Introduction
This Privacy Policy explains how Salon Whisper Ltd (“we”, “us”, “our”, “Salon Whisper”), a company registered in England & Wales (company number 17168341), handles personal data when you use our website, our platform, or interact with us in any other way.
This policy applies to three groups of people:
- Customers — the salons, stylists and beauty professionals who subscribe to our platform.
- End Clients — the customers of our Customers, whose personal data passes through our platform.
- Visitors — anyone visiting our website or interacting with our marketing.
Our role under the UK GDPR depends on the relationship:
- As controller: for personal data of our Customers, website Visitors, prospects and our own staff. This Privacy Policy describes that processing in full.
- As processor: for End Client Data processed on a Customer’s behalf. The legal terms governing that processing are in our Data Processing Agreement (Schedule 1 of our Terms & Conditions). End Clients with questions about how their data is used should contact the salon they are a client of — the salon is the controller of that data.
1. Who We Are & How to Contact Us
Data Controller: Salon Whisper Ltd
Registered office: 66 Airfield Way, Nottingham, United Kingdom, NG15 6WZ
Privacy contact: support@salonwhisper.com
If you have any question about this policy, your data, or want to exercise any of your rights, contact us at the email above.
2. What Personal Data We Collect
2.1 Information you give us
- Account information: name, business name, email address, phone number, password (hashed), profile photo if provided.
- Billing information: billing address, VAT number, payment-method metadata. Full card details are handled directly by Stripe and never reach our servers.
- Business information: services offered, pricing, business hours, team members, location.
- Support communications: messages, tickets, screenshots and call recordings (where applicable) you send to our support team.
- Marketing preferences: your opt-in/opt-out choices and engagement with our communications.
2.2 Information we collect automatically
- Usage data: pages visited, features used, clicks, session length, search queries within the platform.
- Device and connection data: IP address, browser type and version, operating system, device identifiers, time zone.
- Log data: diagnostic logs, error reports, and security events generated when you use the platform.
- Cookies and similar technologies: see our separate Cookie Policy for full details.
2.3 Information we receive from third parties
- Connected Channels: when you connect Instagram, Facebook Messenger, WhatsApp, SMS or email accounts, we receive metadata and message content from those channels.
- Stripe: transaction metadata, payout status, dispute notifications and identity-verification status.
- Domain registrar (20i): domain ownership and DNS configuration data.
- Analytics providers: aggregated and individual usage information about how you interact with our website and platform.
- Public sources: for B2B prospecting, we may collect publicly available business information (company name, business email, business phone, public social profiles).
2.4 What we do not collect
We do not knowingly collect special category data (health, religion, sexual orientation, biometric data) from Customers. Such data about End Clients should not be uploaded to the platform unless the salon has a lawful basis under UK GDPR Article 9, and special category data must never be sent to us unsolicited.
Our platform is not intended for use by children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
3. How We Use Personal Data
We use personal data for the following purposes, on the lawful bases shown.
3.1 To provide and run the service
- Lawful basis: contract. Account creation, authentication, billing, message routing, booking management, email infrastructure, customer support and service announcements.
3.2 To improve and develop the platform
- Lawful basis: legitimate interests — our interest in building a better product, balanced against your reasonable expectations.
- Analytics on feature usage, performance and reliability.
- A/B testing of new features.
- Bug fixing, capacity planning and infrastructure improvements.
- Generating anonymised, aggregated insights — see Section 4 for what this means and how it is used.
3.3 To secure the service and prevent fraud
- Lawful basis: legitimate interests and legal obligation. Detecting abuse, preventing fraudulent transactions, investigating security incidents, blocking malicious users, complying with anti-money-laundering checks performed by Stripe.
3.4 To market our services
- Lawful basis: consent or legitimate interests (soft opt-in), depending on your status under PECR.
- Sending product updates, newsletters, feature announcements and offers about Salon Whisper services.
- Personalised content and recommendations within the platform.
- Targeted advertising on third-party platforms (where permitted).
- Re-engagement of lapsed Customers.
