DRAFT — pending owner review and finalization. This is a template, not legal advice. Have a qualified attorney review this document before publishing.
English is the authoritative version. 中文 and Tiếng Việt translations below are provided for accessibility only and carry no independent legal weight.
Privacy Policy
Effective Date: [EFFECTIVE DATE]
Last Updated: [EFFECTIVE DATE]
1. Introduction and Roles
This Privacy Policy describes how [LEGAL ENTITY NAME](“Axervice,” “we,” “us,” or “our”) handles personal information in connection with our appointment scheduling software platform (“Platform”) used by salon, spa, and beauty businesses (“Merchants”).
We are a data processor, not a data controller, with respect to consumer personal information.Each Merchant that uses our Platform is the data controller responsible for how personal information about that Merchant’s clients (“Consumers”) is collected, used, and disclosed. If you are a Consumer and have questions about how a specific salon handles your personal information, please contact that salon directly.
2. Information We Collect
We collect and process the following categories of personal information on behalf of Merchants:
- Identifiers: Name, phone number, email address, date of birth.
- Health and intake information: Allergy information, health conditions, and other information provided on service intake forms (collected and controlled by the Merchant).
- Photos: Images uploaded by or for a Consumer (controlled by the Merchant).
- Commercial information: Appointment history, service records, and payment metadata (we never store raw card numbers; payment instruments are tokenized by our sub-processors).
- Payment tokens: Tokenized payment references provided by Square, Clover, or Stripe; we hold tokens and last-four / card type metadata only.
- Communications preferences: Preferred reminder channel (SMS or email), opt-in/opt-out status for marketing communications.
- Anonymous analytics: An anonymous, session-scoped identifier used to measure booking funnel performance. This identifier is not linked to any personal information and can be self-erased (see Section 7).
We do not knowingly collect personal information from children under 13.
3. How We Use Personal Information
We use personal information solely to provide the Platform services to Merchants, including:
- Scheduling and managing appointments.
- Sending booking confirmations and reminders to Consumers.
- Processing payments on behalf of Merchants (through Merchant-selected POS providers).
- Enabling Merchants to fulfill consumer data-subject requests (access, deletion) as required by applicable law.
- Maintaining security, preventing fraud, and meeting our legal obligations.
- Improving the Platform through anonymous, aggregated analytics.
4. Sub-Processors
We share personal information only with the following sub-processors as necessary to operate the Platform:
| Sub-processor | Purpose |
|---|---|
| Supabase | Database hosting and file storage |
| Vercel | Application hosting and delivery |
| Clerk | Staff and owner authentication (not used for Consumers) |
| Resend | Transactional email delivery |
| Stripe | Platform subscription billing; Stripe Connect for Consumer payments via participating Merchants |
| Square | Point-of-sale bridge for participating Merchants |
| Clover | Point-of-sale bridge for participating Merchants |
| Calendar sync for Merchants who enable the integration |
We do not sell personal information to third parties, and we do not share personal information with third parties for their own marketing purposes.
5. Retention
We retain personal information as follows:
- Consumer PII (name, phone, email, health data, photos): Retained until a data-subject deletion request is fulfilled by the Merchant. Upon erasure, PII is anonymized in place; the de-identified financial record is retained for compliance purposes.
- Financial and transactional records: The de-identified skeleton of financial transactions is retained for approximately 7 years as required by U.S. tax law.
- Compliance audit log: Retained for approximately 7 years; records are append-only.
- Anonymous funnel/analytics data: Not linked to personal information. Self-erasable by the Consumer on request (see Section 7).
6. Your Rights (CCPA/CPRA)
Because we are a data processor, consumer data-subject rights are fulfilled by the Merchant (the salon or spa you booked with), not by us directly. Your rights include:
- Right to Know / Access: You may request that the Merchant provide you with a copy of the personal information they hold about you.
- Right to Delete: You may request that the Merchant delete your personal information. Certain information (de-identified financial records) is retained as required by law.
- Right to Non-Discrimination: You will not be discriminated against for exercising your privacy rights.
- We do not sell personal information. No opt-out of sale is required.
- Right to Correct (CPRA): You may request correction of inaccurate personal information; the Merchant fulfills this request.
How to exercise your rights: Contact the Merchant (salon, spa, or nail studio) directly. The Merchant uses our administrative tools to fulfill your request. If you need help identifying the correct Merchant contact, you may also reach us at [CONTACT EMAIL].
7. Anonymous Analytics Erasure
If you have interacted with a booking page, you may erase your anonymous analytics session ID by visiting /api/funnel/erasure?sid=<your-session-id>. Your session ID is displayed on the booking page if you have not opted out of analytics.
8. Cookies and Tracking
Our booking pages use a single, first-party anonymous session identifier (stored in localStorage) to measure how visitors move through the booking steps. This identifier is not linked to any personal information and is subject to visitor consent. No third-party advertising or cross-site tracking technologies are used.
9. Security
We implement industry-standard technical and organizational measures to protect personal information, including encryption at rest and in transit, access controls, and regular security reviews. If you believe your information has been compromised, please notify the relevant Merchant and contact us at [CONTACT EMAIL].
10. GDPR / International Transfers
Our Platform is primarily designed for U.S.-based Merchants. If personal information is transferred outside the country of collection, we rely on sub-processor agreements that include appropriate safeguards. Consumers in the European Economic Area may contact the Merchant (data controller) or the relevant supervisory authority.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Merchants of material changes. Continued use of the Platform after the effective date of any change constitutes acceptance of the updated policy.
12. Contact
[LEGAL ENTITY NAME]
[BUSINESS ADDRESS]
Email: [CONTACT EMAIL]