Effective date: June 9, 2026 · Last updated: June 9, 2026
This Privacy Policy explains how SalonOS, Inc. (“SalonOne,” “we,” or “us”) collects, uses, shares, and safeguards personal information when you visit our websites, use the SalonOne platform, or interact with us (collectively, the “Service”).
1. Our role: controller vs. processor
SalonOne plays two distinct roles depending on whose data is involved:
- Controller — for personal information about our own business customers (salon owners, staff users who sign up, marketing prospects, and website visitors). This Policy describes that processing.
- Processor / service provider — for personal information that a salon (our customer) enters into the Service about its own clients, appointments, payments, and staff. We process that information on the salon’s behalf and under its instructions, subject to our agreement with the salon. If you are a client of a salon that uses SalonOne, please contact that salon directly to exercise your rights over data it controls.
2. Information we collect
We collect the following categories of personal information:
- Account information. Name, business name, email, phone number, password (hashed), profile photo, role, and tenant identifiers.
- Salon operational data (as processor). Client contact details, appointment history, services rendered, color formulas, notes, consent records, loyalty balances, staff schedules, payroll inputs, and inventory transactions entered by our customers.
- Payment information. Last four digits and brand of payment card, billing ZIP, Stripe customer and connected-account identifiers. Full card numbers are processed by Stripe and never stored on SalonOne servers.
- Communications metadata. Records of SMS and email messages sent through the Service, including delivery status, opt-in source and timestamp, and opt-out events.
- Device and usage data. IP address, browser type, operating system, pages viewed, referring URLs, timestamps, and interaction events collected through cookies and similar technologies.
- Diagnostics and error data. Crash reports, stack traces, and performance metrics through Sentry.
- Support and feedback. Messages you send to support, survey responses, and recorded calls (where lawful and disclosed).
We do not knowingly collect special-category data (such as health, biometric, or precise geolocation data) outside of routine fields a salon may choose to add to client notes; salons are responsible for ensuring any such data they enter has a lawful basis.
3. Sources
- Directly from you when you create an account or use the Service.
- From our customers (salons) when they enter client data.
- From sub-processors and service providers, such as Stripe (payment metadata) and Twilio (delivery receipts).
- Automatically through cookies, log files, and analytics.
4. How we use information
- To provide, secure, monitor, and improve the Service.
- To authenticate users, including multi-factor authentication and staff PIN flows.
- To process subscription payments and Stripe Connect onboarding.
- To send transactional messages (account, billing, security, and service notices).
- To send marketing communications about SalonOne, where permitted; you can opt out at any time.
- To detect, prevent, and investigate fraud, abuse, and security incidents.
- To comply with legal obligations and to establish, exercise, or defend legal claims.
- To produce aggregated or de-identified analytics that do not identify any individual.
5. Legal bases (EEA/UK users)
Where the GDPR or UK GDPR applies, we rely on the following legal bases: performance of a contract (providing the Service); legitimate interests (securing the Service, preventing fraud, direct marketing to business contacts); consent (cookies that are not strictly necessary, and certain marketing); and compliance with legal obligations.
6. How we share information
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising as those terms are defined under California law. We share information only as follows:
- With our customers. Staff users see data within their salon tenant according to their role.
- With sub-processors that help us run the Service:
  - Stripe, Inc. — payment processing and Stripe Connect (Privacy Policy).
  - Twilio Inc. — SMS delivery (Privacy Notice).
  - Resend, Inc. — transactional email (Privacy Policy).
  - Supabase, Inc. — database hosting and authentication (Privacy Policy).
  - Functional Software, Inc. d/b/a Sentry — error monitoring (Privacy Policy).
- Professional advisors (accountants, auditors, counsel) under confidentiality obligations.
- Authorities and others when required by law, valid legal process, or to protect rights, safety, and property.
- Corporate transactions. In connection with a merger, acquisition, financing, or sale of assets, subject to continued protection of personal information.
A current list of sub-processors is available on request from privacy@salonos.com.
7. International transfers
We operate primarily in the United States. If you are outside the United States, your information will be transferred to and processed in the United States or other countries that may have different data protection laws than your jurisdiction. Where required, we rely on Standard Contractual Clauses or other approved transfer mechanisms.
8. Retention
We retain personal information for as long as needed to provide the Service, comply with legal obligations (including tax and accounting), resolve disputes, and enforce our agreements. Customer Data is retained for the duration of the customer’s subscription and deleted in the ordinary course after termination, subject to the export window described in our Terms and to routine backup retention. Diagnostic data is typically retained for up to 90 days.
9. Security
We use administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit (TLS), encryption at rest for production databases, tenant-level row-level security, multi-factor authentication for privileged accounts, audit logging, and regular vulnerability monitoring. No method of transmission or storage is 100% secure.
10. Your privacy rights
Depending on where you live, you may have the right to access, correct, delete, port, restrict, or object to processing of your personal information, and to withdraw consent. To exercise rights about data SalonOne controls, contact privacy@salonos.com. We will verify your request and respond within the timeframe required by applicable law.
California residents (CCPA/CPRA). In the prior 12 months we have collected the categories of personal information described in Section 2 for the purposes in Section 4, and disclosed the categories in Section 6 to the recipients described there. We do not sell or share personal information for cross-context behavioral advertising. You may request access, deletion, correction, and to limit use of sensitive personal information. You may designate an authorized agent. We will not discriminate against you for exercising these rights.
EEA/UK residents. You may lodge a complaint with your local supervisory authority.
Salon clients. If you received a message from a salon that uses SalonOne or appear in a salon’s records, the salon is the controller of that data. Please contact the salon directly to exercise your rights.
11. Marketing choices and messaging
- Email. You can unsubscribe from marketing email using the link in any message. Transactional messages will continue.
- SMS. Reply STOP to opt out of further messages from a particular sender, or HELP for help. Standard message and data rates may apply.
- Cookies. Most browsers allow you to refuse or delete cookies. If you do, parts of the Service may not function properly.
12. Cookies and similar technologies
We use strictly necessary cookies for authentication and session management, and may use analytics cookies to understand usage. We do not use third-party advertising cookies. Where required by law, we will obtain consent before setting non-essential cookies.
13. Children
The Service is intended for business use by adults. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA/UK). If you believe a child has provided personal information to us, contact privacy@salonos.com and we will delete it.
14. Automated decision-making
SalonOne does not make decisions producing legal or similarly significant effects about individuals based solely on automated processing.
15. Changes to this Policy
We may update this Policy from time to time. We will post the updated Policy with a new “Last updated” date and, for material changes, provide additional notice (such as email or an in-product banner) before they take effect.
16. Contact us
SalonOS, Inc.
Attn: Privacy
[INSERT REGISTERED ADDRESS]
Email: privacy@salonos.com
