Pointr – Privacy Policy
Last updated: 6 April 2026
1. Who We Are
Pointr AG ("Pointr", "we", "us") is the controller of your personal data under the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection 2023 (FADP).
- Address: Pointr AG, Steinengraben 22, 4051 Basel, Switzerland
- Email (Data Protection Officer): privacy@pointr.org
2. Where Your Data Is Stored
Your data is processed only in Frankfurt am Main, Germany (EU) and the Zurich region, Switzerland. Germany is in the EEA; Switzerland enjoys an EU adequacy decision (Art. 45 GDPR). Back-ups are mirrored between the two sites; no routine transfers occur elsewhere.
3. What Data We Collect
| Category | Examples | Source |
|---|---|---|
| Account Data | name, email, phone, password hash | you |
| Listing Data | service description, pricing, profile photo | you |
| Usage Data | IP address, device IDs, interaction logs, crash reports | automatically |
| Payment Metadata (listers) | Stripe customer ID, payment status, fee amount | Stripe API |
| Optional Device Data | contacts, camera, photos, location | you (permission-based) |
We never receive or store full card numbers or CVCs. Payments are handled directly by Stripe Payments Europe Ltd.
You are responsible for maintaining the security of your account credentials and for any activity that occurs under your account. Please ensure the accuracy of data you provide, as we are not liable for errors resulting from inaccurate user-provided data.
4. Legal Bases for Processing (Art. 6 GDPR / Art. 31 FADP)
- Contract: Contract: provide marketplace, manage accounts, collect listing fees via Stripe.
- Legitimate interests: Legitimate interests: security, fraud prevention, analytics, marketing of similar Pointr services (opt-out any time).
- Consent: Consent: optional access to contacts, camera, photos, location (withdraw in device settings).
5. Retention Periods
- Account & listing history: 10 years after last activity.
- Payment metadata: 10 years (book-keeping laws).
- Usage logs: 12 months, then aggregated or deleted.
- Device content: deleted immediately when removed or permission withdrawn.
- Back-ups: overwritten on a 30-day rolling cycle.
6. Booking data exports (CSV)
Pointr lets you download CSV files of your bookings for personal use (for example calendar or spreadsheet) or, for business accounts, for accounting and reporting. These exports are designed to minimise personal data: they do not include customer names, contact details, or free-text booking notes.
Customer (personal): Exports cover bookings linked to your account in the selected date range. Use them for your own records or to import into your private calendar or tools.
Business owner: Exports cover bookings for the business you manage in the selected date range, for accounting and operational reporting. They are not intended to identify individual customers by name.
Typical columns include: internal event identifier, start and end time, service name, price, currency, category, and booking state. Exact content may evolve as the product changes.
Purpose: portability of your own booking data, bookkeeping, and reconciliation. The files are generated on demand when you request a download.
Generated CSV files are not stored on our servers as separate files; we build the response in memory and send it to your browser or app. Only the underlying booking data in your account is retained according to our general retention rules above.
You are responsible for any copy you keep or share.
If you ask us to correct or delete personal data, we can update or remove data in our systems. We cannot change or delete files you have already saved to your device or email. If you need a corrected export, delete the old file locally and generate a new export after the data in Pointr has been updated. Contact privacy@pointr.org for data subject requests.
7. International Transfers
If vendors outside the EEA/Switzerland are engaged, we rely on EU Standard Contractual Clauses with the Swiss addendum plus industry-standard technical safeguards. Copies are available on request.
8. Who Receives Your Data
- Stripe Payments Europe Ltd. (payment processor) – Ireland
- Hosting & cloud providers – Germany / Switzerland
- Analytics & crash-report tools – EU
- Pointr affiliates – EU / CH
- Public authorities when legally required
We do not sell personal data.
We are not responsible for the privacy practices of third-party services (e.g., Stripe, hosting providers, analytics tools). Please review their privacy policies separately. These third parties have their own privacy policies and data handling practices.
9. Your Rights
| Right | GDPR | FADP |
|---|---|---|
| Access | Art. 15 | Art. 25 |
| Rectification | Art. 16 | Art. 32 |
| Erasure | Art. 17 | Art. 32 |
| Restriction | Art. 18 | — |
| Portability | Art. 20 | Art. 28 |
| Object | Art. 21 | Art. 30 |
| Withdraw consent | Art. 7 (3) | Art. 6 (6) |
To exercise any right, email privacy@pointr.org. We reply within one month (GDPR) or 30 days (FADP).
10. Automated Decision-Making
No automated decisions with legal or similar effect are made.
11. Security
All data in transit is protected by industry-standard TLS encryption. Data at rest is encrypted using industry-standard encryption algorithms. We implement multi-factor authentication, role-based access controls, and conduct regular security assessments. No system is 100% secure.
While we implement industry-standard security measures, we cannot guarantee absolute security. You use the service at your own risk.
12. Data Breach Notification
In the event of a data breach affecting your personal data that is likely to result in a high risk to your rights and freedoms, we will notify you and relevant supervisory authorities within 72 hours as required by GDPR Article 33 and 34. We will provide clear information about the nature of the breach, the categories of data affected, and the measures we are taking to address it.
13. Children
The service targets users 16 +. If we learn we hold data of a younger child, we delete it promptly.
14. Changes
Material changes are announced by email 30 days before they take effect and published here.
15. Contact
- Email (DPO): privacy@pointr.org
- EU representative (Art. 27 GDPR): Pointr GmbH, c/o PrivacyRep, Hanauer Landstr. 204, 60314 Frankfurt am Main, Germany
You may also contact your local EU data-protection authority or the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland.
© 2025 Pointr AG. All rights reserved.