Blyssbook Technologies Ltd. (“Blyssbook”, “we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, website, and services (collectively, the “Services”). Please read it carefully.

1. Information We Collect

1.1 Information You Provide

Account Registration: Name, email address, phone number, business name, and password when you register for an account.
Business Information: Salon name, address, operating hours, services, staff details, and pricing that you enter into the platform.
Payment Information: Billing address and payment details, processed securely through our payment processors (Stripe, PayPal). We do not store full card numbers.
Contact Form Submissions: Name, email, phone, business details, and message content when you submit our contact or demo request forms.
WhatsApp Contact: If you contact us via WhatsApp, your phone number and message content are shared with us directly. We use this only to respond to your enquiry.
Subscription Billing: Plan selection, billing cycle, and transaction history are recorded for subscription management and financial reporting.
Communications: Messages, support requests, and feedback you send us through any channel.

1.2 Information We Collect Automatically

Usage Data: Pages visited, features used, time spent, clicks, and actions taken within the platform and website.
Device & Technical Data: IP address, browser type, operating system, device identifiers, and referral URLs.
Cookies & Local Storage: We use cookies and similar technologies including browser local storage to remember your preferences and analyse usage. See our Cookie Policy and Section 13 below for full details.
Attribution Data: UTM parameters, click IDs (including fbclid from Meta ads), referrer URLs, and landing page information to understand how users find us.

1.3 Customer Data (Salon End-Users)

When salon owners use Blyssbook to manage their clients, those clients' data (name, contact details, booking history) is processed on behalf of the salon owner as a data controller. We act as a data processor in this context and process such data only according to the salon owner's instructions.

2. How We Use Your Information

To provide, maintain, and improve the Services.
To process subscription payments and send related information including confirmations and invoices.
To send administrative and account-related communications including trial expiry and billing notices.
To send marketing communications where you have opted in or where permitted by applicable law.
To respond to contact form submissions and demo requests.
To personalise your experience and deliver content relevant to your interests.
To monitor and analyse usage trends to improve the platform and marketing effectiveness.
To detect, investigate, and prevent fraudulent transactions and other illegal activities.
To comply with legal obligations.
To measure the effectiveness of our advertising campaigns via conversion tracking (see Section 13).

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases:

Contract Performance: Processing necessary to provide our Services to you (account creation, billing, feature delivery).
Legitimate Interests: Analytics, security, fraud prevention, platform improvement, and measuring advertising effectiveness — where these interests are not overridden by your rights.
Consent: Marketing emails, non-essential cookies, analytics tracking, and advertising pixels where required. You may withdraw consent at any time.
Legal Obligation: Compliance with applicable laws and regulations, including financial record-keeping.

4. Sharing Your Information

We do not sell your personal data. We may share information with:

Analytics & Advertising Providers: Google LLC (Google Analytics, Google Tag Manager, Google Ads), Meta Platforms Inc. (Meta Pixel, Meta Conversions API), Microsoft Corporation (Microsoft Clarity), PostHog Inc. — to analyse usage and measure advertising performance. Data shared is subject to hashing or anonymisation where applicable. See Section 13 for details.
Payment Processors: Stripe, Inc. and PayPal Holdings, Inc. to process subscription payments securely.
Email Service Providers: Resend, Inc. or similar transactional email providers to send account and notification emails.
Cloud Infrastructure: Our hosting providers (e.g., Vercel, AWS, Cloudflare) who process data only to deliver the Services.
Business Transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred with appropriate notice.
Legal Requirements: When required by law, court order, or governmental authority.
Protection of Rights: To protect the rights, property, or safety of Blyssbook, our users, or the public.

Data we never share with ad platforms: We do not send passwords, full payment card details, WhatsApp message content, customer health or allergy information, private booking notes, or any sensitive personal data to Google, Meta, or any other advertising platform.

5. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Services. Detailed analytics event logs are retained for up to 24 months, after which they are deleted or anonymised. You may request deletion at any time. We may retain certain information as required by law or for legitimate business purposes (e.g., financial records, dispute resolution, fraud prevention) for up to 7 years.

