1. Data Controller
The data controller for data processing on this website and in the mobile app 'Massage Finder' is:
2. General Information
We process personal data exclusively within the framework of the GDPR. massage-finder.de is a free discovery portal for massage studios in Germany, available as a website and mobile app (Android). End users can use the site without registration. Studio owners can list and manage their entry for free.
3. Purposes of Processing
We process personal data for the following purposes:
- Provision and security of the website
- Display and management of studio listings
- Sending magic link emails for studio owner authentication
- Sending notifications as part of the claim process
- Storing favorites and booking history for logged-in users (Cognito)
- Forwarding booking requests to the respective studio system
- Seeding and synchronizing studio data from the Khun Nuad system
- Fulfilling legal obligations
Legal bases:
- Art. 6 para. 1 lit. b GDPR (contract / pre-contractual measures)
- Art. 6 para. 1 lit. f GDPR (legitimate interests)
- Art. 6 para. 1 lit. a GDPR (consent, where separately obtained)
4. Server Log Files
When accessing the website, technical data is automatically collected:
- IP address
- Date and time
- Page accessed
- Referrer URL
- Browser type and operating system
This data is technically required for operation, stability and security.
Legal basis: Art. 6 para. 1 lit. f GDPR.
5. Studio Registration and Magic Link Auth
When you register your studio or log in via magic link, we process:
- Studio name, address, phone, email
- Google Place ID (if registered via Google search)
- Opening hours, description, website (from Google Places or manually entered)
- Magic link token (TTL 48h, stored in DynamoDB)
- Session token (TTL 7 days, stored in localStorage)
Legal basis: Art. 6 para. 1 lit. b GDPR and Art. 6 para. 1 lit. f GDPR (legitimate interest in secure authentication of studio owners and protection against unauthorized access).
6. User Accounts (Cognito) and Favorites
When you sign in with Google via Amazon Cognito, we process:
- Name, email address, profile picture (provided by Google)
- Cognito User Sub (unique ID)
- Favorited studios (stored in DynamoDB, TTL 2 years)
- Booking history (stored in DynamoDB)
- Phone number (optional, stored in localStorage only)
- Displaying favorites and booking history
- Personalizing the user experience
Legal basis: Art. 6 para. 1 lit. b GDPR. Third-party providers: Amazon Cognito (AWS eu-central-1), Google OAuth.
7. Bookings and Booking Forwarding
Massage Finder processes booking data in two ways:
MF-native bookings
When you make a booking directly via massage-finder.de, we store the booking data in our system.
- Name, email, phone number
- Selected service, date, time
- Number of persons
- Massage Finder sends confirmation and cancellation emails to the customer.
- Booking status and history are stored in our system.
- The studio receives the booking request via email with magic-link actions (confirm/decline).
KN-synced bookings
Bookings made on a Khun Nuad studio website while logged in with your Massage Finder account are automatically synced back to your Massage Finder profile.
Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance) for both booking paths.
8. Cross-Domain Login and Booking Synchronization
You can log in with your Massage Finder account on participating studio websites (e.g. Khun Nuad studios). After your explicit consent on a consent screen, the following personal data is transmitted to the respective studio:
- Name
- Email address
- Phone number
- The transmission is carried out via a signed token (JWT) stored in your browser (localStorage, valid for 180 days). The token is used exclusively on the respective studio website.
- If you make a booking on a studio website while logged in, this booking is automatically displayed in your Massage Finder profile under 'My Appointments'. Synchronization takes place via an encrypted message queue (SNS/SQS) within the AWS infrastructure in the EU.
- You can cancel bookings made while logged in on a studio website via Massage Finder. The cancellation request is forwarded to the studio.
- The studio processes the received data as an independent data controller in accordance with its own privacy policy. Frye.tech has no influence on further processing by the studio.
Legal bases:
• Art. 6 para. 1 lit. a GDPR (consent) for the transmission of personal data to the studio
• Art. 6 para. 1 lit. b GDPR (contract performance) for booking synchronization
• Art. 6 para. 1 lit. f GDPR (legitimate interest) for checking whether your account is still active (introspect)
9. Claim Process
When you claim an existing studio listing, we process:
- Your email address
- Anonymized display of your email to the current owner
- Claim token and status (TTL 14 days in DynamoDB)
- If rejected: blocking period of 3 months
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in preventing fraudulent takeovers of studio listings and protecting existing owners).
