Privacy Policy
Last updated: 7 July 2026
This policy explains how Klipin ("Klipin", "we", "us") collects, uses, stores and protects
personal data — and the choices and rights you have. It covers everything we run: the
klipin.app website, the partner portal at
app.klipin.app, public booking pages at
book.klipin.app, the
Klipin mobile app (iOS and Android,
com.klipin.app) and the emails we send.
1. The short version
- We collect only what's needed to run a booking and management service for barbershops and salons — no ads, no selling of data, no cross-app tracking — ever, and no analytics trackers today (we'd ask for consent before ever adding any).
- If you book an appointment, your barbershop or salon controls your data — we process it on their behalf so they can run your appointment. Ask them first; we'll always help.
- If you run a business on Klipin, we hold your account and business data to provide the service, and we act on your instructions for your client book.
- Data is stored with our hosting provider in AWS Mumbai (India), protected by contractual safeguards, encryption and per-business isolation.
- You can ask for a copy of your data, corrections, or deletion at any time — email privacy@klipin.app. We answer within 30 days.
2. Who we are
Klipin is booking and management software for barbershops and salons, operated from the United Arab Emirates and offered UAE-first. For personal data covered by this policy, the contact for all privacy matters is privacy@klipin.app.
This document is the privacy policy for the Klipin website (klipin.app), web application (app.klipin.app), customer booking pages (book.klipin.app), the Klipin mobile app for iOS and Android, and our transactional emails.
3. Our two roles: controller and processor
Klipin wears two hats, and your rights route differently depending on which one applies:
- Klipin as controller. For partner and staff accounts, organisation and billing records, website visits, security and audit logs, and support conversations, Klipin decides how and why data is processed — we are the data controller.
- Klipin as processor. The client books that businesses keep in Klipin — customer names, phone numbers, email addresses and other details the business records (like notes or dates of birth), plus appointment history — belong to that business. The barbershop or salon is the controller of its clients' data; Klipin processes it only on the business's instructions to provide the service. If you're a salon customer, your salon's own privacy practices govern that data — contact the salon first, and we will always assist them (or you) in honouring your rights.
By design, each business's client list is isolated: a customer known to one business is never visible to any other business on Klipin.
4. The data we collect
If you run or work at a business on Klipin
- Account details — name, email address, password (stored as a secure hash), optional phone number, date of birth and profile photo, and your role in the business. Name, email and password are required to create an account — without them we can't provide the service.
- Business records — business name and contact details, services, prices, opening hours, staff colours and schedules, and subscription/trial status. We do not store card details.
- Activity needed to run the service — appointments you create, invoices you issue, and audit logs of actions our own platform team takes on your account (for accountability).
- If a colleague invites you, we receive your name and email from the business that invites you — that business is the source of this data.
If you book an appointment at a business that uses Klipin
- Booking details — your name and phone number (required to make a booking — returning clients need only their phone number), plus an optional email address and optional notes. Without a name and phone number a first booking simply can't be made.
- Appointment history with that business — services, dates, prices and payment method (cash/card — never card numbers), so the business can serve you as a returning client.
- If a booking is made for someone else (for example your child), the business may record who the appointment is for by name, held in that business's client book.
- Your barbershop or salon may also add you to its client book directly, or import an existing client list — name, phone number, and optionally an email address, date of birth, notes and a marketing preference. The business is the source and controller of that data.
- If you give an email address, we send booking confirmations and cancellation notices on the business's behalf. These are service emails, not marketing.
If you use the Klipin mobile app
- Sign-in session — the app stores your login session on your device so you stay signed in.
- Push notification token — a device identifier (Expo push token, device platform and name) so we can deliver booking alerts you've opted into. Notification content includes appointment details such as the client's name and time.
If you just visit our websites
- klipin.app (this site) sets no cookies and runs no analytics or tracking. Your dark/light theme choice is saved only in your own browser and never sent to us.
- Our hosting providers keep standard, short-lived server logs (IP address, browser user-agent) to serve pages and prevent abuse, as any website host does.
