Privacy Policy
Version: 1.0 · Effective date: 2026-06-03
DRAFT — pending legal-counsel review. This document describes F9.contact's intended data-protection practices. It has not yet been finalised by legal counsel and must not be relied upon as a definitive legal statement.
Who we are
F9.contact ("F9", "we", "us") provides booking, client-records, fiscal-compliance and staff-management software for personal-care businesses in the European Union. Where you are a business operating on the platform, you are the data controller for your customers' personal data and F9 acts as your data processor under a Data Processing Agreement. Where we process data about you directly — your account, billing and support history — F9 is the controller.
For legal-entity, registered-office and contact details, see our Imprint.
What we process and why
We process only the categories of personal data needed to operate the service:
- Account and identity data — names, email addresses, phone numbers and login credentials of business operators and their staff.
- Customer data — entered by businesses about their own clients: contact details, appointment history, preferences, optional profile photos and, for clinical verticals, intake-questionnaire answers.
- Billing data — subscription tier, payment status and invoicing details. Card data is handled by our payment processor and never stored on F9 servers.
- Technical data — IP address, device and browser information, and audit-log entries recording who accessed what and when.
We rely on the lawful bases of contract (to deliver the service you signed up for), legitimate interest (security, fraud prevention, product improvement) and legal obligation (Croatian fiscal and tax-retention law). Where consent is required — for non-essential cookies — we ask for it explicitly.
How we protect personal data
Personal data is encrypted at rest using AES-256-GCM envelope encryption. Every protected record has its own Data Encryption Key (DEK), which is itself encrypted by a Key Encryption Key (KEK). We operate a three-tier key hierarchy:
- a platform-level key for business contact details,
- a per-business key for staff and worker data,
- an independent customer-level key for client personal data.
Searchable fields such as email are stored as a keyed HMAC for lookup and as a separately encrypted value for display — plaintext email is never written to disk. Personal data is held in EU-sovereign infrastructure, and profile images are re-encoded with metadata stripped and served only through short-lived signed URLs.
Retention and deletion
Businesses retain customer data for the duration of their subscription and a configurable cooling-off period afterwards. Records pass through soft-delete, then a post-termination window, then hard deletion. We honour Croatian statutory retention periods for fiscal records, which override deletion requests for the data those laws cover.
When a record is erased, we perform cryptographic erasure: the relevant Data Encryption Key is destroyed, rendering the encrypted personal data permanently irrecoverable while the structural booking and audit history a business is legally required to keep is preserved without readable personal content.
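The per-record envelope encryption and keyed-HMAC lookup described under "How we protect personal data", together with the cryptographic erasure described above, as an added example that is not F9's code. The function names, the record layout, the use of the record id as GCM associated data, and clearing the HMAC index on erasure are assumptions of this example.

```javascript
// Added illustration (Node.js); function names are hypothetical, not F9's code.
const { createCipheriv, createDecipheriv, createHmac, randomBytes } = require('node:crypto');

// AES-256-GCM; output layout is iv(12) || tag(16) || ciphertext.
function gcmSeal(key, plaintext, aad) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, iv).setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function gcmOpen(key, blob, aad) {
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12)).setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on tamper
}

// Keyed HMAC of the normalised email: equality lookup without plaintext on disk.
function blindIndex(indexKey, email) {
  return createHmac('sha256', indexKey).update(email.trim().toLowerCase()).digest('hex');
}

// Envelope encryption: fresh DEK per record, stored only wrapped under the KEK.
function sealRecord(kek, indexKey, id, email) {
  const dek = randomBytes(32);
  const aad = Buffer.from(id); // binds both ciphertexts to this record id
  return {
    id,
    emailIndex: blindIndex(indexKey, email),
    emailEnc: gcmSeal(dek, Buffer.from(email, 'utf8'), aad),
    wrappedDek: gcmSeal(kek, dek, aad),
  };
}
function openRecord(kek, rec) {
  if (!rec.wrappedDek) throw new Error('record erased: DEK destroyed');
  const aad = Buffer.from(rec.id);
  return gcmOpen(gcmOpen(kek, rec.wrappedDek, aad), rec.emailEnc, aad).toString('utf8');
}

// Cryptographic erasure: destroy the only copy of the DEK; ciphertext may remain.
// Assumption: the HMAC index is dropped too, as it is a stable pseudonym of the email.
function eraseRecord(rec) {
  rec.wrappedDek = null;
  rec.emailIndex = null;
  return rec;
}

// Constructed demo values: seal one record, then read it back.
const demoKek = randomBytes(32), demoRec = sealRecord(demoKek, randomBytes(32), 'cust-1', 'ana@example.test');
console.log(openRecord(demoKek, demoRec));
```

Erasure in this form is only as complete as the destruction of every copy of the wrapped DEK, including copies held in backups and replicas.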
Your rights
Under the GDPR you can exercise the following rights, several of which are self-service:
- Access and portability (Art. 15 / Art. 20) — customers can request a downloadable ZIP archive of their personal data from the My Exports page in the portal; the archive is built asynchronously and made available through a time-limited download link.
- Erasure (Art. 17) — customers can request email-confirmed account closure, after which personal data is cryptographically erased following a 30-day cooling-off period.
- Rectification, restriction and objection — contact the business that holds your record, or us where we are the controller.
You also have the right to lodge a complaint with your national supervisory authority.
Sub-processors
We use a limited set of vetted sub-processors — including our cloud-infrastructure, object-storage, email-delivery and payment providers — selected for EU data residency where personal data is involved. Our payment processing is handled by Stripe and Revolut. A current list is maintained as part of the Data Processing Agreement.
Cookies
We use strictly-necessary cookies to run the site and, only with your consent, analytics cookies to understand usage. See the Cookie Policy for the full inventory and how to change your choice.
Changes to this policy
We will update this policy as the service evolves and will revise the version and effective date shown above. Material changes will be communicated to account holders.