Chairup
Privacy Policy
Effective May 15, 2026 · Version 2026-05-15-1
1. Who we are
This Privacy Policy describes how Chairup collects, uses, and shares information in connection with the operation of our hosted salon-software platform (the “Service”). It applies to two groups: Tenants (salon owners/staff with paid or trial accounts) and End-Customers (the clients who book appointments through a Tenant’s instance of the platform).
2. What we collect
From Tenants: account email, password (hashed), business name, address, payment-method details (handled by Stripe — we never see card numbers), staff records, services, pricing, schedules, payroll inputs, and any content you import or generate inside the dashboard.
From End-Customers: first/last name, email, phone, marketing & reminder consents, notes provided at booking, appointment history, payment outcomes, loyalty balances, gift-card balances, and membership balances. We collect a separate ToS/Privacy acceptance timestamp the first time an End-Customer books through the platform.
Automatically: standard request logs (IP, user-agent, timestamp), audit-log entries (who did what), and basic usage analytics. We do not run third-party advertising trackers.
3. How we use it
- Operating the booking, payments, and CRM features the Tenant configured.
- Sending transactional messages (booking confirmations, reminders, receipts) to End-Customers.
- Sending marketing messages to End-Customers who opted in, at the Tenant’s direction.
- Generating AI-assisted briefings and suggestions for Tenants who have AI features enabled (see §4).
- Internal reporting, platform-level analytics, and aggregated benchmarking across Tenants (e.g. industry averages, performance trends, capacity planning) to operate and improve the Service. Tenant-identifiable revenue, transaction, and usage data may be reviewed by Chairup staff for support, billing, fraud prevention, and product decisions. Benchmarks shared with other Tenants or third parties are anonymized and aggregated.
- Billing, fraud prevention, debugging, security monitoring, and compliance with law.
4. AI processing
Tenants on AI-enabled plans have their appointment and customer data sent in narrow, purpose-bound payloads to Anthropic (our LLM provider) to produce briefings and other generative outputs. Anthropic acts as a processor under our agreement and does not train on this data. We may switch providers in the future and will update this Policy and version accordingly.
5. Third-party processors
- Stripe — subscription billing, retail-order checkout, and payouts to Tenants. Card and bank data is stored by Stripe, not by us.
- Plivo (or Twilio, where applicable) — outbound SMS reminders and marketing messages.
- AWS SES and/or Resend — outbound transactional and marketing email.
- Anthropic — large-language-model inference for AI features.
- Vercel & AWS — application hosting, image storage, file storage.
- Supabase (transitional) — authentication and Postgres hosting during our active migration to AWS-hosted authentication. End-Customer data flows through Supabase only insofar as required to operate authentication and storage for the live Tenant accounts.
6. Data sharing
We do not sell End-Customer data. We share data only (a) with the Tenant that owns it, (b) with the processors above as needed to operate the Service, and (c) where required by law (subpoena, court order, regulatory request).
7. Your rights
Subject to local law (including the EU/UK GDPR and California’s CCPA/CPRA), you have the right to access, correct, delete, port, and restrict our processing of your personal data. You may also object to processing or withdraw consent at any time. End-Customers should direct rights requests to the Tenant (salon) that holds their record; the Tenant can fulfil the request through the in-app tools or by contacting us. Tenants may submit their own rights requests to the address in §10.
8. Cookies & tracking
We use only strictly necessary cookies (session, CSRF, theme preference) and a small amount of first-party analytics. We do not embed third-party advertising or cross-site tracking. The cookie banner appears on your first visit and your preference is stored locally; you can withdraw consent at any time by clearing your browser’s storage for this domain.
9. Data retention & security
We retain data for the active life of the Tenant account plus ninety (90) days after cancellation. Some audit-log entries may be retained longer for fraud and tax records. We use encryption in transit (TLS) and at rest, role-based access controls, and tenant-isolated row-level security on our Postgres database. We will notify affected parties of a security incident as required by applicable law.
10. Contact
For privacy questions or rights requests, email privacy@getchairup.com.
See also: Terms of Service.