If you contact us
- We receive your email address and the contents of your message, and keep them only as long as needed to resolve the matter.
5. How we use data — purposes and legal bases
We only use personal data for what you'd expect from a booking product. For GDPR, each purpose has a legal basis; for the UAE Personal Data Protection Law (PDPL), each rests on consent or a statutory exception, as mapped below.
| Purpose | GDPR basis | UAE PDPL basis |
|---|---|---|
| Creating and operating partner/staff accounts; signing you in | Contract (Art 6(1)(b)) | Contract necessity (Art 4) |
| Taking, managing and honouring bookings; invoicing and checkout | Contract — performed for the business as its processor | Contract necessity (Art 4) |
| Sending booking confirmation and cancellation emails | Contract | Contract necessity (Art 4) |
| Push notifications for new bookings (staff app) | Consent — the OS permission prompt; opt out any time in-app or in device settings | Consent (Art 6) |
| Security, abuse prevention, audit logging | Legitimate interests — keeping the platform and tenants' data safe | Statutory exception (Art 4) |
| Answering support requests and privacy/rights inquiries | Contract / legitimate interests | Contract necessity (Art 4) |
| Complying with law (e.g. tax record-keeping for invoices) | Legal obligation (Art 6(1)(c)) | Legal obligation (Art 4) |
We do no marketing emails, no profiling and no automated decision-making that produces legal or similarly significant effects. If we ever introduce marketing communications, we will ask for your consent first, record it, and make opting out one tap.
6. Who we share data with
We never sell personal data and share it with no one except the service providers that run Klipin's infrastructure (acting on our instructions, under contract) and the business you book with. Our providers:
| Provider | What they do | Where |
|---|---|---|
| Supabase (on AWS) | Database, authentication and application backend — where Klipin's data lives; also sends account emails (sign-in codes, invites, password resets) | AWS ap-south-1 (Mumbai, India) |
| Netlify | Serves our websites (standard web-server request logs) | Global CDN (US company) |
| Resend | Delivers booking confirmation and cancellation emails | United States |
| Expo | Delivers push notifications to the staff mobile app | United States |
| Apple / Google | Operating-system push delivery (APNs / FCM) and app distribution | Global |
| rsms.me | Serves the Inter font used by the web portal and booking pages (receives your IP address and browser user-agent when the font loads) | EU |
- When you book at a business, your booking details go to that business — it's their client book.
- We may disclose data if the law requires it (for example a valid legal order), and we'd tell the affected business or person unless legally barred.
- There are no analytics providers, ad networks or data brokers anywhere in Klipin.
7. Where data is stored and international transfers
Klipin's application data is stored with Supabase on AWS in Mumbai, India (ap-south-1). Email and push delivery transit our providers in the United States. That means personal data of UAE users is stored outside the UAE, and personal data of any EU/EEA users is stored outside the EU.
- UAE (PDPL Arts 22–23): these cross-border transfers are protected by contractual data-protection commitments with each provider that bind them to safeguards equivalent to those in this policy.
- EU/EEA (GDPR Arts 44–49): transfers rely on the providers' data processing agreements incorporating the EU Standard Contractual Clauses; for operating-system push delivery, Apple's and Google's own published data-protection terms apply. You can request a copy (or summary) of these safeguards via privacy@klipin.app.
- All traffic is encrypted in transit (TLS/HTTPS) and databases are encrypted at rest.
8. How long we keep data
- Partner and staff accounts — kept while the account exists; personal identifiers are deleted or anonymised after a verified deletion request (see section 10).
- Client books and appointment history — kept while the business's account is active and the business keeps the client on its list; removed when the business removes them or instructs us to, or on a verified erasure request routed through the business.
- Invoices and financial records — retained for as long as the business is legally required to keep them (e.g. UAE VAT record-keeping), even after a deletion request; we keep only what the law demands.
- Email delivery and security/audit logs — kept only as long as needed for delivery assurance, troubleshooting and accountability, then deleted.
