Terms of Service Home

Privacy Policy

Last updated: 15 July 2026 · Governed by the EU General Data Protection Regulation (GDPR) and Irish data protection law

Important: This Policy has been drafted as a good-faith starting point for a small SaaS business operating from Ireland and processing personal data of EU residents. It is not a substitute for professional legal advice. If your business handles special categories of data (health, minors, political opinions), obtain formal legal counsel before relying on this document.

Contents

  1. Who this Policy is about
  2. Who we are (Data Controller)
  3. Data we collect about you as a Subscriber
  4. Data we process about Visitors on your behalf
  5. Legal bases for processing
  6. How long we keep data
  7. Who we share data with (sub-processors)
  8. International data transfers
  9. Your rights under the GDPR
  10. How to exercise your rights
  11. Cookies & local storage
  12. Security measures
  13. Data breach notification
  14. Children
  15. Changes to this Policy
  16. Contact & supervisory authority

1. Who this Policy is about

This Policy covers two different groups of people whose data we handle. Please read the section that applies to you:

2. Who we are (Data Controller)

For personal data of Subscribers, the Data Controller is:

We have not appointed a Data Protection Officer because we are not required to under Article 37 GDPR (we do not conduct large-scale monitoring or process special categories of data at scale). You can reach our privacy team at the address above.

3. Data we collect about you as a Subscriber

CategoryExamplesPurpose
Identity & accountBusiness name, your name, email, hashed passwordCreate and secure your account, log you in
ContactOwner WhatsApp number, notification emailSend you booking notifications and service messages
BillingStripe customer ID, subscription status, invoicesProcess subscription payments; provide receipts
Business contentAI context, FAQ, business hours, brand colour, welcome message, allowed domains, widget settingsConfigure the widget on your website
UsageMessage counts, appointment counts, login timestamps, last-activity datesEnforce your plan limits and improve the Service
TechnicalIP address of dashboard access, browser typeSecurity, fraud prevention, debugging

We do not collect: your customers' identity documents, health data, payment card numbers (Stripe handles those directly), or biometric data.

4. Data we process about Visitors on your behalf

When a website visitor chats with your widget, the following data is captured on your behalf:

CategoryExamples
Chat contentEvery message the visitor sends and every reply the assistant produces
Booking detailsName, phone number, requested service, requested time (only if the visitor provides them for a booking)
SessionAn anonymous session id stored in the visitor's browser localStorage; used to keep the conversation coherent
TechnicalIP address (used only for rate limiting; not stored beyond one hour), consent timestamp

Before any of this data is stored, the visitor is shown a plain-language consent screen explaining what will be saved and for how long. Nothing is collected until they click "Accept & chat".

For Visitors, the Data Controller is the salon that embedded the widget. Nelyma acts as the salon's Data Processor. Visitors should contact the salon first if they wish to exercise their GDPR rights; we can only act on the salon's documented instructions.

5. Legal bases for processing (Article 6 GDPR)

ProcessingLegal basis
Providing the Service to SubscribersContract (Art. 6(1)(b)) — necessary to perform our Terms with you
Sending billing notices, service updatesContract (Art. 6(1)(b))
Fraud prevention, security loggingLegitimate interest (Art. 6(1)(f)) — protecting the Service from abuse
Marketing emails (only if you opt in)Consent (Art. 6(1)(a)) — you may withdraw at any time
Processing Visitor chat dataLegitimate interest of the salon (contract enquiry) plus explicit consent shown before the chat begins
Complying with legal obligationsLegal obligation (Art. 6(1)(c)) — e.g. tax and accounting

6. How long we keep data

7. Who we share data with (sub-processors)

We use the following sub-processors. Each is bound by a written Data Processing Agreement (DPA) that requires them to protect your data to a standard equivalent to the GDPR.

Sub-processorPurposeDataLocation
Anthropic PBCGenerate assistant repliesBusiness context + one chat turnIreland / USA (SCCs)
Twilio Inc.WhatsApp notifications to ownerOwner phone + booking summaryIreland / USA (SCCs)
Stripe Payments Europe Ltd.Payment processingSubscriber name, email, card (via Stripe)Ireland (EU)
Railway / DigitalOcean / equivalentHosting the ServiceAll Service dataEU region where available
SendGrid / Postmark / equivalentEmail notificationsOwner email + booking summaryIreland / USA (SCCs)

We do not sell or rent personal data to third parties. We do not use it for cross-context advertising.

8. International data transfers

Some of our sub-processors are based outside the European Economic Area, notably in the United States. Every transfer outside the EEA is protected by Standard Contractual Clauses (SCCs) approved by the European Commission, plus additional safeguards where relevant (encryption in transit and at rest, access controls, minimisation).

9. Your rights under the GDPR

Under Articles 15-22 GDPR you have the right to:

10. How to exercise your rights

We aim to respond to all valid requests within one month. If your request is complex or high-volume we may extend by two further months and will tell you why.

Exercising your rights is free. Where a request is manifestly unfounded or excessive we may either charge a reasonable fee or refuse — we would explain and give you a chance to appeal.

11. Cookies & local storage

We keep cookies to a minimum:

The widget uses localStorage (not cookies) on visitor browsers to store:

Both are deleted when the visitor clicks "Delete my data".

12. Security measures

13. Data breach notification

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission within 72 hours and, where the risk is high, notify affected users without undue delay. Notifications will describe the nature of the breach, the categories of data affected, the likely consequences and the measures we have taken.

14. Children

The Service is a B2B tool aimed at adult business owners. It is not directed at children. Subscribers must be 18 or over. When a visitor uses your widget, you (the salon) are responsible for verifying age where required, and for obtaining parental consent for visitors under 16 in line with Article 8 GDPR (as implemented in Ireland).

15. Changes to this Policy

We may update this Policy occasionally. Material changes will be announced by email to Subscribers at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.

16. Contact & supervisory authority

Questions or complaints: [email protected].

You also have the right to lodge a complaint with the Data Protection Commission in Ireland, which is our lead supervisory authority under Article 55 GDPR:

If you live in another EU country, you may also lodge a complaint with your local supervisory authority.