Legal
Privacy Policy
Last updated: 1 July 2026 · Effective: 1 July 2026
1. Who we are
Kogora ApS ("Kogora", "we", "us") operates the Kogora platform at kogora.com — a marketplace that connects consumers with barbers, salons, and wellness businesses ("Vendors") for the purpose of discovering and booking appointments.
Kogora ApS is the data controller responsible for your personal data. Our registered office is in Copenhagen, Denmark. For all privacy-related enquiries, contact us at privacy@kogora.com.
As a Danish company operating within the EU, we are subject to Regulation (EU) 2016/679 (GDPR) and the Danish Data Protection Act (databeskyttelsesloven).
2. Who this policy applies to
This policy applies to all individuals who interact with Kogora, including:
- Consumers — people who browse, book, and review services on Kogora.
- Vendors — barbers, salons, and wellness businesses who list their services and manage bookings through Kogora.
- Visitors — anyone who accesses kogora.com without creating an account.
3. What personal data we collect
3.1 Data you provide directly
When you register or use Kogora, we collect:
- Full name, email address, and password (hashed — we never store plaintext passwords)
- Phone number (optional, used for booking confirmations)
- Profile photo (optional)
- Business name, address, opening hours, service descriptions, and pricing (Vendors only)
- Staff member names and working hours (Vendors only)
- Payment information — we do not store card details; payments are processed by our payment provider
- Review text and ratings you submit
- Communications you send us via email or support channels
3.2 Data collected automatically
When you use our platform, we collect:
- IP address and approximate location (country/city level)
- Device type, browser, and operating system
- Pages visited, search terms used, and features interacted with
- Date and time of access
- Referral source (how you arrived at Kogora)
3.3 Location data
When you search for nearby vendors, we request your browser's geolocation with your explicit permission. This is used only to show relevant results and is not stored persistently. Vendor business addresses are stored as part of their listing and are displayed publicly on the platform.
3.4 Data from third parties
If you use Google sign-in (where available), we receive your name and email address from Google. We also receive limited technical data from our infrastructure providers (see Section 7).
4. Legal basis for processing (GDPR Article 6)
We process your personal data on the following legal grounds:
| Purpose | Legal basis |
|---|---|
| Creating and managing your account | Art. 6(1)(b) — Performance of contract |
| Processing bookings and sending confirmations | Art. 6(1)(b) — Performance of contract |
| Displaying vendor listings to consumers | Art. 6(1)(b) — Performance of contract |
| Detecting and preventing fraud or abuse | Art. 6(1)(f) — Legitimate interests |
| Improving platform functionality and performance | Art. 6(1)(f) — Legitimate interests |
| Sending transactional emails (booking receipts, reminders) | Art. 6(1)(b) — Performance of contract |
| Sending marketing emails (new features, promotions) | Art. 6(1)(a) — Consent (opt-in) |
| Analytics to understand platform usage | Art. 6(1)(f) — Legitimate interests |
| Cookies — essential | Art. 6(1)(b) — Necessary for service |
| Cookies — analytics / preferences | Art. 6(1)(a) — Consent (cookie banner) |
| Complying with legal obligations | Art. 6(1)(c) — Legal obligation |
5. How we use your data
We use your data to:
- Provide the Kogora booking platform and all related features
- Enable Vendors to manage their listings, calendars, and customer relationships
- Enable Consumers to search, book, and review services
- Send booking confirmations, reminders, and receipts
- Resolve disputes between Consumers and Vendors
- Detect and prevent fraud, abuse, or violation of our Terms of Service
- Improve, test, and develop new features on the platform
- Comply with applicable laws and respond to legal requests
- Communicate with you about your account or our services
We do not sell your personal data to third parties. We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.
6. Who we share your data with
6.1 Vendors (for bookings you make)
When you book an appointment as a Consumer, the Vendor receives your name, contact details, and booking details. This is necessary to deliver the service you requested. Vendors are bound by our Terms of Service to handle this data appropriately and may not use it for purposes unrelated to fulfilling your booking.
6.2 Consumers (for reviews)
If you submit a review as a Consumer, your display name and review content will be shown publicly on the Vendor's profile page.
6.3 Service providers (data processors)
We use the following sub-processors who act on our instructions only:
- Supabase (database and authentication) — EU data region
- Cloudflare (hosting and content delivery) — processes data globally; Kogora Workers run within the EU where available
- Google Maps Platform (location search and maps)
- Payment processor (details to be added when payments are enabled)
Each processor is bound by GDPR-compliant data processing agreements (DPAs). Cloudflare and Google rely on Standard Contractual Clauses (SCCs) for international transfers.
