This Policy covers two different groups of people whose data we handle. Please read the section that applies to you:
For personal data of Subscribers, the Data Controller is:
We have not appointed a Data Protection Officer because we are not required to under Article 37 GDPR (we do not conduct large-scale monitoring or process special categories of data at scale). You can reach our privacy team at the address above.
| Category | Examples | Purpose |
|---|---|---|
| Identity & account | Business name, your name, email, hashed password | Create and secure your account, log you in |
| Contact | Owner WhatsApp number, notification email | Send you booking notifications and service messages |
| Billing | Stripe customer ID, subscription status, invoices | Process subscription payments; provide receipts |
| Business content | AI context, FAQ, business hours, brand colour, welcome message, allowed domains, widget settings | Configure the widget on your website |
| Usage | Message counts, appointment counts, login timestamps, last-activity dates | Enforce your plan limits and improve the Service |
| Technical | IP address of dashboard access, browser type | Security, fraud prevention, debugging |
We do not collect: your customers' identity documents, health data, payment card numbers (Stripe handles those directly), or biometric data.
When a website visitor chats with your widget, the following data is captured on your behalf:
| Category | Examples |
|---|---|
| Chat content | Every message the visitor sends and every reply the assistant produces |
| Booking details | Name, phone number, requested service, requested time (only if the visitor provides them for a booking) |
| Session | An anonymous session id stored in the visitor's browser localStorage; used to keep the conversation coherent |
| Technical | IP address (used only for rate limiting; not stored beyond one hour), consent timestamp |
Before any of this data is stored, the visitor is shown a plain-language consent screen explaining what will be saved and for how long. Nothing is collected until they click "Accept & chat".
For Visitors, the Data Controller is the salon that embedded the widget. Nelyma acts as the salon's Data Processor. Visitors should contact the salon first if they wish to exercise their GDPR rights; we can only act on the salon's documented instructions.
| Processing | Legal basis |
|---|---|
| Providing the Service to Subscribers | Contract (Art. 6(1)(b)) — necessary to perform our Terms with you |
| Sending billing notices, service updates | Contract (Art. 6(1)(b)) |
| Fraud prevention, security logging | Legitimate interest (Art. 6(1)(f)) — protecting the Service from abuse |
| Marketing emails (only if you opt in) | Consent (Art. 6(1)(a)) — you may withdraw at any time |
| Processing Visitor chat data | Legitimate interest of the salon (contract enquiry) plus explicit consent shown before the chat begins |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) — e.g. tax and accounting |
We use the following sub-processors. Each is bound by a written Data Processing Agreement (DPA) that requires them to protect your data to a standard equivalent to the GDPR.
| Sub-processor | Purpose | Data | Location |
|---|---|---|---|
| Anthropic PBC | Generate assistant replies | Business context + one chat turn | Ireland / USA (SCCs) |
| Twilio Inc. | WhatsApp notifications to owner | Owner phone + booking summary | Ireland / USA (SCCs) |
| Stripe Payments Europe Ltd. | Payment processing | Subscriber name, email, card (via Stripe) | Ireland (EU) |
| Railway / DigitalOcean / equivalent | Hosting the Service | All Service data | EU region where available |
| SendGrid / Postmark / equivalent | Email notifications | Owner email + booking summary | Ireland / USA (SCCs) |
We do not sell or rent personal data to third parties. We do not use it for cross-context advertising.
Some of our sub-processors are based outside the European Economic Area, notably in the United States. Every transfer outside the EEA is protected by Standard Contractual Clauses (SCCs) approved by the European Commission, plus additional safeguards where relevant (encryption in transit and at rest, access controls, minimisation).
Under Articles 15-22 GDPR you have the right to:
We aim to respond to all valid requests within one month. If your request is complex or high-volume we may extend by two further months and will tell you why.
Exercising your rights is free. Where a request is manifestly unfounded or excessive we may either charge a reasonable fee or refuse — we would explain and give you a chance to appeal.
We keep cookies to a minimum:
The widget uses localStorage (not cookies) on visitor browsers to store:
sa_widget:<id>:session — an anonymous session id so the assistant remembers the current conversation.sa_widget:<id>:consent — a flag confirming the visitor has accepted the consent screen.Both are deleted when the visitor clicks "Delete my data".
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission within 72 hours and, where the risk is high, notify affected users without undue delay. Notifications will describe the nature of the breach, the categories of data affected, the likely consequences and the measures we have taken.
The Service is a B2B tool aimed at adult business owners. It is not directed at children. Subscribers must be 18 or over. When a visitor uses your widget, you (the salon) are responsible for verifying age where required, and for obtaining parental consent for visitors under 16 in line with Article 8 GDPR (as implemented in Ireland).
We may update this Policy occasionally. Material changes will be announced by email to Subscribers at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
Questions or complaints: [email protected].
You also have the right to lodge a complaint with the Data Protection Commission in Ireland, which is our lead supervisory authority under Article 55 GDPR:
If you live in another EU country, you may also lodge a complaint with your local supervisory authority.