Salonnare is a SaaS platform for beauty salons, delivered by VanIersel Development (a Dutch sole proprietorship based in Waalwijk, the Netherlands). This policy explains what personal data we process when you visit salonnare.com, create an account or use the Salonnare software. We are GDPR compliant and host data on servers within the European Union.
VanIersel Development, trading as Salonnare, registered office: Pieter Vreedestraat 2, 5142 SE Waalwijk, the Netherlands. Contact: [email protected]. Phone: +31 6 36035292.
Dutch Chamber of Commerce (KvK) number: 42050725. VAT ID: NL005457538B24.
Salonnare has a dual role under the GDPR. For our own customers (salon owners with a Salonnare subscription), we act as controller - we determine the purposes for which their account, billing and usage data are used.
For the client data a salon owner enters into Salonnare (their own salon clients, appointments, invoices, messages, photos), we act solely as processor. The salon owner remains the owner and controller of that data. We process it only in accordance with the instructions in the data processing agreement (see section 10).
Visitor data (all visitors to salonnare.com): pseudonymised IP address, user agent, referring page, click path and device category via Google Analytics 4 and - after consent - Microsoft Clarity (heatmaps and session replay).
Account and billing data (salon owners): name, email, phone number, salon name, business address, Chamber of Commerce number, VAT ID, chosen plan, invoice history and payment details (processed by Stripe; we never see full card/IBAN numbers).
Usage data (salon owners): login times, login IP, action logs for audit (create/update/delete records), feature flag activity.
Content data: everything you create in Salonnare - clients, appointments, services, products, inventory, invoices, payments, messages and reviews. This data is owned by your salon; we only process it to make Salonnare function.
Client photos (regular): visual content your salon captures or uploads, such as hairstyle results, product showcases or event photos. Stored in the standard uploads volume with TLS in transit and AES-256 at rest. See section 17 for the full camera and photo flow.
Client photos (health context): visual content with medical context, such as skin analysis, allergy reaction or treatment progress for a skin condition. Deliberately marked by the salon as a health note and stored in the Article 9 encrypted vault (section 12).
Optional communication data: if you enable WhatsApp integration or email campaigns, we process phone numbers / email addresses of your salon clients solely to deliver the messages you send.
Delivering the Salonnare software (account creation, authentication, multi-tenant isolation, backups).
Billing and collection of subscriptions (statutory retention: 7 years for tax records).
Transactional communication (registration confirmation, invoices, security alerts).
Improving the application based on aggregated product metrics and (with consent) heatmaps.
Fraud prevention and security (rate limiting, IP blocking, anomaly detection).
Complying with legal obligations (tax filings, regulator requests).
Performance of a contract (Article 6(1)(b)) - for account management, billing and service delivery.
Legitimate interest (Article 6(1)(f)) - for security, fraud prevention and aggregated product improvement. This balancing test is documented and available on request.
Consent (Article 6(1)(a)) - for analytical and UX cookies (GA4, Microsoft Clarity). You may withdraw consent at any time without any negative impact on service delivery.
Legal obligation (Article 6(1)(c)) - for statutory tax retention and bookkeeping.
Salonnare.com uses three categories of cookies and storage technologies, in accordance with Article 11.7a of the Dutch Telecommunications Act and the ePrivacy Directive:
Strictly necessary (no consent required): login session cookie, CSRF token, language and theme preference, cookie consent status (salonnare_cookie_consent in localStorage).
Analytics (only after consent): _ga and _gid from Google Analytics 4 - anonymised site statistics, 14-month retention, IP anonymisation enabled, ad_storage default denied via Google Consent Mode v2.
UX / product experience (only after consent): _clck, _clsk and MUID from Microsoft Clarity - heatmaps and session replay with automatic PII masking (text inputs and payment details are obfuscated by default), 1-year retention. Details: learn.microsoft.com/clarity/setup-and-installation/privacy-disclosure.
No advertising, retargeting, Meta, LinkedIn, TikTok or affiliate pixels are placed.
You can revise your choice at any time via the cookie settings at the bottom of the page or by clearing the cookies for salonnare.com in your browser.