6.4 Legal and regulatory disclosures
We may disclose personal data if required by law, court order, or a competent regulatory authority, or where necessary to protect the rights, property, or safety of Kogora, our users, or the public.
7. Business transfers and acquisitions
If Kogora ApS undergoes a merger, acquisition, restructuring, sale of assets, or any similar transaction (in whole or in part), personal data held by Kogora may be transferred to the acquiring entity as part of that transaction. This is a legitimate interest under Art. 6(1)(f) GDPR, as continuity of the platform and its services directly benefits users.
In such circumstances:
- We will notify affected users by email and/or a prominent notice on the platform no later than 30 days before the transfer takes effect, where reasonably practicable.
- The acquiring entity will be required to honour the commitments made in this Privacy Policy or provide users with a materially equivalent level of protection.
- Where the acquiring entity intends to process data in a materially different way, they will seek fresh consent or provide a new legal basis before doing so.
- Users retain all rights under GDPR (see Section 9) throughout and after any such transition.
By using Kogora, you acknowledge that your personal data may be transferred under these circumstances as part of the ordinary operation of the business.
8. How long we keep your data
| Data type | Retention period |
|---|---|
| Account data (name, email, profile) | Until account deletion, then 30 days |
| Booking history | 3 years after the booking date |
| Payment records | 7 years (Danish bookkeeping law requirement) |
| Reviews | Until deleted by the user or removed by Kogora |
| Server logs and access data | 90 days |
| Waitlist email addresses | Until the platform launches or you unsubscribe |
| Marketing consent records | 3 years from the date consent was given |
When your account is deleted, we pseudonymise or permanently delete your personal data within 30 days, except where we are required by law to retain it for longer.
9. Your rights under GDPR
Under EU GDPR, you have the following rights. You can exercise any of them by contacting us at privacy@kogora.com. We will respond within 30 days.
Right of access (Art. 15)
Request a copy of the personal data we hold about you.
Right to rectification (Art. 16)
Ask us to correct inaccurate or incomplete data.
Right to erasure (Art. 17)
Request deletion of your data ('right to be forgotten'), subject to legal retention obligations.
Right to restriction (Art. 18)
Ask us to pause processing your data in certain circumstances.
Right to data portability (Art. 20)
Receive your data in a structured, machine-readable format (e.g., JSON or CSV) and transfer it to another service.
Right to object (Art. 21)
Object to processing based on legitimate interests, including for direct marketing purposes.
Right to withdraw consent
Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
Right to lodge a complaint
You have the right to complain to the Danish Data Protection Authority (Datatilsynet) at datatilsynet.dk, or to the supervisory authority in your EU country of residence.
10. Cookies
Kogora uses cookies and similar technologies. We categorise them as:
- Essential cookies — required for the platform to function (login sessions, security). Cannot be disabled.
- Preference cookies — remember your settings (e.g., language, cookie consent choice).
- Analytics cookies — help us understand how the platform is used, so we can improve it. Only set with your consent.
You can manage your cookie preferences at any time via the cookie settings banner. Most browsers also allow you to control cookies through their settings.
11. International data transfers
Kogora's primary data storage is within the EU (Supabase EU region). Some of our service providers (Cloudflare, Google) may process data outside the EU/EEA. In all such cases, transfers are protected by:
- EU Standard Contractual Clauses (SCCs) as approved by the European Commission
- Adequacy decisions where applicable
We do not transfer data to countries that lack adequate protections without putting appropriate safeguards in place.
12. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These include TLS encryption for all data in transit, hashed passwords, row-level security on our database, and access controls that limit who within Kogora can view personal data.
Despite these measures, no online platform can guarantee absolute security. If you suspect a security incident, contact us immediately at privacy@kogora.com. In the event of a data breach that poses a risk to your rights, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Art. 33–34.
13. Children's data
Kogora is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us at privacy@kogora.com and we will delete it promptly.
14. Changes to this policy
We may update this Privacy Policy from time to time. If changes are material, we will notify you by email or a prominent in-app notice at least 14 days before the new policy takes effect. The "last updated" date at the top of this page reflects the most recent version. Continued use of Kogora after changes take effect constitutes acceptance of the updated policy.
15. Contact us
For any questions, rights requests, or privacy concerns:
You also have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet) at datatilsynet.dk, or with the supervisory authority in the EU member state where you reside.