Legal

PRIVACY POLICY

This policy explains what personal data BarberBoost Ltd collects, why we collect it, and what rights you have over it. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Last updated: 26 April 2026

1. Who We Are

BarberBoost Ltd ("BarberBoost", "we", "us", or "our") is the data controller for personal data collected through our platform at barberboost.app. We are registered in England & Wales.

For data protection enquiries, contact us at legal@barberboost.app.

Where BarberBoost processes personal data on behalf of a barbershop (for example, a shop's client booking records), the barbershop is the data controller and BarberBoost acts as a data processor. Our obligations as a processor are set out in our Data Processing Agreement, which forms part of these terms.

2. What We Collect

Account holders (barbershop owners and staff):

  • Identity data: name, email address, hashed password
  • Business data: shop name, address, phone number, logo, services, pricing, working hours
  • Billing data: name, billing address, card type and last four digits (full card data is held by Stripe, not us)
  • Usage data: pages visited, features used, actions taken, session timestamps, IP address, browser type, and device information
  • Communications: emails and messages you send to our support team or via the contact form

End clients (clients of barbershops using BarberBoost):

Client data — including names, phone numbers, email addresses, and booking history — is entered into BarberBoost by barbershop operators. We process this data as a data processor on behalf of the barbershop. If you are a client of a barbershop and wish to exercise your data rights, you should contact that barbershop directly. We will assist barbershops in fulfilling their data obligations.

3. How We Use Your Data

We use the personal data we collect to:

  • Create and manage your account and provide the BarberBoost service
  • Process subscription payments and issue VAT invoices
  • Send booking confirmations, reminders, and cancellation notifications on behalf of barbershops
  • Respond to support requests and troubleshoot issues
  • Monitor platform security, detect fraud, and prevent misuse
  • Analyse usage patterns to improve the platform and fix bugs
  • Send product updates, new feature announcements, and newsletters (only where you have given consent or we have a legitimate interest)
  • Comply with legal and regulatory obligations, including tax record-keeping

5. Data Sharing

We do not sell your personal data. We do not share it with third parties for their own marketing purposes. We share data only with the following categories of recipient, each acting as a data processor under our instructions:

Processor | Purpose | Location
Stripe Inc. | Payment processing and subscription billing | USA / EU
Supabase Inc. | Database hosting, authentication, and file storage | EU (primary)
Resend Inc. | Transactional email delivery | USA
Anthropic PBC | AI-powered marketing copy generation (only when feature is used) | USA
Vercel Inc. | Web application hosting and content delivery | USA / EU

We may also disclose personal data where required by law, a court order, or a lawful request from a regulatory authority.

6. International Data Transfers

Some of our processors are based outside the UK, including in the United States. We ensure that any transfer of personal data outside the UK is subject to appropriate safeguards in accordance with UK GDPR Chapter V, including:

  • UK International Data Transfer Agreements (IDTA) with processors where applicable
  • Adequacy regulations in respect of countries recognised by the UK Secretary of State
  • UK addendum to the EU Standard Contractual Clauses where applicable

We have conducted transfer impact assessments for each international processor. Copies of applicable transfer mechanisms are available on request by contacting legal@barberboost.app.

7. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this policy:

Data Type | Retention Period | Reason
Account & business data | Duration of subscription + 90 days | Service delivery; post-cancellation data export window
Billing & invoice records | 7 years from transaction date | HMRC statutory requirement
Booking & client data | Duration of subscription + 90 days | Service delivery on behalf of barbershop
Support communications | 3 years | Legitimate interests (dispute resolution)
Usage & analytics data | 2 years | Service improvement and security
Marketing consent records | 3 years from last interaction | Demonstrating compliance

After the applicable retention period, data is securely and permanently deleted. You may request early deletion of your data — see Your Rights below.

8. Your Rights

Under UK GDPR, you have the following rights regarding your personal data. To exercise any of these rights, see the GDPR Rights page or contact us at legal@barberboost.app.

  • Right of Access: Obtain a copy of the personal data we hold about you.
  • Right to Rectification: Have inaccurate or incomplete data corrected.
  • Right to Erasure: Request deletion of your data where there is no legitimate reason for us to continue processing it.
  • Right to Restriction: Request that we limit the processing of your data while a dispute is resolved.
  • Right to Portability: Receive your data in a structured, commonly used, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests, or to direct marketing at any time.
  • Automated Decision-Making: Not be subject to decisions made solely by automated processing that significantly affect you.

We respond to all requests within one calendar month. For complex or numerous requests, we may extend this to three months and will notify you accordingly. There is no fee for exercising your rights unless a request is manifestly unfounded or excessive.

9. Security

We take the security of your personal data seriously. Our technical and organisational measures include:

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for data at rest
  • Bcrypt hashing for passwords (never stored in plain text)
  • Row-level security (RLS) policies on our database to prevent unauthorised data access
  • Role-based access controls for staff accounts
  • Regular security updates and dependency patching
  • Infrastructure hosted on Supabase, which maintains SOC 2 Type II certification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR Articles 33–34.

10. Children's Privacy

BarberBoost is a business-to-business service intended for use by adults aged 18 and over. We do not knowingly collect personal data from children under 18. If you believe a child has provided personal data to us, please contact legal@barberboost.app and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Sending an email to the address associated with your account
  • Displaying a prominent notice within the BarberBoost dashboard

Changes take effect 30 days after notification. Your continued use of BarberBoost after that date constitutes acceptance of the revised policy. The "Last updated" date at the top of this page reflects when the most recent changes were made.

12. Contact & Complaints

For any privacy-related questions, subject access requests, or to exercise your rights, contact our data protection team:

BarberBoost Ltd

Registered in England & Wales

legal@barberboost.app

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

  • Website: ico.org.uk/make-a-complaint
  • Telephone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We ask that you contact us first so we can try to resolve your concern before you contact the ICO.