You can opt out of marketing at any time by clicking unsubscribe in any marketing email, updating your preferences in your account, or emailing our privacy contact. Opting out of marketing does not stop service-related communications, which we will continue to send for as long as you have an account.
3.5 To comply with legal obligations
- Lawful basis: legal obligation. Tax and accounting records, responding to lawful requests from regulators, courts or law enforcement, fulfilling our obligations as a data processor and controller.
3.6 To enforce our rights and resolve disputes
- Lawful basis: legitimate interests. Investigating breaches of our Terms, recovering unpaid Fees, defending legal claims.
4. Aggregated and Anonymised Data
This section is important and we want to be transparent about it.
4.1 What we mean by anonymised and aggregated
“Aggregated” means combined with data from many other Customers and End Clients so that no individual record is visible.
“Anonymised” means stripped of all identifiers to a standard at which a person or specific salon cannot reasonably be re-identified, taking into account the means likely to be used and any other information available. We follow ICO guidance on the threshold for anonymisation, including k-anonymity techniques, suppression of small groups and removal of direct and indirect identifiers.
Once data has been anonymised and aggregated to this standard, it is no longer personal data under UK GDPR.
4.2 What we use it for
We use anonymised, aggregated data to:
- calculate industry benchmarks (for example, average response time to a client message, typical booking conversion rates, no-show rates by region or service type);
- produce trend reports and insights about the salon and beauty industry, including reports we may publish or sell to industry bodies, publishers and other businesses;
- share with academic, research or commercial partners for the purposes of industry research and analysis;
- train, test, evaluate and improve machine-learning models that power features of the platform, including our AI Agents and analytics;
- design and build new products and features.
Because anonymised aggregated data is not personal data, we do not need consent to use it. By using the platform you acknowledge this use. If you would prefer your data not to be included in this aggregated processing, please contact us — although we cannot always honour this where the data has already been irreversibly aggregated. Individual conversations, messages, contact lists, booking histories or other identifiable Customer Content are never sold or shared with third parties for these purposes.
4.3 What we do not do
- We do not sell identifiable personal data.
- We do not share your or your End Clients’ message content with advertisers or data brokers.
- We do not use End Client conversations to train general-purpose AI models that we make available outside the platform.
- We do not use Customer Content to compete with you or to solicit your End Clients on our own behalf.
5. AI Features
Our platform includes AI-powered features, including AI Agents on the Scale tier. These features may use third-party AI models, including those provided by Anthropic (Claude).
- Where AI Agents respond to End Clients on a Customer’s behalf, the platform discloses to the End Client that they are interacting with an automated system.
- Channel differences: AI Agents may operate autonomously on Instagram, Messenger, SMS and email. On WhatsApp, AI Agents operate in assist-only mode — they may draft replies and surface information to the salon, but no message is sent on WhatsApp without human review and approval. This reflects the WhatsApp Business Solution Terms.
- AI processing of message content for the purpose of generating a response, classifying intent or routing a conversation is processing carried out on the Customer’s behalf and is governed by the DPA.
- We contractually require AI providers not to retain Customer Content for their own training purposes.
- We may use anonymised, aggregated data (Section 4) to fine-tune our own models or evaluate model performance.
6. Who We Share Personal Data With
We share personal data only with the following categories of recipient:
6.1 Sub-processors
Service providers who process personal data on our behalf to help us run the platform. Our current list is published at salonwhisper.com/sub-processors and reproduced in Schedule 2 of our Terms & Conditions. We carry out due diligence on every sub-processor and have written contracts in place that meet UK GDPR requirements.
6.2 Connected Channels
When you send a message through the platform, it is delivered to the relevant Connected Channel (Meta, WhatsApp, SMS carrier, email recipient). Those providers operate as independent controllers in respect of their own services and have their own privacy policies.
In particular:
- Meta (Instagram and Facebook Messenger): see https://www.facebook.com/privacy/policy and the Meta Platform Terms.
- WhatsApp: see https://www.whatsapp.com/legal/privacy-policy, the WhatsApp Business Solution Terms and the WhatsApp Business Messaging Policy.
- Stripe: see https://stripe.com/privacy.
- Mailgun (Sinch): see https://www.mailgun.com/privacy-policy/.
