Privacy policy

SalonBird takes the protection of personal data seriously. This privacy policy explains what data we collect, why we collect it and what rights you have.

Last updated: March 2026

1. Data controller

SalonBird is responsible for processing personal data as described in this privacy policy. If you have questions about this policy or how we handle your data, please contact us at [email protected].

2. What personal data do we process?

We process personal data that you provide to us, that we collect automatically when you use our services, and that we receive from third parties. The categories include:

Account data (salon owners and staff)

  • Name, email address, phone number
  • Salon name, address, Chamber of Commerce number
  • Password (stored in hashed form; see section 5)
  • Billing information (billing address, subscription details, VAT number)
  • Language preference and settings

End-customer data (customers of salons)

  • Name, email address, phone number
  • Appointment data and treatment history
  • Payment data and transaction history
  • Customer notes and preferences (entered by the salon)
  • Communications data (booking confirmations, reminders)
  • Ratings and reviews

Technical data

  • IP address
  • Browser type and operating system
  • Device data
  • Date, time and duration of visits
  • Pages visited
  • Referring URL

3. Legal bases and purposes

We process personal data exclusively on a lawful basis under the GDPR. Below is an overview of our processing purposes and the corresponding legal bases:

  • Performance of the agreement (article 6(1)(b) GDPR): delivery of the SalonBird SaaS services, account management, appointment management, booking processing, point-of-sale and customer management.
  • Performance of the agreement (article 6(1)(b) GDPR): payment processing via SalonBird Pay (Stripe), invoicing and subscription management.
  • Legitimate interest (article 6(1)(f) GDPR): improving and optimising the services, product analytics, bug fixing and technical support.
  • Legitimate interest (article 6(1)(f) GDPR): securing the services, fraud prevention and abuse detection.
  • Consent (article 6(1)(a) GDPR): sending marketing communications and newsletters (you can withdraw your consent at any time).
  • Legal obligation (article 6(1)(c) GDPR): tax and accounting obligations, retention of invoice data.

4. SalonBird as a processor

When a salon owner uses SalonBird to manage data of their end customers, SalonBird acts as a processor within the meaning of the GDPR. The salon owner is then the data controller.

The Data Processing Agreement that forms part of our Terms of service (Part II) applies to this processing. It contains agreements about security measures, sub-processors, breach procedures and data subject rights, among other things.

5. How do we protect your data?

SalonBird applies appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, disclosure, alteration and destruction. Our measures include:

  • Encryption: all data transfer takes place over SSL/TLS. Passwords are stored using industry-standard hashing (bcrypt).
  • Access control: role-based access control (RBAC) for the SalonBird dashboard. Staff only access data needed for their role.
  • Infrastructure: zero-trust architecture, firewalls at every layer, automatic security updates.
  • Monitoring: protection against SQL injection, XSS, CSRF and session hijacking.
  • Backups: automatic daily backups with encrypted storage.
  • Data storage: all personal data is stored on servers within the European Union.
  • Code reviews: regular internal audits and code reviews of security-sensitive components.

A complete overview of our security measures is available in annex 2 of the Data Processing Agreement.

6. Sharing with third parties and sub-processors

We never sell or rent your personal data to third parties. We share personal data only with parties that are necessary to deliver our services, and only under strict conditions. An overview of our sub-processors:

  • Hetzner Online GmbH: VPS hosting of the application, database and backups (data centre in Germany, EU).
  • Cloudflare, Inc.: DNS, CDN, SSL/TLS certificates and DDoS protection.
  • Stripe Payments Europe, Limited: processing of online payments (SalonBird Pay). Stripe is established in Ireland and falls under the EU privacy regime.

Email delivery (booking confirmations, reminders and other transactional messages) is handled via our own self-hosted mail server (Mailcow) on EU infrastructure. No external email provider acts as a sub-processor.

We have entered into data processing agreements with all our sub-processors in line with the GDPR. An up-to-date overview is available in annex 3 of the Data Processing Agreement.

7. Transfers outside the European Economic Area

We aim to process and store all personal data within the European Union. In some cases a transfer to a country outside the European Economic Area (EEA) may be necessary, for example when a sub-processor is established in the United States.

In that case we ensure an appropriate level of protection, for example through:

  • The EU-US Data Privacy Framework (adequacy decision of the European Commission)
  • Standard contractual clauses (SCCs) of the European Commission
  • Additional technical and organisational measures where needed

8. Retention periods

We retain personal data no longer than necessary for the purpose for which it was collected, unless a longer retention period is required by law:

  • Account data: for the duration of the agreement. After termination, data is deleted within 30 days unless the customer requests earlier deletion.
  • End-customer data: for the duration of the agreement with the salon owner. After termination of the agreement, data is deleted in line with the Data Processing Agreement.
  • Invoice data: 7 years after the end of the financial year, in line with statutory retention requirements.
  • Trial account data: deleted after the trial period (30 days) ends if no subscription is taken out.
  • Technical log files: up to 90 days, then anonymised or deleted.

9. Your rights under the GDPR

Under the General Data Protection Regulation (GDPR) you have the following rights regarding your personal data:

  • Right of access (article 15 GDPR): you have the right to know what personal data we process about you and to request a copy.
  • Right to rectification (article 16 GDPR): you have the right to have inaccurate or incomplete personal data corrected.
  • Right to erasure (article 17 GDPR): you have the right to ask us to erase your personal data, provided no statutory retention obligation applies.
  • Right to restriction of processing (article 18 GDPR): you have the right to have the processing of your data restricted in certain circumstances.
  • Right to data portability (article 20 GDPR): you have the right to receive your data in a structured, commonly used and machine-readable format.
  • Right to object (article 21 GDPR): you have the right to object to the processing of your personal data based on our legitimate interest.
  • Right to withdraw consent (article 7(3) GDPR): when processing is based on your consent, you can withdraw it at any time. Withdrawal does not have retroactive effect.

You can submit a request by emailing [email protected]. We respond to your request within 30 days at the latest. We may ask you to verify your identity before we process your request.

10. Cookies and similar technologies

SalonBird uses cookies and similar technologies to improve the operation of the website and services. We distinguish the following types:

  • Necessary cookies: these cookies are essential for the operation of the website and the platform. They handle session management, authentication and security. These cookies are placed without consent.
  • Functional cookies: these cookies remember your preferences such as language settings. They improve your user experience.
  • Analytical cookies: where applicable, we use analytical cookies to understand how our services are used. We use this data only in anonymised or pseudonymised form.

We do not place tracking or marketing cookies from third parties without your explicit consent.

11. Automated decision-making

SalonBird does not use any fully automated decision-making that has legal effect or otherwise significantly affects data subjects, as referred to in article 22 of the GDPR.

12. Complaints

Do you have a complaint about how we handle your personal data? First contact us at [email protected] so we can find a solution together.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), the Dutch supervisor for privacy protection.

13. Changes to this privacy policy

SalonBird reserves the right to amend this privacy policy from time to time. We recommend reviewing this policy regularly. We will notify you by email of substantial changes.

14. Contact

For questions about this privacy policy, requests regarding your rights, or other privacy-related matters, you can contact us via: