Privacy Policy
Last updated: April 2026
Introduction
Strand HQ is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and otherwise process personal data in connection with the Strand salon management platform.
Data Controller: Strand HQ, London, United Kingdom
Contact: privacy@strandhq.ai
What Data We Collect
Strand collects personal data in the following categories:
Salon Business Data
- Salon name, location, contact information
- Business registration details
- Operating hours and service offerings
- Staff member information and access roles
Client Information
- Client names, phone numbers, email addresses
- Appointment history and preferences
- Service records and notes
Payment Information
- Billing address and contact information
- Payment method details (processed and stored by Stripe)
- Subscription tier and billing history
Usage Data
- Login times and access patterns
- Features used and interaction data
- Device information and browser type
- IP address and general location
Communications
- Email addresses for service notifications
- Support requests and correspondence
- Feedback and survey responses
How We Use Your Data
- Provide the Service: Operating and maintaining the Strand platform, processing bookings, managing payments
- Intelligence Features: Generating insights, recommendations, and analytics specific to your salon
- Analytics & Improvement: Understanding usage patterns to improve features and user experience
- Communications: Sending transactional emails, service updates, billing notifications, and marketing (with consent)
- Legal & Compliance: Fulfilling legal obligations, detecting fraud, and enforcing terms
- Customer Support: Responding to inquiries and resolving issues
Legal Basis for Processing
We process personal data under the following lawful bases:
- Contract Performance: To provide the service you've subscribed to and fulfill our contractual obligations
- Legitimate Interest: To improve our service, prevent fraud, and conduct analytics
- Consent: For marketing communications and optional features (you may withdraw consent at any time)
- Legal Obligation: To comply with applicable laws and regulations
Data Sharing & Third Parties
We share personal data with the following processors and partners:
- Supabase: Cloud database provider (data stored in EU/UK regions)
- Stripe: Payment processing (payment information only)
- Resend: Email delivery service
- Twilio: SMS communications (optional features)
- Anthropic: AI-powered intelligence features
- Service Providers: Analytics, customer support, and hosting partners
Important: We do not sell, rent, or trade your personal data to third parties. We do not use your data for purposes other than those specified in this policy without your explicit consent.
Data Retention
- Active Accounts: We retain data while your account is active, plus 90 days after account closure for compliance and recovery purposes
- Deleted Accounts: Personal data is anonymised within 30 days of account deletion, except where required by law
- Legal Holds: Data may be retained longer if required by legal proceedings or regulatory obligations
Your Rights
Under GDPR and similar regulations, you have the following rights:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data ("Right to Be Forgotten")
- Right to Data Portability: Receive your data in a structured, portable format
- Right to Restrict Processing: Limit how we use your data
- Right to Object: Object to certain processing activities
- Right to Withdraw Consent: Withdraw consent for optional processing at any time
- Right to Lodge a Complaint: File a complaint with your data protection authority
To exercise any of these rights, contact us at privacy@strandhq.ai with details of your request. We will respond within 30 days (or as required by law).
Cookies & Tracking
Strand uses only essential cookies necessary for the platform to function:
- Session Cookies: Maintain your login session
- Authentication Tokens: Secure your access
We do not use tracking cookies, analytics pixels, or third-party cookies for advertising or behavioral tracking. You can manage cookies through your browser settings.
International Data Transfers
Strand is based in the UK and operates under GDPR and UK data protection law. Your data is primarily stored in EU/UK Supabase regions. Where data is transferred internationally, we ensure appropriate safeguards such as Standard Contractual Clauses are in place.
Security Measures
We implement industry-standard security practices:
- Encryption of data in transit (TLS/SSL) and at rest
- Access controls and authentication mechanisms
- Regular security audits and penetration testing
- Secure password policies for staff
- Incident response procedures
However, no system is completely secure. We encourage you to use strong passwords and protect your login credentials.
Children's Privacy
The Strand platform is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child has provided personal data, we will delete it promptly.
Changes to This Policy
Strand may update this Privacy Policy from time to time. We will notify you of material changes via email and update the Effective Date below. Your continued use of the platform constitutes acceptance of updated terms.