Last updated: April 2026 · Effective immediately upon publication
This Privacy Policy is drafted in compliance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000 (“IT Act”), and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”).
This Privacy Policy (“Policy”) is published by SalonSync (“Company”, “we”, “us”, “our”), and governs the collection, use, storage, disclosure, and protection of Personal Data provided by or collected from users (“Data Principals”) of the SalonSync platform, including the mobile application and website (collectively, “Platform”). By accessing or using the Platform, you (the “Data Principal”) consent to the practices described herein. This Policy forms part of and is incorporated into the Terms of Service.
In this Policy, unless the context otherwise requires, the following expressions shall have the meanings assigned to them hereunder:
"Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under Section 2(t) of the DPDP Act, 2023.
"Sensitive Personal Data or Information" ("SPDI") means such personal information as is classified under Rule 3 of the IT (SPDI) Rules, 2011, including financial information, passwords, and biometric data.
"Data Fiduciary" means the Company, which alone or in conjunction with others determines the purpose and means of processing Personal Data, within the meaning of Section 2(i) of the DPDP Act, 2023.
"Data Principal" means the individual to whom the Personal Data relates, as defined under Section 2(j) of the DPDP Act, 2023.
"Data Processor" means any person who processes Personal Data on behalf of a Data Fiduciary, as defined under Section 2(k) of the DPDP Act, 2023.
"Processing" means an operation or set of operations performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
"Consent" means free, specific, informed, unconditional, and unambiguous consent given by the Data Principal through a clear affirmative action, as required under Section 6 of the DPDP Act, 2023.
"OTP" means a One-Time Password transmitted to a registered mobile number for authentication purposes.
"App Token" means a cryptographically signed stateless authentication token generated upon successful login, stored encrypted on the Data Principal's device.
In accordance with the principle of data minimisation under Section 8(3) of the DPDP Act, 2023, we collect only such Personal Data as is necessary for the purposes specified in Clause 4 of this Policy. The following categories of data are collected:
2.1 Identity & Account Data
(a) Mobile phone number — Collected at registration; stored in encrypted form using AES-256 encryption at rest. A one-way SHA-256 hash (“phone_hash”) is additionally stored for privacy-preserving database lookups without decryption of the original number. Constitutes SPDI under Rule 3 of the IT (SPDI) Rules, 2011.
(b) Name — Provided voluntarily during onboarding.
(c) Email address — Optional. If not provided, the system auto-generates a non-functional placeholder in the format phone_XXXX@placeholder.salonsync.app. Placeholder addresses are not used for any communication.
(d) Date of birth, gender, address, city, pincode — Optional profile fields.
(e) Account PIN — A 4-digit numeric security PIN; stored exclusively as a bcrypt hash (cost factor ≥ 12). The plaintext PIN is never stored or logged.
(f) Profile photograph — Uploaded by you or auto-generated; stored on Cloudinary (see Clause 5).
2.2 Authentication & Session Data
(a) OTP verification records — Phone/email identifier, IP address of the OTP request, timestamp, attempt count, and verification result. OTP codes are stored in plaintext temporarily and automatically purged upon expiry (10 minutes) or successful verification, whichever is earlier. Maximum 3 failed attempts permitted per OTP issuance.
(b) App Token — A stateless HMAC-SHA256 signed token (user_id.timestamp.HMAC_signature) generated on each successful authentication event. Stored encrypted on the Data Principal's device via iOS Keychain / Android Keystore (Expo SecureStore). Tokens carry no server-side expiry; validity is predicated on signature integrity. Revoked upon logout.
(c) Web session data — For web browser access: session identifier, user ID, IP address, user agent string, and last activity timestamp stored server-side in Redis. Session lifetime: 120 minutes of inactivity. Session data is encrypted in transit (TLS 1.2+).
(d) Remember-me token — A cryptographically random 64-character token (SHA-256 hashed before storage) set for a 12-month period upon explicit opt-in.
