Bossmetics

Privacy Policy

Last updated: 16 March 2026

Introduction

Bossmetics ("we", "us", "our") operates the bossmetics.com website and the Bossmetics platform accessible via partners.bossmetics.com, my.bossmetics.com, and admin.bossmetics.com. This Privacy Policy explains how we collect, use, store, and protect your personal data in accordance with the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and applicable national data protection laws. By using our services, you acknowledge that you have read and understood this Privacy Policy.

Data Controller

The data controller responsible for processing your personal data is:

Bossmetics
[Registered address]
Email: hello@bossmetics.com

For data protection enquiries, please contact our Data Protection Officer at: privacy@bossmetics.com

What Data We Collect

We collect the following categories of personal data depending on how you use our services:
• Account data: Name, email address, phone number, password (hashed), preferred language, profile picture.
• Business data (Professionals): Business name, business address, service offerings, pricing, staff member details (name, email, role), business branding assets (logo, cover image).
• Client data (managed by Professionals): Name, email, phone, date of birth, gender, appointment history, treatment records, preferences, allergies (encrypted), before/after photos, consent records.
• Financial data: Subscription plan, billing cycle, payment method (processed by Stripe — we do not store full card numbers), invoice history, transaction records.
• Usage data: Pages visited, features used, device type, browser type, IP address, session duration.
• Communication data: Contact form submissions, support messages, appointment reminders sent via email.

Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6(1):
• Contract performance (Art. 6(1)(b)): Processing necessary to provide our platform services, manage subscriptions, process payments, and deliver appointment reminders.
• Consent (Art. 6(1)(a)): Marketing communications, analytics cookies, health data processing (Art. 9(2)(a)), and photo consent.
• Legitimate interest (Art. 6(1)(f)): Fraud prevention, platform security, service improvements, and aggregate analytics.
• Legal obligation (Art. 6(1)(c)): Tax record retention, responding to lawful data access requests, and complying with applicable regulations.

How We Use Your Data

We use your personal data to:
• Provide and maintain the Bossmetics platform
• Process subscription payments and generate invoices
• Send appointment reminders and transactional emails
• Enable online booking and client management
• Provide customer support
• Improve our services through aggregate, anonymised analytics
• Comply with legal obligations

We do not sell your personal data to third parties. We do not use your data for automated decision-making or profiling.

Third-Party Services

We share personal data with the following categories of service providers, each bound by data processing agreements:
• Supabase (Supabase Inc.): Database hosting, authentication, and file storage. Data is hosted in EU-West-1 (Ireland). Supabase acts as a data processor.
• Stripe (Stripe Payments Europe, Ltd.): Payment processing for subscriptions and client payments. Stripe is a PCI DSS Level 1 certified payment processor. Privacy policy: https://stripe.com/privacy
• Vercel (Vercel Inc.): Website and application hosting. Requests may be served from edge locations globally, but persistent data remains in the EU.
• Brevo (Sendinblue GmbH): Transactional email delivery (appointment reminders, password resets). Email addresses and message content are processed. Privacy policy: https://www.brevo.com/legal/privacypolicy
• Optional integrations (configured by Professionals): Google Calendar, Google Drive, Microsoft Calendar, Xero, QuickBooks, Lexware, sevDesk, WhatsApp Business, GoCardless, Mollie, Klarna, SumUp. These are activated only when a Professional connects them. Each integration is governed by its own privacy policy.

Health Data (Special Category — GDPR Article 9)

When beauty professionals store allergy information, treatment records, or health-related notes about their clients, this constitutes special category data under GDPR Article 9. We protect this data with:
• Explicit consent required before any health data is stored (Art. 9(2)(a))
• Field-level encryption for allergies and treatment notes using Supabase Vault (pgsodium)
• Row-level security (RLS) ensuring only authorised staff within the relevant business can access the data
• Consent records with timestamps, IP addresses, and withdrawal capability
• Health waiver signatures are immutable and preserved with the exact waiver content at the time of signing

Data Storage and Security

All data is stored on servers located in the European Union (AWS EU-West-1, Ireland) via our infrastructure provider Supabase. Security measures include:
• TLS 1.3 encryption for all data in transit
• AES-256 encryption for data at rest
• Field-level encryption for sensitive health data (pgsodium/Supabase Vault)
• Row-level security (RLS) on all database tables ensuring strict tenant isolation
• HTTP-only, secure, SameSite cookies for authentication
• Content Security Policy (CSP) headers
• Regular security audits and dependency updates
• Role-based access control (RBAC) with granular permissions

Data Retention

We retain your personal data only as long as necessary for the purposes for which it was collected:
• Active accounts: Data is retained for the duration of your subscription.
• Cancelled accounts: Account data is retained for 30 days after cancellation to allow reactivation, then permanently deleted or anonymised.
• Financial records: Invoice and payment data is retained for 10 years in accordance with applicable tax regulations.
• Consent records: Retained indefinitely as proof of lawful data processing.
• Audit logs: Retained for 2 years for security and compliance purposes.
• Contact form submissions: Retained for 12 months unless a business relationship is established.

Your Rights Under GDPR

You have the following rights regarding your personal data:
• Right of access (Art. 15): Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): Request deletion of your personal data. We process erasure requests within 30 days.
• Right to restriction (Art. 18): Request that we limit the processing of your data.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (JSON/CSV export available).
• Right to object (Art. 21): Object to processing based on legitimate interest.
• Right to withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise any of these rights, contact us at privacy@bossmetics.com. We will respond within 30 days.

Cookies

Our use of cookies is described in detail in our Cookie Policy. We use essential cookies for authentication and session management. Analytics and marketing cookies are only set with your explicit consent.

International Data Transfers

Your data is primarily stored and processed within the European Economic Area (EEA). Where data is transferred outside the EEA (e.g., to US-based service providers such as Stripe and Vercel), such transfers are protected by:
• EU-US Data Privacy Framework (DPF) adequacy decision
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Supplementary security measures as required

Children's Privacy

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@bossmetics.com and we will promptly delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also notify you by email.

If you have questions about this Privacy Policy, contact us at: privacy@bossmetics.com

You have the right to lodge a complaint with your local data protection authority if you believe your data has been processed unlawfully.