Privacy Policy
Last updated: May 11, 2026
1. Introduction
Day Spa Data LLC ("Company," "we," "us," or "our") respects your privacy and is committed to protecting the personal and business data you entrust to us. This Privacy Policy describes how we collect, use, share, and protect information when you use the Day Spa Data platform ("the Service").
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
2. Information We Collect
Account information: When you create an account, we collect your name, email address, role within your organization, and associated location assignments. Account creation is managed by your organization's administrator.
Spa business data: We extract operational data from your spa management software via its CDC (Change Data Capture) API. This includes:
- Appointment and scheduling data
- Sales transactions (services, retail, gift cards)
- Employee schedules, time clock records, and performance metrics
- Client visit history (visit dates, services received, frequency)
- Gift card issuance, redemptions, and balances
- Revenue, payment, and discount information
This data belongs to you. We process it solely to provide analytics dashboards and related features of the Service.
Client personal information: Source data may include your spa clients' names, contact information, and visit history. We treat this information as confidential business data and process it only as necessary to provide the Service. We do not use spa client data for marketing, profiling, or any purpose outside of providing analytics to you.
Usage data: We automatically collect information about how you interact with the Service, including pages viewed, features used, login timestamps, browser type, device information, and IP address. This data helps us improve the Service and diagnose technical issues.
Security audit logs: We log security-related events such as login attempts, terms acceptance, and administrative actions. These logs include your IP address, user agent, and timestamp, and are used solely for security monitoring, incident investigation, and compliance purposes.
Inquiry and communication data: When you submit a demo request, contact form, or support request, we collect the information you provide (name, email, message content).
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide the Service: Extract, transform, store, and display your spa management data as analytics dashboards
- Authentication and access control: Verify user identity and enforce role-based permissions (Super Admin, Executive, Manager, Employee)
- Service communications: Send account setup notifications, data freshness alerts, maintenance notices, and security alerts
- Support: Respond to your inquiries, troubleshoot issues, and provide technical assistance
- Improvement: Analyze usage patterns to improve Service functionality, performance, and user experience
- Security: Detect, investigate, and prevent fraudulent or unauthorized access to the Service
- Legal compliance: Comply with applicable laws, regulations, legal processes, or enforceable governmental requests
We do not use your business data or spa client data for advertising, marketing to third parties, or any purpose other than providing and improving the Service.
AI Data Analyst: The Service includes an optional AI-powered analytics feature ("AI Data Analyst") that allows you to ask natural-language questions about your business data. When you use this feature, your query and relevant business data retrieved from the data warehouse — which may include client names, employee names, revenue figures, and performance metrics — are sent to Anthropic, our third-party AI language model provider, to generate a response.
Anthropic processes this data to generate a response to your query and does not use data submitted via its API for model training or improvement. Anthropic may retain API inputs and outputs for a limited period for abuse monitoring and safety purposes; see Anthropic's data usage policy for current retention details.
AI Data Analyst conversations are stored in our database (Supabase) and are subject to the same data retention and deletion policies described in Section 6. The same role-based access controls and location filtering that apply to the dashboard also apply to the AI Data Analyst — users can only query data they are authorized to access.
4. Data Sharing and Third-Party Processors
We do not sell your data. We do not share, rent, or trade your personal or business data with third parties for their marketing or advertising purposes.
We use the following third-party service providers ("sub-processors") to operate the platform. Each acts as a data processor under our direction and is contractually bound to protect your data:
- Google Cloud Platform (BigQuery, Cloud Run, Cloud Scheduler): Data warehouse, compute infrastructure, and ETL pipeline hosting. Data stored in the us-east1 region.
- Supabase: User authentication (login, sessions, password management) and user metadata storage. Hosted in a US region.
- Vercel: Dashboard web application hosting and content delivery.
- Resend: Transactional email delivery for account notifications, password resets, and inquiry form submissions.
- Your spa management software vendor: Source spa management platform. We access your data via their API with your authorization.
- Sentry: Error monitoring and performance tracking. In production, application errors and associated request metadata (URL, browser, stack traces) are sent to Sentry to help us identify and fix issues. No spa client data is intentionally included in error reports.
- PostHog: Product analytics (when enabled). When active, page views, feature usage events, and basic user identifiers (email, name, role) are sent to PostHog to help us understand how the Service is used and improve it.
- Stripe: Subscription billing and payment processing. Stripe processes your payment information (credit card, billing address) on our behalf. We do not store full payment card details on our servers.
- Anthropic: AI language model provider for the AI Data Analyst feature. When you use the AI Data Analyst, your query and retrieved business data are sent to Anthropic to generate a response. Anthropic does not retain data beyond the API request lifecycle and does not use API data for model training.
We may also disclose your information if required to do so by law, court order, or governmental regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
In the event of a merger, acquisition, or sale of all or a portion of our assets, your data may be transferred as part of that transaction. We will notify you via email and/or prominent notice on the Service before your data is transferred and becomes subject to a different privacy policy.
