Chairup
Privacy Policy
Effective May 30, 2026 · Version 2026-05-30-1
1. Who we are
This Privacy Policy describes how Chairup (“Chairup,” “we,” “us”) collects, uses, and shares information in connection with the operation of our hosted salon-software platform (the “Service”). It applies to two groups: Tenants (salon owners and the staff they invite, who hold a paid or trial subscription with us) and End-Customers (the clients who book or transact through a Tenant’s instance of the Service).
For Tenant account data, Chairup acts as the data controller. For End-Customer data that a Tenant collects and processes through the Service (names, phone numbers, appointment history, payment history, etc.), the Tenant is the controller and Chairup is the processor acting on the Tenant’s documented instructions. End-Customers seeking access, correction, deletion, or other rights over their personal data should contact the Tenant (salon) directly; Chairup will assist the Tenant in responding.
2. What we collect
From Tenants: account email, password (hashed), business name and address, payment-method details (handled by Stripe — we never see card numbers), assigned Telnyx phone number and SMS preferences, staff records, services, pricing, schedules, payroll inputs, and any content you import or generate inside the dashboard.
From End-Customers (on behalf of the Tenant): first/last name, email, phone, marketing & reminder consents, notes provided at booking, appointment history, payment outcomes, loyalty balances, gift-card balances, and membership balances. We collect a separate ToS/Privacy acceptance timestamp the first time an End-Customer books through the platform.
Automatically: standard request logs (IP, user-agent, timestamp), audit-log entries (who did what), basic first-party usage analytics. We do not run third-party advertising trackers and we do not sell personal information.
3. How we use it
- Operating the booking, payments, messaging, and CRM features the Tenant configured.
- Sending transactional messages (booking confirmations, reminders, receipts) to End-Customers.
- Sending marketing messages to End-Customers who opted in, at the Tenant’s direction.
- Generating AI-assisted briefings and suggestions for Tenants who have AI features enabled (see §4).
- Internal reporting, platform-level analytics, and aggregated benchmarking across Tenants to operate and improve the Service. Benchmarks shared with other Tenants or third parties are anonymized and aggregated.
- Billing, fraud prevention, debugging, security monitoring, and compliance with law.
4. AI processing
Tenants on AI-enabled plans have their appointment and customer data sent in narrow, purpose-bound payloads to Anthropic (our LLM provider) to produce briefings and other generative outputs. Anthropic acts as a sub-processor under our agreement and does not train on this data. We may switch providers in the future and will update this Policy and version accordingly.
5. Sub-processors
We share data with the following sub-processors strictly to operate the Service:
- Vercel — application hosting and edge delivery.
- Supabase and AWS — authentication and Postgres hosting. We are actively migrating authentication from Supabase to an AWS-hosted stack; until that migration is complete, both providers may process auth and account data.
- Stripe Connect — subscription billing, tenant payout, and End-Customer payment processing. Card and bank data is stored by Stripe, not by us.
- Telnyx — outbound SMS reminders and marketing messages, 10DLC registration, and number provisioning.
- Resend — outbound transactional and marketing email. We will be transitioning email delivery to AWS SES after launch; this Policy will be updated when that change is live.
- Anthropic — large-language-model inference for AI features (opt-in plans only).
6. Data sharing
We do not sell personal information. We share data only (a) with the Tenant that owns it, (b) with the sub-processors above as needed to operate the Service, and (c) where required by law (subpoena, court order, regulatory request).
7. Your rights (CCPA, CPRA, and other state laws)
Subject to applicable law (including California’s CCPA/CPRA, Virginia’s VCDPA, Colorado’s CPA, Connecticut’s CTDPA, and similar U.S. state laws), you have the right to:
- Know what personal information we collect and how we use it.
- Access and obtain a copy of your personal information.
- Correct inaccurate personal information.
- Delete personal information, subject to limited exceptions (e.g. tax and fraud records).
- Opt out of any sale or share of personal information for cross-context behavioral advertising. We do not sell or share personal information for those purposes.
- Non-discrimination for exercising any of these rights.
End-Customers: because the Tenant (salon) is the controller of your booking record, please direct rights requests to the salon you booked with. Chairup will assist the salon in responding using the in-app export and deletion tools.
Tenants: submit rights requests to the contact address in §12. We will respond within the timeframes required by applicable law.
8. Children’s privacy (COPPA)
The Service is not directed to children under thirteen (13) and we do not knowingly collect personal information from children under 13. Tenants whose business serves minors (e.g. kids’ haircuts) are responsible for obtaining verifiable parental consent before submitting a child’s information through the Service, and remain the controller of that information. If you believe a child under 13 has provided personal information to us directly, contact us and we will promptly delete it.
9. Cookies & tracking
We use only strictly necessary cookies (session, CSRF, theme preference) and a small amount of first-party analytics. We do not embed third-party advertising or cross-site tracking. The cookie banner appears on your first visit and your preference is stored locally; you can withdraw consent at any time by clearing your browser’s storage for this domain.
10. Data retention & security
We retain data for the active life of the Tenant account plus ninety (90) days after cancellation. Some audit-log entries may be retained longer for fraud and tax records. We use encryption in transit (TLS) and at rest, role-based access controls, and tenant-isolated row-level security on our Postgres database. We will notify affected parties of a security incident as required by applicable law.
11. International users
The Service is operated from the United States. If you access the Service from outside the U.S., you understand that your information will be transferred to, stored in, and processed in the U.S. We do not currently market the Service to data subjects in the EU/UK; if you are an EU/UK data subject and choose to use the Service, the rights described in §7 apply alongside any non-waivable rights you have under GDPR/UK GDPR.
12. Contact
For privacy questions, data requests, or to report a concern, email anthony@bluecollarlabs.org.