Privacy Policy

For information about your business (your account, billing details, the salon you operate), we are the data controller.

For information about your customers (people who book appointments with you), you are the data controller and we are a data processor — meaning we hold their information on your behalf and only use it to provide the Service to you.

Your customers should read your salon's own privacy notice for how their data is handled by the salon.

Account & billing information

• Your name, email, phone number
• Your business's name, address, business type, country
• Payment method details (held by our processor Stripe, never by us)
• Tax / registration numbers if you provide them (e.g. UEN, GST number)

Usage information

• Actions you take in the app (logins, bookings created, settings changes) for security and product improvement
• Technical telemetry: IP address, browser type, device type, time zone
• Cookies for authentication and (limited) analytics — see “Cookies” below

Communications

• Emails / SMS you send to us at mystudiowalker@gmail.com
• Records of email + SMS messages the platform sends to your customers on your behalf, including delivery status (for troubleshooting + your audit log)

Your customer data (held on your behalf)

• Customer names, emails, phone numbers, birthdays you import or collect
• Booking history, services purchased, packages, sales records
• Notes you write about customers

We don't ask you to provide special-category data (health, biometrics, race, etc.). If your salon's business model collects sensitive information (e.g. health declarations for spa treatments), you're responsible for getting appropriate consent and complying with the heightened protections that apply to such data.

• To provide the Service — log you in, store your data, deliver appointment reminders, process payments.
• To bill you — process subscription charges and SMS top-ups.
• To support you — answer your questions, debug issues you report, send service updates.
• To improve the Service — understand how features are used, build better ones. We aggregate or anonymise where possible.
• To prevent abuse — detect spam, fraud, or violations of our Acceptable Use Policy.
• To meet legal obligations — keep records that tax / consumer protection law requires.

We use a small number of trusted third-party processors to run the Service. They're only allowed to use your data to provide the service we've hired them for — never to market to you independently.

• Supabase — database hosting (Singapore region for SG accounts).
• Vercel — application hosting + serverless infrastructure.
• Stripe — payment processing. Your card details are stored with Stripe, not us.
• Resend — transactional email delivery (booking confirmations, marketing campaigns, billing receipts).
• Twilio — SMS delivery for the SMS reminder / confirmation features.

We do not sell your personal information. We do not share it with advertisers. We may disclose data when legally required (court order, regulator demand) and will challenge requests that look overbroad.

We use a small number of cookies:

• Essential cookies — login session, security tokens, language preference, dark-mode preference. Required for the Service to function.
• Functional cookies — feature preferences (e.g. dismiss-state for in-product banners).

We don't currently use third-party advertising or behavioural-tracking cookies. If that changes we'll update this policy and prompt you for consent.

We keep your data while your account is active. On account termination:

• Most data is deleted within 30 days of termination.
• Billing records and invoices are kept for at least 5 years to satisfy tax + accounting requirements.
• Anonymised aggregate analytics may persist indefinitely.

You can export your data before termination from Settings → Data export (or by email request).

Depending on where you live, you may have rights to:

• Access — get a copy of the personal information we hold about you.
• Correct — update inaccurate information.
• Delete — ask us to delete your information (subject to legal retention obligations).
• Restrict / Object — limit how we use it, or object to certain uses.
• Portability — receive your data in a machine-readable format.
• Withdraw consent — where processing is based on consent.
• Lodge a complaint — with your local data protection authority (Singapore PDPC, EU national DPA, UK ICO, California Attorney General, etc.).

To exercise any of these rights, email mystudiowalker@gmail.com. We'll verify your identity and respond within 30 days.

The Service is operated from Singapore but our processors (Vercel, Stripe, Twilio, Resend) operate globally. Your data may be processed in the United States, the EU, or other countries. We rely on Standard Contractual Clauses (SCCs) and equivalent safeguards as required by GDPR Article 46 for transfers out of the EEA.

Studio Walker is a B2B tool for businesses. It's not intended for use by anyone under 18, and we don't knowingly collect personal information from children. If you believe we've received data from a child, contact us and we'll delete it.

We take reasonable technical and organisational measures to protect your data:

• Data encrypted in transit (TLS) and at rest (AES-256 via Supabase).
• Passwords stored hashed via Supabase Auth.
• Service-role database access restricted to server functions; public reads gated by row-level security policies.
• Payment card details never touch our servers — handled entirely by Stripe.

No service is 100% secure. If we discover a breach affecting your personal information, we'll notify you and the relevant regulator without undue delay.

We may update this policy as the Service evolves. The “Last updated” date at the top reflects the most recent revision. Material changes will be announced by email to your account address with at least 30 days' notice.

Privacy questions, requests, complaints — mystudiowalker@gmail.com. Studio Walker is currently operated by an individual proprietor based in Singapore.