Your Privacy Matters

Privacy Policy

Last updated: 14 April 2026

Fade is operated by Vera IT. This policy explains how we collect, use, and protect your personal data in compliance with the GDPR and applicable laws.

1. Data Controller

Fade is operated by Vera IT. By using Fade, you agree to this Privacy Policy. For users in the EU/EEA and UK, Vera IT is the data controller for the personal data we process, unless otherwise stated (e.g. when a salon is the data controller for data you provide directly to them).

Data Controller: Vera IT

Commercial register (Germany): Vera IT is entered in the Commercial Register (*Handelsregister*) at the Local Court of Hamburg (*Amtsgericht Hamburg*).

VAT identification number (German *USt-IdNr.*): DE456074487

Registered office: Rehrstieg 16d, 21147 Hamburg, Germany

Contact for privacy and data protection: privacy@getfadeapp.com

For data protection officer (DPO) enquiries, including exercising your GDPR rights: privacy@getfadeapp.com

Person responsible for editorial content under § 55(2) of the German Interstate Broadcasting Treaty (*Rundfunkstaatsvertrag*, RStV): Jovica Mihajlovic, Rehrstieg 16d, 21147 Hamburg, Germany

Scope of this Privacy Policy (platform vs salons):

This Privacy Policy explains how Vera IT runs the Fade platform (mobile app and getfadeapp.com) and processes personal data for that role. Salons and barbershops on Fade are independent businesses. When you book, chat with, or visit a salon, that salon is typically a separate data controller for personal data it needs to deliver its services (e.g. your name, contact details, appointment information, or health-related notes you choose to provide). This Policy does not replace any privacy information or terms a salon gives you on its own. Questions about how a specific salon uses your data should be put to that salon, in addition to your rights under applicable law (see also Section 10).

2. Categories of Data Collected

Information you provide:

Account: Name, email, phone number, password (stored in Supabase Auth and user_profiles)
Profile: Profile picture, preferences (Supabase Storage + user_profiles)
Bookings: Appointment details, service selections, notes, and price or deposit fields the salon configures (appointments and related tables). Used for the salon calendar, reminders, and your booking history; any in-salon or card payment at the chair is between you and the salon unless a separate Fade payment feature applies (in which case this policy would be updated).
Salon subscriptions and promotions (salon owners only): Starter, Medium, Pro packages and Featured placement are purchased via Google Play Billing or Apple In-App Purchase (salon mobile app) or Stripe (getfadeapp.com dashboard). We do not store your card numbers.
Communication: Chat messages with salons (messages table, linked to chats)
Reviews: Rating (1–5), comment, optional staff rating (reviews table). Reviews are publicly visible; user_id is stored and may be linked to your profile by the salon.
Address: Preferred address for map/directions (user_profiles)
Referral code: If you use "Refer a barber", we store referral codes (user_profiles)

Salon owners and staff (business use):

Business profile: Salon name, address, contact details, opening hours, services, prices, portfolio images, staff/barber profiles, check-in/QR settings, and similar operational data you enter.
Client data at your salon: For appointments and chats with your salon, you see client names, phone, email, booking details, and message content—as in Section 10. Staff accounts you invite are scoped to your salon; you choose whom to grant access.
Billing status: Subscription and Featured purchase status with Apple, Google, or Stripe (no full card data stored by us).

Email (how we use your address):

Authentication: Sign-up confirmation, password reset, and similar security emails are sent via Supabase Auth (and its email delivery). These are necessary to operate your account.
Optional product email: Where supported, additional service-related email respects your notification preferences (e.g. email toggle in Settings, stored on user_profiles). This is separate from pure marketing; we do not sell your email.

"My Hairdresser" and favorites:

favorite_salons: user_id, salon_id – your chosen "My Hairdresser" salon (one per user)
favorite_staff: user_id, staff_id – your chosen preferred barber (one per user)
Purpose: Priority when booking; for Starter package salons, eligibility for weekly appointment reminders (push) depends on whether you have added the salon to "My Hairdresser" (favorites)—see Section 10b

Push notifications:

FCM token: Stored in fcm_tokens table (user_id, token, device_type). Used to deliver push notifications via Firebase. You can revoke by disabling notifications in device settings or deleting your account.

Support tickets:

support_tickets / support_ticket_replies: subject, message, priority, status, timestamps, and admin replies. Used to handle your requests; visible to you and authorized Fade support/administrators.