(e) Password reset tokens — SHA-256 hashed random token; valid for the duration configured; single-use.
2.3 Device & Push Notification Data
(a) Expo push notification token — A device-specific token issued by the Expo Push Service (exp.host) upon grant of notification permission by the Data Principal. Stored alongside platform identifier (iOS/Android) and device name (e.g., “Samsung Galaxy A52”).
(b) Token lifecycle — Tokens are deactivated automatically upon rejection by the Expo Push Service (indicating app uninstallation or token rotation) and are deleted upon logout.
Collection of push notification data is conditional upon the Data Principal granting the relevant OS-level permission. Denial of permission does not affect core Platform functionality.
2.4 Location Data
(a) GPS coordinates (foreground, optional) — Latitude and longitude, collected with explicit consent, for proximity-based salon discovery. Denial of location permission does not prevent use of the Platform.
(b) Check-in GPS coordinates (event-based, optional) — At each QR check-in event, the device may capture and transmit GPS coordinates for anti-fraud location verification, subject to location permissions being active at the time.
(c) Saved address data — City, area, and optional coordinates saved by the Data Principal for convenience.
(d) Geocoding queries — Address search strings transmitted to Ola Maps API (primary) and OpenStreetMap Nominatim (fallback) for geocoding. No personally identifiable information is appended to geocoding requests.
2.5 Financial Data
(a) Booking and payment records — Service details, appointment timestamp, amounts (expressed in paise), GST components, discount application, payment status.
(b) Payment gateway references — Razorpay order ID, payment ID, payment method category (UPI / card / netbanking), gateway fee amount, refund IDs, and Razorpay-generated payment signature. No card numbers, CVV codes, UPI PINs, or bank account credentials are collected or stored by the Company. All sensitive payment instrument data is processed exclusively by Razorpay under their PCI-DSS Level 1 certification.
(c) Wallet transaction records — Credit/debit type, amount, source category (topup / refund / referral / promotion / review coins), real-balance and bonus-balance split, balance-before and balance-after snapshots.
(d) Refund records — Amount, reason, refund method, Razorpay refund reference ID, processing status.
Financial information constitutes SPDI under Rule 3(2)(i) of the IT (SPDI) Rules, 2011 and is treated accordingly.
2.6 Behavioural & Operational Data
(a) QR check-in logs — For each check-in event: action type, timestamp, QR code value scanned, IP address, user agent string, device type classification, success/failure status, failure reason (if any), and optionally GPS coordinates. These logs constitute operational records necessary for service delivery and fraud prevention.
(b) No-show records — Timestamp of auto-marking, trigger method.
(c) Review submission metadata — Review content, ratings, tags, photographs, edit history; IP address and user agent at time of submission (retained for moderation and fraud investigation).
(d) Audit logs — All significant system events (booking status changes, payment captures, refund initiation, admin interventions) are logged with: actor user ID, action description, delta of changed data, IP address, and timestamp. Audit logs are retained indefinitely for financial compliance and dispute resolution.
The Company processes Personal Data on the following lawful bases, as recognised under the DPDP Act, 2023 and the IT Act, 2000:
3.1 Consent (Section 6, DPDP Act, 2023)
The Data Principal provides free, informed, and unambiguous consent by completing OTP verification and creating an account. Consent is obtained in plain language prior to data collection. Consent may be withdrawn at any time (see Clause 9.5), subject to the limitations set out therein.
3.2 Contractual Necessity (Section 7(a), DPDP Act, 2023)
Processing is necessary for the performance of a contract to which the Data Principal is a party — specifically, the booking services contract and associated payment and wallet services. Core data (phone number, booking records, payment data) is processed on this basis.
3.3 Legal Obligation (Section 7(b), DPDP Act, 2023)
Processing is necessary for compliance with legal obligations applicable to the Company, including: maintenance of financial records under the Goods and Services Tax Act, 2017; compliance with lawful orders of courts, tribunals, or government authorities; and obligations under the IT Act, 2000 and rules made thereunder.
