Last updated
May 11, 2026
Privacy Policy
We keep privacy simple, clear, and business-ready.
PointMintz respects the information shared by visitors, trial users, and customers. This page explains what we collect, why we collect it, who else handles it on our behalf, and the choices available to you under US, EU/UK, and California law.
What we collect
We may collect contact details, account information, business profile data, booking details, messages you send to us, support requests, device and browser details, and content you choose to upload or submit through the site or related services.
In plain language: we collect the information needed to run your account, keep the service secure, and support the booking experience.
How we use it
We use information to provide the service, process bookings, respond to requests, support onboarding, improve the experience, send important notices, and meet legal or security obligations.
We do not use your information to make the public site feel less trustworthy.
When information is shared
We may share information with service providers that help us run hosting, messaging, analytics, payments, and customer support (see the Sub-processors panel below for the full list). We may also share information when required by law, to protect our rights, or to prevent abuse or fraud.
- Service providers only receive data needed to perform their work.
- We do not sell or share customer personal information for cross-context behavioral advertising.
- We may disclose information to protect users, customers, and the service.
My PointMintz dashboard: the customer dashboard at /me is a private PointMintz-wide view for the customer only. Each business sees only that customer's activity with that business, not bookings, favorites, receipts, notes, or preferences from other businesses.
Sub-processors and payment processing
PointMintz never stores full card numbers. Stripe handles all payment data directly through Stripe Elements; PointMintz only receives non-sensitive metadata such as the last 4 digits of the card, card brand, charge ID, charge amount, currency, and authorization status.
A complete, dated list of sub-processors with DPA links is maintained at /subprocessors. Tenants can review the Data Processing Addendum summary at /dpa.
| Provider | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Stripe, Inc. | Payment processing (PCI SAQ-A scope) | Cardholder name, billing address, full PAN entered directly into Stripe Elements; PointMintz receives only last 4, card brand, charge ID, amount, currency, status | stripe.com/privacy |
| Microsoft Azure (US-East) | Application hosting, per-tenant database isolation, file storage | All customer data at rest, encrypted | privacy.microsoft.com |
| Microsoft Azure Communication Services (ACS) | Transactional SMS and email delivery | Recipient phone or email, message body, delivery receipts | privacy.microsoft.com |
| QuickBooks Online (Intuit) | Optional accounting export when a tenant connects QuickBooks | Invoice + payment metadata only when explicitly enabled by tenant | intuit.com/privacy |
Cookies and similar technologies
PointMintz uses cookies and equivalent storage to keep you signed in, remember preferences, and protect the service. Non-essential cookies are not set until you give consent through the in-page banner shown to EU/UK visitors. You may withdraw consent at any time by clearing site data in your browser, by clicking the "Cookie preferences" link in the footer (where shown), or by emailing privacy@pointmintz.com.
| Category | Purpose | Examples | Retention | Consent required (EU/UK) |
|---|---|---|---|---|
| Strictly necessary | Session, CSRF protection, tenant routing, login state | pm_session, pm_csrf, pm_tenant (first-party) | Session or up to 30 days | No (exempt under ePrivacy Directive) |
| Functional | Saved preferences (theme, language, last-used view) | pm_prefs (first-party) | Up to 12 months | Yes |
| Analytics | Aggregate usage to improve the product (only loaded after consent) | Application Insights (first-party proxy); no third-party trackers loaded by default | Up to 90 days at row level, then aggregated | Yes |
| Marketing | Not used. PointMintz does not load advertising or cross-site tracking cookies. | None | n/a | n/a |
A live per-cookie inventory is maintained at /cookies.
GDPR — lawful basis, retention, and international transfers (EU / UK)
For visitors and customers in the European Economic Area, the United Kingdom, and Switzerland, the controller of personal data collected through PointMintz websites and the platform admin is PointMintz. The lawful basis for each processing purpose, and the corresponding retention period, are listed below.
| Processing purpose | Lawful basis (GDPR Art. 6) | Retention |
|---|---|---|
| Provide booking, account, and tenant-management services to subscribers and their customers | Contract performance (Art. 6(1)(b)) | 2 years after the last booking or account activity, then deleted or anonymized |
| Send transactional SMS and email (booking confirmations, reminders, receipts) | Contract performance (Art. 6(1)(b)) | 548 days from send, then aggregated or anonymized |
| Send marketing SMS or email | Consent (Art. 6(1)(a)); withdraw any time via STOP / unsubscribe | Until consent is withdrawn, then suppressed permanently |
| Send browser push notifications | Contract performance for transactional booking notices; consent for marketing push | Until the browser subscription is removed or consent is withdrawn |
| Process payments through Stripe | Contract performance (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for tax/accounting records | 7 years for invoice and payment records (tax retention), then deleted |
| Detect fraud, abuse, and security incidents | Legitimate interests (Art. 6(1)(f)) | 400 days live, then moved to redacted audit archive; 7 years in redacted archive, then purged |
| Comply with legal obligations (subpoenas, audits, regulator requests) | Legal obligation (Art. 6(1)(c)) | As required by the applicable law |
International transfers. Customer data is hosted in Microsoft Azure US-East. Transfers from the EEA / UK / Switzerland to the United States rely on the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, signed with each sub-processor named above, plus supplementary technical measures (encryption in transit and at rest, per-tenant database isolation). The tenant-facing DPA summary is available at /dpa.
