• Geo-Coding & Search: We map 5-digit PLZ codes to regions (Ort/Bundesland) to provide highly accurate, location-based search results.
• Authentication: We store cryptographic TOTP secrets to mathematically verify 6-digit MFA tokens.
• Billing Data: We process Stripe IDs and PayPal tokens. We do not store raw credit card numbers on our servers.

• Google Calendar (OAuth 2.0): If a Business Owner or Staff member voluntarily enables Google Calendar Synchronization, we request strict offline read/write access. We dynamically pull "busy" slots to prevent double-booking and push new appointments directly to Google. We do NOT share, sell, or parse this calendar data for any other purpose.
• Payment Gateways: Financial processing is handled via Stripe and PayPal under strict PCI compliance.

• Session Management: We use secure cookies to manage stateful session locks during registration and checkout.
• MFA Bypass: A cryptographic `trusted_device_token` is stored locally for 30 days if you select "Remember this device."
• Embedded Widgets: Our iframe booking widgets do not track cross-site behavior but utilize essential storage for cart and date/time selection.