support for 2FA on all business accounts, adding an additional layer of protection beyond passwords.
  • Automated session expiry: Sessions automatically expire after a period of inactivity to prevent unauthorized access from unattended devices.
  • Regular security assessments: We conduct periodic penetration testing and vulnerability assessments of our platform.

Infrastructure Security

  • Hosted on Microsoft Azure, which maintains SOC 2 Type II and ISO 27001 certifications.
  • Network-level firewalls and intrusion detection systems.
  • Automated backup procedures with encrypted backup storage.
  • Disaster recovery capabilities with geographically separated backup locations within the EU.

Organizational Measures

  • Data protection training for all Kansa personnel with access to personal data.
  • Internal data access policies based on the principle of least privilege.
  • Incident response procedures for prompt detection and handling of security events.
  • Regular review and update of security policies and procedures.

11. Data Subject Rights

Under GDPR Articles 15–22 (and Article 7(3) for the withdrawal of consent), you have the following rights regarding your personal data as a business user:

Your Rights as a Business User

  • Right of access (Article 15): You have the right to obtain confirmation of whether your personal data is being processed and to access a copy of that data.
  • Right to rectification (Article 16): You have the right to have inaccurate personal data corrected and incomplete data completed.
  • Right to erasure (Article 17): You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent (subject to legal retention obligations).
  • Right to restriction (Article 18): You have the right to request that we restrict the processing of your data in certain circumstances, such as while we verify the accuracy of contested data.
  • Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
  • Right to object (Article 21): You have the right to object to processing based on legitimate interests. Where you object, we will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

Your Clients' Rights

Your clients have the same rights under GDPR with respect to their personal data that you process through the platform. As the data controller for client data, your business is responsible for facilitating these rights. Kansa assists you by providing platform tools for data export, modification, and deletion, and by cooperating with you in responding to data subject requests.

How to Exercise Your Rights

To exercise any of your rights as a business user, please contact us at privacy@kansa.so. We will respond to your request within one month of receipt. In complex cases or where we receive a large number of requests, this period may be extended by two further months, as permitted by GDPR Article 12(3), in which case we will inform you of the extension and the reasons for it within the initial one-month period.

We may request verification of your identity before processing your request to ensure the security of your personal data.

12. Data Breach Notification

Kansa maintains comprehensive data breach detection and response procedures. In the event of a personal data breach:

Kansa's Obligations

  • Kansa will notify you of any breach affecting your clients' data without undue delay and no later than 72 hours after becoming aware of the breach.
  • The notification will include: the nature and scope of the breach, categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.
  • Kansa will provide all information and assistance necessary to support your notification obligations under GDPR Articles 33 and 34.

Your Obligations

  • As the data controller for client data, your business is responsible for notifying the competent supervisory authority of the breach without undue delay and no later than 72 hours after becoming aware of it (GDPR Article 33), unless the breach is unlikely to result in a risk to the rights and freedoms of the affected individuals.
  • Where the breach is likely to result in a high risk to the rights and freedoms of your clients, you must also notify the affected individuals without undue delay (GDPR Article 34).
  • You should maintain records of all breaches, including those that do not require notification to the supervisory authority (GDPR Article 33(5)).

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

For material changes that affect how we process your data or alter your rights, we will notify you via email at least 30 days in advance of the changes taking effect. We will also display a prominent notice within the Kansa Business dashboard.

For minor changes (such as clarifications or formatting improvements that do not affect the substance of the policy), we will update the "Last updated" date at the top of this page.

Your continued use of the Kansa Business platform after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with any changes, you may terminate your subscription and request deletion of your data in accordance with Section 6 of this policy.

14. Contact and Supervisory Authority

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us at privacy@kansa.so. Requests for compliance documentation under Section 6 should be directed to dpo@kansa.so.

Supervisory Authority

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. The supervisory authority for Kansa is:

ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal)
Bucharest, Romania
www.dataprotection.ro

You also have the right to lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement, if different from the ANSPDCP.