Privacy Policy

Last updated: 22 April 2026 · Effective: 22 April 2026

1. Who We Are

SAY ("we", "us", "our") is a salon and wellness management platform operated by Servicesforyou Ltd, a company registered in England and Wales (No. 11636155).

2. What Data We Collect

We collect different categories of personal data depending on whether you use SAY as a client (booking services) or a salon professional (managing your business).

2.1 Account Data

Name, email address, phone number, profile photo, authentication credentials (via Google or Apple sign-in, or email/password). We store a hashed user ID linked to your Supabase authentication account.

2.2 Booking & Service Data

Appointment history, service preferences, rebooking patterns, preferred staff members, service routines and frequencies, and reliability scores (calculated from booking history to optimise scheduling).

2.3 Health & Safety Data GDPR Art. 9

SAY collects health-related data to ensure your safety during beauty and wellness treatments. This is special category data under UK GDPR Article 9 and requires your explicit consent before collection. This data includes:

• Allergies — known allergies and sensitivities (e.g. PPD, latex, fragrances)
• Skin conditions — active conditions such as eczema, psoriasis, rosacea
• Life stages — pregnancy, breastfeeding, or other conditions affecting treatment safety
• Skin type — Fitzpatrick classification (types I–VI) determined via a self-assessment quiz
• Medical history — active infections, circulatory conditions, recent skin procedures, current medications
• Patch test records — test dates, substances tested, results, and expiry status
• Body preferences — waxing areas, massage pressure preferences, focus/avoidance zones
• Skincare routine — products used, ingredients, cleansing methods (used for ingredient conflict detection)
• Skin intelligence metrics — Barrier Load Index, Pigmentation Risk score, and travel mode protocol adjustments (calculated from your skin type, routine, and conditions)

Each health data item has granular privacy controls — you choose Always share, Share when relevant, or Hidden per condition in your Health Profile. These controls determine what salon professionals can see when they access your Beauty Passport or consultation record.

2.4 Style & Appearance Data

Hair, nail, and style preferences, reference photos you upload, manual service history entries, and your Beauty Passport profile for communicating preferences to salons when travelling.

2.5 Professional Profile Data

If you create a professional profile: specialisations, experience, portfolio, ratings, and view analytics.

2.6 Communication Data

Messages sent via WhatsApp or SMS through our platform, notification preferences (push, email, SMS), and voice commands processed through our voice assistant.

2.7 Payment Data

We do not store credit card numbers or bank details. All payment processing is handled by Stripe, which acts as an independent data controller for payment data. We store only your subscription status, plan type, and transaction references.

2.8 Technical Data

Device type, browser, IP address (hashed for passport view audit logs), app version, and usage analytics.

3. Lawful Basis for Processing

Data Category	Lawful Basis	GDPR Article
Account data	Contract performance	Art. 6(1)(b)
Booking & service data	Contract performance	Art. 6(1)(b)
Health & safety data	Explicit consent	Art. 9(2)(a)
Style & appearance data	Contract performance	Art. 6(1)(b)
Communication data	Legitimate interest	Art. 6(1)(f)
Payment data	Contract performance	Art. 6(1)(b)
Technical data	Legitimate interest	Art. 6(1)(f)

Health data consent: Before any health-related data is collected, we present a clear consent screen explaining what data will be stored, how it will be used, and who can see it. You can withdraw consent at any time through your Health Profile's Data Controls section. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

4. How We Use Your Data

• Treatment safety — flagging contraindications, ingredient conflicts, and cooling-off periods between procedures
• Booking management — scheduling, reminders, rebooking suggestions, and availability checks
• Beauty Passport — communicating your preferences and health summary to salons via a QR code you control
• Skin Intelligence — calculating your Barrier Load Index and Pigmentation Risk to provide personalised safety guidance
• Voice assistant — processing voice commands on-device (native app) or via secure server route (web) to handle bookings and queries
• Service reminders — notifying you when routine treatments are due, based on frequencies you set
• Platform improvement — anonymised, aggregated analytics to improve our services

We do not sell your personal data. We do not use your health data for marketing purposes. We do not use your data for automated decision-making that produces legal effects.