We work with carefully selected sub-processors. A data processing agreement (DPA) with EU Standard Contractual Clauses (SCCs) is in place with each sub-processor where applicable. The current list:
Cloudflare, Inc. (USA) - CDN, WAF, DDoS protection. Processes IP addresses and request metadata. DPA with SCCs; certified under the EU-US Data Privacy Framework (DPF). Cloudflare EU data localization suite enabled where active.
Stripe Payments Europe Ltd. (Ireland) - subscription payments, card processing and Stripe Connect (salon payments). PCI-DSS Level 1 certified. Processes payment details under its own privacy policy; Salonnare never sees full card numbers.
Mollie B.V. (Netherlands) - alternative payment provider for salon payments via Mollie Connect (iDEAL, Bancontact, SEPA). Processor under Dutch law.
Resend, Inc. (USA) - transactional email (confirmations, invoices, password reset). DPA with SCCs; sending servers in the EU where possible.
Microsoft Ireland Operations Ltd. (Ireland) - Microsoft Clarity for optional UX analytics. DPA via the Microsoft Online Services Terms; Microsoft Corporation (USA) certified under DPF. Only loads after consent.
Google Ireland Ltd. (Ireland) - Google Analytics 4 with anonymised IPs; Google Ads conversion tracking (only after marketing consent, default ad_storage=denied via Consent Mode v2); Google Places API for salon address lookup; Google Reserve (optional, for bookings via Google Maps). Google LLC (USA) certified under DPF.
Meta Platforms Ireland Ltd. (Ireland) - WhatsApp Business Cloud API, optionally enabled per salon tenant for WhatsApp notifications to salon clients. Meta Platforms, Inc. (USA) certified under DPF.
MJML.io (France) - server-side rendering of HTML for email campaigns. Processes template markup only, no personal data.
Backblaze, Inc. (USA) and/or Amazon Web Services EMEA SÃ rl (Luxembourg) - optional encrypted backups of your data. Only enabled on explicit request; DPA with SCCs.
Self-hosted infrastructure - our primary database (MariaDB) and application servers run on our own hardware in a Dutch datacentre.
We never sell personal data to third parties and do not send data to advertisers, data brokers or governments, except as required by law.
Primary storage and processing takes place within the EU/EEA. Transfers to the United States only take place via sub-processors certified under the EU-US Data Privacy Framework (Cloudflare, Google, Microsoft, Meta, Resend where applicable) that have additionally signed EU Standard Contractual Clauses.
Where relevant, we perform a Transfer Impact Assessment (TIA) in line with the Schrems II guidance of the European Data Protection Board.
Account data: for the duration of the subscription, plus 90 days for reactivation. Then fully deleted, except data subject to statutory tax retention.
Billing and bookkeeping data: 7 years (statutory tax retention).
Backups: encrypted, 30-day rolling retention.
Audit logs (login and mutation history): 12 months.
Analytics data (GA4): 14 months (GA4 default).
Microsoft Clarity session replays: 1 year.
On subscription end, the salon has 30 days to export data (Article 20 GDPR), after which all tenant data is removed from production and rotated out of backups within a further 30 days.
For the salon client data where Salonnare acts as processor, we enter into a standard data processing agreement (DPA) with every customer, in accordance with Article 28 GDPR. The DPA is an integral part of our terms of service - the stand-alone version is available free of charge at [email protected].
The DPA covers: (a) subject, duration, nature and purpose of the processing; (b) categories of data subjects and personal data; (c) rights and obligations of the controller; (d) our obligations on confidentiality, security, breach notification and assistance with GDPR requests; (e) authorisation procedure for sub-processors; (f) audit rights; (g) return or deletion of data at contract end.
Sub-processors are announced at least 30 days before they are engaged; you have the right to object on reasonable grounds.
Technical measures: TLS 1.3 for all traffic, AES-256 encryption at rest, HSTS preload, least-privilege production access via encrypted SSH keys and 2FA, row-level tenant isolation at database level, automatic rate limiting, IP geofencing for admin endpoints, shielded audit logs.
