Beautonomi Privacy Policy

Effective date: This policy describes how Beautonomi ("we", "us", "our") collects, uses, discloses, and protects personal information when you use our websites, mobile applications, and related services (together, the "Platform"). By using the Platform, you acknowledge this policy.

Notices by jurisdiction. Depending on where you live, additional rights and requirements may apply. Sections below summarise common regions; they do not limit any mandatory protections you have under local law.

1. Who we are & roles

Beautonomi operates an online marketplace connecting customers with independent or business beauty and wellness providers. Depending on the activity, we may act as a controller of your account and platform usage data, while providers are typically controllers of information they collect to deliver services (e.g. notes about your appointment). Payment and messaging processors act as processors under our instructions where applicable.

2. Geographic scope

We aim to comply with applicable privacy laws in the regions where we operate or where users access the Platform, including without limitation:

• European Economic Area (EEA), United Kingdom, and Switzerland — GDPR, UK GDPR / Data Protection Act 2018, and Swiss FADP (as applicable).
• South Africa — Protection of Personal Information Act (POPIA).
• United States — Federal and state laws (including California Consumer Privacy Act / California Privacy Rights Act where applicable, and similar state statutes).
• Brazil — Lei Geral de Proteção de Dados (LGPD).
• Australia — Privacy Act 1988 (Cth) and Australian Privacy Principles.
• Canada — Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial laws where they apply.
• Singapore — Personal Data Protection Act (PDPA).
• India — Digital Personal Data Protection Act (DPDPA), where applicable.

If local law conflicts with a provision of this policy, local law prevails to the extent required.

3. Personal information we collect

We may collect:

• Account & profile: name, email, phone, password hash, photo, language, marketing preferences, referral codes.
• Booking & commerce: appointments, cart and product orders, addresses, messages in-platform, reviews, support tickets.
• Payments: transaction metadata (we use payment partners; we do not store full card numbers).
• Provider & business data: business profile, services, pricing, staff, verification/KYC documents where required for payouts or compliance.
• Device & technical: IP address, device identifiers, app version, crash logs, coarse location from IP, and—with permission—precise location for features such as travel or nearby search.
• Analytics & communications: product analytics (where consented or permitted), email/SMS/push engagement, attribution identifiers where allowed by your device settings.
• Cookies & similar technologies: as described in our Cookie Policy.
• Inferences: we may derive preferences, fraud risk scores, or segment labels from usage patterns to operate and secure the Platform.

4. Where we get personal information

You provide information when you register, book, list services, pay, message, or contact support. Automatic technologies collect device and usage data when you use the Platform. Third parties may provide information where you connect an account (e.g. sign-in with Apple or Google), where payment partners confirm transaction status, or where providers enter details about appointments.

5. Sensitive, health-related, or special category information

Beauty and wellness services may involve information about allergies, skin conditions, or similar topics that providers record to deliver services safely. Providers who enter such information are typically responsible as controllers for that treatment data. We process it as needed to operate messaging, bookings, and compliance features. Where GDPR applies, we rely on applicable Article 6 and, where relevant, Article 9 bases (such as explicit consent, substantial public interest, or health care/treatment with professional secrecy as permitted by law). Do not upload unnecessary medical records through the Platform unless a feature explicitly requires it.

6. How we use information & legal bases (EEA/UK/CH)

We use data to operate, secure, and improve the Platform; process bookings and payments; provide support; prevent fraud and abuse; comply with law; and send service messages. Where GDPR-style laws apply, we rely on:

• Contract — providing services you request.
• Legitimate interests — security, analytics, product improvement, and marketplace integrity (balanced against your rights).
• Consent — optional marketing, non-essential cookies, or tracking where required.
• Legal obligation — tax, regulatory, or law enforcement requests subject to due process.

7. How we share information

We may share data with: providers you book (to fulfil appointments); payment processors; cloud hosting and email/SMS/push vendors; analytics and attribution partners (subject to your device/app choices); professional advisers; and authorities when required by law. We use contracts (including standard contractual clauses where appropriate) to protect international transfers from the EEA/UK/CH.

8. Retention

We keep information only as long as needed for the purposes above, including legal, tax, and dispute resolution. Inactive accounts may be subject to separate retention or deactivation notices where permitted by law.

9. Security

We implement technical and organisational measures appropriate to the risk (encryption in transit, access controls, monitoring). No method of transmission or storage is 100% secure.

10. Your rights — EEA, UK, Switzerland

You may have rights to access, rectify, erase, restrict processing, data portability, object to certain processing, and withdraw consent. You may lodge a complaint with your local supervisory authority (e.g. ICO in the UK, a lead authority in the EEA, or FDPIC in Switzerland).

11. Your rights — South Africa (POPIA)

You may request access to, correction of, or deletion of personal information we hold, subject to exceptions. You may object to processing and complain to the Information Regulator (South Africa).

12. Your rights — United States

California residents (CPRA): You may have rights to know categories and specific pieces of personal information collected; delete; correct inaccuracies; opt out of sale or sharing (including certain cross-context behavioural advertising); and limit use of sensitive personal information. We do not discriminate for exercising rights. You may use an authorised agent where the law allows.

"Sale" and "sharing": We do not sell personal information for money. We may share data with analytics or advertising partners in ways that some state laws treat as "sharing" for cross-context behavioural advertising; where required we honour opt-out signals and requests.

Financial incentives: we do not offer programmes that require payment of different prices for collecting personal data beyond ordinary loyalty or referral offers described at enrolment.

Other US states: Colorado, Virginia, Connecticut, Utah, and others may grant similar access, deletion, correction, and opt-out rights. Submit requests via our Help centre; we will verify your identity.

11. Your rights — Brazil (LGPD)

You may have rights of confirmation, access, correction, anonymisation, portability, deletion, information about sharing, and revocation of consent, plus complaint to the ANPD.

14. Your rights — Australia

You may access and request correction of personal information. Complaints may be raised with the OAIC if unresolved.

15. Canada & Singapore (brief)

Canada: access and challenge accuracy under PIPEDA or provincial equivalents. Singapore: access and correction rights under PDPA; you may withdraw consent where processing is consent-based.

16. India (DPDPA)

Where the DPDPA applies, you may have rights to access, correction, erasure, grievance redressal, and nomination, as provided by law and our processes.

17. Business transfers

If we are involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction subject to confidentiality and continued protection consistent with this policy.

18. Biometric information

We do not use facial recognition or other biometric verification as a default feature of the Platform. If we launch a feature that processes biometrics, we will provide a separate notice and obtain consent where required.

19. Children

The Platform is not directed to children under the age where parental consent is required in your jurisdiction. We do not knowingly collect personal information from such children without appropriate consent.

20. Automated decisions

We do not use solely automated decision-making that produces legal or similarly significant effects about you, except where disclosed at the point of use or required by law.

21. Third-party links & app stores

Our apps are distributed through Apple App Store and Google Play. Those platforms have their own privacy terms. Links to third-party sites are governed by their policies.

22. Copyright and intellectual property complaints

If you believe content on the Platform infringes your copyright or other rights, contact us through Help & support with enough detail to locate the material and verify your claim. We may remove or disable access to content where appropriate.

23. Changes to this policy

We may update this policy and will post the revised version with a new effective date. Where required, we will notify you or seek consent.

24. Contact

For privacy requests or questions, contact us through Help & support. We will respond within timelines required by applicable law.