Privacy Policy
CBHB&co — Privacy Policy (UK GDPR & PECR)
Last updated: 6 October 2025
This notice explains how CBHB&co Hair Salon ("we", "us", "our") collects, uses, shares and protects your personal data. It covers our salon services, website, online store and marketing.
Data Controller: CBHB&co Hair Salon, 8 Glenville Parade, Hucclecote, Gloucester, GL3 3ES
Contact: hello@cbhairandbeauty.co.uk · 01452 864070
1) The data we collect
We collect the following categories depending on how you interact with us:
- Identity & contact: name, email, phone, address, social handle (if you DM us).
- Booking & service information: appointment history, consultation notes, patch/strand test results, colour history, aftercare advice, photos of your hair (for records/consent‑based marketing), stylist assigned.
- Health disclosures: allergies, sensitivities, pregnancy/breastfeeding status, relevant medication or scalp/skin conditions (only where needed to provide safe services).
- E‑commerce & device data (website/shop): order details, delivery address, returns, device/browser, IP address, cookie identifiers, interactions on our site.
- Payment data: last 4 digits/transaction IDs from payment providers (we do not see or store full card numbers).
- Marketing preferences: opt‑in/out choices for email/SMS.
- CCTV & audio recording: video and audio captured in public areas of the salon for security and incident management.
Children: Our services and website are not aimed at children. For under‑16 services, we require a parent/guardian to book and provide any health information.
2) Why we use your data (purposes & lawful bases)
We use your data only where we have a lawful basis under the UK GDPR. Here’s the plain‑English mapping:
| Purpose | Examples | Lawful basis |
|---|---|---|
| Provide salon services | manage bookings, consultations, colour history, aftercare | Contract (to perform the service) |
| Safety & suitability | patch/skin tests, health disclosures | Explicit consent (Article 9 condition for special category health data) + Legitimate interests (Article 6 basis: safety) |
| E‑commerce/online orders | fulfil, deliver, returns, customer service | Contract |
| Payments & fraud prevention | take payments, verify transactions | Contract + Legitimate interests |
| Marketing | emails/SMS about offers, news | Consent (email/SMS) or Legitimate interests (soft opt‑in for similar products/services to existing customers)* |
| Analytics & site performance | cookies, aggregated stats, improve site | Consent (non‑essential cookies) |
| Legal & tax | accounting records, insurance, defending claims | Legal obligation + Legitimate interests |
| CCTV & audio | security, incident logs, staff & client safety | Legitimate interests |
*Soft opt‑in applies where you purchased from us and we gave you a clear opt‑out at the time and in every message. We never buy or sell marketing lists.
3) Where your data comes from
- Directly from you (in‑salon, online forms, DMs, phone, email).
- Automatically from your device when using our website (cookies, pixels—see Cookies section).
- From our service providers (e.g., booking platform updates, payment approval/decline status, delivery partners).
4) Who we share it with (processors & recipients)
We share data with trusted providers who help run our business. They only process data under written contracts and instructions from us.
- E‑commerce platform: Shopify (store hosting, checkout, order processing).
- Payment providers: e.g., Shopify Payments/Stripe, PayPal, in‑salon card terminal provider.
- Booking & salon software: e.g., [your platform – Fresha/Phorest/Vagaro/etc.].
- Email/SMS communications: e.g., Shopify Email/Klaviyo/Omnisend/Twilio.
- Analytics & pixels: e.g., Google Analytics, Meta Pixel (only if consented).
- Delivery & logistics: Royal Mail/couriers for online orders.
- CCTV monitoring/storage provider (if any): e.g., your CCTV system vendor/cloud storage.
- Professional services: accountants, insurers, legal advisers (where necessary).
- Law enforcement/regulators: if required by law.
We do not allow providers to use your data for their own marketing.
5) International transfers
Some providers store or access data outside the UK/EEA. Where this happens, we ensure appropriate safeguards (e.g., ICO‑approved standard contractual clauses, and provider security assessments). Shopify primarily processes EEA/UK customer data via Shopify International Limited (Ireland) and uses approved subprocessors for further processing. If any CCTV cloud service stores data abroad, we will ensure appropriate safeguards are in place.