- Push tokens — deleted when you sign out of the mobile app or turn push notifications off in the app; tokens that stop working (for example after uninstalling, or an opt-out in device settings) are removed automatically.
9. Your rights
Wherever you are, you can ask us for: access to your data (a copy), correction, deletion, restriction of processing, portability (a machine-readable copy), and to object to processing or stop it. Where processing rests on consent (like push notifications) you can withdraw consent at any time — withdrawing doesn't affect what was lawfully done before.
- How to exercise them: email privacy@klipin.app. We may ask you to verify your identity, and we respond within 30 days.
- Salon customers: for data in a business's client book, your business is the controller — the fastest route is asking them directly (in person or by phone), and they can action it in Klipin or instruct us. You can also email us and we'll route the request to the business and assist.
- Complaints: UAE users can complain to the UAE Data Office; EU/EEA users can complain to their local data protection supervisory authority. We'd appreciate the chance to resolve any concern first.
Klipin makes no solely-automated decisions about you and does not profile you.
10. Deleting your account or data
Deletion is available to everyone, whether or not you can log in:
- Business owners — email privacy@klipin.app from your account email to delete your business or your whole organisation. We verify the request, then delete or anonymise personal data within 30 days (keeping only records the law requires, like tax invoices).
- Staff members — ask the business owner to remove you (this ends your access), and email us directly to have your account and personal identifiers deleted. Business records you created for your employer (appointments you booked, invoices you issued) stay with the business, with your personal identifiers removed.
- Salon customers — ask your barbershop or salon to remove you from their client list, or email us and we'll route and assist. Booking history is deleted or anonymised; the business keeps only legally required financial records.
- Mobile app data on your device — signing out removes your session and push token; uninstalling the app removes the data the app stored on your device (a device backup you control, such as an OS cloud backup, may retain a copy under your own account).
Every deletion we carry out on request is a real deletion of personal data, not a deactivation — where we must keep a record (law, fraud prevention), we say so above and keep the minimum.
11. Cookies & local storage
klipin.app sets no cookies and runs no analytics. None of our surfaces use advertising or tracking cookies, so there's no cookie banner — there's nothing to consent to. The small amount of browser/device storage we do use is strictly necessary to make the product work:
| Where | What | Why |
|---|---|---|
| klipin.app | Theme preference (dark/light) | Remembers your choice; never leaves your browser |
| app.klipin.app | Sign-in session token; a local working copy of your business's data | Keeps you signed in and the portal fast; cleared on sign-out |
| book.klipin.app | A local copy of the salon's public booking info (services, staff, opening hours, busy times) | Makes the booking page fast; contains no personal data about you or other clients |
| Mobile app | Sign-in session; selected business; theme and notification preferences | Keeps you signed in and remembers your settings |
If we ever add analytics, we will update this policy and ask for consent first where required.
12. Security
How we protect data, in plain terms:
- Encryption in transit (TLS/HTTPS everywhere) and at rest in the database.
- Per-business isolation enforced in the database itself (row-level security): one business can never read another's clients or appointments.
- Role-based access — staff see only what their role needs; platform-level administrative actions (actions our own team takes on partner accounts) are audit-logged.
- Passwords are hashed, never stored or visible in plain text.
No system is perfectly secure, but if a breach ever put your rights at risk we would notify the relevant authority (the UAE Data Office, or the competent EU supervisory authority within 72 hours for GDPR-scope data) and affected users as required.
13. Children
Klipin is a business tool directed at adults; accounts are for people 18 and over, and we do not knowingly collect children's data ourselves. Clients may share a dependant's details (like a child's name) with their salon when booking for them — that information belongs to the salon's client book, under the salon's control as described above. If you believe a child's data has been given to us in error, email privacy@klipin.app and we will delete it.
14. Changes to this policy
When we change this policy materially we'll update the date at the top and give notice — email for account holders, a notice on our sites for everyone else — before the changes take effect. Earlier versions are available on request.
15. Contact us
For anything in this policy — questions, requests, complaints: privacy@klipin.app. We reply within 30 days, usually much faster.