6. Data Security

We implement industry-standard security measures including TLS/SSL encryption in transit, AES-256 encryption at rest for sensitive credentials, role-based access controls, and regular security reviews. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

Access: Request a copy of the personal data we hold about you.
Rectification: Request correction of inaccurate data.
Erasure: Request deletion of your personal data (“right to be forgotten”).
Restriction: Request restriction of processing in certain circumstances.
Portability: Receive your data in a structured, machine-readable format.
Objection: Object to processing based on legitimate interests or for direct marketing.
Withdraw Consent: Withdraw consent at any time where processing is based on consent. For cookie-based tracking, use our Cookie Preferences link in the website footer.

To exercise any of these rights, email us at contact@blyssbook.com. We will respond within 30 days.

8. International Data Transfers

Blyssbook operates globally. Your data may be transferred to and processed in countries outside your own, including the UAE, United Kingdom, and United States. We ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission where applicable.

9. Children's Privacy

Our Services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at contact@blyssbook.com.

10. Third-Party Links

Our platform may contain links to third-party websites or services including payment providers and social media platforms. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on our platform at least 14 days before the changes take effect. Continued use of the Services after the effective date constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related questions, requests, or complaints:

Email: contact@blyssbook.com
Post: Blyssbook Technologies Ltd., Data Privacy Office, Dubai, UAE

If you are in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

13. Analytics and Advertising Technologies

We use the following third-party analytics and advertising tools on our website. All non-essential technologies require your consent, which you can manage at any time using the Cookie Preferences link in the footer.

13.1 Google Analytics 4 (GA4)

We use Google Analytics 4, provided by Google LLC, to understand how visitors use our website. GA4 collects anonymised usage data including pages visited, session duration, and traffic sources. Data is processed in the United States under Google's privacy terms. GA4 is loaded only after analytics consent is granted. You can opt out at tools.google.com/dlpage/gaoptout.

13.2 Google Tag Manager (GTM)

We use Google Tag Manager, provided by Google LLC, to manage and deploy tracking scripts on our website. GTM itself does not collect personal data but acts as a container for other tags. It operates under Google Consent Mode v2, which defaults all tracking signals to ‘denied’ until you provide consent.

13.3 Meta Pixel and Meta Conversions API

We use the Meta Pixel and Meta Conversions API, provided by Meta Platforms Inc., to measure the effectiveness of our advertising on Facebook and Instagram. The Meta Pixel is a browser-based script that loads only after marketing consent is granted where required by applicable law. The Meta Conversions API sends conversion event data server-to-server.

What we send to Meta: Conversion events such as account sign-ups, trial starts, checkout initiations, and contact form submissions. Where user identity data is included (email address or phone number for match quality), it is SHA-256 hashed before transmission — raw email addresses or phone numbers are never sent.

What we never send to Meta: Passwords, payment card details, WhatsApp message content, health or medical data, allergy notes, private booking notes, or any sensitive personal information.

Meta processes this data in the United States. You can manage Meta's use of your data at facebook.com/privacy/explanation.

13.4 Microsoft Clarity

We may use Microsoft Clarity, provided by Microsoft Corporation, to understand user behaviour on our website through session recordings and heatmaps. Clarity is loaded only after analytics consent is granted. Microsoft processes this data under its own privacy policy. You can learn more at privacy.microsoft.com.

13.5 PostHog

We may use PostHog, provided by PostHog Inc., for product analytics to understand how users interact with our platform features. PostHog is initialised in ‘opted out’ mode and only begins capturing events after analytics consent is granted. No personally identifiable information is included in PostHog events beyond an anonymised user identifier. Learn more at posthog.com/privacy.

13.6 Google Consent Mode v2

Our website implements Google Consent Mode v2, which signals consent status to Google tags before any data collection begins. All Google advertising and analytics signals (analytics_storage, ad_storage, ad_user_data, ad_personalization) default to ‘denied’ when you first visit. They are updated to ‘granted’ only after you accept the relevant cookie categories. This ensures no advertising or analytics data is shared with Google before you have consented.

13.7 Cookies and Local Storage

We use cookies and browser local storage to maintain your session, remember your cookie preferences (stored in bk_consent), and enable analytics and advertising tools. See our full Cookie Policy for a complete list of cookies and their purposes. You can manage your cookie preferences at any time using the Cookie Preferences link in the footer of our website.

13.8 Conversion Tracking and Remarketing

Where you have provided marketing consent, we use conversion tracking to measure actions taken on our website (such as sign-ups and trial starts) to evaluate advertising effectiveness. We may also use remarketing features to show ads to people who have previously visited our website. You can opt out of interest-based advertising at youronlinechoices.eu (EEA) or optout.aboutads.info (US).