
Privacy Policy

Effective date: 7 May 2026

1. Who we are

Coiffr (“we”, “us”, “our”) is an appointment-scheduling platform for barbershops, operated at coiffr.app. We are the data controller for the personal information described in this policy.

Questions or requests relating to this policy should be directed to support@coiffr.app.

2. Information we collect

We collect information in two ways: information you provide to us, and information collected automatically.

Information you provide

  • Account data — email address and password when you create a barbershop account.
  • Shop profile — shop name, address, phone number, and URL slug entered during onboarding.
  • Staff data — barber names and bios you add to your shop profile.
  • Service catalogue — service names, durations, and prices you configure.
  • Billing information — bank transfer references used to match subscription payments. We do not store card numbers or bank account details.
  • Appointment data — client name, phone number, and appointment details submitted through your booking page.
  • Contact enquiries — name, email, and message submitted via our contact form.

Information collected automatically

  • Usage data — pages visited, features used, and timestamps, collected via server logs.
  • Device data — browser type, operating system, and IP address for security and debugging.
  • Cookies — session cookies required for authentication. We do not use advertising or tracking cookies.

3. How we use your information

We use the data we collect to:

  • Create and maintain your account and shop profile.
  • Deliver the appointment-scheduling and reminder services you subscribed to.
  • Send WhatsApp and/or SMS appointment reminders to your clients on your behalf.
  • Process and match subscription payments via bank transfer.
  • Respond to support and contact enquiries.
  • Detect and prevent fraud, abuse, and security incidents.
  • Comply with applicable legal obligations.

We do not sell your personal data. We do not use your data for advertising or share it with third parties for their own marketing purposes.

4. Legal basis for processing (GDPR)

Where the GDPR applies, we rely on the following legal bases:

  • Contract performance — processing necessary to provide the services you signed up for (Art. 6(1)(b)).
  • Legitimate interests — security monitoring, fraud prevention, and service improvement (Art. 6(1)(f)).
  • Legal obligation — retaining records required by applicable law (Art. 6(1)(c)).
  • Consent — sending marketing communications, where you have opted in (Art. 6(1)(a)).

5. How we share your information

We share personal data only with the following categories of recipients:

  • Infrastructure providers — Supabase (database and authentication) and Vercel (hosting). Both are bound by data processing agreements and operate under appropriate safeguards.
  • WhatsApp messaging — appointment reminder content is transmitted through the WhatsApp Business API or a self-hosted Baileys session to deliver messages to your clients.
  • Law enforcement — where required by a valid legal order or to protect the rights and safety of Coiffr, our users, or the public.

All sub-processors are contractually required to protect data to at least the same standard as this policy.

6. International data transfers

Our infrastructure providers may process data in the United States or other countries outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Data retention

  • Account data — retained for the duration of your subscription and deleted within 30 days of account closure, unless a longer retention period is required by law.
  • Appointment records — retained for 12 months after the appointment date, then deleted.
  • Billing records — retained for 7 years to comply with accounting and tax obligations.
  • Server logs — retained for 90 days, then purged.

8. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your data (“right to erasure”), subject to legal retention obligations.
  • Restrict or object to certain processing activities.
  • Port your data to another service in a machine-readable format.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with your local data protection authority.

To exercise any of these rights, email us at support@coiffr.app. We will respond within 30 days.

9. Security

We implement industry-standard technical and organisational measures to protect your personal data, including encryption in transit (TLS) and at rest, row-level security policies in our database, and access controls limiting who can view production data. No system is perfectly secure; in the event of a breach we will notify affected users and relevant authorities as required by law.

10. Children's privacy

Coiffr is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, contact us and we will delete it promptly.

11. Cookies

We use only strictly necessary cookies required to keep you logged in to your account. We do not use analytics, advertising, or tracking cookies. You can disable cookies in your browser settings, but doing so will prevent you from signing in.

12. Changes to this policy

We may update this policy from time to time. When we do, we will update the effective date at the top of this page and, for material changes, notify account holders by email at least 14 days in advance. Continued use of Coiffr after the effective date constitutes acceptance of the revised policy.

13. Contact us

For privacy-related questions, data subject requests, or complaints:

© 2026 Coiffr. All rights reserved.