Salon Ally ← Back to Home

Privacy Policy

Last updated: February 2026

At Salon Ally, we take your privacy seriously. This Privacy Policy explains how we collect, use, and protect information when you use our AI-powered salon management platform, including our scheduling, messaging, call intelligence, email management, and related services.

1. Information We Collect

Account & Authentication Data

• Registration Information: Name, email address, phone number, salon business name, and role
• Credentials: Passwords are hashed using Argon2id (the current industry gold standard) and are never stored in plaintext
• Authentication Tokens: Short-lived session tokens with automatic rotation; refresh tokens for persistent sessions
• Invite Records: Email address and role when staff are invited to join a workspace

Salon & Business Data

• Workspace Configuration: Salon name, locations, business hours, service menus, pricing, and staff profiles
• Appointment Data: Bookings, reschedules, cancellations, holds, waitlist entries, and availability records
• Client Records: Client names, contact information, appointment history, preferences, VIP tiers, family links, and service notes
• Register & Transaction Data: Checkout records, payment summaries, and discount applications

Communication Data

• SMS Messages: Inbound and outbound text messages between your salon and clients, processed for AI-assisted response drafting
• Phone Calls: Call metadata (caller ID, duration, timestamps) and transcripts when available from your telephony provider, used for call intelligence and coaching analysis
• Email: Email threads sent and received through connected IMAP/SMTP accounts, including headers, body content, and attachments for AI-assisted drafting
• Cross-Channel Memory: AI maintains conversation context across SMS, calls, and email so that relevant history is available regardless of channel

AI Processing Data

• Proposals & Actions: AI-generated action proposals (booking, rescheduling, replying), staff approval/rejection decisions, and edit history
• Call Analysis: AI-generated coaching scorecards, sentiment analysis, and behavioral flags derived from call transcripts
• Audit Logs: Every action in the system is logged with actor identity, timestamp, and action details for accountability
• AI Model Tokens: Service tokens used to communicate with AI model providers; these do not contain your personal data

Technical & Usage Data

• Device Information: Browser type, operating system, and screen size for optimization
• Usage Patterns: Feature usage, page views, and interaction metrics to improve the platform
• Error Logs: Technical error reports for debugging and reliability

2. How We Use Information

Core Platform Operations

• Manage appointments, scheduling, and waitlist matching
• Process and display client communications across SMS, phone, and email
• Generate AI-assisted response drafts and action proposals for staff approval
• Analyze phone calls for coaching insights, rebook opportunities, and service quality
• Maintain cross-channel conversation context for continuity
• Record audit trails for every system action

Business Intelligence

• Generate dashboard KPIs, analytics, and performance reports
• Produce call coaching scorecards and trend analysis
• Surface alerts, flags, and triage recommendations

Account Administration

• Authenticate users and enforce role-based access controls
• Manage multi-tenant workspace isolation
• Process billing and subscription management
• Provide customer support

3. Multi-Tenant Data Isolation

Salon Ally is built on a multi-tenant architecture where each salon workspace is fully isolated:

• Each workspace's data is logically separated and cannot be accessed by other workspaces
• Staff members only see workspaces they have been explicitly invited to
• Role-based access controls limit what each staff member can view and do within a workspace
• Platform administrators have separate access paths and cannot view salon-level client data without explicit authorization

4. Data Storage & Security

• Encryption in Transit: All data transmitted via HTTPS/TLS
• Password Security: Hashed with Argon2id; never stored or transmitted in plaintext
• Token Management: Short-lived access tokens with automatic rotation; refresh tokens stored securely
• Email Credentials: IMAP/SMTP passwords are encrypted at rest and redacted in all API responses
• Audit Logging: Immutable logs of all actions including actor, timestamp, and details
• Infrastructure: Hosted on secure cloud infrastructure with SOC 2 compliance standards
• Backups: Regular automated backups with encryption

5. AI & Third-Party Processing

• AI Model Providers: Conversation and call data is processed by AI model providers to generate response drafts, proposals, and analysis. We use service tokens (not your credentials) for these API calls.
• No Training on Your Data: Your salon's conversations and client data are not used to train AI models. Processing is inference-only.
• Telephony Providers: Call metadata and transcripts are received from your connected phone system provider
• Email Providers: Email is fetched via IMAP and sent via SMTP through your configured mail server

6. Data Sharing

We do NOT:

• Sell any data to third parties
• Share client data between different salon workspaces
• Use client data for marketing without explicit consent
• Provide AI model providers with more data than needed for processing

We only share data:

• With your explicit consent
• To comply with legal obligations
• With service providers who help us operate (e.g., hosting, AI processing, payment processing)

7. Data Retention

• Communication Data: Retained while your account is active for cross-channel context
• Audit Logs: Retained for a minimum of 12 months for accountability
• Call Analysis: Retained while your account is active; anonymized after account closure
• Analytics Data: Aggregated and anonymized after 90 days
• Account Data: Retained while account is active + 90 days after closure
• Backups: Rotated every 14 days

8. Your Rights

You have the right to:

• Access your data
• Correct inaccurate data
• Request deletion of your data
• Export your data in a standard format
• Opt-out of AI-assisted processing (manual mode)
• Revoke connected email or phone integrations at any time

9. Cookies

We use minimal, necessary cookies:

• Session Cookies: To maintain your authenticated session
• Preference Cookies: To remember your settings
• Affiliate Cookies (marketing site only): If you visit from an affiliate link (e.g., with ?ref=CODE), we set a referral cookie to attribute pricing and inquiries to the referring partner. This cookie contains only the referral code and expires after 60 days (or a shorter period if configured).

We do NOT use advertising cookies. Referral cookies are used solely for affiliate attribution on the marketing site and are not present in the application.

10. Children's Privacy

Our service is not directed to individuals under 16. We do not knowingly collect information from children under 16.

11. Changes to This Policy

We may update this policy from time to time. We will notify workspace owners of any material changes via email.