Data Protection or Privacy Policy

Privacy Policy Laser Angel – Cosmetics Studio Hamburg As of: May 2026

With this privacy policy, we inform you transparently about which personal data we collect, how we process it, and which rights you are entitled to as a data subject. Personal data are all information that allow a reference to your person – e.g. name, address, e-mail or your usage behavior on our website. This declaration applies to all processing operations within the scope of our activity as a cosmetics studio as well as for our website and online communication.

§1 Responsible body

Responsible for the processing of your personal data within the meaning of the GDPR is:

Laser Angel Owner: Angila Nuristani
Address: An der Alster 83, 20099 Hamburg
Telephone: 040 88938438
E-Mail: laserangelhh@gmail.com

If you have any questions about data protection, we are available to you at any time by e-mail or telephone.

§2 Principles of data processing

We process your personal data only if one of the following legal bases exists:

Consent (Art. 6 para. 1 lit. a GDPR) – e.g., for review requests or optional services
Performance of a contract (Art. 6 para. 1 lit. b GDPR) – e.g., when booking and carrying out treatments
Legal obligation (Art. 6 para. 1 lit. c GDPR) – e.g., tax retention obligations.
Legitimate interest (Art. 6 para. 1 lit. f GDPR) – e.g., for the technical operation of our website

In principle, we do not pass your data on to third parties and use them exclusively for the specified purposes. Individual processors (e.g., hosting services) are contractually obligated to comply with the GDPR.

§3 Processing within the framework of our core activity

When you book a treatment with us, make an inquiry, or are active as a customer with us, we process the following data categories:

Master data (name, address)
Contact data (e-mail, telephone number).
Booking and contract data (type of treatment, appointment details).
Health-relevant information, insofar as necessary for the treatment (e.g., skin type, intolerances, pre-existing conditions) – based on your explicit consent according to Art. 9 para. 2 lit. a GDPR
Payment data (e.g., for down payments)

Legal basis: Art. 6 para. 1 lit. b GDPR. For health data: Art. 9 para. 2 lit. a GDPR. Storage period: Booking and treatment data are stored for up to 3 years after the last appointment; data relevant for accounting (payments, invoices) according to § 147 AO up to 10 years.

§4 Website & Webhosting

Our website is operated via the following provider: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA Privacy Policy: https://vercel.com/legal/privacy-policy When accessing our website, server log files are automatically recorded by the hosting provider. These contain:

IP address of the requesting device
Accessed URL, date and time of access
Transferred amount of data, browser type and operating system
Referrer URL (previously visited page)

These data serve exclusively the secure operation of the website and are not merged with other data. Legal basis: Art. 6 para. 1 lit. b GDPR. Storage period: usually 7–14 days.

§5 Analysis Tools

PostHog Analytics Our website uses PostHog, an analysis service for evaluating user behavior, to continuously improve our online offer. Dabei werden folgende Daten verarbeitet:

Page views, length of stay and click behavior
Browser and device information
Anonymized IP address
Referrer URL

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in website optimization). Storage period: maximum 12 months.
PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA Privacy Policy: https://posthog.com/privacy
Possibility of objection: You can object to the analysis by activating the Do-Not-Track function in your browser or adjusting our cookie settings.

§6 Services and third-party providers used

6.1 Supabase (Backend & Booking System) For processing booking requests, contact forms and our chatbot service, we use Supabase as a backend service. The following are processed:

Chat messages and contact inquiries
Booking and appointment details
Timestamps and session information

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in website optimization). Storage period: maximum 12 months. PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA Privacy Policy: https://posthog.com/privacy Possibility of objection: You can object to the analysis by activating the Do-Not-Track function in your browser or adjusting our cookie settings.

6.2 Google Services

Google Fonts: For the uniform display of fonts on our website, we use Google Fonts. When accessing the page, your browser loads the required fonts – in the process, your IP address is transmitted to Google. Legal basis: Art. 6 para. 1 lit. f GDPR. Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Maps: To display our location, we use Google Maps. In the process, your IP address and, if applicable, your location are transmitted to Google. Legal basis: Art. 6 para. 1 lit. f GDPR.

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland Parent company: Google LLC, Mountain View, CA 94043, USA Privacy Policy: https://policies.google.com/privacy

6.3 Mapbox

For advanced map displays, we use Mapbox. In the process, IP address, device information, and map interactions can be processed. Legal basis: Art. 6 para. 1 lit. f GDPR.
Mapbox Inc., 740 15th Street NW, 5th Floor, Washington, DC 20005, USA Privacy Policy: https://www.mapbox.com/legal/privacy

§7 Review requests

After completion of a treatment, we can – provided you have consented in advance – send you a one-time request to submit a review (e.g., on Google) by e-mail or SMS. The following are processed: first name, last name, e-mail address, mobile number as well as the time of your appointment.
Legal basis: Art. 6 para. 1 lit. a GDPR (consent). Consent is voluntary and can be revoked at any time with effect for the future – informally by e-mail to laserangelhh@gmail.com. Storage period: The data will be deleted at the latest 60 days after the request is sent.

§8 Social Media

Our website contains links to our profiles on Instagram and Facebook. When clicking on these links, you leave our website. For the data processing on the respective platforms, exclusively their operators are responsible. We recommend reading the privacy notices of the respective platforms.

Instagram / Facebook: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland
WhatsApp: WhatsApp Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland

We do not operate so-called “social plugins” that automatically transmit data to social networks when visiting our website.

§9 Your rights as a data subject

According to the GDPR, you have the following rights, which you can assert against us at any time:

Information / Access (Art. 15 GDPR): You can request a copy of the data stored about you
Rectification (Art. 16 GDPR): Incorrect data will be corrected at your request.
Erasure / Deletion (Art. 17 GDPR): You can request the deletion of your data, provided that no legal retention periods conflict.
Restriction of processing (Art. 18 GDPR): In certain cases, you can request restricted processing.
Data portability (Art. 20 GDPR): You can request your data in a machine-readable format.
Objection (Art. 21 GDPR): You can object to the processing based on legitimate interests at any time.
Withdrawal of a consent (Art. 7 para. 3 GDPR): You can withdraw a given consent at any time with effect for the future – without giving reasons.

To exercise your rights, please contact: E-Mail: laserangelhh@gmail.com Telephone: +49 176 60841269
Right to lodge a complaint: You have the right to complain to the competent data protection supervisory authority. For Hamburg, this is:
The Hamburg Commissioner for Data Protection and Freedom of Information Ludwig-Erhard-Str. 22, 20459 Hamburg www.datenschutz.hamburg.de

§10 Data security

We use technical and organizational security measures to protect your data from unauthorized access, loss, or manipulation. These include:

Encrypted data transmission via SSL/TLS (recognizable by “https://” in the browser bar)
Access restrictions to personal data.
Regular review and updating of our security measures according to Art. 32 GDPR.

Despite all care, absolute security cannot be guaranteed for data transmission on the Internet – especially when communicating by e-mail.

§11 Validity and changes

This privacy policy is currently valid (as of: May 2026). Due to further developments of our website, new services, or changed legal requirements, we reserve the right to adapt this declaration. The current version can always be called up under the URL of this page. In the event of significant changes that affect your rights, we will – as far as possible – actively inform you.