Privacy Policy

Welcome to Glamyad. We are a beauty and wellness service booking platform that connects clients with beauty professionals, salons, and spas. This Privacy Policy applies to all users of our platform, including:

• Clients — customers who book beauty and wellness services through our platform.
• Providers — beauty professionals, salons, and spas offering services on our platform.
• Admins — platform administrators who manage and operate the service.

By using Glamyad, you agree to the collection and use of information in accordance with this policy. We comply with applicable data protection laws, including the Nigeria Data Protection Act (NDPA), the General Data Protection Regulation (GDPR) for users in the European Economic Area, and the California Consumer Privacy Act (CCPA) for California residents.

If you do not agree with the terms of this Privacy Policy, please do not access or use our platform.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out to us:

• Privacy inquiries: support@glamyad.com
• Legal inquiries: support@glamyad.com
• Website: https://glamyad.com

We will respond to all legitimate requests within 30 days. If your request is particularly complex or you have made multiple requests, it may take us longer, but we will keep you informed of any delays.

Information You Provide to Us

We collect information that you voluntarily provide when you create an account, book a service, update your profile, or communicate with us. This includes:

• Identity information: First name, last name, avatar/profile photo, birthday, birth year, gender, and pronouns.
• Contact information: Email address, phone number, and physical address (street, apartment/suite, city, state, country, postcode).
• Account credentials: Google OAuth ID, Apple ID (if you sign in using these services), and notification preferences (email and SMS).
• Professional information: Occupation (for Clients), business details and service offerings (for Providers).
• Emergency contact information: Name and contact details of your designated emergency contact.
• Referral information: Referral code, device fingerprint, and IP address associated with referral activities.
• Saved preferences: Saved providers, booking history, and service preferences.

Information We Collect Automatically

When you use our platform, we automatically collect certain information:

• Device and usage data: IP address, browser type, device identifiers, operating system, and pages visited.
• Location data: Approximate or precise location (with your consent) to help you find nearby Providers.
• Log data: Timestamps of your activity, referral URLs, and interaction patterns on the platform.
• Cookies and similar technologies: See our Cookie Notice below for details.

How We Use Your Information

We use the information we collect to:

• Create and manage your account and authenticate your identity.
• Facilitate bookings, appointments, and payments between Clients and Providers.
• Send appointment confirmations, reminders, and service updates via email, SMS, or push notifications.
• Personalize your experience, including recommending Providers and services based on your preferences and history.
• Communicate with you about platform updates, promotions, and important notices.
• Detect, prevent, and address fraud, abuse, security issues, and technical problems.
• Comply with legal obligations and enforce our Terms of Service.
• Analyse usage patterns to improve our platform, develop new features, and conduct research.
• Administer referral programmes and track their effectiveness.

Under data protection laws, we must have a valid legal basis for processing your personal information. Here is what each of our legal bases means:

• Contractual necessity: We process your data because it is necessary to perform the services you have requested — for example, creating your account, processing bookings, and facilitating payments. Without this data, we cannot provide the platform to you.
• Legitimate interests: We process your data for purposes that are in our legitimate business interests, such as improving our platform, preventing fraud, conducting analytics, and marketing our services — provided these interests are not overridden by your rights and freedoms. You have the right to object to processing based on legitimate interests.
• Consent: In some cases, we ask for your explicit consent to process your data — for example, sending marketing communications or accessing your precise location. You can withdraw your consent at any time without affecting the lawfulness of processing that occurred before withdrawal.
• Legal obligation: We may process your data where required by applicable law, such as retaining financial records for tax purposes or responding to lawful requests from public authorities.
• Vital interests: In rare circumstances, we may process your data to protect someone's life or physical safety — for example, sharing emergency contact information in an emergency situation.

If you are based in the European Economic Area (EEA), you have additional rights under the GDPR, including the right to lodge a complaint with your local supervisory authority. If you are a California resident, you have additional rights under the CCPA, including the right to know what personal information we collect and the right to delete it.

We do not sell your personal information. We may share your data with the following categories of recipients:

Service Providers (Data Processors)

We work with trusted third-party companies that help us operate our platform. These providers are contractually obligated to protect your data and use it only for the purposes we specify:

• Paystack — payment processing and financial transactions.
• Resend — email delivery and transactional communications.
• Cloudinary — image and media storage (profile photos, Provider images).
• PostHog & Amplitude — product analytics and usage insights.
• Google & Apple — OAuth authentication services.
• Mapbox — location services and mapping.
• Twilio / Africa's Talking — SMS notifications and communications.
• Firebase — push notification delivery.
• Redis — session management and caching.

Providers (Beauty Professionals, Salons, Spas)

When you book a service, we share the information necessary for the Provider to fulfil your appointment — typically your name, contact details, and the service details. Providers are independent data controllers for the information they receive and are responsible for their own privacy practices.

Other Disclosures

• Legal requirements: We may disclose your information if required by law, regulation, legal process, or governmental request.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such change.
• Protection of rights: We may disclose information to protect the rights, property, or safety of Glamyad, our users, or the public.

Your personal information may be stored and processed in Nigeria and other countries where our service providers operate. These countries may have data protection laws that differ from those in your country of residence.

When we transfer your data internationally, we ensure appropriate safeguards are in place, including:

• Standard contractual clauses approved by relevant data protection authorities.
• Data processing agreements that require third-party providers to implement adequate security measures.
• Compliance with the Nigeria Data Protection Act (NDPA) requirements for cross-border data transfers.

If you are located in the EEA, your data may be transferred to countries outside the EEA. We ensure such transfers comply with GDPR requirements through appropriate legal mechanisms.

