1. Who we are
This loyalty app is operated by the loyalty programme operator (“we”, “us”, “our”). We are the data controller responsible for your personal data collected through this loyalty rewards programme.
If you have questions about this policy or your data, please contact us in person at the salon or ask a team member for our contact details.
2. What data we collect
- Account data: your email address and first name (provided when you join).
- Contact details: your phone number (optional — provided to help us identify you at the counter).
- Birthday: month and day only. We do not collect your year of birth or full date of birth.
- Loyalty activity: stamp history, reward redemptions, and referral activity.
- Push notification consent: whether you have opted in to receive push notifications, and your device token used to deliver them.
- Technical data: basic session and cookie data required to keep you logged in.
3. How we use your data
- To operate and administer your loyalty account.
- To award stamps and rewards when you visit.
- To send you a birthday reward during your birthday month (if you have provided your birthday).
- To send push notifications about your rewards, stamps, and exclusive offers — only if you have opted in.
- To identify you at the point of sale when you show your QR code.
- To process referrals when you share your invite link.
4. Legal basis for processing (UK GDPR)
- Contract: processing your account data and loyalty activity is necessary to perform our loyalty programme agreement with you.
- Legitimate interests: keeping basic records of loyalty activity and detecting fraud.
- Consent: sending push notifications and marketing emails. You can withdraw consent at any time.
5. Push notifications (UK PECR)
We only send push notifications if you have explicitly opted in. You can withdraw your consent at any time by changing your notification settings on your device or by contacting us. We use OneSignal to deliver notifications; your device token is shared with OneSignal for this purpose only.
6. Data sharing
We share your data with the following third parties only where necessary:
- Supabase: our database and authentication provider. Data is stored on servers in the EU.
- OneSignal: push notification delivery. Only your device token and notification preferences are shared.
- Vercel: our hosting provider. No personal data is stored by Vercel beyond standard server logs.
We do not sell, rent, or share your data with third parties for their own marketing purposes.
7. Data retention
We keep your account and loyalty data for as long as your account is active. If you delete your account, all your personal data is permanently deleted from our systems within 30 days. Anonymised, aggregated statistics (e.g. total stamps issued across all members) may be retained indefinitely.
8. Your rights (UK GDPR)
You have the right to:
- Access a copy of the personal data we hold about you.
- Rectify inaccurate data — you can update your name, phone, and birthday in your profile.
- Erasure — you can delete your account at any time from your profile page. This permanently deletes all your data.
- Restrict or object to processing in certain circumstances.
- Data portability — request a copy of your data in a machine-readable format.
- Withdraw consent for marketing and push notifications at any time.
To exercise any of these rights, please contact us directly at the salon or speak to a team member.
9. Cookies and storage
We use essential cookies and browser storage (localStorage) to keep you logged in and remember your app preferences. We do not use advertising or tracking cookies. No third-party analytics tools are deployed on this app.
10. Complaints
If you have a concern about how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
11. Changes to this policy
We may update this policy from time to time. The “last updated” date at the top of this page will always reflect the most recent version.