Data Protection Officer / EU representative. You may contact our DPO and EU representative at dpo@pointmintz.com. Privacy notices and data-subject requests may be sent to the contact addresses below.
Your California Privacy Rights (CCPA / CPRA)
This section applies to California residents and is provided under the California Consumer Privacy Act, as amended by the California Privacy Rights Act.
Categories of personal information collected in the last 12 months: identifiers (name, email, phone, IP), commercial information (booking records, payment metadata), internet or other electronic network activity (pages viewed, device type), geolocation (approximate, from IP), professional or employment-related information (when provided by a tenant about its staff), and inferences drawn from the above to provide and improve the service.
Sources: directly from you when you create an account, book an appointment, or contact support; automatically from your device when you visit our sites; and from sub-processors named in the Sub-processors panel.
Business or commercial purposes for collection: performing the booking and account services, processing payments through Stripe, securing the service, communicating with you, and complying with legal obligations.
Sale or sharing in the last 12 months: PointMintz has not sold personal information and has not shared personal information for cross-context behavioral advertising in the last 12 months and does not intend to do so.
Your rights as a California resident:
- Right to know what personal information we collect, use, disclose, and (if applicable) sell or share.
- Right to delete personal information that we collected from you, subject to legal exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information.
- Right to limit use and disclosure of sensitive personal information.
- Right to non-discrimination for exercising any of these rights.
How to submit a verifiable consumer request. Email privacy@pointmintz.com with the subject line "California Privacy Request" and tell us which right you are exercising. We verify identity by matching at least two pieces of personal information you previously provided (for example, account email plus phone number on file). We respond within 45 days and may extend by 45 more if needed under CCPA.
Do Not Sell or Share My Personal Information. Submit a request through the same email above with the subject line "Do Not Sell or Share". PointMintz also honors Global Privacy Control (GPC) signals sent by your browser as a valid opt-out request.
Authorized agents. An authorized agent may submit a request on your behalf with written, signed permission from you and proof of the agent's identity. We may still ask you to confirm directly that you authorized the request.
Children's privacy (COPPA)
PointMintz is a business booking platform. The service is not directed to children under 13 years of age (or the higher age of digital consent in your jurisdiction, such as 16 in parts of the European Union). PointMintz does not knowingly collect personal information from anyone under 13. 13+ only — accounts created by under-13 users will be deleted on report.
If you are a parent or guardian and you believe a child under 13 has provided us with personal information, contact privacy@pointmintz.com and we will promptly investigate and delete the information.
Your choices and rights
You may review or update account details, manage communication preferences, request access to your data, request correction or deletion where applicable, or contact us with privacy questions.
Browser push preferences are split between transactional appointment notices and marketing offers. You can keep booking-related push enabled while turning marketing push off, and each push consent change is retained in the tenant audit trail.
EU / UK users: in addition to the rights described above, you may also have rights to access, correct, erase, restrict, object, withdraw consent, lodge a complaint with your supervisory authority, and receive portable copies of your personal data under GDPR / UK GDPR.
Submit a privacy request
Use this form to request access to, correction of, deletion of, or limitation on the use of your personal information, or to opt out of the sale or sharing of personal information. Under GDPR Article 12(3), we respond within 30 days of receipt; under California law, within 45 days (we meet the tighter GDPR deadline for every request).
SMS / text messages
When customers provide a mobile number on a booking form, PointMintz sends transactional SMS (booking confirmations, reminders, cancellations, check-in instructions) on behalf of the booking business over toll-free 866-682-7234. The booking business is the first-party sender; PointMintz is the messaging facilitator. Marketing/promotional messages are sent only when the customer separately opts in via a second checkbox.
- Customers consent to transactional SMS at the time of phone-number collection on the booking form.
- Reply STOP to opt out, HELP for help, START to opt back in. Msg & data rates may apply.
- We do not share customer phone numbers with third parties for marketing.
Full disclosure of the opt-in flow, sample messages, and frequency caps is published at SMS policy.
Contact for privacy questions
For requests related to privacy, data access, deletion, California rights, GDPR rights, or account records, use the contact addresses below.
- Privacy & data requests: privacy@pointmintz.com
- General support: support@pointmintz.com
- Data Protection Officer / EU representative: dpo@pointmintz.com
Data controller contact:
PointMintzprivacy@pointmintz.com