6) How long we keep your data (retention)
We keep data only as long as necessary for the stated purposes:
- Client service/consultation records: usually up to 6 years after your last appointment (reflects typical limitation periods/insurance requirements).
- Patch/skin test records & hair photos (non‑marketing): up to 6 years after last service.
- Marketing data (email/SMS): until you opt out or after 24 months of no engagement, whichever is sooner.
- Online order records & invoices: 6 years for tax/accounting.
- CCTV & audio: typically 30 days unless required longer for an active investigation, incident, insurance or legal claim.
Where laws require longer/shorter periods, we follow those. When data is no longer needed, we securely delete or anonymise it.
7) Your rights
Under the UK GDPR you can:
- Access your data and get a copy.
- Rectify inaccurate or incomplete data.
- Erase your data in certain cases (“right to be forgotten”).
- Restrict or object to our processing in certain cases (including direct marketing at any time).
- Data portability for information you provided to us under consent or contract (where technically feasible).
- Withdraw consent at any time where we rely on consent (e.g., marketing, health disclosures).
To exercise your rights: email hello@cbhairandbeauty.co.uk. We’ll respond within one month; for complex or numerous requests this can be extended by up to two further months, and we’ll tell you within the first month if that applies. We may ask you to confirm your identity before releasing data.
Complaints: If you’re unhappy with how we handle your data, contact us first. You also have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk or 0303 123 1113.
8) Cookies & similar technologies
We use essential cookies to make the site work and (with your consent) analytics/advertising cookies to improve performance and show relevant content.
- On your first visit we display a cookie banner where you can accept, reject, or customise non‑essential cookies. You can change your preferences any time via Cookie Settings in the footer.
- Analytics cookies (e.g., Google Analytics 4) help us understand site usage. Advertising pixels (e.g., Meta) only load if you consent.
- Blocking cookies may affect some features (e.g., checkout remember‑me, analytics accuracy), but the site will still function.
A detailed cookie list is available on our Cookie Settings page.
9) Marketing
- Email/SMS: We’ll only send marketing where we have your consent or a valid soft opt‑in (you bought from us and we offered an opt‑out). Every message includes an unsubscribe link or STOP instructions.
- Social ads: We may use aggregated or hashed data to reach existing customers on platforms (subject to your consent where required). You can opt out at any time.
10) Security
We use administrative, technical and physical safeguards appropriate to the risk, including encryption in transit, access controls, staff training, and data minimisation. If we become aware of a personal data breach, we will report it to the ICO within 72 hours where the breach is likely to result in a risk to you, and we will tell you without undue delay where it is likely to result in a high risk to you.
CCTV & audio security: Access to recordings is strictly limited to management. Recordings are stored securely, are automatically deleted at the end of the retention period (see Section 6), and are only exported when necessary for an incident or legal obligation. We do not use CCTV/audio for routine employee monitoring.
11) Photography, CCTV & audio recording
- CCTV & audio in the salon: For safety, security and incident management we operate CCTV with audio in public areas (e.g., reception, salon floor). We do not record in private areas (e.g., toilets/staff room). Clear signage is displayed at entry points.
- Lawful basis: Legitimate interests in protecting clients, staff and property.
- Your choices: If you prefer to discuss sensitive information out of audio range, ask and we’ll move to a quieter area where practicable.
- Use of images: We may take hair photos for service records (legitimate interests). We will only use your images for marketing with your explicit consent. You can withdraw your consent at any time.
12) Automated decision‑making
We do not use automated decision‑making that produces legal or similarly significant effects. We may use basic segmentation (e.g., service type, last visit) to send relevant updates; you can opt out.
13) Changes to this notice
We may update this policy to reflect changes in law or our services. We’ll post the new version with a new “Last updated” date. If changes are material, we’ll let you know via email or site notice.
Contact
For privacy queries or to exercise your rights: hello@cbhairandbeauty.co.uk
This notice is designed to meet the UK GDPR and PECR requirements for a small salon/online store. It does not constitute legal advice. Consider a legal review to tailor retention periods and vendor lists to your exact systems (booking, payments, email/SMS).