STAILER

Privacy Policy

Last updated: April 1, 2026

This Privacy Policy explains how Stailer Corporation ("Stailer," "we," "us," or "our") collects, uses, stores, shares, and protects personal data when you use the Stailer platform, including its website, mobile applications, and all related services (collectively, the "Platform"). We are committed to protecting your privacy and processing your data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act ("CCPA"), and all other applicable data protection laws.

Table of Contents

  1. Data Controller
  2. Categories of Personal Data
  3. Purposes and Legal Bases
  4. Data Retention
  5. Data Sharing and Recipients
  6. International Data Transfers
  7. Your Rights
  8. Data Security
  9. Cookies and Tracking Technologies
  10. Children and Minors
  11. Data Processing Roles
  12. Data Breach Notification
  13. Changes to This Policy
  14. Contact Us

1. Data Controller

The data controller for personal data processed through the Platform is: Stailer Corporation, 1111B S Governors Ave, STE 23978, Dover, DE 19904, USA.

For inquiries related to data protection, you may contact us at: privacy@stailer.app.

2. Categories of Personal Data

We do not intentionally collect special categories of personal data (e.g., health data, racial or ethnic origin). If you voluntarily provide such information (e.g., product allergies in appointment notes), we process it solely to deliver the requested service.

  • Account Data: Name, email address, phone number, hashed password, account role (client or professional). Source: provided directly by you. Legal basis: performance of a contract, Art. 6(1)(b) GDPR.
  • Business Profile Data: Business name, tax identification number, business address, professional licenses, IBAN, salon photos, service catalog and pricing. Source: provided directly by you. Legal basis: performance of a contract, Art. 6(1)(b) GDPR.
  • Booking Data: Service type, appointment date and time, client preferences, cancellation and attendance history. Source: generated through Platform use. Legal basis: performance of a contract, Art. 6(1)(b) GDPR.
  • Payment Data: Last four digits of payment card, payment processor token, transaction status, invoices. Source: payment processor (Stripe). Legal basis: performance of a contract, Art. 6(1)(b) GDPR; legal obligation, Art. 6(1)(c) GDPR.
  • Technical Data: IP address, device type, operating system, browser type, error logs, push notification token. Source: collected automatically. Legal basis: legitimate interest, Art. 6(1)(f) GDPR.
  • Marketing Data: Newsletter subscription status, campaign interaction data, advertising preferences. Source: provided by you or collected automatically. Legal basis: consent, Art. 6(1)(a) GDPR.
  • AI Feature Data: Optional selfie photos, hair color preferences, reference images for the Look Simulator. Source: provided directly by you. Legal basis: explicit consent, Art. 9(2)(a) GDPR.

3. Purposes and Legal Bases

  • Service Delivery: Account creation, appointment processing, payment handling, and customer support — legal basis: contract performance.
  • Platform Improvement: Statistical analysis, A/B testing, error monitoring, and feature development — legal basis: legitimate interest.
  • Marketing: Newsletters, push notifications, and promotional campaigns — legal basis: consent (opt-in only).
  • AI Features: Generating look simulations, AI call assistance, chatbot interactions, and personalized recommendations — legal basis: consent and/or contract performance.
  • Legal Compliance: Fraud prevention, tax reporting, accounting obligations, and responses to lawful authority requests — legal basis: legal obligation.

4. Data Retention

  1. Account and booking data: Retained for 5 years from last account activity, in accordance with applicable tax and accounting requirements.
  2. Technical logs: Retained for 12 months, then automatically deleted.
  3. Marketing data: Retained until you withdraw consent or after 3 years of inactivity, whichever comes first.
  4. AI feature data (selfies, reference images): Automatically deleted after 30 days unless you explicitly choose to save them in your portfolio.

5. Data Sharing and Recipients

We do not sell, rent, or trade personal data to third parties for their independent marketing purposes.

  • Service Processors: Stripe (payment processing), Amazon Web Services (cloud infrastructure), Twilio (SMS and voice services), OpenAI (AI language processing), Google Cloud (analytics and AI services). All processors operate under Data Processing Agreements incorporating Standard Contractual Clauses where required.
  • Partners and Clients: Salon partners can view booking data for their appointments; clients can view public business profiles and service listings.
  • Legal Authorities: We disclose data only when legally required to do so by applicable law, regulation, or court order.

6. International Data Transfers

Our primary infrastructure is hosted on Amazon Web Services in the EU (Frankfurt, Germany). Certain third-party services (e.g., OpenAI, Twilio) may process data in the United States.

For transfers outside the European Economic Area, we rely on Standard Contractual Clauses (Commission Implementing Decision 2021/914/EU), supplementary technical measures including encryption in transit and at rest, and, where applicable, adequacy decisions by the European Commission.

7. Your Rights

To exercise any of these rights, contact us at privacy@stailer.app. We will respond within 30 days, or within the timeframe required by applicable law.

  • Right of Access: Obtain confirmation of whether your data is being processed and request a copy.
  • Right to Rectification: Correct inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
  • Right to Restriction: Request that processing of your data be restricted under certain circumstances.
  • Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to Object: Object to processing based on legitimate interest, including profiling and direct marketing.
  • Right to Withdraw Consent: Withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.
  • Right to Lodge a Complaint: You may file a complaint with the data protection supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement. For U.S. residents, you may contact the relevant state attorney general.

8. Data Security

We implement industry-standard technical and organizational measures to protect your personal data, including encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, regular security assessments, and employee training. However, no system is completely secure, and we cannot guarantee absolute security.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to operate the Platform, remember your preferences, and analyze usage patterns. For detailed information about the cookies we use and how to manage your preferences, please see our Cookie Policy at stailer.app/cookies.

10. Children and Minors

The Platform is intended for users aged 18 and older. We do not knowingly collect personal data from individuals under 18. If we become aware that we have inadvertently collected data from a minor, we will take steps to delete it promptly.

11. Data Processing Roles

Stailer acts as a data controller for data processed to operate the Platform, manage user accounts, and provide our services.

When Partners use the Platform to manage their client relationships (e.g., appointment records, client communications, marketing to their own clients), Stailer may act as a data processor on behalf of the Partner. In such cases, the Partner is the data controller and bears responsibility for having a lawful basis for the processing. Partners may request a Data Processing Agreement (DPA) by contacting legal@stailer.app.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Stailer will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to affected individuals, we will also notify them directly without undue delay.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. The "Last updated" date at the top of this page indicates when this policy was most recently revised.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Stailer Corporation, 1111B S Governors Ave, STE 23978, Dover, DE 19904, USA. Email: privacy@stailer.app.

© 2026 Stailer Corporation. All rights reserved.