Privacy Policy

Your privacy is important to us. Learn how we collect, use, and protect your personal information.

Privacy Commitment

Beauloom, LLC ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Beauloom platform and services.

This policy applies to all users of our platform, including clients and beauty professionals. By using our service, you consent to the practices described in this policy.

1. Information We Collect

Personal Information You Provide

  • Account Information: Name, email address, phone number, date of birth
  • Profile Information: Photos, bio, service descriptions, location preferences
  • Payment Information: Credit card details, billing address, payout information
  • Communication: Messages, reviews, support communications
  • Professional Verification: Identity verification session metadata, verification status, and business details professionals choose to provide in their profiles or services

Information Automatically Collected

  • Device Information: IP address, browser type, device identifiers
  • Usage Information: Limited first-party product and onboarding activity data used to operate and improve the platform
  • Location Information: GPS coordinates (with permission), service locations
  • Cookies and Local Storage: One functional cookie plus essential local and session storage for authentication, preferences, onboarding progress, and resilience features. See our Cookie Policy for details.

Information from Third Parties

  • Identity Verification Providers: Identity document verification results (via Stripe Identity)
  • Payment Processors: Transaction data, fraud prevention information (via Stripe)

2. How We Use Your Information

Platform Operations

  • Create and maintain user accounts
  • Facilitate bookings and service connections
  • Process payments and manage transactions
  • Enable communication between users
  • Provide customer support and dispute resolution

Safety and Security

  • Verify identity where required and review account status signals related to trust and safety
  • Detect and prevent fraud, abuse, and illegal activity
  • Maintain platform security and integrity
  • Investigate violations of our terms and policies

Communication and Marketing

  • Send transaction confirmations and service updates
  • Send billing, policy, security, and support communications
  • Respect supported email, SMS, and push notification preferences in your account
  • Send optional product updates or promotional communications only where permitted

Platform Improvement

  • Analyze limited first-party usage patterns and platform performance
  • Develop new features and improve existing services
  • Personalize user experience and recommendations
  • Conduct research and analytics

3. How We Share Your Information

With Other Users

  • Professional profiles visible to potential clients
  • Client information shared with booked professionals
  • Reviews and ratings made public
  • Communication facilitated through our messaging system

With Service Providers

  • Payment Processors: Stripe, Inc. for payment processing, payouts, and identity verification
  • Cloud Infrastructure: Supabase (database, authentication, file storage) hosted on AWS
  • Mapping Services: Mapbox for map rendering and display
  • Location Services: Google Maps and Places APIs for geocoding, address autocomplete, and validation

Legal Requirements

  • Compliance with court orders, subpoenas, or legal processes
  • Law enforcement requests with proper legal authorization
  • Protection of our rights, property, and safety
  • Prevention of illegal activity or policy violations

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the business transaction. We will notify users of any such changes.

4. Data Security

We implement industry-standard security measures to protect your personal information:

  • Encryption: Data encrypted in transit and at rest
  • Access Controls: Limited access on a need-to-know basis
  • Secure Infrastructure: Protected servers and databases
  • Regular Audits: Security assessments and vulnerability testing
  • Employee Training: Staff educated on privacy and security practices

However, no system is completely secure. We cannot guarantee absolute security of your information.

5. Your Rights and Choices

Account Management

  • Access: View and download the account and activity data included in our self-service export tool
  • Update: Correct or update your account information
  • Delete: Request deletion of your account and data
  • Portability: Export eligible account and activity data in a common JSON format

Communication Preferences

  • Manage email, SMS, and push notification preferences in your account
  • Update or remove location and profile information from your account settings
  • Delete your account in Settings or contact privacy@beauloom.app for other privacy requests
  • Review our Cookie Policy for browser storage and third-party service details

Cookies and Local Storage

  • We use only one functional cookie and essential local storage — no analytics or advertising cookies
  • You can manage cookies through your browser settings
  • See our Cookie Policy for a complete inventory

How to Exercise Your Rights

To exercise any of these rights, email us at privacy@beauloom.app with your request. We will respond within 30 days (or 45 days if we need an extension, with notice). Our self-service export currently covers core account and activity data stored in Beauloom; third-party provider records and binary uploads may require separate handling.

6. Data Retention

We retain your personal information for as long as necessary to provide our services and comply with legal obligations:

  • Account & profile data: Retained while the account is active; on deletion we deactivate the account and scrub profile fields we control, while keeping only the records required for legal, trust, safety, fraud-prevention, or payment purposes
  • Booking & transaction records: Retained for 7 years after the transaction for tax and legal compliance
  • Messages: May be retained after account deactivation when needed to preserve booking history, trust and safety context, fraud prevention records, or legal evidence
  • Photos & uploads: We remove media we control during account deletion, subject to limited backup or operational retention windows
  • Payment data: Stored by Stripe per their retention policy; we retain only transaction IDs
  • Identity verification: Verification status retained; supporting documents handled by Stripe Identity per their policy
  • Device tokens: Deleted immediately upon sign-out or account deletion
  • Biometric authentication credentials: The encrypted sign-in token protected by Face ID, Touch ID, or fingerprint is stored only in your device's secure enclave (iOS Keychain or Android Keystore). It is deleted from the device immediately when you disable biometric sign-in, sign out, or delete your account.
  • Biometric consent records: The audit log proving you consented to biometric sign-in is retained as required by Illinois BIPA and similar laws — generally for the shorter of three years from your last interaction with biometric authentication, or until your purpose for using the feature ends. The record is permanently destroyed when you delete your account.
  • Anonymized/aggregated data: May be retained indefinitely for platform analytics

6a. Biometric Information Privacy

Beauloom offers an optional biometric sign-in feature on the mobile app. This section is our written policy under the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14), the Texas Capture or Use of Biometric Identifiers Act (CUBI), and the Washington biometric privacy law (RCW 19.375).