10. Billing and Payment Data (Marketplace)
When marketplace billing is active for a studio, Massage Finder charges a fee per confirmed booking. In this context, we process the following data:
- Studio name and address
- Tax ID / VAT number
- Billing period
- Invoice amounts
- Payment status
Legal bases:
• Art. 6 para. 1 lit. b GDPR (contract performance)
• Art. 6 para. 1 lit. c GDPR (legal retention obligations)
11. Studio Data from Third-Party Sources
We collect some studio data not directly from the studios concerned, but from the connected Khun Nuad system. In accordance with Art. 14 GDPR, we provide the following information:
- Studio name, address, coordinates
- Opening hours, services, prices
- Studio contact details (no customer data)
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in providing up-to-date studio information for end users).
12. Cookies, Local Storage and Similar Technologies
Our website uses only technically necessary cookies and local storage for basic functions, security, language settings, session management and login states.
Insofar as exclusively technically necessary technologies are used, this is done on the basis of our legitimate interest in a functional and secure provision of the website.
The cross-domain token (JWT, localStorage, valid for 180 days) is stored only after explicit consent on the consent screen and therefore falls under § 25 para. 1 TDDDG (consent-required storage).
Insofar as non-necessary cookies or similar technologies are used, in particular for tracking, analysis or marketing, this is only done after separate consent.
Legal bases:
• Art. 6 para. 1 lit. f GDPR for necessary functions
• Art. 6 para. 1 lit. a GDPR for processing requiring consent
• Additionally, § 25 TDDDG for storing information in terminal equipment
13. Mobile App (Android)
The 'Massage Finder' app (Android) is a native wrapper providing mobile access to the online service at https://massage-finder.de. The app uses Apache Capacitor and loads the website in an embedded WebView.
In addition to the processing described in sections 4–10, the following data may be processed when using the app:
- Location data (GPS) – only after explicit permission by the user, for nearby studio search. The position is cached locally in the app for up to 5 minutes to avoid repeated GPS queries.
- Device information (user agent, operating system, app version) – technically required for content delivery
- Language setting – stored locally on the device (SharedPreferences)
- Login data – identical to the website (Amazon Cognito OAuth, see section 6)
Legal basis: Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(f) GDPR (legitimate interest in the technical provision of the app and detection of misuse), Art. 6(1)(a) GDPR (consent for location and tracking).
14. Service Providers / Recipients
To provide our services, we use service providers who may process personal data on our behalf. These include in particular providers in the areas of:
- Cloud hosting / infrastructure (AWS eu-central-1)
- Email communication (SMTP)
- Amazon Cognito (authentication)
- Google OAuth / Maps API
- DNS and domain management
We conclude data processing agreements with these service providers where necessary.
15. Hosting and Processing in the EU
The primary production data processing components are operated in AWS eu-central-1 (Frankfurt am Main, Germany).
Public content may be delivered via caching or content delivery technologies for performance and security reasons. Technical connection data such as IP addresses may be processed in the process.
16. Third Country Reference / Access from Thailand
Our company is based in Thailand. Personal data is primarily processed in the EU. However, it may happen in individual cases that authorized persons in Thailand access data stored in the EU as part of support, maintenance, error analysis or technical administration.
Where this constitutes a third-country transfer under GDPR, it is based on appropriate safeguards, in particular the EU standard contractual clauses pursuant to Art. 46 GDPR and supplementary technical and organizational measures, including access restrictions, role-based permissions, encryption, logging and case-by-case access.
A copy of the relevant safeguards can be provided upon request, insofar as this is not prevented by legal or contractual confidentiality obligations.
17. Storage Period
We only store personal data for as long as necessary for the respective purposes or as required by law.
- Duration of the contractual relationship
- Processing of inquiries
- Legal retention periods
- Proof and defense interests
- Technical backup and recovery cycles
Data no longer required after the end of the contract will be deleted or blocked, provided that no legal obligations prevent this.
18. Obligation to Provide Data
The provision of personal data is sometimes legally or contractually required. Without the required data, we may not be able to provide certain services such as registration, booking, support or contract performance.
19. Automated Decisions / Profiling
Exclusively automated decision-making within the meaning of Art. 22 GDPR does not take place, unless we expressly state otherwise.
20. Rights of Data Subjects
Within the framework of the legal requirements, you have the following rights:
- Right to information
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object to processing based on legitimate interests
- Right to revoke consent at any time with effect for the future
To exercise your rights, a notification to the contact details mentioned above is sufficient. For data portability (Art. 20 GDPR), you can request an export of your data (profile, booking history, favorites) in a machine-readable format by emailing info@frye.tech.
21. Right to Complain to a Supervisory Authority
You have the right to complain to a data protection supervisory authority if you believe that the processing of your personal data violates data protection law. This right arises from Art. 77 GDPR.
22. Changes to this Privacy Policy
We reserve the right to adapt this privacy policy if necessary due to legal, technical or organizational changes. The version published on this website applies in each case.