Legal · Privacy

Your data, handled honestly.

What we collect, why we collect it, and the rights you have over it — written to be read, not skimmed past.

In effect 13 June 2026 · UK English · GBP

Salonomy is salon software for UK hair & beauty businesses — salons, barbers, nail bars, makeup artists, massage and spa, aesthetics. This notice explains how we handle personal data across our marketing site, the web console, the mobile apps and the public booking and queue pages. We treat your data the way we treat our pricing: openly, with no small print.

Who we are

Salonomy Ltd (“Salonomy”, “we”, “us”) is the data controller for the personal data described in the “Visitors and prospective customers” section below, and a data processor for the client and salon data your business puts into the product. Where we act as a processor for your business’s data, our Data Processing Agreement governs that relationship and forms part of your terms.

We are a UK company and process data in line with the UK GDPR and the Data Protection Act 2018. You can reach our privacy team using the contact details at the foot of this page.

When we are a controller vs a processor

The distinction matters, so we state it up front:

  • We are the controller for data about people who visit our website, join the waitlist, contact us, or run a Salonomy account as the business owner or a team member. We decide why and how that data is used, and this notice covers it.
  • We are a processor for the client books, appointments, payments, comms history and other records your business creates inside Salonomy. Your business (and, where you run sealed chair-renter books, each renter) is the controller of that data. We only act on your documented instructions — see the DPA.

What we collect and why

Visitors and prospective customers

When you browse the marketing site, join the waitlist, start a trial, or get in touch, we collect what we need to respond and to run the business — your name, business name, email address, and the messages you send us. We do not buy in marketing lists or enrich your profile from third-party data brokers.

Account holders (owners and team members)

To give you a working account we hold your name, email, phone number, role, and login and security details (passwords are stored only as salted hashes; two-factor secrets are stored encrypted). We log security events such as sign-ins and password resets so we can keep accounts safe.

Client and salon data (we are the processor)

When your business uses Salonomy you put in client contact details, appointment and queue history, notes, payment records and comms history. We process this only to provide the service to you. We do not sell it, we do not mine it to build advertising profiles, and we do not use it to train models. Your DPA sets out the full terms, including how sealed per-renter books are isolated.

People who book or queue with a salon

If you book an appointment or take a place in a live walk-in queue through a Salonomy salon (for example at salonomy.com/q/<salon>), we process your name, contact details and booking on behalf of that salon, who is the controller. Contact the salon to exercise your rights over that booking; we will help them respond.

Our lawful bases

Under the UK GDPR we rely on the following lawful bases, depending on the activity:

Activity | Lawful basis
Providing and securing your account and the service | Performance of a contract with you
Processing client/salon data inside the product | Contract (with you); we are the processor on your instructions
Billing, invoicing and fraud prevention | Contract, and legitimate interests in running a sound business
Replying to enquiries and the waitlist | Legitimate interests, or your consent where you opted in
Product and security emails you cannot opt out of (e.g. a breach notice) | Legitimate interests / legal obligation
Marketing emails about Salonomy | Consent — withdraw any time via the unsubscribe link
Meeting our legal and tax obligations | Legal obligation

Where we rely on legitimate interests, we have weighed them against your rights and freedoms. You can object to that processing — see your rights below.

Analytics — and what we refuse to do

We do not run an advertising-tracking stack. No Google Analytics, no Meta pixel, no cross-site tracking, no third-party ad-tech, and no cookies for analytics.

To understand which pages are useful we use privacy-respecting, self-hosted analytics (Plausible or Umami) running on our own infrastructure. It is cookieless, it does not fingerprint you, it does not follow you across other websites, and the data never leaves our servers for an ad network. Measurement is aggregate — visit counts and referrers — not a profile of you.

A performance-positioned product cannot ship a seven-tracker ad-tech stack. We measure the minimum, on our own box, and we tell you exactly what that is.

We use a small number of strictly-necessary cookies to keep you signed in and to remember settings such as the VAT pricing toggle. Because we set no analytics or advertising cookies, we do not show a cookie consent banner — there is nothing to consent to.

Sub-processors we rely on

We use a short, deliberately small list of vetted providers to run the service. Each is bound by a data processing agreement and processes data only to deliver their part of Salonomy. We publish the list and keep it current:

Sub-processor | Purpose | Region
Stripe | Card payments and payouts (Stripe Connect) | UK / EU
SMS & WhatsApp providers | Sending client comms you choose to send | UK / EU
Email provider | Transactional and (opted-in) marketing email | UK / EU
Hosting & infrastructure | Running the apps, database and backups | UK

Self-hosted analytics (Plausible/Umami) runs on our own hosting and is not a third-party sub-processor. Where any provider processes data outside the UK, we rely on UK adequacy regulations or the UK International Data Transfer Agreement / Addendum to keep transfers lawful. We give notice before adding or changing a sub-processor that handles your business’s data, as set out in the DPA.

How long we keep data

We keep personal data only as long as we need it for the purpose we collected it, then delete or anonymise it:

Data | Retention
Account and client/salon data | While your account is active
After you cancel | Available to export for 30 days, then deleted within 90 days unless the law requires us to keep it
Invoices and tax records | Up to 7 years (UK tax law)
Waitlist and enquiry data | Until you ask us to remove it, or 24 months of inactivity
Aggregate, non-identifying analytics | Indefinitely — it cannot identify you

Your rights

Under the UK GDPR you have the right to be informed, and to access, correct, delete, restrict, port and object to the use of your personal data, plus rights relating to automated decision-making (we do not make solely-automated decisions with legal effect about you). To exercise any of these, email us — we will respond within one month and we will not charge you.

If your request relates to data held inside a salon’s account (a booking, a client record, a sealed chair-renter book), the salon or renter is the controller. Contact them directly; we provide them the tools to find, export and erase that data, and we will help them meet your request.

Security

We encrypt data in transit and at rest, store passwords only as salted hashes, offer two-factor authentication, and enforce least-privilege access. Sealed per-renter client books are isolated at the database level using PostgreSQL row-level security — isolation by architecture, not by a toggle that can be flipped. Our full security and breach-notification commitments are in the DPA.

Changes to this notice

When we make a material change we will update the “in effect” date at the top and, for changes that affect you, tell you in-app or by email before they take effect. We will never quietly broaden how we use your data.

Contact our privacy team: privacy@salonomy.com

You also have the right to complain to the UK’s data protection regulator, the Information Commissioner’s Office (ICO), at ico.org.uk or 0303 123 1113. We would always rather you came to us first so we can put things right.