GDPR Compliance

12 min read Intermediate Updated: 1/10/2026

Understand GDPR requirements, data privacy, and customer rights

BarberSlot is fully GDPR compliant, helping you protect customer privacy and meet legal obligations. This guide explains your responsibilities and how the system supports compliance.

What is GDPR?

General Data Protection Regulation - EU law protecting personal data privacy.

Applies to:

  • All businesses operating in EU
  • All businesses serving EU customers
  • Anywhere customer data is collected/processed

Key principle: Individuals control their personal data.

GDPR Articles Relevant to BarberSlot

Article 15: Right to Access

Customers can request: Copy of all data you hold about them

BarberSlot provides:

  • Automatic data export feature
  • Complete JSON file with all customer data
  • Delivered via secure download

Your obligation: Respond within 30 days (BarberSlot makes this instant).

Article 17: Right to Erasure (“Right to be Forgotten”)

Customers can request: Delete their account and data

BarberSlot handles:

  • Anonymizes personal data
  • Preserves booking history (anonymized for legal/accounting)
  • Removes identifiable information
  • Cannot be undone

Exceptions: Data required for legal obligations (tax records, contracts) can be retained in anonymized form.

Article 20: Right to Data Portability

Customers can request: Machine-readable copy of their data

BarberSlot provides:

  • JSON format export
  • Includes: profile, bookings, messages, preferences
  • Customer can import to another system

Data BarberSlot Collects

Customer Data

Personal information:

  • Name
  • Email address
  • Phone number
  • Booking history
  • Service preferences
  • Communication history

Technical data:

  • IP address (for security)
  • Browser information
  • Login timestamps
  • Session data

Barber/Account Data

Account information:

  • Profile details
  • Authentication credentials (encrypted)
  • 2FA secrets (encrypted)
  • OAuth tokens (encrypted)
  • Login history

Business data:

  • Services offered
  • Pricing
  • Schedules
  • Shop configuration

GDPR requires lawful basis for collecting data:

Contract Performance

Basis: Data needed to provide service Applies to: Booking management, calendar, notifications Customer cannot opt out: Essential for service

Basis: Customer explicitly agrees Applies to: Marketing emails, SMS, push notifications Customer can opt out: Anytime, easily

Legitimate Interest

Basis: Necessary for business operation Applies to: Fraud prevention, security, service improvement Customer can object: In some cases

Basis: Required by law Applies to: Tax records, accounting, legal disputes Customer cannot opt out: Mandated by law

Customer Rights & How to Exercise Them

1. Right to Access (Article 15)

Customer wants: “Show me all data you have about me”

How to provide:

  1. Customer logs in (or contacts you)
  2. Go to Customer Profile
  3. Click “Export Customer Data”
  4. Download link sent to customer email
  5. JSON file contains everything

Alternatively:

  • Settings → Data & Privacy → Export Data

2. Right to Rectification

Customer wants: “Correct my inaccurate data”

How to provide:

  1. Open customer profile
  2. Click “Edit”
  3. Update incorrect information
  4. Save

Customer can also: Update own profile if they have account.

3. Right to Erasure (Article 17)

Customer wants: “Delete my account”

How to provide:

  1. Customer profile → “Delete Account”
  2. Confirm deletion
  3. System:
    • Anonymizes personal data (name → “Deleted User #12345”)
    • Removes email, phone
    • Disables account
    • Deletes messages
    • Preserves booking history (anonymized for accounting)

Cannot delete:

  • Completed bookings (legal requirement for tax)
  • Payment records (7 years retention mandated)

4. Right to Data Portability (Article 20)

Customer wants: “Give me my data to use elsewhere”

How to provide: Same as Right to Access - export provides portable JSON format.

5. Right to Object

Customer wants: “Stop processing my data for marketing”

How to provide:

  1. Customer profile → Preferences
  2. Toggle off:
    • Email marketing
    • SMS marketing
    • Push notifications
  3. Save

Customer still receives: Booking confirmations, reminders (essential communications).

6. Right to Restrict Processing

Customer wants: “Temporarily stop using my data”

How to provide:

  1. Mark customer account as “Restricted”
  2. No marketing
  3. No proactive communication
  4. Bookings still honored (contractual obligation)

BarberSlot maintains versioned legal documents customers must accept.

Terms of Service

Covers:

  • Service usage rules
  • Payment terms
  • Liability limitations
  • Dispute resolution

Acceptance tracked:

  • Timestamp
  • IP address
  • User agent (browser info)
  • Document version

Privacy Policy

Covers:

  • What data is collected
  • How data is used
  • Who data is shared with
  • Customer rights
  • Data retention

Acceptance tracked: Same as Terms.

Covers:

  • Cookies used
  • Purpose of each cookie
  • How to disable cookies
  • Third-party cookies

Version Control

When documents updated:

  1. New version created
  2. Version number incremented
  3. All users must re-accept on next login
  4. Old acceptances preserved (audit trail)

You see: Which customers accepted which version.

Separate from legal document acceptance.

Email Marketing:

  • Promotional offers
  • New service announcements
  • Seasonal campaigns

SMS Marketing:

  • Text message promotions
  • Flash deals
  • Event invitations

Push Notifications:

  • Mobile app alerts (future)
  • Browser notifications

Granular Control

Customer chooses:

  • ✅ Email only
  • ✅ SMS only
  • ✅ Both
  • ❌ Neither

Independent from:

  • Booking confirmations (always sent)
  • Reminders (customer can opt out, but recommended to keep)
  • Account notifications (security-related, always sent)

For each consent:

  • Date/time given
  • Method (checkbox, email link, etc.)
  • IP address
  • Withdrawn date (if applicable)

Proof of consent in case of dispute.

