Privacy Policy
Last updated: 9 April 2026
This Privacy Policy explains how Bitfinity Jakub Sura (CEIDG) (“we”, “us”, “Operator”) processes personal data when you use the BUKMI service (web application, booking pages for guests, and related features), in our capacity as controller within the meaning of Article 4(7) GDPR, unless we act as processor on behalf of your organisation (see Section 8).
Business address: ul. Przedmieście Dubieckie 114a, 37-750 Dubiecko, Poland · CEIDG (sole proprietorship) · NIP: 7952459123 · REGON: 369696518
Contact (general and privacy): help@bukmi.pl
Data Protection Officer: not appointed — contact help@bukmi.pl for privacy matters.
1. Scope
1.1. This Policy applies to:
- Account users (business owners and team members) who log in to BUKMI;
- Guests who book or interact with a Business through public BUKMI pages without creating a full account (e.g. name, email, phone for a booking);
- Visitors of our marketing or documentation sites, where cookies or analytics may apply.
1.2. When a Business (salon, clinic, studio, etc.) uses BUKMI to manage its clients, that Business often acts as an independent controller for its clients’ data. We explain both roles in Section 8.
2. Data we process
Depending on how you use BUKMI, we may process:
| Category | Examples |
|---|---|
| Identity & contact | Name, email, phone, business name, address, VAT (NIP) where provided |
| Account & security | Encrypted password, 2FA settings, session tokens, IP address, device/browser metadata |
| Bookings & operations | Services, times, staff assignment, notes you enter, guest contact data for a reservation |
| Booking consents & contact preferences | Acknowledgement timestamps for operational processing where implemented; optional marketing preferences for communications from a Business (stored on bookings and, where applicable, on Contact records); optional snapshot of service-specific terms accepted at booking time |
| Payments (platform) | Limited billing data via Stripe — we do not store full card numbers |
| Guest payments (Connect) | Payment status and references processed by Stripe on behalf of the Business |
| Calendar integrations | With your consent/OAuth: tokens and event busy metadata needed to avoid double-booking |
| Communications | Support tickets, emails you send us, service notifications |
| Technical logs | Server logs, error reports, abuse prevention signals |
We do not require special categories of data under Article 9 GDPR (health, biometrics, etc.) for operating the platform. Do not upload such data unless you have a lawful basis and appropriate safeguards.
Guest booking flows. When someone books through a Business’s public page or when staff create a booking in BUKMI, we may process the items in the “Booking consents & contact preferences” row above: an operational confirmation (with a timestamp) that providing personal data is necessary to perform the booking; an optional marketing preference for messages from that Business (stored for audit on the booking and, where applicable, on a Contact keyed by business and email); and an optional snapshot of service-specific terms if the Business configured such terms. Guests may withdraw marketing consent for messages from that Business using a link in the booking confirmation email (technical feature). Marketing e-mails sent by a Business to its clients are the Business’s responsibility (lawful basis, content, unsubscribe). The Operator provides software features only.
3. Purposes and legal bases (Article 6 GDPR)
| Purpose | Legal basis |
|---|---|
| Providing the Service, accounts, bookings, payments integration | Contract (Art. 6(1)(b)) |
| Security, abuse prevention, troubleshooting | Legitimate interests (Art. 6(1)(f)) — securing the platform |
| Invoicing, accounting, legal claims | Legal obligation / legitimate interests (Art. 6(1)(c)/(f)) as applicable |
| Product analytics and improvement (non-marketing where possible) | Legitimate interests (Art. 6(1)(f)) |
| Marketing emails about BUKMI (if you opt in) | Consent (Art. 6(1)(a)) |
| Cookies not strictly necessary | Consent (Art. 6(1)(a)), where required by ePrivacy / Polish Telecommunications Law |
Where we rely on consent, you may withdraw it at any time without affecting prior processing.
4. Recipients and subprocessors
We use trusted providers who process data on our instructions or theirs, including:
- Stripe (payments, subscriptions, Connect) — Stripe Privacy Center
- Hosting / cloud infrastructure (e.g. servers within the EEA or with appropriate safeguards)
- Email / transactional messaging providers
- Calendar providers (Google, Microsoft, Apple) — only when you connect them
A current list of key subprocessors is available on request at help@bukmi.pl. We impose data processing agreements where required by Article 28 GDPR.
5. Transfers outside the European Economic Area (EEA)
If any provider processes data outside the EEA, we ensure appropriate safeguards under Chapter V GDPR (e.g. Standard Contractual Clauses and supplementary measures where required). Stripe entities and documentation describe their mechanisms (see their privacy notice).
6. Retention
We retain personal data no longer than necessary for the purposes above:
- Account data — for the life of the Account and a short period after closure (e.g. 30–90 days) unless law requires longer;
- Bookings & business records — as configured by the Business or as required for tax/accounting (often 5 years for Polish businesses — confirm with your accountant);
- Logs — typically days to months;
- Marketing consents — until withdrawn.
Exact periods may be refined in your Records of processing and product settings.
7. Your rights
Under GDPR (and Polish Ustawa o ochronie danych osobowych), you have the right to:
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure (“right to be forgotten”) (Art. 17)
- Restriction (Art. 18)
- Data portability (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Withdraw consent where processing was consent-based
- Lodge a complaint with a supervisory authority
Polish supervisory authority: President of the Personal Data Protection Office (UODO) — uodo.gov.pl.
To exercise rights, contact help@bukmi.pl. We respond within one month (extendable in complex cases).
8. Businesses, Guests, and controller vs processor
8.1. Operator as controller: we decide how platform accounts, billing with us, security logs, and core service operations are processed.
8.2. Business as controller: the Business typically decides why client (Guest) data is collected on booking pages and which services are offered. The Business must have its own privacy notice for Guests where required.
8.3. Processor relationship: where we process Guest or staff data only on documented instructions from the Business, we act as processor; an Article 28 agreement (often the Terms + DPA) applies.
8.4. Guests should contact the Business first for access or deletion of booking data; we may assist the Business technically.
9. Cookies and similar technologies
9.1. We use cookies and similar technologies for session management, security, preferences, and (with consent) analytics or marketing on our sites.
9.2. Strictly necessary cookies may be placed on the basis of legitimate interest / service necessity under applicable ePrivacy implementation. Non-essential cookies require consent where required by law (e.g. Polish law implementing the ePrivacy Directive).
9.3. You can manage cookies through your browser settings and any cookie banner we provide.
10. Automated decision-making
We do not use solely automated decision-making, including profiling, which produces legal or similarly significant effects for you, unless we explicitly notify you and provide a legal basis.
11. Children
The Service is aimed at businesses and adults. We do not knowingly offer the Service to children under 16 (or lower age if national law sets a different digital consent threshold). If you believe we have processed a child’s data in error, contact us.
12. Security
We implement technical and organisational measures (encryption in transit, access controls, backups, vendor review) appropriate to the risk. No system is 100% secure; please use strong passwords and 2FA where available.
13. Changes to this Policy
We may update this Policy. Material changes will be communicated (e.g. email or in-app notice) where appropriate. The “Last updated” date reflects the latest revision.
14. Contact
For privacy questions: help@bukmi.pl
Postal address: Bitfinity Jakub Sura, ul. Przedmieście Dubieckie 114a, 37-750 Dubiecko, Poland
This Privacy Policy is published in the BUKMI help centre as the reference version for users.