BarberSlot is fully GDPR compliant, helping you protect customer privacy and meet legal obligations. This guide explains your responsibilities and how the system supports compliance.
What is GDPR?
General Data Protection Regulation - EU law protecting personal data privacy.
Applies to:
- All businesses operating in EU
- All businesses serving EU customers
- Anywhere customer data is collected/processed
Key principle: Individuals control their personal data.
GDPR Articles Relevant to BarberSlot
Article 15: Right to Access
Customers can request: Copy of all data you hold about them
BarberSlot provides:
- Automatic data export feature
- Complete JSON file with all customer data
- Delivered via secure download
Your obligation: Respond within 30 days (BarberSlot makes this instant).
Article 17: Right to Erasure (“Right to be Forgotten”)
Customers can request: Delete their account and data
BarberSlot handles:
- Anonymizes personal data
- Preserves booking history (anonymized for legal/accounting)
- Removes identifiable information
- Cannot be undone
Exceptions: Data required for legal obligations (tax records, contracts) can be retained in anonymized form.
Article 20: Right to Data Portability
Customers can request: Machine-readable copy of their data
BarberSlot provides:
- JSON format export
- Includes: profile, bookings, messages, preferences
- Customer can import to another system
Data BarberSlot Collects
Customer Data
Personal information:
- Name
- Email address
- Phone number
- Booking history
- Service preferences
- Communication history
Technical data:
- IP address (for security)
- Browser information
- Login timestamps
- Session data
Barber/Account Data
Account information:
- Profile details
- Authentication credentials (encrypted)
- 2FA secrets (encrypted)
- OAuth tokens (encrypted)
- Login history
Business data:
- Services offered
- Pricing
- Schedules
- Shop configuration
Legal Basis for Data Processing
GDPR requires lawful basis for collecting data:
Contract Performance
Basis: Data needed to provide service Applies to: Booking management, calendar, notifications Customer cannot opt out: Essential for service
Consent
Basis: Customer explicitly agrees Applies to: Marketing emails, SMS, push notifications Customer can opt out: Anytime, easily
Legitimate Interest
Basis: Necessary for business operation Applies to: Fraud prevention, security, service improvement Customer can object: In some cases
Legal Obligation
Basis: Required by law Applies to: Tax records, accounting, legal disputes Customer cannot opt out: Mandated by law
Customer Rights & How to Exercise Them
1. Right to Access (Article 15)
Customer wants: “Show me all data you have about me”
How to provide:
- Customer logs in (or contacts you)
- Go to Customer Profile
- Click “Export Customer Data”
- Download link sent to customer email
- JSON file contains everything
Alternatively:
- Settings → Data & Privacy → Export Data
2. Right to Rectification
Customer wants: “Correct my inaccurate data”
How to provide:
- Open customer profile
- Click “Edit”
- Update incorrect information
- Save
Customer can also: Update own profile if they have account.
3. Right to Erasure (Article 17)
Customer wants: “Delete my account”
How to provide:
- Customer profile → “Delete Account”
- Confirm deletion
- System:
- Anonymizes personal data (name → “Deleted User #12345”)
- Removes email, phone
- Disables account
- Deletes messages
- Preserves booking history (anonymized for accounting)
Cannot delete:
- Completed bookings (legal requirement for tax)
- Payment records (7 years retention mandated)
4. Right to Data Portability (Article 20)
Customer wants: “Give me my data to use elsewhere”
How to provide: Same as Right to Access - export provides portable JSON format.
5. Right to Object
Customer wants: “Stop processing my data for marketing”
How to provide:
- Customer profile → Preferences
- Toggle off:
- Email marketing
- SMS marketing
- Push notifications
- Save
Customer still receives: Booking confirmations, reminders (essential communications).
6. Right to Restrict Processing
Customer wants: “Temporarily stop using my data”
How to provide:
- Mark customer account as “Restricted”
- No marketing
- No proactive communication
- Bookings still honored (contractual obligation)
Legal Documents
BarberSlot maintains versioned legal documents customers must accept.
Terms of Service
Covers:
- Service usage rules
- Payment terms
- Liability limitations
- Dispute resolution
Acceptance tracked:
- Timestamp
- IP address
- User agent (browser info)
- Document version
Privacy Policy
Covers:
- What data is collected
- How data is used
- Who data is shared with
- Customer rights
- Data retention
Acceptance tracked: Same as Terms.
Cookie Policy
Covers:
- Cookies used
- Purpose of each cookie
- How to disable cookies
- Third-party cookies
Version Control
When documents updated:
- New version created
- Version number incremented
- All users must re-accept on next login
- Old acceptances preserved (audit trail)
You see: Which customers accepted which version.
Marketing Consent
Separate from legal document acceptance.
Consent Types
Email Marketing:
- Promotional offers
- New service announcements
- Seasonal campaigns
SMS Marketing:
- Text message promotions
- Flash deals
- Event invitations
Push Notifications:
- Mobile app alerts (future)
- Browser notifications
Granular Control
Customer chooses:
- ✅ Email only
- ✅ SMS only
- ✅ Both
- ❌ Neither
Independent from:
- Booking confirmations (always sent)
- Reminders (customer can opt out, but recommended to keep)
- Account notifications (security-related, always sent)
Consent Tracking
For each consent:
- Date/time given
- Method (checkbox, email link, etc.)
