Privacy Policy

Last updated: February 2026

1. Introduction

Hebelki ("we", "us", or "our") operates the booking platform available at book.gy and hebelki.de. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our services.

2. Data We Collect

We collect the following categories of personal data:

  • Account data: Name, email address when you create an account
  • Booking data: Name, email, phone number, appointment details when you make a booking
  • Communication data: Messages sent through our chatbot or live chat
  • Usage data: IP address, browser type, pages visited, collected automatically
  • Cookies: Essential cookies for functionality and locale preferences

3. How We Use Your Data

  • To provide and maintain our booking services
  • To send booking confirmations and reminders
  • To respond to your inquiries via chatbot or live chat
  • To improve our services and user experience
  • To comply with legal obligations

4. Legal Basis (GDPR)

We process your data based on:

  • Contract performance: Processing necessary to fulfill bookings (Art. 6(1)(b) GDPR)
  • Legitimate interest: Service improvement and fraud prevention (Art. 6(1)(f) GDPR)
  • Consent: Marketing communications, where applicable (Art. 6(1)(a) GDPR)
  • Legal obligation: Tax and accounting requirements (Art. 6(1)(c) GDPR)

5. Data Sharing

We share your data only with service providers necessary for our operations:

  • Clerk: Authentication services (US, EU Standard Contractual Clauses)
  • Hetzner: Self-hosted PostgreSQL database (Germany)
  • Hetzner: VPS hosting (Nuremberg, Germany)
  • Hetzner: Object Storage (Germany)
  • Google Vertex AI EU (Netherlands): AI chatbot processing
  • Stripe: Payment processing (where applicable)
  • Twilio: WhatsApp/SMS/Voice (US, SCCs)
  • Meta Platforms Ireland Ltd: WhatsApp Cloud API (EU/US, DPF + SCCs)

5a. WhatsApp Communication

When you communicate via WhatsApp, messages are processed through one of the following providers depending on the business configuration:

  • Twilio Inc. (US) — WhatsApp Business API via Twilio infrastructure (SCCs)
  • Meta Platforms Ireland Ltd (EU/US) — WhatsApp Cloud API, EU-US Data Privacy Framework certified

Data categories processed:

  • Phone number
  • Message content (text, images, voice messages)
  • Timestamps and delivery receipts
  • Read receipts
  • Opt-in/opt-out status

Legal basis: Art. 6(1)(b) GDPR (contract performance — appointment confirmations, service communication) or Art. 6(1)(a) GDPR (consent — for business-initiated first contact).

Opt-in: Explicit consent is required before the first business-initiated message. For customer-initiated inquiries, the legal basis is pre-contractual measures.

Opt-out: Reply "STOP" at any time to unsubscribe. Reply "START" to re-subscribe.

Retention: WhatsApp messages are stored on our self-hosted servers in Germany (Hetzner, Nuremberg) for a maximum of 90 days. Messages are end-to-end encrypted in transit (WhatsApp Signal protocol). WhatsApp data is not used by Meta for advertising or model training.

AI processing: WhatsApp messages may be processed by our AI assistant (Google Vertex AI, EU — europe-west4 (Netherlands)). The chatbot identifies itself as AI per the EU AI Act (Art. 50).

See also: WhatsApp Privacy Policy

5b. Voice Calls

When you interact via phone, calls are handled by an AI voice agent hosted on our own infrastructure (Hetzner, Germany).

Data categories processed:

  • Phone number
  • Voice audio (call recording)
  • Call transcript
  • Call duration and timestamps
  • Booking data (if a booking is made)

Legal basis: Art. 6(1)(b) GDPR (contract performance — phone booking) and Art. 6(1)(f) GDPR (legitimate interest — efficient customer service).

AI disclosure (EU AI Act Art. 50): Callers are informed at the start of the call that they are speaking with an AI voice assistant. A transfer to a human agent is available on request.

Retention: Call transcripts and data are stored on our self-hosted servers in Germany (Hetzner, Nuremberg) for a maximum of 90 days.

6. Your Rights

Under GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request deletion of your data
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time

To exercise these rights, contact us at privacy@hebelki.de or use our data deletion request form.

7. Data Retention

We retain your data only as long as necessary for the purposes described above, or as required by law. Booking data is retained according to each business's data retention policy. You can request deletion at any time.

8. Cookies

We use essential cookies for authentication and locale detection. We do not use tracking cookies or third-party advertising cookies.

9. Contact

For privacy-related inquiries, please contact:
Email: privacy@hebelki.de