Privacy Policy

Effective May 29, 2026 · Last reviewed May 29, 2026

This explains what ChairSlay does with personal information — yours and your clients’.

Three commitments up front. They shape everything below.

  1. We never sell your data. No advertising market, no data brokers, no “anonymized” hand-offs.
  2. We never hold your money. Payments your clients make to you flow through your own Stripe or Square account. We don’t touch the funds, so we don’t store card data either.
  3. Your clients are yours. You can export the full list — contacts, notes, color formulas, photos — in one click, any time. No premium gate, no waiting period.

1. Who we serve

ChairSlay is a tool for independent beauty pros (“you”) and the clients who book with them.

  • You create an account, set up services, and run your booking page. With respect to your account data, ChairSlay is the controller.
  • Your clients book appointments with you. With respect to client records, you are the controller — ChairSlay processes them on your instructions. We never share client data across pros, across accounts, or with anyone else.

Studio / operator features are forthcoming on the roadmap. When the operator product launches, this section will be updated to describe the additional party (studios) and how the privacy line is enforced between them and the pros who rent from them.

If you’re a client and want to access, correct, or delete your data: contact the pro you booked with. We’ll support them in responding, but we can’t act unilaterally on client data.

2. What we collect

From you (the pro)

  • Identity: name, business name, email, phone.
  • Authentication: magic-link tokens (short-lived, hashed), one-time codes (short-lived, throttled), session cookies, 2FA secrets (encrypted at rest), recovery codes (hashed). ChairSlay is passwordless — we don’t store passwords.
  • Billing: last-4 / brand / expiration of the card you pay us with (via Stripe). Full card numbers go to Stripe directly and never reach our servers.
  • Usage telemetry: device, browser, IP, referrer, request logs. Retained for 90 days for operational diagnostics.

From your clients (on your behalf)

  • Contact + booking: name, email, phone, appointment history, your notes about them.
  • Intake-form answers: whatever you ask them to provide. You agree (see the Acceptable Use Policy) not to use ChairSlay to collect protected health information (PHI), Social Security numbers, or government ID numbers.
  • Photos: before/after, color formulas, lash maps, etc. You’re responsible for getting their consent before uploading.
  • Card data: never collected or stored by ChairSlay. Card information goes from your client’s browser straight to Stripe or Square, who tokenize it. We store only the processor-issued token + last-4 + brand.

From third-party services you connect

If you connect a Google, Microsoft, or Apple calendar for two-way sync, we receive only what you authorize. The default is busy-only mode: we pull only the start/end times of your external events so we can block those booking slots; titles, attendees, locations, and descriptions stay with your calendar provider and never reach ChairSlay. You can opt in to full event sync if you want title overlays on your calendar view; the default doesn’t send that data to ChairSlay.

3. How we use what we collect

  • To operate the Service — accept bookings, accept payments, send confirmations and reminders, generate reports.
  • To authenticate you and detect abuse or security incidents.
  • To communicate with you about your account (billing, outages, product changes).
  • To produce a Schedule C tax packet for you each January (transaction records are retained for 7 years to match the IRS Schedule C audit window — see §7 retention).
  • To comply with legal obligations (tax, subpoena, court order, consumer-protection inquiries).
  • To enforce our Terms and protect ChairSlay, our users, and the public.

We don’t use client data to train machine-learning models. We don’t share client data across pros.

4. Legal bases for processing

  • Contract — to deliver the Service we agreed to.
  • Legitimate interests — security, abuse detection, product improvement.
  • Consent — for marketing SMS or email you send your clients through ChairSlay. You capture that consent; we don’t.
  • Legal obligation — tax records, law-enforcement requests.

5. Who we share data with

  • Subprocessors. Listed at /legal/subprocessors. Each is bound by a data-processing agreement and processes data only on our instructions.
  • Your processor (Stripe or Square). To move money from your clients to you, we share booking and line-item metadata. Card data goes directly from your client’s browser to the processor — not through us.
  • Calendar providers (Google / Microsoft / Apple), if you’ve connected them — only the data described in §2 above.
  • Business transfers. In a merger, acquisition, or asset sale, we may transfer data — the acquirer must honor this Policy or give you an opportunity to delete first.
  • Legal. When required by law, subpoena, or to protect our rights, users, or the public.

We don’t sell personal information. We don’t share for cross-context behavioral advertising. (These are CCPA / CPRA / VCDPA / CTDPA / UCPA / TDPSA / OCPA-specific disclosures.)

Mobile information (phone numbers and SMS opt-in data) is not shared with third parties or affiliates for marketing or promotional purposes. We use mobile information only to send transactional appointment reminders and cancellation notifications, and to process opt-out requests. For details on the SMS program, see SMS Terms.

6. Your rights

Depending on where you live, you may have rights to:

  • Access what we hold about you;
  • Correct what’s wrong;
  • Delete your data (subject to legal-hold exceptions);
  • Port it in machine-readable form;
  • Object to or restrict certain processing;
  • Withdraw consent where processing is consent-based;
  • Complain to your local data-protection authority (EU/UK) or state AG (US).

To exercise these: email privacy@chairslay.com. We’ll respond within 30 days (extendable by 60 for complex requests). If you’re a client of a pro on ChairSlay, contact the pro first; we’ll support them.

7. How long we keep things

  • Active accounts: as long as you’re a customer.
  • Cancelled accounts: 30-day export grace period, then we delete content within 90 days — except as below.
  • Transaction records (for tax): 7 years from the calendar year of the transaction, to match the IRS Schedule C audit window. After 7 years, deleted.
  • Handle forwarding records: if you reached the year-paid threshold before cancelling, we keep the handle → destination mapping indefinitely to honor the Yours-Forever Handle promise. Mapping fields are minimal — handle, destination URL, and contact email for forwarding updates — nothing about your past clients.
  • Telemetry logs: 90 days.
  • Backups: purged within 35 days.

8. International transfers

ChairSlay is US-hosted (Hetzner Cloud, Ashburn VA). If you access ChairSlay from outside the US, your data is transferred to and processed in the US. We rely on Standard Contractual Clauses where EEA/UK personal data is involved; a copy is available on request.

9. Security

Covered in detail in the Security Overview. The summary: TLS 1.2+ in transit, encryption at rest, role-based access, breach notification within 72 hours where GDPR applies and per state law in the US.

10. Children

ChairSlay is for users 18 and over. If you serve clients who are minors, you’re responsible for parental / guardian consent under COPPA (US, <13) and applicable state / EU law.

11. Cookies

  • Strictly necessary — session, CSRF, authentication. No consent needed; disabling breaks the Service.
  • Functional — preferences like locale and timezone.
  • Analytics on client booking pages: none. No third-party trackers run on the booking pages your clients see.
  • Advertising cookies: none.

12. State-specific disclosures (US)

  • Categories collected in the last 12 months: identifiers, commercial information, internet activity, inferences.
  • Categories sold or shared for cross-context behavioral advertising: none.
  • Sources: directly from you; from your browser/device; from subprocessors that deliver the Service.
  • Sensitive personal information: we collect 2FA secrets only to secure your account — never used for inferences about you.
  • Automated decision-making with legal effect: none.

13. Changes to this Policy

We may update it. Material changes take effect on 30 days’ notice to your account email. Prior versions live at chairslay.com/legal/privacy/archive.

14. Contact

Foocorp LLC · privacy@chairslay.com · DPO / EU rep: dpo@chairslay.com