Saaty/Legal

Saaty Legal

Privacy Policy

Effective 1. August 2026 · Version 1.0

This document is provided in English; the English version governs.

This document contains bracketed placeholder values and is pending final legal review.

1. Who is responsible for your data

This Privacy Policy explains how [COMPANY LEGAL NAME], [COMPANY REGISTERED ADDRESS] (“Saaty”, “we”) processes personal data when you use the Saaty booking platform. It is written to meet the EU/UK GDPR as a global baseline, plus the CCPA/CPRA (California), LGPD (Brazil), PIPEDA (Canada), and similar laws. [DPO NAME AND CONTACT, OR A STATEMENT THAT NO DPO IS APPOINTED]. Privacy contact: privacy@saaty.app.

Two roles. For your Saaty account, platform analytics, and our own marketing, Saaty is the data controller. For booking and customer data that a business (salon, spa, etc.) manages about its customers through the platform, that business is the controller and Saaty is its processor, acting under our Data Processing Addendum. Requests about a business’s customer records may be referred to that business.

2. What we collect

  • Account data — name, email, phone number (verified at point of need), password hash, profile photo, preferred language, account type.
  • Booking data — services booked, appointment times, chosen staff, booking references, notes you add, cancellations and no-shows.
  • Business data (business users) — business name, address, opening hours, services, prices, staff schedules, brand assets, gallery images.
  • Payment data — handled by our payment processors (e.g. Stripe); we receive payment status and a customer/payment reference, never full card numbers.
  • Communications — emails, SMS, and in-app notifications we send you, and messages you send to support; delivery and open metadata.
  • Reviews — ratings, review text, and edit history you submit.
  • Technical data — IP address, device and browser type, log data, and cookie identifiers (see the Cookie Policy).
  • OAuth data — if you sign in with Google or Facebook: your name, email, and profile picture from that provider.
  • Consent records — which versions of our legal documents you accepted, when, and through which flow.

We do not intentionally collect special-category data. Free-text fields (e.g. booking notes) should not be used for health or other sensitive information beyond what the service inherently requires.

3. Why we process it, and on what legal basis

PurposeExamplesLegal basis (GDPR)
Providing the platformAccounts, bookings, schedules, notifications about your bookingsContract performance (Art. 6(1)(b))
Payments and billingProcessing payments, invoices, fraud preventionContract; legal obligation (Art. 6(1)(b), (c))
Safety and securityAuthentication, rate limiting, abuse and fraud detection, audit logsLegitimate interests (Art. 6(1)(f))
Service communicationsBooking confirmations, reminders, security alertsContract performance
MarketingNewsletters and campaigns — always with unsubscribeConsent, or legitimate interest for existing customers, per local law
Product improvementAggregated usage statistics, debuggingLegitimate interests
Legal complianceTax and accounting records, responding to lawful requestsLegal obligation (Art. 6(1)(c))

Automated scheduling. Appointment slots are computed by an optimization engine using availability, staff schedules, and resource constraints. This does not produce legal or similarly significant effects about you and is not profiling within the meaning of GDPR Art. 22.

4. Who we share data with

  • The business you book with — your booking details, name, and contact information needed to deliver the service.
  • Service providers (processors) — hosting and database infrastructure, Cloudinary (image hosting), Resend (email delivery), Twilio (SMS), Stripe (payments), and Google (calendar sync, where you connect it). Each is bound by a data processing agreement.
  • Authorities — where required by law or to protect rights, safety, or the integrity of the platform.
  • Corporate transactions — a merger, acquisition, or asset sale, with notice to you.

We do not sell your personal data and we do not share it with third parties for their own cross-context behavioral advertising.

5. International transfers

We operate worldwide, so your data may be processed outside your country. Where data leaves the EU/EEA, UK, or another jurisdiction with transfer restrictions, we rely on adequacy decisions where available and otherwise on the European Commission’s Standard Contractual Clauses (or the UK IDTA / local equivalent), with supplementary measures where appropriate. A copy of the relevant safeguards can be requested at privacy@saaty.app.

6. How long we keep data

  • Account data — for the life of your account. You can delete your account at any time (Account → Privacy): accounts with no history are deleted immediately; others are scheduled with a 30-day grace window, after which identifying fields are permanently scrubbed.
  • Booking and review records — retained for the business’s legitimate record-keeping after account deletion, with your identity replaced (shown as “former customer”).
  • Financial records — as long as tax and accounting law requires (typically 7–10 years).
  • Logs and security data — short rolling windows, typically 30–90 days.
  • Consent records — for as long as needed to demonstrate compliance.

7. Your rights

Subject to your local law, you have the right to access, correct, delete, port, and restrict or object to the processing of your personal data, and to withdraw consent at any time without affecting prior processing. You will not be discriminated against for exercising your rights.

  • Self-service — export a copy of your data and delete your account under Account → Privacy; manage notification preferences under Account → Notifications; unsubscribe links appear in every marketing email.
  • By request — email privacy@saaty.app. We respond within one month (GDPR) or 45 days (CCPA), extendable as the law allows. We may need to verify your identity first.
  • Appeals and complaints — you may lodge a complaint with your local supervisory authority (EU/EEA), the ICO (UK), or your state Attorney General (US). We would appreciate the chance to resolve concerns first.
  • California — the rights to know, delete, correct, and opt out of sale/sharing apply. We do not sell or share personal information as defined by the CCPA/CPRA, and we do not use or disclose sensitive personal information beyond permitted purposes. Authorized agents may submit requests with proof of authorization.
  • Brazil (LGPD) — you additionally have the right to information about public and private entities with which we shared data, and to review of automated decisions.

8. Security

We apply technical and organizational measures appropriate to the risk: encryption in transit, hashed passwords, role-based access control, unguessable booking references, rate limiting, audit logging, and segregated environments. No system is perfectly secure; if a breach is likely to result in a high risk to you, we will notify you and the competent authority as the law requires.

9. Children

The platform is not directed at children under 16, and we do not knowingly collect their data without a parent or guardian’s involvement. Parents and guardians may book services on a minor’s behalf. If you believe a child has created an account, contact privacy@saaty.app and we will delete it.

10. Changes to this policy

We may update this policy as the platform or the law evolves. Material changes are announced by email or in-product notice at least 30 days before they take effect, and each version carries a version number and effective date. Continued use after the effective date constitutes acknowledgment of the updated policy; where consent is legally required for a change, we will ask for it.

11. Contact

Privacy requests: privacy@saaty.app · Legal: legal@saaty.app · Postal: [COMPANY LEGAL NAME], [COMPANY REGISTERED ADDRESS].