Data Retention

How long data is kept:

Active Customers

Indefinitely while account active and customer booking regularly.

Inactive Customers

24 months after last booking:

  • If no activity, data flagged for deletion
  • Notification sent to customer
  • Customer can reactivate or confirm deletion
  • If no response, auto-deleted after 90 days

Deleted Accounts

Immediately:

  • Personal data anonymized
  • Account disabled

Retained (anonymized):

  • Booking history (for accounting, 7 years)
  • Payment records (tax law requirement)

Audit Logs

3 years: Login attempts, permission changes, data access logs

7 years: Proof of consent to terms

Data Security Measures

How BarberSlot protects data:

Encryption

In Transit:

  • TLS/SSL encryption for all connections
  • HTTPS only
  • No unencrypted data transmission

At Rest:

  • Database encryption
  • Password hashing (bcrypt)
  • 2FA secrets encrypted
  • OAuth tokens encrypted

Access Control

Role-based permissions:

  • Barbers see only own customers
  • Shop managers see only own shop
  • Tenant owners see own organization
  • No cross-tenant access

Authentication

Multi-factor:

  • Password + 2FA for sensitive accounts
  • OAuth for convenience
  • Magic links for password reset
  • Rate limiting (5 attempts then lock)

Monitoring

Automated alerts:

  • Unusual login patterns
  • Multiple failed attempts
  • Data export requests
  • Account deletion requests
  • Permission changes

Backups

Daily backups:

  • Encrypted storage
  • Geo-redundant
  • 30-day retention
  • Tested monthly for recovery

Data Sharing

Who BarberSlot shares data with:

Service Providers (Data Processors)

Hosting: AWS (encrypted servers) Email: SendGrid (transactional emails only) SMS: Twilio (SMS notifications) Analytics: Privacy-focused (anonymized data)

All providers:

  • GDPR compliant
  • Data Processing Agreements in place
  • Subject to audits

Third Parties (Never)

  • ❌ No selling customer data
  • ❌ No sharing with advertisers
  • ❌ No third-party tracking (except essential analytics)

Data shared when:

  • Court order
  • Legal obligation
  • Fraud investigation
  • User safety threat

Customer notified unless legally prohibited.

Your Obligations as Data Controller

You (the barber) are the data controller - you decide what data to collect and how to use it.

Responsibilities

  1. Collect only necessary data: Don’t ask for info you don’t need
  2. Keep data accurate: Update outdated info
  3. Secure data: Use strong passwords, enable 2FA
  4. Respect customer rights: Respond to access/deletion requests
  5. Report breaches: Notify authorities within 72 hours
  6. Maintain records: Document how you process data

BarberSlot as Data Processor

BarberSlot processes data on your behalf:

  • Provides tools for compliance
  • Handles technical security
  • Enables customer rights
  • Maintains audit logs

But: You remain responsible for how you use the system.

Data Breach Protocol

If data breach occurs:

BarberSlot’s Response

Within 1 hour:

  • Identify breach scope
  • Contain the issue
  • Document incident

Within 24 hours:

  • Notify affected users
  • Provide details of what was compromised
  • Explain remediation steps

Within 72 hours:

  • Notify authorities (if required)
  • Publish incident report
  • Implement preventive measures

Your Response

If you suspect breach:

  1. Contact BarberSlot support immediately
  2. Do not delete evidence
  3. Document what happened
  4. Notify customers if their data affected
  5. Report to authorities (if required by law)

Never cover up: Transparency is legal requirement.

Best Practices

Do’s ✅

  1. Enable 2FA (prevents unauthorized access)
  2. Regular data audits (clean up old data)
  3. Train staff on privacy
  4. Use strong passwords
  5. Log out on shared computers
  6. Review customer requests promptly
  7. Keep legal documents updated

Don’ts ❌

  1. Don’t share login credentials
  2. Don’t collect unnecessary data
  3. Don’t ignore deletion requests
  4. Don’t use customer data for unauthorized purposes
  5. Don’t keep data longer than needed

Frequently Asked Questions

Q: Do I need GDPR compliance if I’m not in EU? A: Yes, if you serve EU customers. GDPR is extraterritorial.

Q: Can I refuse customer deletion request? A: Only if you have legal obligation to retain data (tax records). Otherwise, you must comply within 30 days.

Q: What if customer requests data I don’t have? A: Explain what data you do have and provide that. If you never collected certain data, state that clearly.

Q: Can I charge for data export? A: No. First request must be free. Subsequent requests can be charged if “manifestly unfounded or excessive.”

Q: How long do I keep deleted customer data? A: Anonymize immediately. Keep anonymized records only as long as legally required (7 years for tax/accounting).

Q: What’s the penalty for GDPR violation? A: Up to €20 million or 4% of global annual revenue, whichever is higher. Plus reputational damage.

Resources

Next Steps

Now that you understand GDPR:

  1. Review customer data: Ensure you only keep what’s necessary
  2. Enable 2FA: Secure your account
  3. Train staff: Share this guide
  4. Audit regularly: Quarterly data review

GDPR questions? Email privacy@barberslot.com or consult legal professional.

Was this guide helpful?

Help us improve our documentation with your feedback.