Privacy Policy
Last updated: 6 May 2025
Last updated: 2026-06-28
Quasar Salon ("we", "us", "our") operates the Quasar Salon mobile application (the "App") and the associated web service at app.quasarsalon.com (together, the "Service"). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have under applicable law including the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and India's Digital Personal Data Protection Act 2023 (DPDP).
1. Information we collect
We only collect the information necessary to provide and improve the Service:
- Account information — your full name and email address are required to create your account and confirm your appointments. A phone number is optional and only used if you provide it (so the salon can contact you about last-minute changes).
- Authentication data — we send a 6-digit one-time code (OTP) to your email to verify it's you. The code is stored temporarily (5 minutes) and deleted immediately after use.
- Booking information — the services you add to your cart, the appointment date and time, the stylist you select, and any guest names you add for group bookings.
- Profile photo — optional. Only uploaded if you choose one in Edit Profile. Stored on Firebase Cloud Storage.
- Device and technical data — limited information automatically logged for security and debugging: device type, operating system version, app version, IP address (used for rate-limiting OTP requests), approximate timestamps of requests. We do not use any third-party analytics, advertising, or tracking SDKs.
We do not collect: precise location, browsing history outside the App, contacts, calendar, microphone audio, camera unless you actively take a profile photo, or any financial/payment information.
2. How we use your information
We use the information we collect strictly to:
- Create and manage your Quasar Salon account
- Verify your identity via OTP at sign-in
- Confirm, reschedule, and cancel your salon appointments
- Send transactional emails (sign-in codes, booking confirmations, reschedule and cancellation notices)
- Provide customer support when you contact us
- Detect and prevent abuse, fraud, and security incidents (e.g. rate-limiting OTP requests by IP)
- Comply with legal obligations
We do not use your information for advertising, profiling, automated decision-making, or sale to third parties.
3. Legal basis for processing (GDPR)
If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases:
- Performance of a contract — to provide the booking service you signed up for.
- Legitimate interests — to keep the Service secure, prevent abuse, and improve reliability.
- Consent — for any optional information you provide (e.g. profile photo).
- Legal obligation — where we are required to retain limited records (e.g. tax/accounting).
4. Service providers and data processors
We rely on the following third-party services to operate the Service. Each acts as our data processor and is bound by its own privacy and security obligations:
- Google Firebase (Authentication, Cloud Firestore, Cloud Storage, Cloud Functions, Hosting) — stores your account information, booking history, and any uploaded photos. Operated by Google LLC. Data is stored on Google's European cloud infrastructure (region: eur3).
- Resend (transactional email service) — sends OTP and booking emails on our behalf. Resend operates on Amazon Web Services. Only your email address and the email content (which includes your name, appointment details, and the OTP code) are shared with Resend, strictly for delivery.
- Apple App Store / Google Play Store — when you install or update the App, the respective store may share aggregated, anonymised install statistics with us. We do not receive any personally identifiable information from the stores.
We do not sell, rent, or share your personal information with any party for advertising or marketing purposes.
5. International data transfers
Quasar Salon is operated from Mohali, India. Your data is stored on Google's European cloud servers (eur3 region) and may be processed in the United States by our email provider. We rely on Standard Contractual Clauses and Google's / Resend's data processing agreements to safeguard international transfers under GDPR Article 46.
6. Data retention
We retain your information for as long as your account is active. Specifically:
- OTP codes — deleted within 5 minutes (after use or expiry).
- Account profile — retained until you delete your account.
- Booking history — retained until you delete your account (so you can reference past visits). Completed and cancelled bookings older than 3 years may be archived in compressed form for legal/accounting reasons.
- Server logs — retained for up to 30 days for security and debugging, then automatically deleted.
When you delete your account, all personal data is removed from our active systems within 30 days. Backups containing your data are purged within a further 60 days through our backup rotation.
7. Your rights
You have the following rights regarding your personal information:
- Access — view what we hold about you. Most of it is visible in Profile → Edit Profile and My Bookings. Email us for a complete export.
- Correction — edit your name, phone, and photo any time from Profile → Edit Profile.
- Deletion ("right to be forgotten") — delete your account permanently from Profile → Delete Account inside the App, or via the web form at app.quasarsalon.com/delete-account, or by emailing bookings@quasarsalon.com.
- Portability — request a machine-readable copy of your data by email.
- Withdraw consent — for any optional data (e.g. remove your profile photo).
- Object / restrict processing — contact us to discuss specific objections.
- Complain to a supervisory authority — if you are in the EEA/UK you may complain to your national data-protection authority. Indian users may approach the Data Protection Board of India.
We respond to verified requests within 30 days. There is no charge for normal requests.
8. California residents (CCPA / CPRA)
If you are a California resident, you have the right to know what categories of personal information we collect, the sources, the business purposes, and the categories of third parties we share with — all of which are described in sections 1, 2, and 4 above. You also have the right to request deletion (section 7), and the right not to be discriminated against for exercising your rights. We do not sell or share personal information for cross-context behavioural advertising, and we have not done so in the preceding twelve months.
9. Security
All communication between the App and our servers is encrypted in transit using TLS 1.2+. Data at rest is encrypted by Google Firebase. Authentication tokens are short-lived (1 hour) and refreshed automatically. We follow industry best practices for input validation, rate-limiting, and least-privilege access. However, no online service can be guaranteed 100% secure. If we ever become aware of a breach that affects your personal information, we will notify you and the relevant authorities as required by law.
10. Children's privacy
The Service is intended for adults aged 18 and over. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA). If you believe a child has provided us with personal information, please contact us and we will delete it.
11. Permissions the App requests on your device
- Photo library access — only if you choose to upload a profile photo. We never read or upload other photos.
- Camera access — only if you choose to take a new profile photo.
- Internet — required to communicate with our servers.
The App does not request location, contacts, microphone, calendar, SMS, or notification permissions.
12. Changes to this Privacy Policy
If we make material changes, we will update the "Last updated" date at the top and, where appropriate, notify you via the App or email. Continued use of the Service after an update constitutes acceptance of the revised Policy.
13. Contact us
For privacy questions, data-rights requests, or any concerns about this Policy:
Email: bookings@quasarsalon.com
Address: Quasar Salon, Mohali, Punjab, India
Data controller: Quasar Salon (the operator of the App)