The Salon Suite

Privacy Policy

How we collect, use and protect your personal data.

Last updated: 24 March 2026

Contents

  1. Who We Are
  2. What Data We Collect
  3. Lawful Basis for Processing
  4. How We Use Your Data
  5. Data Sharing & Sub-processors
  6. International Transfers
  7. Data Retention
  8. Your Rights
  9. Children's Data
  10. Data Security
  11. Data Breach Notification
  12. Changes to This Policy
  13. Contact Details

1. Who We Are

The Salon Suite ("we", "us", "our") operates The Salon Suite (the "Service"), a web-based salon management application available at thesalonsuite.uk.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we act as:

  • an independent data controller for Account Data, Payment Data, Usage Data and our own marketing and service administration activities; and
  • a data processor for Client Data that you enter into the Service about your salon clients, processing such data on your documented instructions, as set out in our Data Processing Agreement.

Our details:

The Salon Suite
Registered office: [Your Address]

ICO registration number: [Your ICO Number]

You can contact us about privacy or data protection matters at: hello@thesalonsuite.uk.

2. What Data We Collect

2.1. Account Data

When you register for the Service, we collect:

  • Your full name
  • Email address
  • Salon name, address and contact details
  • Phone number (optional, for SMS notifications)
  • Password (stored only as a salted bcrypt hash; we never store plain-text passwords and cannot recover them from the hash)
  • Role and team information (if you add staff members)

2.2. Client Data (Processed on Your Behalf)

You may enter personal data about your salon clients into the Service, including:

  • Client names, phone numbers and email addresses
  • Appointment history and booking records
  • Colour formulas, service notes, consultation records
  • Allergy and sensitivity information (special category data under UK GDPR Article 9)
  • Photographs (if uploaded)
  • Payment and transaction history within the salon

We process this data solely on your behalf and in accordance with our Data Processing Agreement. You are the data controller for Client Data and are responsible for ensuring you have a lawful basis to collect and process it.

2.3. Payment Data

Subscription payments are processed by Stripe, Inc. We do not collect, store or have access to your full credit or debit card numbers. Stripe provides us with:

  • Last four digits of your card number (for display purposes)
  • Card brand (e.g. Visa, Mastercard)
  • Billing address (if provided to Stripe)
  • Transaction and invoice records

Stripe's privacy policy is available at stripe.com/privacy.

2.4. Usage Data

We automatically collect certain information when you use the Service, including:

  • Pages and features accessed, and frequency of use
  • Device type, operating system, browser type and version
  • IP address (anonymised where possible)
  • Date and time of access
  • Referring URL
  • Error logs and performance data

2.5. Cookie Data

We use cookies and similar technologies as described in our Cookie Policy.

3. Lawful Basis for Processing

Under UK GDPR Article 6, we process personal data on the following lawful bases:

  • Account Data: Contract (Art. 6(1)(b)). Necessary to create and manage your Account and provide the Service under our Terms of Service.
  • Payment Data: Contract (Art. 6(1)(b)). Necessary to process subscription payments and manage billing.
  • Client Data: Contract (Art. 6(1)(b)). We process Client Data as a data processor under our contract with you (the data controller). Your own lawful basis for collecting Client Data is your responsibility.
  • Usage Data: Legitimate Interest (Art. 6(1)(f)). To improve the Service, ensure security, diagnose technical issues and understand feature usage. Our interest in improving the product does not override your privacy rights.
  • Cookie Data (Essential): Legitimate Interest (Art. 6(1)(f)). Strictly necessary for the Service to function (authentication, security, preferences).
  • Cookie Data (Analytics): Consent (Art. 6(1)(a)). Only set if you give consent via the cookie banner. You may withdraw consent at any time.
  • Marketing Communications: Consent (Art. 6(1)(a)). Only sent with your explicit opt-in consent. You may unsubscribe at any time.

Where Client Data includes allergy or health-related information (special category data under Article 9), you as the data controller must ensure you have obtained explicit consent from your clients or have another valid Article 9 condition for processing such data.

4. How We Use Your Data

We use the data we collect for the following purposes:

  • Providing the Service: Creating and managing your Account, processing bookings, storing client records, running calculator tools and generating reports.
  • Payment processing: Managing subscriptions, processing payments and issuing invoices via Stripe.
  • Communication: Sending service-related notifications (e.g. booking confirmations, appointment reminders, password resets), billing notifications and, with your consent, marketing communications.
  • Service improvement: Analysing usage patterns to improve features, user experience and performance.
  • Security: Detecting and preventing fraud, abuse and security incidents.
  • Legal compliance: Meeting our legal and regulatory obligations, including responding to lawful requests from authorities.
  • Support: Responding to your enquiries and providing technical assistance.

We will not use your data for any purpose that is incompatible with the purposes stated above without informing you and, where required, obtaining your consent.

5. Data Sharing & Sub-processors

We do not sell, rent or trade your personal data. We share data only with the following categories of recipients, and only to the extent necessary to provide the Service:

5.1. Sub-processors

  • Supabase: database hosting and authentication. Data shared: Account Data, Client Data. Location: EU (Frankfurt) / US.
  • Vercel: application hosting and delivery. Data shared: Usage Data, IP addresses. Location: global CDN (US, EU).
  • Stripe, Inc.: payment processing. Data shared: Payment Data, billing details. Location: US / EU.
  • Resend: transactional email delivery. Data shared: email addresses, email content. Location: US.
  • Twilio: SMS notifications (appointment reminders). Data shared: phone numbers, SMS content. Location: US.

Each sub-processor is bound by data processing agreements that require them to process data only on our instructions and to implement appropriate security measures.

