This Privacy Policy explains how Beauty Salis (“we”, “us”) handles personal information in two distinct contexts:
- Information we collect and control directly — primarily when a salon owner contacts us, signs up, or visits this marketing site.
- Information we process on a salon’s behalf — the customer and staff data each salon manages inside its own Beauty Salis workspace. The salon is the data controller of that information; we are the data processor and handle it strictly under the salon’s instructions.
We do not sell or rent personal information and we do not use it to train third-party AI models. We have no advertising business; the platform is funded entirely by subscription revenue from the salons who use it.
Part I
Information we collect and control
When you contact us
If you reach out for a demo, sales enquiry, or support, we collect the name, email address, mobile number, business name, and free-text message you submit. We use it to respond and to keep an ordinary business record of the conversation.
When you visit this site
Standard server logs are recorded at the CDN edge and the application server: IP address, user-agent, referrer, and timestamps. We use these only for security, abuse prevention, and capacity planning. The marketing site does not set tracking cookies and does not use third-party analytics on the homepage.
When you sign in to a tenant
When a salon administrator or staff member signs in via /staff-login, we set a session cookie that is scoped to the tenant’s domain after the redirect.
The session expires when the user signs out or after the configured session lifetime.
Part II
Information we process on your behalf
Each salon (the “tenant”) operates its own Beauty Salis workspace. The salon decides what information to collect from its customers and staff; we hold and process it on the salon’s behalf. Each tenant’s data lives in its own isolated database schema, so one salon cannot see another’s records.
Customer data
For each customer of a salon, the platform is built to handle the following categories of personal data, as the salon collects them:
- Identity — name, mobile, optional email and birth date, preferred language.
- Authentication — a hashed PIN used for self-service sign-in to the customer mobile booking flow.
- Booking history — services booked, the staff member who served, the branch, dates and times.
- Invoices and payments — amounts, payment method, refund history, and the reference identifiers issued by our payment processor when a salon enables card payments. Card numbers themselves never reach our servers.
- Loyalty — tier, point balance, and earn / redeem records.
- Communication record — SMS, WhatsApp, push, and email messages sent by the salon, with delivery status.
- Push notification tokens — the registration token issued by the customer’s device and / or push-notification provider, used solely for delivering notifications about the customer’s own appointments.
- Ratings and feedback — star ratings and any free-text reviews left after a visit.
Staff data
For each staff member of a salon, the platform handles:
- Identity — name, mobile, email, role, branch, profile photo.
- Account credentials — a hashed password used to access the staff console and the staff mobile app.
- Employment details — join date, role, branch, and salary components configured by the salon. These are visible only to authorised users on the tenant.
- Schedules and leaves — per-staff calendars and time-off records.
- Activity record — bookings handled, invoice items, commission, ratings received.
- Push notification tokens — the registration token issued by the device platform for the staff mobile app, plus a separate token used by the staff console.
The Beauty Salis Staff App
The staff app is a thin native wrapper around the staff console for iOS and Android. It does not maintain its own account system — staff sign in with the same credentials they use in the web console.
The app collects only the push-notification registration token issued by the device and the platform indicator (iOS or Android), used solely to deliver work-related push notifications (customer arrivals, appointments starting, internal messages). The app does not request or collect location, contacts, photo library, microphone, or camera data, and does not run background telemetry.
How tenant data is used
We process tenant data only to operate the platform on the salon’s behalf: storing it, displaying it back to authorised users, transmitting messages, processing payments, and producing the audit and reporting features the salon uses. We do not repurpose tenant data for our own analytics, marketing, or AI training.
Data subject requests
If you are a salon’s customer or staff member and want to access, correct, or delete data held about you, please contact the salon directly — they are the data controller of their workspace. We support each salon in fulfilling such requests in line with applicable law.
Part III
General
Sub-processors
We rely on a small set of trusted infrastructure and service providers to operate the platform. Each is contractually bound to process information only on our instructions and to maintain security standards at least equal to ours. The categories of sub-processor we use are:
- Cloud hosting — compute, database, object storage, content delivery, and transactional email.
- Card payment processing — only for salons that enable card payments. Our payment processor is PCI-certified and card numbers never touch our servers.
- SMS and WhatsApp messaging — for sending appointment reminders, PINs, and other transactional messages on the salon’s behalf.
- Push notification delivery — for routing notifications to mobile and web clients.
- AI services — for the optional natural-language booking feature, only when a salon explicitly opts in. The provider’s enterprise terms forbid retention or model training on the data.
A current named list of sub-processors, with the legal entity, processing location, and data category each handles, is available to enterprise customers and salons under a signed agreement on request via salissoft.com/contact.
Security
We use TLS in transit, encrypted storage at rest, scoped IAM roles, secrets managed in a hardened vault, audit logs on privileged actions, and a web application firewall at the public edge. Per-tenant data is logically isolated at the database schema level.
Retention
Marketing-site logs are retained for up to 90 days for security analysis and then purged. Sales-enquiry messages are kept for as long as the business relationship is active plus a reasonable record-keeping period. Tenant-side retention windows are configurable inside the platform and managed by each salon (for example, notification logs default to 90 days, audit / activity logs to 365 days).
AI and automation
Beauty Salis offers an optional natural-language booking feature. When a salon enables it, a customer’s free-text booking request is sent to our AI sub-processor to extract the structured intent (service, time, staff). The AI provider does not retain the data and does not use it to train its models, per its enterprise terms. The feature is disabled by default and can be turned on or off per branch.
Children
The platform is intended for adult business users. Salons may serve minor customers (for example, children of family-account customers); how that information is collected and used is governed by each salon’s own privacy notice.
Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision; material changes will be highlighted on the marketing site.
Contact us
Questions, requests, or complaints about this Privacy Policy? Reach the team at salissoft.com/contact.