SalonPay

Privacy Policy

Last updated: May 10, 2026

SalonPay, Inc. ("SalonPay", "we", "us") provides a software platform that salons and stylists use to run their businesses. This Privacy Policy explains the personal data we collect, how we use it, who we share it with, how long we keep it, and the rights you have over it. We aim to be plain and specific. Where we act on behalf of a salon, the salon is the controller and we are the processor; the Data Processing Addendum sets out that relationship in more detail.

1. Data we collect

1.1 Account data

When you create an account we collect your name, email address, and authentication credentials. If you sign in through a third-party identity provider, we receive the identifiers and basic profile information that provider exposes. We collect the salon name, slug, timezone, and currency you choose during onboarding.

1.2 Salon operational data

As you use the Service we store the operational data your team produces: appointments, services, schedules, pricing, commissions, rent settings, internal notes, and message history. We also store the OAuth connections you authorize between SalonPay and third-party services such as Square.

1.3 Customer personal data

Your salon's customer records (names, phone numbers, email addresses, visit history, preferences, and free-text notes you write about them) are processed by SalonPay on your behalf. We treat this data as belonging to you. We do not use it to market to your customers, sell it, or train models on it.

1.4 Payment metadata

SalonPay does not store full card numbers or CVCs. When you take a payment through Square, Square handles cardholder data and returns metadata such as transaction identifier, amount, currency, brand, last four digits, status, and timestamps. We store that metadata to reconcile orders, build reports, and respond to disputes.

1.5 Technical and usage data

We collect IP address, browser type, operating system, device identifiers, referring URL, request timestamps, and pages viewed. We use cookies and similar technologies for authentication, security, and product analytics. Where required by law we ask for your consent before non-essential cookies are set.

2. How we use data

  • To provide and operate the Service, including authentication, multi-tenant access control, scheduling, payments reconciliation, and notifications.
  • To send transactional messages (booking confirmations, reminders, password resets, account alerts).
  • To detect, investigate, and prevent fraud, abuse, and security incidents.
  • To analyze product usage in aggregate so we can improve the Service.
  • To communicate with you about your account, including service announcements and updates to legal terms.
  • To comply with legal obligations and respond to lawful requests from authorities.

We do not sell personal data. We do not use your salon's customer records to train machine learning models, and we do not share them with third parties except the sub-processors listed below.

3. Legal bases (EEA and UK users)

Where the EU or UK General Data Protection Regulation applies, we process personal data on the following legal bases: performance of a contract with you; our legitimate interests in operating and securing the Service (balanced against your rights); compliance with legal obligations; and your consent where required (for example, for non-essential cookies). You may withdraw consent at any time without affecting the lawfulness of prior processing.

4. Sub-processors

We use the following sub-processors to deliver the Service. Each is bound by a written agreement requiring confidentiality and protection of personal data consistent with this policy.

Sub-processor | Purpose | Data location
Supabase | Postgres database, authentication, storage | United States
Vercel | Application hosting, edge network | United States, global edge
Resend | Transactional and notification email | United States
Twilio | SMS for booking reminders and notifications (where enabled) | United States
Square | Card processing, merchant onboarding, OAuth | United States
Inngest | Background workflows and scheduled jobs | United States
Sentry | Error and performance monitoring | United States
Stripe | SalonPay subscription billing (not customer card data) | United States

We will give reasonable advance notice of new sub-processors via in-product notice or email so you have an opportunity to object.

5. International transfers

Our infrastructure is hosted in the United States. When personal data is transferred from the EEA, UK, or Switzerland to the US, we rely on Standard Contractual Clauses and supplementary measures including encryption in transit and at rest.

6. Retention

We keep account and operational data for as long as the salon's account is active. After account closure, we retain data for ninety days to allow account recovery and export, then delete it from active systems within thirty days and from backups within a further ninety days.

Some records (financial transactions, billing invoices, audit logs, and security events) are retained for up to seven years where required by tax, accounting, or regulatory law. Aggregated and de-identified data may be retained indefinitely.

7. Security

We protect personal data with administrative, technical, and physical safeguards. Tokens for third-party integrations (such as Square access and refresh tokens) are encrypted at rest with AES-256-GCM using a key managed by SalonPay. All traffic to the Service is encrypted in transit with TLS 1.2 or higher. Database access is controlled by Postgres row-level security so each tenant can only read its own data, and audit logs record administrative actions. Despite these measures, no system is perfectly secure; report any suspected vulnerability to security@salonpay.io.

8. Your rights

Depending on where you live, you may have rights to access, correct, delete, port, or restrict processing of your personal data, and to object to processing based on legitimate interests. EEA, UK, and Swiss residents may lodge a complaint with their data protection authority. California residents have rights under the CCPA/CPRA, including the right to know what personal information we collect, the right to delete, the right to correct, and the right to opt out of any sale or sharing of personal information; we do not sell personal information.

To exercise any of these rights, email privacy@salonpay.io from the email registered to your account, or use the in-product export and deletion tools where available. We will respond within the timeframes required by applicable law, typically thirty days.

If you are a customer of a salon that uses SalonPay and you want to exercise rights over your data, please contact the salon directly. We will support the salon in responding to your request, but the salon controls the data and decides how to act on it.

9. Children

The Service is not directed to children under sixteen. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@salonpay.io and we will delete it.

10. Cookies and tracking

We use first-party cookies for authentication and security. We use limited first-party analytics to understand how the Service is used. We do not use third-party advertising cookies on the SalonPay application.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced by email or an in-product notice at least thirty days before they take effect. The "Last updated" date at the top reflects the current version.

12. Contact

Privacy questions and requests can be sent to privacy@salonpay.io. Postal mail can be addressed to SalonPay, Inc., Attn: Privacy, 1209 Orange Street, Wilmington, DE 19801, USA.

© SalonPay