Last updated: 1 January 2025
Barber OS is built in compliance with the UK GDPR and the Data Protection Act 2018. All data is stored on UK/EU servers. We are registered with the ICO.
iPaha Ltd ("Barber OS", "we", "us", "our") is committed to protecting the personal data of all individuals who interact with our platform — including barbershop owners, individual barbers, and the end customers who book appointments.
This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and what rights you have. We are registered as a data controller with the Information Commissioner's Office (ICO) in the United Kingdom.
Our platform is built and operated in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Controller: iPaha Ltd
Registered in England and Wales
Email: privacy@ipaha.co.uk
ICO Registration Number: [ICO-REG-NUMBER]
If you have any questions about how we handle your personal data, you can contact our Data Protection Officer at dpo@ipaha.co.uk.
We collect different categories of data depending on your relationship with us.
Account holders (barbershop owners and managers): Full name, business name and address, email address, phone number, payment and banking information (via Stripe — we do not store card numbers), subscription and billing history, login credentials (stored as hashed passwords), platform usage logs and analytics.
Individual barbers: Name, email address, phone number, employment or self-employment details, earnings and commission data, schedule and availability, performance metrics, and profile information including biography and photo.
End customers (barbershop clients): Name, email address, phone number, booking history and appointment records, hair notes and service preferences added by barbers, loyalty points and membership status, payment method tokens (held by Stripe), and communication preferences.
Technical data collected automatically: IP address, browser type, device type, session duration, pages visited, referral source, and error logs. This data is used for platform security and performance monitoring only.
We rely on the following lawful bases under UK GDPR:
Contract performance: Processing necessary to deliver the Barber OS service to you — including account management, booking processing, payment handling, and support.
Legitimate interests: Platform security, fraud prevention, product improvement, and usage analytics where these do not override your rights.
Legal obligation: Retaining financial records as required by HMRC and applicable UK law (typically 6 years).
Consent: Marketing communications and non-essential cookies. You can withdraw consent at any time.
We use personal data strictly for the purposes it was collected:
— To create and manage your account and provide platform features
— To process bookings, payments, and refunds
— To send transactional communications (booking confirmations, reminders, receipts)
— To calculate and report commission and payroll
— To operate the loyalty programme and membership subscriptions
— To provide customer support and respond to enquiries
— To detect, investigate, and prevent fraud and security incidents
— To comply with our legal obligations
— To improve the platform through aggregated, anonymised usage analytics
— To send marketing communications where you have opted in
We do not use personal data for automated decision-making that produces legal or similarly significant effects.
We share personal data only with third parties who are necessary to operate the platform, and only under strict data processing agreements:
Stripe, Inc: Payment processing, Stripe Connect for barbershop payouts, and subscription billing. Stripe is PCI-DSS Level 1 certified. We do not store card numbers or bank account details on our servers.
Amazon Web Services (AWS): Cloud infrastructure and data storage. All data is stored on UK/EU servers. AWS is certified under ISO 27001 and SOC 2.
Twilio: SMS notification delivery for booking reminders and queue notifications.
Postmark: Transactional email delivery (booking confirmations, receipts, account notifications).
We do not sell personal data. We do not share personal data with advertisers. We do not use personal data for behavioural profiling for advertising purposes.
We retain personal data only as long as necessary for the purposes described in this policy or as required by law.
Active accounts: Data is retained for the duration of the subscription and for 90 days after cancellation, during which you can request a full export.
Financial records: Transaction and billing records are retained for 6 years in compliance with HMRC requirements.
Backup data: Encrypted backups are retained for 30 days and then permanently deleted.
Marketing data: Email marketing consent records are retained until withdrawn, plus 12 months.
After retention periods expire, data is securely deleted or anonymised.
You have the following rights in relation to your personal data:
Right of access: Request a copy of all personal data we hold about you (Subject Access Request). We respond within 30 days at no cost.
Right to rectification: Request correction of inaccurate or incomplete data.
Right to erasure ("right to be forgotten"): Request deletion of your personal data where we have no lawful basis to retain it.
Right to restriction: Request that we restrict processing of your data in certain circumstances.
Right to data portability: Receive your data in a structured, machine-readable format (CSV or JSON).
Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
To exercise any of these rights, contact us at privacy@ipaha.co.uk. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the ICO at ico.org.uk.
We implement appropriate technical and organisational measures to protect personal data:
— All data in transit is encrypted via TLS 1.3
— All data at rest is encrypted using AES-256
— Passwords are hashed using bcrypt with a minimum cost factor of 12
— Access to production data is restricted to authorised personnel only
— We conduct regular security reviews and penetration testing
— We maintain an incident response plan and will notify you and the ICO within 72 hours of a confirmed data breach
No system is completely secure. If you believe your data has been compromised, contact us immediately at security@ipaha.co.uk.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and display a notice in your dashboard at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
Continued use of Barber OS after the effective date of an update constitutes acceptance of the revised policy.
For any privacy-related queries, Subject Access Requests, or to exercise your rights:
Email: privacy@ipaha.co.uk
Post: iPaha Ltd, Data Protection, [Registered Address], United Kingdom
For complaints: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF — ico.org.uk
Questions about your data?
Contact our Data Protection Officer. We respond to all data-related requests within 30 days as required by UK GDPR.
privacy@ipaha.co.uk