3.4 Legitimate Uses (Section 7(f), DPDP Act, 2023)
Processing of certain data (e.g., audit logs, check-in IP records, review metadata) is necessary for the prevention, detection, investigation, or prosecution of offences or contraventions of law, and for exercising legal rights and claims — constituting legitimate uses under the DPDP Act.
In accordance with the purpose limitation principle under Section 8(3) of the DPDP Act, 2023, Personal Data shall be processed only for the following specified, explicit, and legitimate purposes:
4.1 Authentication & Account Management
Verifying identity via OTP; maintaining secure sessions; enabling account recovery; detecting and preventing unauthorised access.
4.2 Service Delivery & Fulfilment
Processing and confirming bookings; facilitating QR check-in and attendance verification; tracking service completion; managing StylePass redemptions.
4.3 Payment Processing & Financial Management
Processing payments via Razorpay; managing wallet credits and debits; processing refunds; settling salon earnings; maintaining financial records for GST compliance.
4.4 Fraud Prevention & Security
Detecting and investigating fraudulent transactions, QR manipulation, fake reviews, referral abuse, and account compromise; maintaining audit trails for evidence preservation.
4.5 Communications & Notifications
Transmitting transactional communications (booking confirmations, cancellation alerts, refund notifications, OTPs) via SMS (MSG91/Twilio), email (Brevo/Resend), and push notifications (Expo).
4.6 Personalisation & Discovery
Displaying geographically proximate salons; surfacing relevant offers; remembering user preferences to reduce friction.
4.7 Legal Compliance & Dispute Resolution
Maintaining records mandated by applicable Indian law; responding to lawful judicial or governmental orders; preserving evidence for dispute resolution; exercising and defending legal rights.
4.8 Platform Analytics & Improvement
Analysing aggregated and de-identified usage patterns for platform improvement. No individual profiling for advertising purposes.
4.9 No Secondary Use: Personal Data shall not be processed for any purpose beyond those specified above without obtaining fresh, specific consent from the Data Principal, in compliance with Section 6(3) of the DPDP Act, 2023.
The Company engages the following Data Processors pursuant to written data processing agreements that impose obligations commensurate with those applicable to the Company under the DPDP Act, 2023 and the IT (SPDI) Rules, 2011. Each processor receives only the minimum data necessary for their designated function.
Razorpay Software Private Limited — Payment Processing
Data shared: Payment amount, Razorpay-generated order parameters, Data Principal's contact details (phone/email) for payment confirmation, and saved payment instrument tokens for auto-charge functionality (salon subscriptions only). Not shared: Full payment card numbers, CVV, or UPI credentials — these are collected directly by Razorpay's PCI-DSS Level 1 certified infrastructure and never transmitted to the Company. Razorpay's Privacy Policy governs their independent data processing.
MSG91 (Walkover Web Solutions Pvt. Ltd.) / Twilio Inc. / TextLocal — SMS Delivery
Data shared: Registered mobile phone number and SMS message content (OTP, booking notifications). MSG91 is the primary provider for India (DLT-registered sender ID: SALSYN); Twilio serves as global fallback. TextLocal is available as an auxiliary provider. Only one provider receives a given message; parallel transmission does not occur. DLT template compliance maintained as mandated by TRAI regulations.
Brevo (formerly Sendinblue) / Resend — Email Delivery
Data shared: Email address and email content for transactional communications (booking confirmations, refund notifications, PIN resets). Data is not used by these providers for their own marketing or profiling.
Expo Push Service (Expo, Inc.) — Push Notification Delivery
Data shared: Device push token, notification title, body, and data payload. Expo acts as an intermediary, forwarding notifications to Apple APNs (iOS) and Google FCM (Android). The Company does not transmit personally identifiable information directly to Apple or Google beyond what is inherent in the Expo push infrastructure.