Organisational measures: dedicated security reviews before each deployment, single-owner access control, encrypted off-site backups, incident response plan with runbook, annual penetration test (from 2027).
Breach procedure: incidents are reported to the Dutch Data Protection Authority within 72 hours in accordance with Article 33 GDPR; where there is high risk to data subjects they are informed within the same window (Article 34 GDPR).
For the safety of a treatment, salons may record health-related notes against a client profile, such as allergies (for example to hair-colour or nail products), medication that may affect the result, skin conditions, pregnancy or contra-indications. These qualify as special-category personal data under Article 9 GDPR and may only be processed under a specific exemption. Salonnare relies on Article 9(2)(a) GDPR: explicit, documented consent from the client to the salon. Without recorded consent the salon cannot create health notes; consent withdrawal is captured in the audit trail.
How it is stored - Health data lives in a dedicated encrypted "vault", physically and logically separated from regular client notes. We use AES-256-GCM in an envelope architecture: a platform master key (HEALTH_DATA_MASTER_KEY) wraps a per-tenant data key (tenants.health_data_key_enc), which in turn encrypts every individual note and attachment with a random 12-byte IV and 16-byte authentication tag. Attachment filenames are also stored encrypted to prevent directory-listing leaks. The master key lives only in the production environment and is double-backed-up outside production infrastructure (1Password vault + sealed envelope in a physical safe); the server refuses to start without a valid master key.
Attachments include both uploaded documents and photos you capture via the camera or file picker on a health note; they follow the same encryption, retention and access rules. See section 17 for the camera and photo flow details.
Access control - Only tenant users with the explicit RBAC permission can_view_health_notes can decrypt and read notes. Platform-admin impersonation of a tenant is hard-blocked at endpoint level: even Salonnare staff with super-admin privileges cannot view health notes after impersonation. Every read, write and download event is recorded in client_health_notes_access_log with user id, IP, timestamp and note id, and is provably traceable.
Retention - Health notes are automatically deleted 12 months after the client's last appointment, with a 30-day grace period. The prune job runs daily at 02:00 UTC (worker/prune_health_notes.py). When a client withdraws consent the notes and attachments are hard-deleted on the next prune cycle and made logically inaccessible immediately on withdrawal. Encrypted backup tarballs of the vault rotate on the same 30-day schedule and are unreadable without the master key.
Withdrawing consent & data export - You can withdraw consent at any time via the salon you are a client of (for health data, the salon is the controller; Salonnare acts solely as processor). A GDPR Article 15 access request or Article 20 portability request runs through the salon, which can use our GDPR export API to generate a structured JSON export including health notes. For complaints about Salonnare's processing as a processor, you may email [email protected] directly.
See also our sub-processors section (above, 7), the general retention periods (9) and the security chapter (11) for the broader context. The full technical runbook for the vault - including key rotation and disaster recovery - is available at docs.vaniersel.dev/docs/compliance/art9-health-data-vault.
You have the right to: (a) access your personal data (Article 15), (b) rectification (Article 16), (c) erasure / right to be forgotten (Article 17), (d) restriction of processing (Article 18), (e) data portability (Article 20), (f) object to processing based on legitimate interest (Article 21), (g) withdraw previously given consent (Article 7(3)), and (h) not be subject to fully automated decision-making (Article 22).
Salonnare does not use automated decision-making or profiling with legal effects for data subjects.
Requests can be sent to [email protected]. We respond within 30 days (extendable by 2 months for complex cases, with reasoning). If you disagree with our response, you may lodge a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl).
Salonnare is not directed at children. We do not knowingly process personal data of persons under 16 years (GDPR Article 8(1), Dutch implementation: age 16) without parental consent. If a salon owner records contact details of minor salon clients, the salon owner is responsible for obtaining appropriate consent.
We update this privacy policy when our services or applicable law require it. The date of the most recent change is shown at the top of this page. Material changes are announced at least 30 days before they take effect via email and an in-app banner.
In addition to email/password, Salonnare offers three optional single sign-on (SSO) methods: Sign in with Google, Sign in with Apple and Microsoft Entra ID. You choose whether to use SSO. When you do, we request only the basic OpenID Connect scopes: openid, email and profile. We do not request access to Gmail, Google Calendar, Google Drive, iCloud, Outlook mailboxes, OneDrive or any other service of these providers.
From these scopes we receive and store only: (a) your email address - to identify your account and send transactional notifications; (b) your name and (optional) profile picture - to personalize your dashboard; (c) a unique account identifier (the OIDC sub claim) - so we can recognize you on return sign-ins without storing a password. We do not retain long-lived access tokens or refresh tokens after authentication completes.
Salonnare's use of information received from Google APIs adheres to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements. We do not sell, rent or share Google user data with third parties for advertising, marketing or any other purpose, and we do not use this data to train AI or machine-learning models. The same principle applies to data we receive via Apple and Microsoft SSO.
Retention: SSO data is retained for as long as your Salonnare account exists. When you delete your account (or your salon administrator removes you), the email address, name, profile picture and SSO account ID are deleted within 30 days, except where Dutch tax law requires us to retain billing-related records.
Revoking access: you can disconnect Salonnare from your Google account at any time at myaccount.google.com/permissions, from your Apple ID at appleid.apple.com (under "Sign in with Apple") or from Microsoft at myapps.microsoft.com. To fully delete your Salonnare account, open Settings → Account inside app.salonnare.com and choose Delete account, or email [email protected].
Salonnare uses your device camera for two clearly scoped purposes: (a) scanning QR codes on physical gift cards at the point of sale (POS), and (b) capturing a single photo to attach to a client profile or treatment note. We only request permission at the moment you tap the "Scan QR" or "Take photo" button - never in the background or when a page loads.
What we do and do not do - We request video access only, never audio (the microphone is never accessed). We do not store the video stream or any live frames: for QR scanning we only use the decoded text string and discard the imagery immediately; for photo capture you consciously save a single still image. As soon as you close the scanner or photo dialog, Salonnare stops the camera stream and the device indicator light turns off. We do not perform face recognition, biometric identification, automated skin analysis, or AI/machine-learning training on your photos.
What happens to your photo - Before upload, two privacy steps run inside your browser: (1) if your photo is in HEIC format (the default on recent iPhones) we convert it locally to JPEG for universal readability; (2) we strip all EXIF metadata, including GPS coordinates, camera model and exact capture time. The image is then resized to a maximum width of 2048 pixels and compressed. Only then does your browser upload the photo to our servers in the Netherlands over an encrypted TLS connection. The original HEIC/EXIF version never leaves your device.
Storage routing - When you attach a photo to a regular client profile (e.g. a hairstyle result or product showcase), it is stored in our standard uploads volume, protected by TLS in transit and AES-256 disk encryption at rest. When you deliberately choose a health note (see section 12 - Article 9 health-data vault) and attach a photo inside it - for example skin analysis, allergy reaction, or treatment progress with medical context - the photo lands in the encrypted vault with per-object AES-256-GCM envelope encryption and strict RBAC. The salon staff member chooses the correct context; Salonnare cannot infer this from the image content.
Libraries that run inside your browser - We use @zxing/browser (BSD-3 license) for QR decoding and heic2any for HEIC conversion. Both run entirely inside your browser and do not transmit imagery or metadata to any external party. No new sub-processor is introduced for the camera feature - all uploads follow the existing routes (see section 7).
Cookies and consent - Camera access falls outside the cookie consent banner (section 6). The browser itself asks at the operating-system level via a native permission popup the moment you tap "Scan QR" or "Take photo". No tracking cookies are set and no local storage is used for camera purposes beyond a short-lived session flag that remembers your permission choice during your work session.
Revoking permission - You can revoke camera access for salonnare.com at any time via your browser settings: tap the padlock icon in the address bar -> Site settings -> Camera -> Block. On iOS Safari: Settings -> Safari -> Camera -> "Ask" or "Deny". After revocation, previously captured photos remain in the client file until your salon deletes them; only future scans/captures become impossible.
No camera or denied permission - On a laptop without a webcam or after a denied permission prompt, Salonnare always offers a fallback: manually type the gift-card code, or pick an existing photo from your device library via the standard file picker.