In-app notification feed:

notifications: title, message, type, read status, optional image URL, links to related bookings or chats (related_id / related_type). unread_notifications may store unread counts for the bell icon.
Purpose: show booking updates, messages, loyalty, referrals, and system notices inside the app.

Preferences:

Language: preferred_language in user_profiles (and local app storage) so the UI and localized push content match your choice; optional "follow system language".
Notification preferences: push and email toggles stored in your profile where applicable (notification_preferences).

Coupons and salon promotions:

coupon_codes / coupon_usage: when a coupon is validated or redeemed (e.g. free or discounted salon subscription, Featured promotion), we store which code was used, user or salon identifiers, and redemption metadata. Card numbers are never stored by us—payments still go through Apple, Google Play, or Stripe as applicable.

Referrals (salon program):

referral codes, referral_registrations, referral-related loyalty transactions: used to attribute sign-ups and reward salons or users where the program is active.

Booking details (structure):

appointment_services: links an appointment to selected services (service IDs, duration) in addition to fields on the appointment record.

Appointment changes (cancellation, rescheduling, and salon contact):

In-app cancel/reschedule: When you cancel or move an appointment within the limits shown in the app (including minimum time before the start), we update your appointment record (status, date, time, selected services where applicable), may add automated/system lines in chat where configured, and notify the salon so their calendar matches.
Outside the in-app window: You may need to coordinate directly with the salon (e.g. via Fade chat). Those messages are processed like any other chat (see Section 10c). If the salon cancels, reschedules, or confirms a change, we update the appointment data we hold and may notify you by push or in-app notification.
Late-change assistance: If self-service cancel or reschedule is no longer available shortly before the appointment, we may send the salon a short in-app or push notice with minimal booking details (e.g. who, date, time) so they can help you. Exact cut-off times and rules are in our Terms of Service.

Loyalty and rewards:

loyalty_transactions: user_id, appointment_id, points, transaction_type (earned/redeemed), description
loyalty_redemptions: user_id, salon_id, reward_title, points_redeemed, status (pending/confirmed/cancelled)
qr_scan_history: user_id, salon_id, appointment_id, scan_date, points_earned – when you scan a QR code at the salon for check-in or reward redemption

Automatically collected:

Camera: Only for QR scanning. We do not record video – we process QR data (salon ID, appointment ID) for check-in or reward redemption.
Uploaded photos: Profile, salon logo, portfolio, staff photos (Supabase Storage, EU). Images may come from your gallery or camera; only the file you confirm is uploaded (Section 13).
Generated images: None – we do not use AI to generate images
Device: Device type, OS, app version
IP: Server logs, error reporting (Sentry)
Crash and stability (Sentry): Stack traces, device type, OS version, app version, anonymised technical context. We do not use Firebase Analytics or other third-party product-analytics SDKs in the consumer app. Firebase is used only for push notification delivery (FCM)—see Section 6. We do not use advertising SDKs for cross-app tracking in the consumer app.
Location: Precise location (with permission) to show nearby salons. Collected while the app is in use, not in the background. Optional – you can search by address.

Social sign-in (Google, Apple): When you sign in with Google or Apple, we receive: email, name, and provider user ID. We use these to create or link your Fade account. We do not receive your Google/Apple password.

3. Legal Basis for Processing (GDPR Art. 6)

For each category of data, we process based on:

Account, bookings, messages: Contract performance (Art. 6(1)(b)) – necessary to provide the service
Salon business data, staff accounts, owner dashboard: Contract performance (Art. 6(1)(b)) – providing partner tools to salons
Authentication and security emails: Contract / steps prior to contract (Art. 6(1)(b)) – operating sign-in and account recovery
Location: Consent (Art. 6(1)(a)) – you grant permission in the app
Payment (salon subscriptions): Contract + Legal obligation – processed via Stripe/Apple/Google
Crash reports and diagnostics (Sentry): Legitimate interest (Art. 6(1)(f)) – service improvement, security
Marketing: Consent only – we send marketing only if you opt in
Tax, invoices: Legal obligation (Art. 6(1)(c)) – we must retain as required by law

What these legal bases mean:

Consent: You have agreed to the processing (e.g. by granting permission).
Contract: Processing is necessary to perform our agreement with you.
Legitimate interest: We have a valid reason that does not override your rights (e.g. improving the service, security).
Legal obligation: We must process the data to comply with law (e.g. tax records).