What we do (and do not) collect

When you enable biometric sign-in, your device uses its built-in biometric sensor (Face ID, Touch ID, or fingerprint reader) to verify your identity locally. Your biometric scan, template, or any other biometric identifier never leaves your device. Beauloom does not receive, store, or transmit your face, fingerprint, or any other biometric data. We only store an encrypted sign-in token inside your device's secure enclave, which the device unlocks after a successful local biometric check.

Purpose

The sole purpose of biometric authentication is to let you sign back in to Beauloom on this device without re-entering your email and password. We do not use biometrics for identification, marketing, fraud detection, or any other purpose, and we never share biometric data with third parties.

Consent

Biometric sign-in is opt-in. The first time you enable it, the app shows you these disclosures and asks you to affirmatively check a consent box. We log the consent event (timestamp, platform, and the version of these disclosures you accepted) in our audit system. You can withdraw consent at any time from Settings → Security; doing so removes the encrypted token from your device immediately and marks the consent record as withdrawn.

Retention and destruction

The encrypted sign-in token is held only on your device and is destroyed when you disable biometric sign-in, sign out, or delete your account. The consent audit record is retained as required by BIPA — generally for the shorter of three years from your last interaction with biometric authentication, or until our purpose for collecting it has ended — and is permanently destroyed when you delete your account.

7. Children's Privacy

Our service is intended for users 18 years and older. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided personal information, we will delete it promptly.

8. Your California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.

Categories of Personal Information Collected

  • Identifiers: Name, email, phone number, IP address, account ID
  • Financial Information: Payment method details (processed by Stripe), transaction records
  • Commercial Information: Booking history, service preferences, subscription status
  • Geolocation Data: GPS coordinates (with your permission), service addresses
  • Professional/Employment Information: Professional credentials, service descriptions, business information (professionals only)
  • Internet Activity: Pages visited, features used (no third-party tracking)
  • Biometric Information: Biometric authentication data stored only on your device (mobile app only, with your consent — see Section 6a for our full BIPA/CUBI policy)
  • Audio/Visual Information: Profile photos, service photos, portfolio images
  • Inferences: None — we do not create consumer profiles from inferences

We Do Not Sell or Share Your Personal Information

Beauloom does not sell your personal information to third parties. We do not share your personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.

Your CCPA/CPRA Rights

  • Right to Know: Request what personal information we have collected, used, disclosed, or sold
  • Right to Delete: Request deletion of your personal information (available via Settings or email)
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your data, so no opt-out is needed
  • Right to Limit Use of Sensitive PI: We only use sensitive PI (geolocation, biometrics) with your explicit consent
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

Service Providers

We disclose personal information to the following categories of service providers for business purposes:

  • Stripe, Inc. — Payment processing, identity verification, subscription billing
  • Supabase, Inc. — Cloud database, authentication, and file storage
  • Mapbox, Inc. — Map rendering and display services
  • Google LLC — Geocoding, address autocomplete, validation, and font delivery
  • Firebase (Google) — Push notification delivery (mobile app only)

Each service provider is contractually restricted to using your data only for the services they provide to us.

Submitting a Request

To exercise your California privacy rights, email privacy@beauloom.app, use the account deletion feature in Settings, or submit a request through our account deletion page. We will verify your identity before processing your request using your account email. You may also designate an authorized agent to make a request on your behalf.

9. International Users & GDPR

Our services are designed for users in the United States. If you access our platform from outside the US, your information may be transferred to and processed in the United States, which may have different privacy laws than your country.

For Users in the European Economic Area (EEA) or UK

If the EU General Data Protection Regulation (GDPR) or UK GDPR applies to you, you have additional rights including:

  • Right of access to your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing based on legitimate interests
  • Right to withdraw consent at any time
  • Right to lodge a complaint with your local data protection authority

Our lawful bases for processing include: performance of our contract with you (account and service delivery), legitimate interests (platform security, fraud prevention, and service improvement), consent (location data, biometric data, and any optional promotional communications we may offer), and legal obligation (tax and financial record-keeping).

10. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. We will notify users of significant changes via email or platform notifications. The updated policy will be effective immediately upon posting.

11. Contact Us

If you have questions about this Privacy Policy or want to exercise your privacy rights, please contact us:

Beauloom Privacy Team

Email: privacy@beauloom.app

Effective Date: March 1, 2026

Last Updated: March 17, 2026