Privacy Policy
Effective date: June 23, 2026
This Privacy Policy explains how AsparaOS ("AsparaOS," "we," "our," or "us") collects, uses, and protects information when you use the AsparaOS platform. It applies to salon owners and staff ("Customers") and, where relevant, to the clients of those salons whose data passes through the platform ("End Users").
1. Who We Are & Our Role
AsparaOS operates the AsparaOS platform — a cloud-based booking, operations, and storefront system for appointment-based beauty and grooming businesses.
For Customer account data (salon owners and staff): AsparaOS is the data controller — we determine how your business information is collected and used.
For End User data (salon clients): The salon (our Customer) is the data controller. AsparaOS acts only as a data processor, processing End User data solely on the salon's instructions to operate the Platform. We do not independently control or monetize End User data.
2. Information We Collect
From salon owners and staff (Customers):
- Name, email address, phone number
- Business name, address, and location details
- Subscription and billing information (processed by Stripe — we never see or store card numbers)
- Profile photos and staff bios (if provided)
- Usage data: features accessed, settings configured, actions taken within the portal
From salon clients (End Users), on behalf of the salon:
- Name, email address, phone number
- Appointment history, service preferences, notes
- Digital signatures (for service consent records)
- Payment card data (processed by Stripe or Square; we store only the authorization reference, not card numbers or CVVs)
Automatically collected:
- IP address, browser type, and device information
- Pages visited, features used, and error events (via Sentry)
- Session cookies and authentication tokens
3. How We Use Your Information
We use Customer data to:
- Provide, operate, and maintain the AsparaOS Platform
- Process subscription payments and send billing communications
- Send transactional emails (account notices, security alerts, trial reminders)
- Detect, investigate, and prevent fraud, abuse, and security incidents
- Provide customer support and respond to inquiries
- Improve the Platform through aggregated, anonymized usage analytics
- Comply with legal obligations
We use End User data only to:
- Enable appointment booking, confirmation, and reminders (on the salon's behalf)
- Facilitate deposit holds and payment processing (via Stripe/Square, on the salon's behalf)
- Maintain appointment records for the salon
We do not sell, rent, or share your data or your clients' data with third parties for their own marketing purposes. We do not use End User data for AsparaOS's own advertising or analytics.
4. Legal Basis for Processing (GDPR)
For users in the EU and UK, our legal basis for processing personal data is:
- Contract performance (Art. 6(1)(b)) — to provide the services you signed up for
- Legal obligation (Art. 6(1)(c)) — to comply with financial, tax, and anti-fraud regulations
- Legitimate interests (Art. 6(1)(f)) — for security monitoring, fraud prevention, and Platform improvement, where not overridden by your rights
- Consent (Art. 6(1)(a)) — for optional communications and analytics, where you have opted in
5. Data Sharing & Sub-Processors
We share data only with trusted service providers acting as sub-processors under strict contractual obligations:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe | Subscription billing & payment processing (PCI-DSS Level 1) | USA |
| Square | Optional payment processing (when salon connects Square) | USA |
| Supabase | Database hosting (PostgreSQL with row-level security) | USA (AWS) |
| Vercel | Application hosting and CDN | USA / Global edge |
| Resend | Transactional email delivery | USA |
| Sentry | Error monitoring and crash reporting (no PII logged) | USA |
| Upstash | Rate limiting (Redis; request metadata only) | USA |
We do not sell access to your data. We may disclose data to law enforcement or regulatory authorities when required by law, court order, or to protect the safety of users and the public.
6. Data Storage & Security
Your data is stored in Supabase (PostgreSQL) on AWS infrastructure in the United States. We implement:
- Row-level security (RLS) enforced on all 29+ database tables — each salon can only access its own data
- TLS 1.2+ encryption in transit for all data
- Encryption at rest via the hosting provider (AES-256)
- Strict server-side API secrets that are never exposed to browser code
- Rate limiting on all public-facing endpoints to prevent abuse
- HMAC-signed session tokens for the admin portal
- Automated error monitoring via Sentry (with PII scrubbing policies)
No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we take data protection seriously and continuously review our practices.
