GDPR RIGHTS
BarberBoost is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains your rights as a data subject and how to exercise them. For the full detail of how we process your data, see our Privacy Policy.
Last updated: 26 April 2026
1. Overview
The UK GDPR gives individuals significant rights over their personal data. These rights apply to data we hold about you as an account holder, user of the platform, or contact who has communicated with us.
If you are a client of a barbershop that uses BarberBoost, the barbershop is the data controller for your booking data. You should direct your data rights requests to them. However, if the barbershop requests our assistance in fulfilling a data rights request, we will co-operate fully and promptly.
Our full Privacy Policy is available at barberboost.app/privacy.
2. Data Controller
For personal data processed in connection with your BarberBoost account and use of the platform, the data controller is:
BarberBoost Ltd
Registered in England & Wales
Data enquiries: legal@barberboost.app
General: hello@barberboost.app
We have registered with the Information Commissioner's Office (ICO) as required by the Data Protection (Charges and Information) Regulations 2018. Our ICO registration number is available on request.
3. Lawful Bases for Processing
Every processing activity we carry out has a lawful basis under UK GDPR Article 6. The bases we rely on are:
- Account creation, billing, service delivery, sending booking notifications on behalf of shops.
- Platform security, fraud prevention, usage analytics, product improvement, and account-related communications.
- Retaining VAT and billing records for 7 years as required by HMRC; responding to lawful authority requests.
- Marketing emails and product newsletters. You may withdraw consent at any time without detriment.
Where we process special category data (we do not currently do so), we would also identify an appropriate condition under UK GDPR Article 9.
4. Your Rights
Under UK GDPR, you have the following rights. These are not absolute — exemptions may apply in limited circumstances, which we will explain if we need to rely on one.
Right of Access (Subject Access Request)
You have the right to obtain a copy of the personal data we hold about you, along with information about how we process it, who we share it with, and how long we keep it.
We will provide your data in a commonly used electronic format. For large or complex requests, we may extend our response time to three months.
Right to Rectification
If any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected.
You can update most of your account data directly within Settings → Account without needing to contact us.
Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal data where: it is no longer necessary for the purpose it was collected; you withdraw consent (where consent was the basis); you successfully object to the processing; or the data was unlawfully processed.
This right is not absolute. We may be unable to delete data that we are legally required to retain (e.g. billing records required by HMRC for 7 years).
Right to Restriction of Processing
You have the right to request that we restrict (pause) the processing of your data while: you contest its accuracy; the processing is unlawful but you prefer restriction to erasure; we no longer need it but you need it for a legal claim; or you've objected and we're assessing the grounds.
During a restriction, we will continue to store your data but not otherwise process it.
Right to Data Portability
Where processing is based on your consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to have it transferred to another controller.
You can export your data at any time from your BarberBoost dashboard (Clients, Bookings, and Finances pages). For a full account export, contact us.
Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing at any time. Where you object to direct marketing, we will cease processing immediately. Where you object to legitimate interests processing, we will stop unless we can demonstrate compelling legitimate grounds.
To unsubscribe from marketing emails, use the unsubscribe link in any email or contact legal@barberboost.app.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions made solely by automated processing that produce legal or similarly significant effects on you.
BarberBoost does not make decisions about individuals through solely automated means that produce legal or significant effects.
Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
To withdraw marketing consent, click "Unsubscribe" in any marketing email or contact legal@barberboost.app.
5. How to Submit a Request
To exercise any of your rights, contact us using one of the following methods:
To help us process your request efficiently, please include:
- Your full name
- The email address associated with your BarberBoost account
- A clear description of the right you wish to exercise
- Any relevant detail that helps us identify the specific data (e.g. date range for a SAR, data to be rectified)
We may need to verify your identity before fulfilling the request. For high-risk requests (such as erasure or full data exports), we may request additional proof of identity to protect your data from unauthorised requests.
6. Our Response Process
Acknowledgement
We will acknowledge receipt of your request within 3 business days.
Identity verification
Where required, we will request proof of identity. The 1-month clock does not start until we have verified your identity.
Response
We will respond fully within 1 calendar month of receiving your verified request. For complex or multiple requests, we may extend this to 3 months and will notify you within the first month.
No charge
We will not charge a fee unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse to act on the request.
7. Data Retention Periods
We retain personal data for the following periods:
| Data Category | Period | Legal Basis for Retention |
|---|---|---|
| Account & profile data | Subscription duration + 90 days | Contract / post-termination export window |
| Billing & invoice records | 7 years | Legal obligation (HMRC / VAT Act 1994) |
| Booking & client records | Subscription duration + 90 days | Contract (processor on behalf of shop) |
| Support & communications | 3 years | Legitimate interests (dispute resolution) |
| Usage & analytics data | 2 years | Legitimate interests (service improvement) |
| Marketing consent records | 3 years from last interaction | Legal obligation (ICO guidance on consent records) |
| Security & fraud prevention logs | 12 months | Legitimate interests (security) |
After the applicable period, data is permanently and securely deleted from all systems, including backups (which are overwritten on a rolling 30-day cycle).
8. International Data Transfers
We use service providers based in the United States and the European Union. All international transfers of personal data from the UK are conducted under appropriate safeguards as required by UK GDPR Chapter V:
| Processor | Country | Transfer Mechanism |
|---|---|---|
| Supabase Inc. | EU (primary) / USA | EU adequacy decision; UK-EU Bridge IDTA |
| Stripe Inc. | USA / EU | UK IDTA; Stripe DPA with SCCs |
| Resend Inc. | USA | UK IDTA |
| Anthropic PBC | USA | UK IDTA; transfer impact assessment completed |
| Vercel Inc. | USA / EU | UK IDTA; EU data residency options used where possible |
Transfer impact assessments (TIAs) have been conducted for each processor. Copies of applicable transfer agreements are available on request from legal@barberboost.app.
9. Automated Processing & Profiling
BarberBoost does not make decisions about individuals using solely automated processing that produce legal or similarly significant effects under UK GDPR Article 22.
We do use automated processes for operational purposes — such as automatically assigning client tags (New, Regular, VIP, At-risk) based on visit frequency. These tags are informational, visible to the barbershop, and do not prevent you from receiving services or produce any legal effect. You may ask the barbershop to correct or remove any tag at any time.
AI-assisted marketing copy generation (via Anthropic Claude) is a tool to assist barbershop owners in drafting content — all final decisions and approvals remain with the human user.
10. Data Breach Notification
In the event of a personal data breach, we follow this process:
Where a breach is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) as required by UK GDPR Article 33.
Where a breach is likely to result in a high risk to your rights and freedoms, we will notify affected individuals directly, describing the nature of the breach, what data was involved, likely consequences, and steps we are taking to address it.
We maintain an internal breach register as required by UK GDPR Article 33(5). We will co-operate fully with any ICO investigation.
If you believe your personal data has been involved in a breach, contact us immediately at legal@barberboost.app.
11. Complaints to the ICO
If you are not satisfied with how we have handled your personal data or a data rights request, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk/make-a-complaint
Telephone: 0303 123 1113
Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We ask that you contact us first at legal@barberboost.app so that we have the opportunity to resolve your concern before you escalate to the ICO. We aim to resolve all data-related complaints within 30 days.