CamaráTerms of Service

Privacy Policy

Last updated: 11 May 2026

This Privacy Policy explains how we handle personal data when you use Camará (camar.app). We have written it to be readable. If anything is unclear, email us at contact@camara.dev and we will explain.

Who we are

Camará is operated by URKRAFT Oy, a company registered in Finland. URKRAFT Oy is the data controller for the information described in this policy, except where we act as a data processor on behalf of an organizer (see "Our role" below).

Contact: contact@camara.dev

What Camará does

Camará is a booking platform for fitness and wellness instructors, coaches, and group-activity facilitators (yoga, pilates, dance, and similar). Organizers use Camará to manage their classes and events, sell tickets, and accept payments from their own students and participants. Camará is not a marketplace. Organizers bring their own audience.

Our role under GDPR

We act in two different roles depending on whose data we are processing.

  • For organizer accounts (the people running their business on Camará), URKRAFT Oy is the data controller.
  • For participant data that an organizer collects through Camará (the people booking classes with that organizer), the organizer is the controller and URKRAFT Oy is the processor acting on the organizer's behalf.

If you are a participant and want to exercise your rights over your booking data, you can contact either us or the organizer. We will help route the request.

What data we collect

For organizers:

  • Identity and contact details: name, email address.
  • Business information: business or trading name, country, and any information needed to set up payouts.
  • Payout and tax details: collected and verified by Stripe through Stripe Connect Express. We do not store payout bank details on our servers.
  • Account activity: classes and events created, bookings received, settings, and logs needed to operate the service.

For participants:

  • Identity and contact details: name, email address.
  • Booking information: which class or event you booked, with which organizer, and when.
  • Payment information: handled by Stripe. We receive a confirmation and metadata (amount, currency, status, last four digits of the card where Stripe provides it). We do not see or store full card numbers.

We also process basic technical data such as IP address and browser information in our server logs to keep the service secure and reliable.

Legal bases

We rely on the following legal bases under the GDPR:

  • Contract: to provide the booking platform to organizers and to fulfill bookings made by participants.
  • Legal obligation: to keep accounting and tax records as required by Finnish law.
  • Legitimate interest: to keep the service secure, prevent fraud and abuse, and improve the product.
  • Consent: where we ask for it explicitly, for example for any optional communications. You can withdraw consent at any time.

How we use data

We use personal data to:

  • Operate the platform and the features organizers and participants use.
  • Send transactional emails such as booking confirmations, receipts, and one-time login codes.
  • Process payments and pay out funds to organizers.
  • Meet legal obligations, including Finnish accounting and tax law.
  • Detect and prevent fraud, abuse, and security incidents.

We do not sell personal data, and we do not use it for behavioural advertising.

Authentication

We use email one-time codes (OTP) for sign-in. We do not store passwords. The session is maintained through a single session cookie. We do not use analytics or tracking cookies.

Sub-processors

We use a small number of carefully chosen sub-processors:

  • Stripe — payment processing, including Stripe Payments for end-customer charges and Stripe Connect Express for organizer onboarding and payouts. Stripe handles all card data; we never store it. See Stripe's privacy policy.
  • Resend — transactional email delivery (booking confirmations, receipts, sign-in codes). See Resend's privacy policy.

Each sub-processor is bound by a data processing agreement with us and only processes data on our instructions, or as required by law.

International transfers

Stripe and Resend may transfer personal data outside the European Economic Area. When that happens, the transfers are covered by appropriate safeguards, including the European Commission's Standard Contractual Clauses, as described in each provider's own privacy policy linked above.

Retention

  • Account data: kept while the account is active. If you close your account, we delete or anonymise personal data within a reasonable period.
  • Booking and financial records: kept for seven years after the end of the financial year in which they were created, as required by the Finnish Accounting Act.
  • Server logs and security data: kept for a limited period needed to operate and secure the service.
  • Sub-processor retention: as described in Stripe's and Resend's own privacy policies linked above.

If you ask us to delete your data, we will do so unless a legal hold (typically accounting law) requires us to keep specific records longer. In that case we will restrict the data and delete it when the hold expires.

Your rights

If the GDPR applies to you, you have the right to:

  • Access your data and get a copy.
  • Have inaccurate data corrected.
  • Have your data erased, subject to legal retention rules.
  • Receive your data in a portable format.
  • Restrict or object to certain processing.
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with the Finnish Data Protection Ombudsman, Tietosuojavaltuutetun toimisto. More information at tietosuoja.fi/en.

To exercise any of these rights, email contact@camara.dev. We respond within one month, and faster when we can.

Security

We take security seriously. Traffic to camar.app is served over TLS. Data at rest is encrypted. Card data is handled by Stripe under PCI DSS, not by us. Access to production systems is limited and logged. No system is perfectly secure, but we work to reduce risk and to respond quickly when something goes wrong.

Cookies

We use one cookie: a session cookie that keeps you signed in after entering an email OTP code. We do not use analytics, advertising, or tracking cookies.

Children

Camará is not intended for use by people under 18. If you believe a minor has provided us with personal data, contact us and we will delete it.

Changes to this policy

We may update this policy as the service evolves or as the law changes. When we make a material change, we will update the "Last updated" date at the top and, where appropriate, notify account holders by email.

Effective date

This policy is effective from 11 May 2026.