We implement industry-standard technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption: Data is encrypted in transit (using TLS/SSL) and at rest.
• Access controls: Strict access controls and authentication mechanisms limit who can access your data within our organisation.
• Secure infrastructure: Our platform is hosted on secure, monitored infrastructure with regular security audits and vulnerability assessments.
• Employee training: Our team receives regular training on data protection and security best practices.
• Incident response: We maintain a data breach response plan and will notify affected users and relevant authorities in accordance with applicable law.

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to enhance our security posture.

You also play an important role in protecting your data. Please keep your account credentials secure, use strong passwords, and notify us immediately at support@glamyad.com if you suspect any unauthorised access to your account.

All payment transactions on Glamyad are processed securely through Paystack, a PCI DSS-compliant payment service provider.

We do not store your full payment card details on our servers. When you make a payment, your card information is entered directly into Paystack's secure payment form. Paystack handles the processing, storage, and security of your payment data in accordance with their own Privacy Policy.

We may retain limited transaction records (such as the amount, date, and Provider) for accounting, dispute resolution, and fraud prevention purposes. These records do not include your full card number or CVV.

Our platform may contain links to external websites, including Provider websites, social media pages, and third-party services that are not operated by Glamyad. We have no control over the content, privacy policies, or practices of these external sites.

We encourage you to review the privacy policies of any third-party websites you visit. Glamyad is not responsible for the privacy practices or content of these external sites.

Similarly, Providers listed on our platform may have their own websites and privacy policies. When you interact with a Provider outside of our platform, their privacy policy — not ours — governs the handling of your information.

We retain your personal information for as long as your account is active or as needed to provide you with our services. After that, we retain data only for as long as necessary to:

• Comply with our legal and regulatory obligations (e.g., tax and financial record-keeping requirements, typically 6–7 years).
• Resolve disputes, enforce our agreements, and protect our legal rights.
• Maintain backup copies of data for disaster recovery purposes.

Specific retention periods include:

• Account data: Retained while your account is active and for a reasonable period thereafter.
• Booking history: Retained for the duration of your account plus the applicable legal retention period.
• Marketing communications: Retained until you unsubscribe or withdraw consent.
• Analytics data: Retained in aggregated or anonymised form for ongoing analysis.

When data is no longer needed, we securely delete or anonymise it. If you delete your account, we will remove your personal information from our active systems, subject to the retention obligations described above.

We may aggregate and anonymise your personal information so that it can no longer be linked to you as an individual. This aggregated data is used for:

• Analysing platform usage trends and user behaviour patterns.
• Generating reports for business intelligence and strategic planning.
• Sharing with partners, investors, or the public in a way that does not identify any individual.

Aggregated and anonymised data is not considered personal information under applicable data protection laws. We may use and disclose such data for any lawful purpose without restriction, provided it remains truly anonymised and cannot be reverse-engineered to identify you.

Depending on your location, you may have the following rights regarding your personal information:

Rights for All Users

• Right of access: Request a copy of the personal information we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete personal information.
• Right to erasure: Request deletion of your personal information, subject to certain legal exceptions.
• Right to restrict processing: Request that we limit how we use your personal information in certain circumstances.
• Right to data portability: Request a machine-readable copy of your personal information to transfer to another service.
• Right to object: Object to our processing of your personal information, including for direct marketing purposes.
• Right to withdraw consent: Where we rely on your consent, you may withdraw it at any time.

Additional Rights for EEA Residents (GDPR)

• Right to lodge a complaint: You have the right to file a complaint with your local data protection supervisory authority.
• Right not to be subject to automated decision-making: You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.

Additional Rights for California Residents (CCPA)

• Right to know: Request information about the categories and specific pieces of personal information we have collected, the sources, the business purpose, and the third parties with whom we have shared it.
• Right to delete: Request deletion of your personal information, subject to certain exceptions.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
• Right to opt out of sale/sharing: Glamyad does not sell personal information. If this changes, we will provide a clear opt-out mechanism.

Additional Rights for Nigerian Residents (NDPA)

• Right to be informed: You have the right to be informed about how your data is collected and processed.
• Right to object: You may object to the processing of your personal data, particularly for direct marketing.
• Right to redress: You have the right to seek redress for violations of your data protection rights through the Nigeria Data Protection Commission (NDPC).

To exercise any of these rights, please contact us at support@glamyad.com. We will respond to your request within 30 days and may ask for additional information to verify your identity before processing your request.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this policy.
• Notify you through a prominent notice on our platform or via email, where required by law.
• Seek your consent where the changes are significant and consent is legally required.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of Glamyad after the updated policy takes effect constitutes your acceptance of the changes.

Glamyad uses cookies and similar tracking technologies (such as web beacons, pixels, and local storage) to provide, improve, and secure our platform.

What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us remember your preferences, understand how you use our platform, and deliver a better experience.

Types of Cookies We Use

• Essential cookies: Required for the platform to function properly. These include session cookies for authentication, security cookies, and cookies that remember your preferences. You cannot opt out of these cookies.
• Analytics cookies: Help us understand how users interact with our platform (via PostHog and Amplitude). This data is used to improve our services and is typically anonymised.
• Functional cookies: Remember your settings and preferences, such as language, location, and notification settings.
• Marketing cookies: Used to deliver relevant advertisements and measure the effectiveness of our marketing campaigns. These may be set by our advertising partners.

Managing Your Cookie Preferences

Most web browsers allow you to control cookies through their settings. You can typically:

• View what cookies are stored on your device.
• Delete individual or all cookies.
• Block cookies from specific or all websites.
• Set preferences for when cookies are accepted.

Please note that blocking certain cookies may affect the functionality of our platform. For more information on managing cookies, visit your browser's help section or allaboutcookies.org.

If you have questions about our use of cookies, please contact us at support@glamyad.com.