Data Processing Addendum
Last updated: 12 July 2026
This explains how GlamIQ handles your clients' personal data on your behalf. It forms part of our Terms of Service and covers what UK GDPR (Article 28) requires between you and us.
Who's who
You (the salon or business) decide why and how your clients' personal data is used - so in data-protection terms you're the controller. We (OS Business Solutions Ltd, company no. 07151938, registered in England & Wales) run GlamIQ for you, so we're your processor. We only process your clients' data on your instructions - and using GlamIQ as intended counts as your instructions.
What we process, and why
We process your clients' data for one purpose: taking and managing your bookings. That covers the chat and calendar booking, checking availability, confirmations, reminders, cancellations, owner notifications, and storing client records and notes.
The data involved is your clients' names, emails, phone numbers, appointment details, any treatment notes you add, and chat transcripts. The people it's about are your clients and enquirers. We process it for as long as you use GlamIQ.
Our promises to you
As your processor, we will:
- only process your clients' data on your instructions, including for any transfer abroad;
- make sure anyone who handles it is bound by confidentiality;
- keep it secure with appropriate measures (see below);
- only use the sub-processors listed below, on equivalent data-protection terms;
- help you respond when a client exercises their data rights;
- help you with security, breach notifications and any data-protection assessments;
- tell you without undue delay if we become aware of a data breach;
- delete or return your clients' data when you stop using GlamIQ; and
- give you the information you need to show this is all being done properly.
The companies we use (sub-processors)
To run the service, we use a small number of trusted providers. Each one only handles what it needs to do its job. By using GlamIQ you give us general permission to use them:
- Anthropic (United States) - powers the Ai booking assistant. It sees the content of chat messages, which can include a client's name, contact details and booking. Covered by Standard Contractual Clauses, and your clients' data is not used to train Ai models.
- Google (United States / EU) - Calendar for your booking events, and Gmail for sending booking, reminder and cancellation emails.
- Hostinger (EU, Lithuania) - hosts the GlamIQ app, database and booking pages. This is where your booking data is stored.
- Cloudflare - sits in front of the sites to keep them fast and secure, handling technical request data in transit.
- Backblaze (United States) - stores our off-site backups. Backups are encrypted on our servers before they're sent, so Backblaze cannot read them.
- Zen Internet (United Kingdom) - keeps a second, encrypted backup copy and a standby host.
We'll tell you before we add or change a sub-processor, so you have a chance to object. (Separately, we use Google Analytics on our own website, and only if a visitor accepts analytics cookies - that's about our website visitors, not your clients' booking data.)
Sending data outside the UK
Most of your data stays in the UK/EU on our European hosting. Some is processed in the United States - chat content by Anthropic, and calendar and email by Google. For those transfers we rely on Standard Contractual Clauses (with the UK Addendum), the safeguard UK law recognises. Our off-site backups sent to the US are encrypted before they leave our servers, so only scrambled data ever crosses the border.
How long we keep it
We keep chat transcripts for 12 months, then delete them. We keep a client's record and booking history while they're active, and delete it after 36 months with no booking. If you or a client asks us to erase specific data sooner, we will, unless the law requires us to keep it. Deletion runs automatically.
Keeping it secure
We protect your clients' data with appropriate measures: encryption in transit and for sensitive data at rest, access controls, encrypted off-site backups, and rate-limiting in front of the service. Fuller detail on our security measures is available on request.
Helping with your clients' rights
If one of your clients asks to access, correct or delete their data, or objects to how it's used, we'll help you respond. We keep tooling that lets us export or erase a client's data quickly.
If something goes wrong
If we ever become aware of a breach affecting your clients' personal data, we'll tell you without undue delay, with the details you need to meet your own obligations to your clients and the regulator.
When you leave
When you stop using GlamIQ, we'll delete or return your clients' data, whichever you choose, and delete our copies - other than anything the law requires us to keep, and encrypted backups, which age out on their normal cycle.
Checking we're doing this properly
You can ask us for the information you need to show this processing is compliant, and we'll help with reasonable audit requests.
Changes
We may update this addendum and our sub-processor list as the service develops. We'll revise the date at the top and, for significant sub-processor changes, let you know so you have a chance to object.
Contact
Any questions about how we handle data? Email us at [email protected].