5. Who We Share Data With

5.1 Salon Professionals

When you book with a salon, they may see a summary of your active health conditions, allergies, and patch test status — but only data you have set to "always share" or "share when relevant" in your privacy controls. They cannot see data you have marked as "hidden".

When a salon professional scans your Beauty Passport QR code, they must provide their name and the treatment they intend to perform before viewing your health data. This access is logged and visible to you under "Who viewed your passport" (GDPR Article 15 right of access).

5.2 Third-Party Processors

We use the following services to operate SAY. Each acts as a data processor under a Data Processing Agreement:

Service	Purpose	Data Processed	Location
Supabase	Database & authentication	All account and application data	EU (Frankfurt)
Stripe	Payment processing	Payment details, subscription status	EU/US
Vercel	App hosting	Technical data, IP addresses	EU/US
Twilio	SMS & WhatsApp messaging	Phone numbers, message content	US
Brevo	Transactional email	Email addresses, notification content	EU (France)
Google (Gemini)	AI voice processing fallback	Voice command text (no health data)	US
Firebase (FCM/APNs)	Push notifications	Device tokens	US

Voice commands processed on-device (native app) use Apple's Speech framework or Android's SpeechRecognizer and do not leave your device. Only the Gemini fallback route transmits command text to a server, and it never includes health data.

6. International Data Transfers

Some of our processors are based in the United States. Where data is transferred outside the UK, we rely on:

• UK International Data Transfer Agreements (IDTAs)
• Standard Contractual Clauses (SCCs) approved by the ICO
• The processor's Data Processing Addendum incorporating appropriate safeguards

7. Data Retention

Data	Retention Period
Account data	Duration of account + 30 days after deletion
Booking history	Duration of account (needed for rebooking engine)
Health & safety data	Until you withdraw consent or delete your account
Patch test records	Until expiry + 12 months, or account deletion
Voice command text	Not stored — processed in real-time and discarded
Consultation exports	12 months (salon regulatory requirement)
Passport view logs	Duration of account (GDPR Art. 15 audit trail)
Payment records	6 years (UK tax/accounting obligations)

When you delete your account, all personal data is permanently deleted within 30 days except where we are legally required to retain it (e.g. payment records for tax purposes).

8. Your Rights

Under UK GDPR, you have the following rights:

• Access (Art. 15) — request a copy of all personal data we hold about you
• Rectification (Art. 16) — correct inaccurate data
• Erasure (Art. 17) — request deletion of your data ("right to be forgotten")
• Restriction (Art. 18) — limit how we process your data
• Portability (Art. 20) — receive your data in a machine-readable format
• Object (Art. 21) — object to processing based on legitimate interest
• Withdraw consent — for health data, withdraw at any time via Health Profile > Data Controls

How to Exercise Your Rights

9. Data Security

We implement appropriate technical and organisational measures to protect your data:

• All data is encrypted in transit (TLS 1.3) and at rest
• Row-Level Security (RLS) policies ensure users can only access their own data
• Health data consent is gated — the system requires explicit consent before storing any Art. 9 data
• Beauty Passport access requires consent (viewer name + intended treatment) and is logged
• API keys and secrets are stored server-side only, never in client bundles
• Authentication via Supabase Auth with OAuth 2.0 (Google, Apple) or secure email/password

10. Cookies & Local Storage

SAY uses minimal cookies and local storage:

• Authentication tokens — essential for keeping you signed in (session cookies via Supabase Auth)
• Voice analytics — stored locally on your device only, not transmitted to our servers
• App preferences — language, notification settings

We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

11. Children

SAY is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@say-salon.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notification. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact Us