Sealed means sealed — in law and in the database.
The chair-renter model is a data-protection boundary, not a feature flag. This agreement sets out who controls what, and how we keep each book isolated.
This Data Processing Agreement (the “DPA”) forms part of your terms and governs how Salonomy Ltd (“Salonomy”, the processor) handles personal data on behalf of your business and your chair renters (the controllers) under the UK GDPR and the Data Protection Act 2018. It sits alongside our privacy notice.
Who controls what
Getting the roles right is the whole point of this document, so we are explicit:
- The salon — controller of its own client book: where a salon uses a shared book, the salon business is the controller of those client records. It decides why and how that data is used. Salonomy is its processor.
- Each chair renter — controller of their sealed book: where a salon runs sealed per-renter books, each renter is an independent controller of their own client book — their clients, their notes, their history. The salon has no access to a renter’s sealed book, and vice versa. Salonomy is each renter’s processor for their own book.
- Salonomy — processor: for all client/salon data in the product, Salonomy is the processor. We act only on the documented instructions of the relevant controller, and never use the data for our own purposes — no selling, no advertising profiles, no model training.
In a mixed salon, these roles can sit side by side: the salon controls the shared book and the employed-staff records, while individual renters independently control their sealed books — all within the same account, kept apart by the architecture described next.
The sealed-book boundary, enforced by RLS
A sealed book is not a setting we promise to respect. It is an isolation boundary enforced by PostgreSQL row-level security, beneath the application.
When a salon chooses sealed or mixed books at setup, each renter’s client data is fenced off at the database layer. Every query runs under a security context tied to the owning controller, and the database itself refuses to return rows that belong to another renter or to the salon. There is no application code path, no admin screen and no “just this once” that crosses the boundary — because the enforcement lives below the application, not inside it.
This matters because it removes the messy joint-controller grey area that chair rental usually creates. With sealed books, the salon and each renter are separate, independent controllers of separate books — clean lines of responsibility, and a clean answer when a client asks “who holds my data?”
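As an added illustration of the mechanism described above (example SQL written for this page, not Salonomy's own schema), here is a minimal PostgreSQL row-level security setup that binds every query to the owning controller. The table, column, role and setting names (`clients`, `controller_id`, `app_user`, `app.controller_id`) and the UUIDs are assumed.

```sql
-- Added example, not Salonomy's schema. Each row of the client book records
-- which controller (salon or renter) owns it; names here are hypothetical.
CREATE TABLE clients (
    id            bigserial PRIMARY KEY,
    controller_id uuid NOT NULL,   -- the salon or renter whose book this row belongs to
    full_name     text NOT NULL,
    notes         text
);

-- Enable RLS, and FORCE it so the table owner is subject to the policy too.
-- Superusers and roles with BYPASSRLS still bypass RLS, so the application
-- must connect as an ordinary role such as app_user below.
ALTER TABLE clients ENABLE ROW LEVEL SECURITY;
ALTER TABLE clients FORCE ROW LEVEL SECURITY;

CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON clients TO app_user;

-- One policy for every command. A row is visible (USING) and writable
-- (WITH CHECK) only when its controller_id equals the controller bound to
-- the session. current_setting(..., true) returns NULL if the setting was
-- never defined; NULLIF handles the empty string left behind after a
-- SET LOCAL ends. A NULL comparison is never true, so an unbound session
-- sees and writes nothing: the boundary fails closed.
CREATE POLICY book_boundary ON clients
    FOR ALL
    TO app_user
    USING (controller_id = NULLIF(current_setting('app.controller_id', true), '')::uuid)
    WITH CHECK (controller_id = NULLIF(current_setting('app.controller_id', true), '')::uuid);

-- Per request, the application binds the authenticated controller inside the
-- transaction. SET LOCAL scopes both the role and the setting to that transaction.
-- (SET ROLE assumes the connecting role is a member of app_user.)
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.controller_id = '11111111-1111-1111-1111-111111111111';  -- renter A (constructed)
INSERT INTO clients (controller_id, full_name, notes)
VALUES ('11111111-1111-1111-1111-111111111111', 'Client One', 'colour, 6 weeks');
-- Inserting a row tagged with another controller's id here would fail the
-- WITH CHECK clause with a row-level security policy violation.
SELECT full_name FROM clients;   -- renter A sees only renter A's book
COMMIT;

BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.controller_id = '22222222-2222-2222-2222-222222222222';  -- renter B (constructed)
SELECT full_name FROM clients;   -- renter A's row is absent: PostgreSQL never returns it
COMMIT;
```

The application adds no WHERE clause for tenancy; the filter is applied by the database on every statement, which is what makes the boundary independent of application code paths.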
Scope and instructions
We process personal data only to provide and support Salonomy, and only on the controller’s documented instructions — which include the settings you choose in the product (such as the book model) and these legal terms. If we ever believe an instruction breaks data-protection law, we will tell you. The categories of data and data subjects are set out below.
What we commit to as processor
- Process personal data only on the relevant controller’s documented instructions, including for international transfers.
- Ensure everyone we authorise to process the data is bound by confidentiality.
- Apply appropriate technical and organisational security measures (set out below).
- Respect the sealed-book boundary absolutely — we will not, and architecturally cannot, expose one controller’s sealed book to another.
- Help you respond to data-subject requests and meet your security, breach-notification and impact-assessment duties, using the export and erasure tools we build into the product.
- Use sub-processors only under the conditions below, and delete or return all personal data on termination.
- Make available the information you need to demonstrate compliance, and allow for audits as described under “Audit”.
Security measures
Our technical and organisational measures include:
- Encryption of personal data in transit and at rest.
- Row-level isolation of sealed per-renter books in PostgreSQL, so tenancy and book boundaries are enforced by the database.
- Passwords stored only as salted hashes; optional two-factor authentication; encrypted 2FA secrets.
- Least-privilege access controls and audit logging of security-relevant events.
- Regular, encrypted backups with tested restoration.
- Ongoing review of measures to keep them appropriate to the risk.
Sub-processors
We use a short list of vetted sub-processors, each under a written contract with data-protection terms no less protective than this DPA. Self-hosted analytics runs on our own infrastructure and is not a third party.
We will give you advance notice before adding or replacing a sub-processor that handles your data, so you have a chance to object on reasonable data-protection grounds. Where a sub-processor processes data outside the UK, transfers are covered by UK adequacy regulations or the UK International Data Transfer Agreement / Addendum.
Personal data breach notification
If we become aware of a personal data breach affecting your data, we will notify you without undue delay and in any case within 72 hours of becoming aware. Our notice will describe the nature of the breach, the likely consequences, the data and people affected so far as known, and the steps we are taking to address it and limit harm — so you can meet your own duty to notify the ICO and, where required, affected individuals.
Helping you meet data-subject rights
We build the tools to find, export, correct and erase personal data into the product, so you can answer access, rectification, erasure and portability requests yourself — and we will help where you need us. For sealed books, only the renter (as controller) can action requests over their own book; we provide each controller the tools for their own data, and never cross the boundary to do it for them.
Audit
We will make available the information reasonably needed to demonstrate compliance with this DPA, and will contribute to audits, including inspections, conducted by you or an auditor you mandate — on reasonable notice, during business hours, and without compromising the security or confidentiality of other customers’ data.
Deletion on termination
When your account ends, you choose whether we return or delete the personal data we hold as your processor. We make it available to export for 30 days, then delete it within 90 days, including from backups within the normal backup cycle — unless the law requires us to keep a specific record (for example, invoices for tax). We do not hold your data hostage and we do not charge a release fee.
Data protection contact: privacy@salonomy.com. For a countersigned copy of this DPA for your records, just ask.