7. Data Retention
- Account data — retained while your account is active, plus 30 days post-deletion grace period, then permanently deleted
- Appointment records — retained for 3 years after the appointment date for business records
- Payment records — retained for 7 years as required by financial regulations; card data is held only by Stripe/Square
- Chargeback documentation (signatures, service records) — retained for 36 months per Stripe requirements
- Audit logs — retained for 12 months
- Error logs (Sentry) — retained for 90 days
8. International Data Transfers
Our servers are located in the United States. If you are based in the EU, UK, or another jurisdiction with data transfer restrictions, your data is transferred to the US under appropriate safeguards including Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework where applicable. Our sub-processors maintain their own transfer mechanisms compliant with applicable law.
9. Cookies
We use the following types of cookies:
- Essential cookies — session authentication tokens required to keep you logged in. Cannot be disabled.
- Security cookies — CSRF protection and rate-limiting session identifiers.
- Preference cookies — your selected location, color scheme, and UI preferences.
We do not use third-party advertising cookies or behavioral tracking cookies. No data is sold to advertising networks.
10. Your Privacy Rights (GDPR — EU & UK)
If you are located in the EU or UK, you have the following rights under GDPR:
- Access (Art. 15) — request a copy of the personal data we hold about you
- Rectification (Art. 16) — correct inaccurate or incomplete data
- Erasure (Art. 17) — request deletion ("right to be forgotten"), subject to legal retention requirements
- Portability (Art. 20) — receive your data in a structured, machine-readable format
- Restriction (Art. 18) — limit processing in certain circumstances
- Object (Art. 21) — object to processing based on legitimate interests
- Withdraw consent — at any time, for processing based on consent; withdrawal does not affect prior processing
To exercise these rights, email privacy@asparaos.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.
11. Your Privacy Rights (CCPA — California)
If you are a California resident, you have the following rights under the CCPA/CPRA:
- Know — what personal information we collect, use, disclose, and sell (we do not sell)
- Delete — request deletion of your personal information, subject to exceptions
- Correct — request correction of inaccurate personal information
- Opt out — opt out of sale or sharing of personal information (we do not sell or share)
- Limit use of sensitive PI — limit use of sensitive personal information to necessary purposes
- Non-discrimination — we will not discriminate against you for exercising your rights
To submit a CCPA request, email privacy@asparaos.com. We will verify your identity and respond within 45 days (extendable by 45 days with notice).
12. Data Subject Rights for End Users (Salon Clients)
If you are a salon client whose data is held by a salon using AsparaOS, the salon is your data controller. Please contact the salon directly to exercise your rights. We will assist the salon in fulfilling your request where technically feasible. If you need to escalate, contact us at privacy@asparaos.com.
13. Children's Privacy
The AsparaOS Platform is not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us immediately at privacy@asparaos.com and we will delete it.
14. Data Export & Account Deletion
Export. You can request a full export of your salon's data (appointments, clients, services, staff records) from Settings → Privacy → Export data. Exports are generated as a downloadable archive available via a signed URL for 15 minutes.
Deletion. You can delete your account from Settings → Account → Delete account. Account deletion is permanent. After a 30-day grace period, all salon data (appointments, client records, staff profiles) is permanently deleted from our systems, except where retention is required by law.
15. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes via email at least 30 days before they take effect. The effective date at the top of this page shows when it was last updated. Continued use of the Platform after changes constitutes acceptance.
16. Contact & Data Protection
For privacy questions, data requests, or to report a concern:
- Privacy requests: privacy@asparaos.com
- General support: support@asparaos.com
- Postal: AsparaOS, Rosemead, CA
We aim to respond to all privacy inquiries within 30 days. EU/UK residents may also lodge a complaint with their national data protection authority.