1. Who we are
LayerOne is a salon booking, calendar, client-management and AI-assistant platform operated from Ireland. This Privacy Policy explains what personal data we collect, why, and what rights you have under the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.
2. Who this policy applies to
We handle data for two distinct groups of people:
- Salon staff (owners, stylists, receptionists) who sign in to LayerOne to run their salon. You are our direct customer.
- Salon clients (the people who book hair appointments) whose data the salon stores in LayerOne. The salon is the data controller for that information; we are the data processor acting on the salon's instructions.
3. What data we collect
From salon staff:
- Name, email, phone number, profile photo
- Salon role and permissions
- Authentication credentials (hashed)
- Device + browser metadata for security and debugging
From salon clients (entered or imported by the salon):
- Name, phone number, email, date of birth (optional)
- Appointment history, services taken, prices paid
- Colour formulas, skin test records, allergies, salon notes
- Marketing and channel consent (SMS, WhatsApp, Email)
- Inbound/outbound message history (SMS, WhatsApp, Email)
We also collect technical data — IP address, request logs, error traces — for security, abuse prevention, and service improvement. Logs are automatically scrubbed of credentials and rotated after 30 days.
4. How we use it
- Run the booking, calendar, checkout, stock and messaging features
- Send appointment confirmations and reminders via email, SMS and WhatsApp
- Power the AI assistant (booking suggestions, reorder drafts, message replies)
- Bill the salon and process client payments via Stripe
- Detect fraud, abuse and security incidents
- Improve the product (anonymised analytics, opt-out via Settings → Privacy & data)
5. Third-party processors
We use the following sub-processors to deliver the service. We share only the minimum data each needs to do its job.
- Microsoft Azure — hosting, database, file storage (EU North region)
- Meta Platforms — WhatsApp Business Cloud API for client conversations
- Vonage — SMS sending (appointment reminders only)
- Postmark — transactional and marketing email delivery
- Stripe — payments, payouts and salon subscription billing
- OpenAI and Anthropic — AI features (only the message content needed to answer is sent; we never use your data to train their models)
- Sentry / Application Insights — error monitoring and performance telemetry
6. WhatsApp Business specifically
When a salon connects their WhatsApp Business Account to LayerOne, they authorise us (via Meta's Embedded Signup flow) to send and receive WhatsApp messages on their behalf. We do this to:
- Send appointment confirmations and reminders using Meta-approved templates
- Let the salon reply to inbound client messages from within LayerOne
- (Opt-in) Allow the AI assistant to draft or auto-send replies within reception's confidence band
Salon clients can opt out of WhatsApp at any time by replying STOP to any message, or by asking the salon to disable WhatsApp messaging on their profile. We never use WhatsApp for marketing without explicit consent.
Message content flows through Meta's WhatsApp Business Cloud API. Meta's handling of that data is governed by Meta's privacy policy. We store a copy of each message in our audit log for ~12 months.
7. Your GDPR rights
As a data subject in the EU/UK you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Erase your data ("right to be forgotten")
- Export your data in a portable format
- Withdraw consent for marketing or AI features at any time
- Lodge a complaint with the Irish Data Protection Commission (dataprotection.ie)
Salon clients should first contact the salon directly — they control your record. If the salon is unable to help, email us at the address below and we'll act as escalation.
8. Retention
Active salon account data is retained for as long as the salon uses the service. After account closure, personal data is deleted within 90 days unless we are legally required to keep it longer (e.g. for tax records, which we retain for 7 years per Irish Revenue rules).
9. International transfers
Your data is stored in the EU (Azure North Europe region). Some of our processors operate globally (e.g. Meta, OpenAI). Where data leaves the EEA, we rely on Standard Contractual Clauses approved by the European Commission to ensure equivalent protection.
10. Security
We use TLS encryption in transit, encrypted-at-rest databases, multi-factor authentication for admins, and least-privilege access controls. Secrets are rotated regularly and never logged. We disclose any data breach affecting you within 72 hours of discovery, as required by GDPR.
11. Changes to this policy
We may update this policy from time to time. Material changes will be flagged in-app and the "Last updated" date below will be revised. Continued use of the service after an update constitutes acceptance of the revised policy.
12. Contact
Data protection queries, access requests, deletion requests:
Email: privacy@layeronesalon.com
Data controller: LayerOne
Registered address: Ireland (full address available on request)