- IP address
- Withdrawn date (if applicable)
Proof of consent in case of dispute.
Data Retention
How long data is kept:
Active Customers
Indefinitely while account active and customer booking regularly.
Inactive Customers
24 months after last booking:
- If no activity, data flagged for deletion
- Notification sent to customer
- Customer can reactivate or confirm deletion
- If no response, auto-deleted after 90 days
Deleted Accounts
Immediately:
- Personal data anonymized
- Account disabled
Retained (anonymized):
- Booking history (for accounting, 7 years)
- Payment records (tax law requirement)
Audit Logs
3 years: Login attempts, permission changes, data access logs
Legal Documents Acceptance
7 years: Proof of consent to terms
Data Security Measures
How BarberSlot protects data:
Encryption
In Transit:
- TLS/SSL encryption for all connections
- HTTPS only
- No unencrypted data transmission
At Rest:
- Database encryption
- Password hashing (bcrypt)
- 2FA secrets encrypted
- OAuth tokens encrypted
Access Control
Role-based permissions:
- Barbers see only own customers
- Shop managers see only own shop
- Tenant owners see own organization
- No cross-tenant access
Authentication
Multi-factor:
- Password + 2FA for sensitive accounts
- OAuth for convenience
- Magic links for password reset
- Rate limiting (5 attempts then lock)
Monitoring
Automated alerts:
- Unusual login patterns
- Multiple failed attempts
- Data export requests
- Account deletion requests
- Permission changes
Backups
Daily backups:
- Encrypted storage
- Geo-redundant
- 30-day retention
- Tested monthly for recovery
Data Sharing
Who BarberSlot shares data with:
Service Providers (Data Processors)
Hosting: AWS (encrypted servers) Email: SendGrid (transactional emails only) SMS: Twilio (SMS notifications) Analytics: Privacy-focused (anonymized data)
All providers:
- GDPR compliant
- Data Processing Agreements in place
- Subject to audits
Third Parties (Never)
- ❌ No selling customer data
- ❌ No sharing with advertisers
- ❌ No third-party tracking (except essential analytics)
Legal Requirements
Data shared when:
- Court order
- Legal obligation
- Fraud investigation
- User safety threat
Customer notified unless legally prohibited.
Your Obligations as Data Controller
You (the barber) are the data controller - you decide what data to collect and how to use it.
Responsibilities
- Collect only necessary data: Don’t ask for info you don’t need
- Keep data accurate: Update outdated info
- Secure data: Use strong passwords, enable 2FA
- Respect customer rights: Respond to access/deletion requests
- Report breaches: Notify authorities within 72 hours
- Maintain records: Document how you process data
BarberSlot as Data Processor
BarberSlot processes data on your behalf:
- Provides tools for compliance
- Handles technical security
- Enables customer rights
- Maintains audit logs
But: You remain responsible for how you use the system.
Data Breach Protocol
If data breach occurs:
BarberSlot’s Response
Within 1 hour:
- Identify breach scope
- Contain the issue
- Document incident
Within 24 hours:
- Notify affected users
- Provide details of what was compromised
- Explain remediation steps
Within 72 hours:
- Notify authorities (if required)
- Publish incident report
- Implement preventive measures
Your Response
If you suspect breach:
- Contact BarberSlot support immediately
- Do not delete evidence
- Document what happened
- Notify customers if their data affected
- Report to authorities (if required by law)
Never cover up: Transparency is legal requirement.
Best Practices
Do’s ✅
- Enable 2FA (prevents unauthorized access)
- Regular data audits (clean up old data)
- Train staff on privacy
- Use strong passwords
- Log out on shared computers
- Review customer requests promptly
- Keep legal documents updated
Don’ts ❌
- Don’t share login credentials
- Don’t collect unnecessary data
- Don’t ignore deletion requests
- Don’t use customer data for unauthorized purposes
- Don’t keep data longer than needed
Frequently Asked Questions
Q: Do I need GDPR compliance if I’m not in EU? A: Yes, if you serve EU customers. GDPR is extraterritorial.
Q: Can I refuse customer deletion request? A: Only if you have legal obligation to retain data (tax records). Otherwise, you must comply within 30 days.
Q: What if customer requests data I don’t have? A: Explain what data you do have and provide that. If you never collected certain data, state that clearly.
Q: Can I charge for data export? A: No. First request must be free. Subsequent requests can be charged if “manifestly unfounded or excessive.”
Q: How long do I keep deleted customer data? A: Anonymize immediately. Keep anonymized records only as long as legally required (7 years for tax/accounting).
Q: What’s the penalty for GDPR violation? A: Up to €20 million or 4% of global annual revenue, whichever is higher. Plus reputational damage.
Resources
- GDPR Official Text: https://gdpr.eu/
- ICO Guide (UK): https://ico.org.uk/for-organisations/guide-to-data-protection/
- CNIL Guide (France): https://www.cnil.fr/en/home
- Garante Guide (Italy): https://www.garanteprivacy.it/
Next Steps
Now that you understand GDPR:
- Review customer data: Ensure you only keep what’s necessary
- Enable 2FA: Secure your account
- Train staff: Share this guide
- Audit regularly: Quarterly data review
GDPR questions? Email privacy@barberslot.com or consult legal professional.