- 20i: see the privacy policy at https://www.20i.com.
WhatsApp — 30-day deletion. Meta’s WhatsApp Cloud API automatically deletes message content and user identifiers from Meta’s servers approximately 30 days after delivery. This is a Meta policy and is independent of how long Salon Whisper retains the same conversations within our Platform (see Section 8). As a result, conversations visible in your unified inbox may be older than copies held on Meta’s servers.
6.3 Stripe
Payment processing is handled by Stripe as an independent controller in respect of payment data, regulatory compliance and fraud prevention. See Stripe’s privacy policy for details.
6.4 Professional advisers
We share data with our lawyers, accountants, auditors and insurers where strictly necessary, under duties of confidentiality.
6.5 Authorities
We disclose data to regulators, courts, law enforcement and tax authorities where we are legally required to do so or where disclosure is necessary to protect our rights, property or safety, or the rights of others.
6.6 Business transfers
If we sell, merge, restructure or transfer all or part of our business, personal data may be transferred to the buyer or successor entity. We will notify you and ensure the new owner is bound by terms at least as protective as this policy.
7. International Transfers
Some of our sub-processors are based outside the UK, including in the US and the EEA. Where we transfer personal data outside the UK, we do so under one or more of the following safeguards:
- an adequacy decision recognised by the UK government;
- the UK International Data Transfer Agreement;
- the UK Addendum to the EU Standard Contractual Clauses;
- other lawful transfer mechanisms under UK GDPR Article 46.
You can request a copy of the safeguards in place by contacting our privacy team.
8. How Long We Keep Personal Data
We keep personal data only for as long as necessary for the purposes for which it was collected.
- Customer account data: for the duration of your subscription, plus a 90-day grace period after cancellation. After that, we delete account data and Customer Content from active systems, with deletion from backups completing within a further 30 days as backups cycle out.
- End Client Data: held while it is in your account, then handled in line with the retention timeline above when your account is closed.
- Billing and tax records: six years from the end of the relevant tax year, in line with HMRC requirements.
- Marketing data: until you opt out, plus a short suppression-list retention period to make sure we honour your opt-out.
- Support tickets: three years after the ticket is closed.
- Anonymised aggregated data: indefinitely, as it is no longer personal data.
You may request earlier deletion at any time by emailing support@salonwhisper.com. We will action verified deletion requests within 30 days, except where we are required to retain certain records by law.
9. Your Rights
Under UK GDPR you have the following rights in relation to personal data we hold about you:
- Access — receive a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — ask us to delete data, subject to certain exceptions.
- Restriction — ask us to limit how we process your data.
- Portability — receive your data in a structured, commonly used format.
- Objection — object to processing based on legitimate interests, including direct marketing.
- Automated decisions — ask for human review of decisions made solely by automated means with legal or similarly significant effects (we do not currently make such decisions).
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact us at support@salonwhisper.com. We will respond within one month. There is no fee for exercising your rights, but we may charge a reasonable fee or refuse manifestly unfounded or excessive requests.
If we cannot resolve your concern, you have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk or 0303 123 1113.
10. Security
We take security seriously. Our measures include:
- encryption of data in transit (TLS) and at rest;
- access controls based on least privilege, with multi-factor authentication for staff access to production systems;
- regular security review, dependency monitoring and patching;
- logging and monitoring of access to personal data;
- vendor due diligence for sub-processors;
- written security policies and staff training.
No system is completely secure. If you believe your account has been compromised, contact us immediately.
11. Cookies
Our website and platform use cookies and similar technologies. Full details, including how to manage your preferences, are in our separate Cookie Policy, available at salonwhisper.com/cookies.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you by email of material changes at least 30 days before they take effect, and we will always show the effective date at the top of the policy. Continued use of the platform after the change takes effect constitutes acceptance.
13. Contact
Salon Whisper Ltd
Registered office: 66 Airfield Way, Nottingham, United Kingdom, NG15 6WZ
Company number: 17168341
General privacy enquiries: support@salonwhisper.com
Data deletion requests: support@salonwhisper.com
ICO registration: 17168341