4. Purpose of Data Processing

We process your data for:

Account management: Create and maintain your account
Payment processing: Salon subscription and Featured purchases via Stripe/Apple/Google (no card storage by us)
Salon partner operations: Dashboard, managing bookings at your salon, staff and portfolio, client messaging, subscriptions, promotions, and related tools for business users
Service provision: Bookings, reminders, communication with salons
Booking lifecycle: Apply self-service cancel/reschedule rules, update appointment records, notify you and the salon, process chat when you arrange changes with the salon, and—where applicable—alert the salon with minimal booking metadata when in-app self-service is closed near the appointment time so they can assist
Customer support: Handling support tickets and replies
In-app notifications: Showing booking updates, chat alerts, loyalty, referrals, and system notices in the notification center
Coupons and referrals: Validating and recording promotional codes and referral attribution where programs are active
QR code scanning: Camera is used to scan salon QR codes for appointment check-in and loyalty reward redemption (only when you use this feature)
Stability and diagnostics: Crash and error reporting via Sentry (see Section 6)
Fraud prevention: Detect and prevent abuse
Service improvement: Crash reports (Sentry), feedback
Legal compliance: Tax records, dispute resolution

We do NOT use AI for image generation. Uploaded photos are stored for display only and are not used to train any AI models.

Data minimisation and purpose limitation (GDPR Art. 5): We collect only the data necessary for the purposes described above. We do not use your data for purposes incompatible with those stated. If we need data for a new purpose, we will update this policy and obtain consent where required.

5. Data Retention

We retain your data for defined periods:

Account data: Until you delete your account (+ 30-day grace period)
Photos (profile, salon, staff): Until deletion or account closure
Product analytics (Firebase Analytics, etc.): Not collected in the Fade app; Sentry retention applies as below
Server logs: 90 days
Crash reports (Sentry): 90 days
Payment records: Up to 7 years (legal obligation)
Booking history: Up to 3 years (where legally required)
Chat messages: Until you or the salon hide the chat, or account deletion
Support tickets and replies: Typically retained for the life of the account and a reasonable period after closure for legal and support quality; may be anonymised where required
In-app notifications: Retained for a limited period or until you delete your account; exact duration may vary as we improve storage
Block records (user_blocked_salons, salon_blocked_users): Until you unblock or account/salon deletion
Reminder timestamps (last_reminder_sent_at): Retained with the appointment record; deleted when the appointment or account is removed
FCM tokens: Until account deletion (tokens are removed when you delete your account)
Favorite salons/staff (favorite_salons, favorite_staff): Until you remove them or delete your account
Loyalty transactions and redemptions: Retained with booking history; deleted with account
QR scan history: Retained for loyalty accounting; deleted with account
Reviews: Retained until you delete them or your account. Reviews may remain visible if associated data is anonymised as required by law.

Aggregated and anonymised data: We may retain anonymised or aggregated data (e.g. usage statistics, trends, demographic summaries) indefinitely for analytics and service improvement. This data cannot identify you and is not personal data.

We do NOT use AI to generate images. Uploaded photos are stored in the EU (Supabase, Ireland region) and are not shared with AI providers.

6. Third-Party Service Providers – What We Use and For What

We use the following processors. Each processes data only for the stated purpose. We have Data Processing Agreements (DPAs) or equivalent with all providers. We do NOT sell your personal information.