Ola Maps (ANI Technologies Pvt. Ltd.) / OpenStreetMap Nominatim — Geocoding
Data shared: Address search string or GPS coordinates for geocoding/reverse geocoding. No user account identifiers are transmitted alongside location queries. Nominatim (OpenStreetMap) is a free, open-source fallback with no API key authentication; queries are anonymised.
Cloudinary (Cloudinary Ltd.) — Media Storage & Delivery
Data shared: Profile photographs, salon media, staff photographs, and review photographs uploaded by Data Principals or salon partners. Files are stored under the Company's Cloudinary account. Cloudinary does not independently access or process uploaded media for any purpose other than storage and CDN delivery.
5.7 Cross-Border Transfers: Some Data Processors (Twilio, Cloudinary, Expo, Resend) may process data in jurisdictions outside India. Such transfers are effected pursuant to contractual safeguards including standard contractual clauses, and are subject to the cross-border transfer provisions to be notified under the DPDP Act, 2023. By using the Platform, you acknowledge and consent to such transfers to the extent necessary for the provision of services.
The Company implements reasonable security practices and procedures as mandated under Section 43A of the IT Act, 2000 read with Rule 8 of the IT (SPDI) Rules, 2011. The following technical and organisational measures are maintained:
7.1 Encryption at Rest
Phone numbers: AES-256 encryption. PINs: bcrypt hashing. Reset tokens: SHA-256 hashing. No sensitive data stored in plaintext.
7.2 Encryption in Transit
All data transmissions use TLS 1.2 or higher. App Token integrity enforced via HMAC-SHA256 verification on every API request.
7.3 Payment Data Security
No payment card data traverses or is retained by Company systems. Payment processing delegated entirely to Razorpay (PCI-DSS Level 1). Webhook payloads verified via HMAC-SHA256 signature before processing.
7.4 Device-Side Security
Auth tokens and sensitive user data stored in iOS Keychain / Android Keystore via Expo SecureStore. Inaccessible to other applications on the device.
7.5 Access Controls
Internal access to Personal Data is restricted on a need-to-know basis via role-based access controls. All privileged access events are logged in the audit trail.
7.6 Financial Transaction Integrity
Wallet credits, debits, escrow operations, and settlement transactions are protected by database-level row locking (SELECT ... FOR UPDATE) to prevent race conditions and double-processing.
7.7 Limitation: Notwithstanding the foregoing, no information security system provides absolute protection. The Company cannot guarantee that unauthorised third parties will never defeat these measures. In the event of a Personal Data Breach as defined under Section 2(u) of the DPDP Act, 2023, the Company shall notify the Data Protection Board of India and affected Data Principals in accordance with Section 8(6) of the DPDP Act, 2023 and applicable rules.
In accordance with the storage limitation principle under Section 8(7) of the DPDP Act, 2023, Personal Data shall not be retained beyond the period necessary for the stated purpose or as required by law. The following retention schedule applies:
| Category | Retention Period | Justification |
|---|---|---|
| OTP records | 10 minutes or upon verification | Single-use authentication; auto-purged |
| Web session data | 120 minutes of inactivity | Session management |
| Device push tokens | Until logout or invalidation by push provider | Notification delivery |
| Account / profile data | Duration of account; anonymised on deletion | Contractual necessity |
| Booking records | Indefinite (minimum 8 years) | GST Act, 2017 — records retention |
| Payment / refund records | Indefinite (minimum 8 years) | Tax compliance, dispute resolution |
| Wallet transactions | Indefinite | RBI PPI guidelines, financial reconciliation |
| Audit logs | Indefinite | Legal compliance, fraud investigation |
| QR check-in logs | Indefinite | Dispute resolution, fraud prevention |
| Reviews | Indefinite or upon erasure request (where permissible) | Platform integrity |
8.1 Post-Deletion Retention: Upon account deletion, the Data Principal's profile information (name, email, phone, address) shall be anonymised or pseudonymised. Financial records, booking records, payment records, and audit logs associated with the account shall be retained in compliance with statutory obligations under the GST Act, 2017 and other applicable legislation, and such retained records shall not be used for any purpose other than legal compliance, financial reconciliation, and dispute resolution.