5.2. Other Disclosures

We may also disclose personal data:

  • To comply with a legal obligation, court order or request from a regulatory authority;
  • To protect and defend our rights, property or safety, or that of our Users;
  • In connection with a merger, acquisition, restructuring or sale of assets (in which case data will remain subject to this Privacy Policy);
  • With your explicit consent.

6. International Transfers

Some of our sub-processors (including Supabase, Vercel, Stripe, Resend and Twilio) may process data outside the United Kingdom and the European Economic Area, including in the United States.

Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place in accordance with UK GDPR Article 46. These safeguards include the use of the Information Commissioner's Office (ICO) International Data Transfer Agreement (IDTA), or the ICO's UK Addendum to the European Commission's Standard Contractual Clauses, together with additional technical and organisational measures where necessary. We also carry out transfer impact assessments for such transfers to assess the level of protection in the destination country.

You may request a copy of the relevant transfer safeguards by contacting us at hello@thesalonsuite.uk.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

  • Account Data: duration of subscription + 30 days. Deleted on Account cancellation or termination.
  • Client Data: duration of subscription + 30 days. Deleted on Account cancellation or termination, or earlier if you delete it yourself within the Service.
  • Payment Data: 6 years from the date of the transaction. Retained to meet UK tax and accounting record-keeping requirements and for the six-year limitation period for contractual claims (Limitation Act 1980).
  • Usage Data: 24 months. Purged automatically on a rolling basis.
  • Cookie Data: see Cookie Policy. Removed on cookie expiry or when you delete cookies in your browser.
  • Support Correspondence: 24 months after the enquiry is resolved. Deleted automatically.

After the retention period expires, data is deleted from our live systems and from sub-processor systems. Backup copies are purged within thirty (30) days of the primary deletion, after which the data can no longer be restored.

8. Your Rights

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

  • Right of access (Article 15): You have the right to request a copy of the personal data we hold about you. We will respond within one calendar month.
  • Right to rectification (Article 16): You may request correction of any inaccurate or incomplete personal data. You can update most Account Data directly through the Service settings.
  • Right to erasure (Article 17): You may request deletion of your personal data where there is no compelling reason for us to continue processing it. Note: we may need to retain certain data for legal or regulatory reasons.
  • Right to data portability (Article 20): You may request that we provide your personal data in a structured, commonly used, machine-readable format (such as CSV or JSON). Export functions are available within the Service.
  • Right to restriction of processing (Article 18): You may request that we restrict processing of your personal data in certain circumstances (e.g. while we verify its accuracy).
  • Right to object (Article 21): You may object to processing based on legitimate interest. We will cease processing unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent: Where processing is based on consent (e.g. marketing communications, analytics cookies), you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been infringed.

To exercise any of these rights, please contact us at hello@thesalonsuite.uk. We will respond within one calendar month. In exceptional cases (complex or numerous requests), we may extend this by a further two months, but we will inform you within the first month if this is necessary.

There is no fee for exercising your rights, unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

Salon Client Rights

If you are a client of a salon that uses The Salon Suite, the salon is the data controller for your personal data. Please direct any data subject access requests or other rights requests to the salon directly. We will assist the salon in fulfilling such requests in accordance with our Data Processing Agreement.

9. Children's Data

The Salon Suite is a business-to-business service designed for salon professionals. It is not directed at children, and we do not knowingly collect personal data from individuals under the age of 18 for Account registration purposes.

Salon operators may store Client Data relating to minors (e.g. children who are salon clients). As the data controller for Client Data, you are responsible for ensuring you have appropriate lawful authority to process the personal data of minors, including obtaining parental or guardian consent where required.

If we become aware that we have inadvertently collected personal data from an individual under the age of 18 for Account registration, we will take steps to delete that data as soon as reasonably practicable.

10. Data Security

We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, alteration, disclosure, loss or destruction. These measures include:

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS).
  • Encryption at rest: Data stored in our database is encrypted at rest using AES-256.
  • Authentication security: Passwords are hashed using bcrypt with a per-password salt and an appropriate work factor (cost), so a database disclosure does not reveal usable passwords. We encourage the use of strong, unique passwords.
  • Access controls: Access to personal data within our organisation is restricted to authorised personnel on a need-to-know basis, with role-based access controls enforced.
  • Infrastructure security: Our application is hosted on Vercel and our database on Supabase, both of which maintain SOC 2 Type II compliance and implement industry-standard security controls.
  • Regular updates: We keep our software dependencies up to date and monitor for known security vulnerabilities.
  • Secure development practices: We follow secure coding practices and conduct regular reviews of our codebase.

While we take all reasonable steps to protect your data, no system is entirely secure. We cannot guarantee absolute security, but we are committed to promptly addressing any vulnerabilities or incidents that may arise.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:

  • Where we are the data controller, notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33.
  • Where the breach relates to Client Data we process on your behalf, notify you (the data controller) without undue delay after becoming aware of it, as required of a processor by UK GDPR Article 33(2), providing sufficient detail for you to fulfil your own notification obligations.
  • Where we are the data controller and the breach is likely to result in a high risk to the rights and freedoms of individuals, notify those individuals directly, as required by UK GDPR Article 34.

Our breach notification will include:

  • A description of the nature of the breach, including (where possible) the categories and approximate number of individuals and records affected;
  • The name and contact details of our data protection contact;
  • A description of the likely consequences of the breach;
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors.

If we make material changes, we will notify you by email at least thirty (30) days before the changes take effect and update the "Last updated" date at the top of this page.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acknowledgement of the updated policy.

13. Contact Details

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a complaint about how we handle your data, please contact us:

  • Data Protection Contact: hello@thesalonsuite.uk
  • Company: [Company Name]
  • Address: [Company Address]
  • ICO Registration: [ICO Number]

Information Commissioner's Office

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

© 2026 [Company Name] trading as The Salon Suite. All rights reserved.
