Privacy Policy
Last updated: 10 June 2026
1. Who we are
ArturaOS ("we", "us", "our") is a software platform that provides beauty salon management tools. We act as a data processor on behalf of the salons that use our platform (the data controllers). This policy explains how we handle personal data in compliance with the General Data Protection Regulation (GDPR) and applicable EU/EEA data protection laws.
Contact: privacy@arturaos.com
2. Data we collect
2.1 Salon administrators
- Account data: name, email address, phone number
- Business data: salon name, address, logo
- Usage data: login timestamps, IP addresses (for security)
- Session data: access tokens, device information
2.2 End clients of salons
Salons enter their clients' data into the platform. This may include:
- Identity data: first name, last name, date of birth, gender
- Contact data: email, phone, address
- Health data: allergies, medical notes (special category data under Art. 9 GDPR)
- Appointment history and payment records
- Photos (before/after, portfolio — only with explicit consent)
3. Legal basis for processing
| Purpose | Legal basis |
|---|---|
| Providing the service | Art. 6(1)(b) — Contractual necessity |
| Appointment reminders | Art. 6(1)(f) — Legitimate interests |
| Email marketing | Art. 6(1)(a) — Consent |
| SMS marketing | Art. 6(1)(a) — Consent |
| Photo use (portfolio) | Art. 6(1)(a) — Consent |
| Health/allergy data | Art. 9(2)(a) — Explicit consent |
| Financial records | Art. 6(1)(c) — Legal obligation |
| Security & fraud prevention | Art. 6(1)(f) — Legitimate interests |
4. Your rights under GDPR
You have the following rights:
- Right of access (Art. 15) — request a copy of your personal data
- Right to rectification (Art. 16) — correct inaccurate data
- Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten")
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interests
- Right to withdraw consent — at any time, without affecting prior processing
To exercise your rights, contact the salon that holds your data directly, or email us at privacy@arturaos.com. We will respond within 30 days.
5. Data retention
- Client appointment records: 10 years (legal/tax obligation)
- Client personal data: until erasure is requested or the account is closed
- Access/audit logs: 2 years
- Notification preferences: until withdrawn
- Uploaded photos: until deleted by the salon or client
6. Data transfers
We host data on servers in Germany (EU). Sub-processors include:
- Cloud infrastructure: EU-based servers
- Email delivery: SMTP provider with DPA in place
- Error monitoring: Sentry (US — covered by EU Standard Contractual Clauses)
7. Cookies
We use only strictly necessary session cookies for authentication. We do not use tracking, advertising, or analytics cookies.
8. Changes to this policy
We will notify you of material changes by email or in-app notification at least 30 days before they take effect.
9. Contact & supervisory authority
Data Protection Officer: dpo@arturaos.com
You have the right to lodge a complaint with your local supervisory authority. For Germany: Bundesbeauftragte für den Datenschutz (BfDI).