Pursuant to Sections 11 through 14 of the DPDP Act, 2023, Data Principals have the following rights, exercisable by contacting the Grievance Officer (Clause 11):
9.1 Right to Access Information (Section 11, DPDP Act)
You have the right to obtain a summary of the Personal Data processed by the Company, the processing activities being undertaken, and the identities of Data Processors to whom data has been disclosed. Core data is directly accessible through the Platform (booking history, wallet transactions, profile details).
9.2 Right to Correction and Erasure (Section 12, DPDP Act)
You have the right to correct inaccurate or misleading Personal Data. Profile data may be corrected directly through the Edit Profile screen. You have the right to request erasure of Personal Data that is no longer necessary for the specified purposes. Erasure requests are processed within 30 days, subject to statutory retention obligations set out in Clause 8 — specifically, financial and transactional records which must be retained under applicable law and cannot be erased.
9.3 Right to Grievance Redressal (Section 13, DPDP Act)
You have the right to have your grievances regarding processing of your Personal Data redressed. Grievances must be raised with the Grievance Officer (see Clause 11) and shall be responded to within 30 days of receipt, as mandated under the DPDP Act, 2023 and Rule 12 of the IT (Intermediary Guidelines) Rules, 2021.
9.4 Right to Nominate (Section 14, DPDP Act)
You have the right to nominate an individual who shall, in the event of your death or incapacity, exercise your rights under Sections 11 to 13 of the DPDP Act, 2023 on your behalf. To register a nominee, contact the Grievance Officer.
9.5 Right to Withdraw Consent (Section 6(4), DPDP Act)
Consent may be withdrawn at any time by contacting the Grievance Officer or by requesting account deletion. Withdrawal of consent for core data processing (e.g., phone number for authentication) will necessarily terminate your ability to use the Platform, as such processing is foundational to service delivery. Withdrawal shall not affect the lawfulness of processing undertaken prior to withdrawal.
9.6 Complaint to Data Protection Board
If your grievance is not resolved to your satisfaction, you have the right to make a complaint to the Data Protection Board of India established under Section 18 of the DPDP Act, 2023, after exhausting the Company's internal grievance mechanism.
The Platform is intended exclusively for individuals who have attained the age of majority (18 years) under applicable Indian law. In accordance with Section 9 of the DPDP Act, 2023, the Company does not knowingly process Personal Data of children (persons under 18 years of age) without verifiable parental consent. If the Company becomes aware that Personal Data of a child has been collected without appropriate consent, it shall take prompt steps to erase such data. Any person aware of such a situation is requested to notify the Grievance Officer immediately at support@salonsync.com.
The Company reserves the right to amend this Policy at any time. In the event of material amendments affecting Data Principals' rights or the nature of data processing, prior notification shall be provided via push notification or registered email at least 7 days before the amended policy takes effect. Continued use of the Platform after the effective date of an amended Policy constitutes acceptance of the changes. Data Principals who do not accept the amended Policy should discontinue use and may request account deletion per Clause 9.2.
In accordance with the IT Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (Rule 3(2)(b)), and the DPDP Act, 2023, the Company has designated a Grievance Officer to address complaints and concerns relating to Personal Data processing:
Contact Details
Designation: Grievance Officer, SalonSync
Email: support@salonsync.com
Subject Line: “Privacy Grievance” or “DPDP Act Request”
Resolution Timeline
• Acknowledgement: within 48 hours
• Resolution: within 30 days of receipt
• Escalation to Data Protection Board available if unresolved
Governing Law: This Policy is governed by the laws of the Republic of India. Disputes arising under this Policy shall be subject to the exclusive jurisdiction of courts of competent jurisdiction in Bengaluru, Karnataka, India.
This Privacy Policy is governed by the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000 (India). Jurisdiction: Bengaluru, Karnataka.
© 2026 StyloSynk. All rights reserved. A product of Synauratech Pvt Ltd.