5. Data Security
We implement industry-standard technical and organizational measures to protect your data:
- Encryption in transit: All data transmitted between your browser and our servers, and between our internal systems, is encrypted using TLS 1.2 or higher
- Encryption at rest: All stored data is encrypted using AES-256 via Google Cloud's default encryption
- Multi-tenant data isolation: Each location's raw source data is stored in a separate, isolated BigQuery dataset. Cross-tenant data access is architecturally prevented at the database level
- Role-based access control: The dashboard enforces role-based permissions that restrict data visibility based on each user's assigned role and location access
- Server-side authentication: All authentication is handled server-side with httpOnly session cookies. Raw business data is never exposed to client-side JavaScript
- Credential management: All API keys, secrets, and service account credentials are stored in Google Cloud Secret Manager, not in source code or environment files
- Access logging: Authentication events and administrative actions are logged for security audit purposes
While we take reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
6. Data Retention
Active accounts: Your business data is retained for as long as your subscription is active. Historical data accumulates over time to enable year-over-year comparisons, trend analysis, and long-term reporting.
After termination: Upon account termination, you have a 90-day window to request an export of your data in a standard machine-readable format (CSV or JSON). After this 90-day period, your data is permanently and irreversibly deleted from all our systems, including backups.
Usage and log data: Server logs and usage analytics data are retained for up to 12 months for security monitoring and service improvement, after which they are automatically purged.
Inquiry data: Contact form submissions and demo requests are retained for up to 24 months or until you request their deletion.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal and business data we hold about you
- Correction: Request correction of inaccurate or incomplete personal information
- Deletion: Request deletion of your account and associated personal data
- Data portability: Request your data in a structured, machine-readable format
- Restrict processing: Request that we limit how we use your data in certain circumstances
- Object: Object to certain types of processing of your personal data
- Withdraw consent: Where processing is based on consent, withdraw that consent at any time
To exercise any of these rights, contact us at legal@dayspadata.com. We will respond to your request within 30 days. We may need to verify your identity before processing certain requests.
Note that deleting your personal data or account may affect your ability to use the Service. Business data deletion is governed by the retention schedule in Section 6.
8. California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information:
- Right to know: You have the right to know what personal information we collect, how we use it, and whether we share it
- Right to delete: You have the right to request deletion of personal information we have collected
- Right to opt out: We do not sell personal information. We do not share personal information for cross-context behavioral advertising
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
To submit a request, contact us at legal@dayspadata.com with "CCPA Request" in the subject line.
9. Cookies and Local Storage
We use cookies and browser storage to operate and improve the Service. We categorize these as follows:
Essential cookies (required): These cookies are necessary for the Service to function and cannot be disabled.
- Authentication session: httpOnly, secure session cookies to maintain your login state
- Authentication tokens: Secure tokens for session management
- Owner selection: Cookies used to manage the active team context for users with access to multiple organizations
Analytics cookies (when enabled): When product analytics are active, PostHog may set cookies and use localStorage to track page views and feature usage. This helps us understand how the Service is used and prioritize improvements. Analytics can be disabled by your organization's administrator.
Local storage: We use browser localStorage to store dashboard preferences such as date range selections, theme choice (light/dark/system), and view settings. This data stays on your device and is not transmitted to our servers.
We do not use advertising cookies, marketing cookies, or tracking technologies for the purpose of serving ads or cross-site behavioral advertising. For a detailed list of all cookies used by the Service, see our Cookie Policy.
10. Data Breach Notification
In the event of a data breach that compromises your personal or business data, we will:
- Notify affected customers via email within 72 hours of becoming aware of the breach
- Provide details about the nature of the breach, the data affected, and steps we are taking to remediate it
- Notify applicable regulatory authorities as required by law
- Offer guidance on steps you can take to protect your accounts and data
11. International Data Transfers
The Service is operated from the United States. Your business data is stored in US-based data centers (Google Cloud us-east1 region). Certain sub-processors (e.g., the AI language model provider used for the AI Data Analyst) may process individual requests on globally distributed infrastructure. If you access the Service from outside the United States, your data will be transferred to and primarily processed in the United States.
By using the Service, you consent to the transfer of your data to the United States. We ensure that appropriate safeguards are in place to protect your data in accordance with this Privacy Policy.
12. Third-Party Links
The Service may contain links to third-party websites or services (e.g., your spa management software vendor, payment processors). We are not responsible for the privacy practices or content of these third-party sites. We encourage you to review the privacy policies of any third-party services you interact with.
13. Children's Privacy
The Service is designed for business use and is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at legal@dayspadata.com.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes via email at least 30 days before they take effect. Non-material changes may be made without advance notice.
The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
15. Contact
For questions about this Privacy Policy or our data practices, or to exercise your privacy rights, contact us at:
Day Spa Data LLC
Email: legal@dayspadata.com