Privacy Policy
Your privacy matters to us. Learn how we handle your data.
Last updated: April 18, 2026
MySalon25 ("we", "us", "our") is committed to protecting the privacy of salon owners, their team members, and their customers who use our platform. This Privacy Policy explains how we collect, use, store, and protect your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Belgian Data Protection Act of 30 July 2018, and other applicable legislation. By using MySalon25, you acknowledge that you have read and understood this Privacy Policy.
1. Data Controller
The data controller responsible for your personal data is MySalon25, operated from Belgium. For any questions regarding data processing, you may contact us at privacy@mysalon25.com. When a salon owner uses MySalon25 to manage their customer data, the salon owner acts as the data controller for their customers' personal data, and MySalon25 acts as the data processor on their behalf under a Data Processing Agreement.
2. Data We Collect
Account Data
When you register, we collect your first name, last name, email address, phone number, and password (stored in hashed form). For salon registration, we also collect your salon name, address, and business information necessary to provide our services.
Usage Data
We automatically collect technical data such as your IP address, browser type, operating system, pages visited, session duration, and referral source. This data is collected through server logs and analytics to improve our service and ensure security.
Salon Customer Data
When salon customers book appointments through MySalon25, we process their name, email address, phone number, appointment history, and any notes entered by the salon. This data is processed on behalf of the salon owner who is the controller of their customers' data.
3. Purpose of Processing
We process your personal data for the following purposes:
(a) providing, maintaining, and improving the MySalon25 platform and its features;
(b) managing your account and authenticating your identity;
(c) processing payments and managing subscriptions through our payment provider Mollie;
(d) sending transactional emails such as appointment confirmations, magic login links, and account notifications;
(e) providing customer support;
(f) complying with legal and regulatory obligations, including tax and accounting requirements;
(g) detecting, preventing, and addressing fraud, abuse, or security issues; and
(h) generating aggregated, anonymized analytics to improve our services.
4. Legal Basis for Processing
We process your personal data on the following legal grounds under Article 6 GDPR:
(a) Contract performance — processing necessary to provide you with our services as agreed upon registration (Art. 6(1)(b));
(b) Legal obligation — processing required to comply with Belgian and EU legal obligations, including tax law and the Belgian Code of Economic Law (Art. 6(1)(c));
(c) Legitimate interest — processing necessary for our legitimate interests, including fraud prevention, platform security, and service improvement, provided these do not override your fundamental rights (Art. 6(1)(f)); and
(d) Consent — where we rely on your consent (e.g., marketing communications), you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal (Art. 6(1)(a)).
5. Data Sharing & Sub-processors
We do not sell your personal data. We share your data only with trusted third-party service providers who are strictly necessary for operating our platform:
(a) Microsoft Azure — cloud hosting and infrastructure (EU data centers);
(b) Microsoft Entra ID — identity and authentication services;
(c) Mollie B.V. — payment processing (Netherlands, PCI DSS compliant);
(d) Azure Communication Services — transactional email delivery.
All sub-processors are bound by Data Processing Agreements and are required to comply with GDPR. We may also disclose your data when required by law, court order, or governmental authority.
6. International Data Transfers
Your data is primarily stored and processed within the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure adequate safeguards are in place, such as the EU Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission, in compliance with Chapter V of the GDPR.
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes described in this policy. Account data is retained for the duration of your active subscription and for up to 12 months after account closure to allow for reactivation and to comply with legal retention obligations. Payment and invoicing records are retained for 7 years as required by Belgian tax law (Article 60 of the Belgian VAT Code). Salon customer appointment data is retained for the duration of the salon's active subscription and deleted upon request or account closure. Usage and analytics data is retained in anonymized form indefinitely.
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
(a) Right of access — you may request a copy of the personal data we hold about you (Art. 15);
(b) Right to rectification — you may request correction of inaccurate data (Art. 16);
(c) Right to erasure ("right to be forgotten") — you may request deletion of your data where there is no compelling reason for continued processing (Art. 17);
(d) Right to restriction — you may request limitation of processing in certain circumstances (Art. 18);
(e) Right to data portability — you may request your data in a structured, machine-readable format (Art. 20);
(f) Right to object — you may object to processing based on legitimate interest (Art. 21);
(g) Right to withdraw consent — where processing is based on consent, you may withdraw it at any time (Art. 7(3)).
To exercise any of these rights, contact us at privacy@mysalon25.com. We will respond within 30 days as required by law.
9. Cookies
MySalon25 uses strictly necessary cookies for authentication, session management, and language preference. These cookies are essential for the functioning of the platform and do not require consent under Article 5(3) of the ePrivacy Directive as transposed into Belgian law. We do not use advertising or third-party tracking cookies. Authentication cookies are used to maintain your logged-in session. Language preference cookies remember your selected language across visits.
10. Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with Article 32 GDPR. These measures include: encryption of data in transit (TLS 1.2+) and at rest; hashed password storage; role-based access controls; regular security assessments; and hosting on Microsoft Azure with enterprise-grade security certifications (ISO 27001, SOC 2). However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security and shall not be liable for breaches resulting from sophisticated attacks beyond our reasonable control.
11. Children's Privacy
MySalon25 is a business-to-business service intended for salon professionals. Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such data promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by email or through a prominent notice on our platform at least 30 days before the changes take effect. Your continued use of MySalon25 after the effective date constitutes your acceptance of the updated policy. We recommend reviewing this policy periodically.
13. Contact & Complaints
For any questions, requests, or complaints regarding this Privacy Policy or our data processing practices, please contact us at: privacy@mysalon25.com. If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données): Rue de la Presse 35, 1000 Brussels, Belgium — contact@apd-gba.be — www.dataprotectionauthority.be.