Supabase (EU – Ireland, AWS eu-west-1): Backend database, file storage, authentication (including Auth email for sign-up/reset). Stores: account data, bookings, messages, reviews, loyalty, FCM tokens, favorites, block lists, support tickets, in-app notifications, notification preference flags, and related metadata. Encryption at rest and in transit (TLS).
Firebase / Google Cloud (may process in US): We use Firebase Cloud Messaging (FCM) only for push notifications—we do not use Firebase Analytics or other Firebase analytics products in the app. FCM receives: FCM device token, user ID (to target notifications). We send notification content (e.g. appointment reminder, new message) to Firebase, which delivers it to your device. Firebase does not store message content long-term. For EU users, Firebase offers GDPR-compliant processing; data may transit through US servers.
Sentry (EU/US): Crash reporting and error monitoring. Receives: Stack traces, device type, OS version, app version, anonymised error context. In the current app configuration we do not attach your account email or name to crash reports. Used to fix bugs and improve stability.
Stripe (EU/US): Web payment processing for salon subscriptions (website). Card details never touch our servers. Stripe is PCI-DSS certified.
Google Play Billing (US): In-app subscription purchases (Android). Google processes payment; we receive only subscription status and transaction ID.
Apple In-App Purchase (US): In-app subscription purchases (iOS). Apple processes payment; we receive only subscription status and transaction ID.
Apple / Google (In-App Review): If you choose to rate the app, the OS may show the native store review dialog. Apple or Google process that interaction under their policies; we do not receive the text of your public store review in our backend.
Google Sign-In (US): OAuth authentication. We receive: email, name, Google user ID. Used to create/link your Fade account. Google's privacy policy applies to their collection: https://policies.google.com/privacy
Sign in with Apple (US): OAuth authentication. We receive: email (or private relay), name (optional), Apple user ID. Apple may hide your email. Used to create/link your Fade account.
Google Maps / Google Geocoding (US) – mobile app (iOS/Android): Map display, directions, and address geocoding via the Google Geocoding API. We send: your location (if permitted) or searched address. Used to show nearby salons and routes. Google's privacy policy: https://policies.google.com/privacy
OpenStreetMap Nominatim (OpenStreetMap Foundation; servers may be in the EU or elsewhere): Used on the website getfadeapp.com (and web-based flows) for address search and geocoding. We send: the address or query text you enter. The mobile app does not use Nominatim for geocoding—it uses Google as above. See: https://operations.osmfoundation.org/policies/nominatim/ and https://wiki.osmfoundation.org/wiki/Privacy_Policy
Vercel (US): Hosting for getfadeapp.com website. Server logs (IP, request metadata) may be processed. The site may load Vercel Analytics and Vercel Speed Insights for aggregated traffic and performance (see Section 15). No Fade app account data is stored on Vercel beyond normal web logs.

7. International Data Transfers

Data may be transferred outside the EEA (European Economic Area). Our providers may process data in the US or other countries:

Which countries / regions: US and other countries (Firebase FCM, Google, Apple, Stripe, Sentry). OpenStreetMap Nominatim queries are processed under OpenStreetMap Foundation policies and infrastructure (may include the EEA).
Legal mechanism: Standard Contractual Clauses (SCC) or equivalent safeguards where applicable—our commercial providers offer SCC for GDPR compliance where data is transferred to the US
Safeguards: Encryption in transit (TLS), Data Processing Agreements (DPAs) with each provider

When we transfer data outside the EEA, we ensure appropriate safeguards are in place as required by GDPR Chapter V.

8. Data Deletion Process

How to request deletion: Settings → Delete account (in-app) or email privacy@getfadeapp.com

Response time: We respond within 30 days (GDPR Art. 12(3))

What is deleted: All personal data (profile, bookings, messages, photos, support tickets where applicable) – except data we must retain by law (e.g. financial records for 7 years, booking history up to 3 years where required)

Backup copies: Deleted data is removed from backups in the next backup cycle (typically within 30–90 days).

9. AI / Image Processing Transparency

We do NOT use AI to generate images. Your photos are:

Uploaded by you (profile, salon, staff images)
Stored in Supabase Storage (EU – Ireland, same region as the database)
Compressed on your device before upload (quality 85, max 300KB for avatars)
NOT shared with AI providers or used to train any AI models
NOT processed for facial recognition or other AI analysis

If we add AI features in the future, we will update this policy and obtain consent where required.

10. Information Sharing with Salons

When you book an appointment or communicate with a salon, we share your personal data with that salon. This is necessary for contract performance and in both parties' legitimate interests.

What we share with salons:

Name (as registered in your profile)
Phone number (for contact regarding the appointment)
Email address (for confirmations and reminders)
Appointment details: date, time, selected service(s), any notes or special requests
Message history: messages exchanged through the Fade platform
Reviews and ratings you have submitted for that salon

Salon's use of your data:

Salons receive your data solely to fulfill the appointment and related communication (confirmations, rescheduling, reminders). Salons must not use your data for marketing outside Fade without your consent and must comply with data protection laws (e.g. GDPR). Salons are independent data controllers. For questions about how a salon uses your data, contact that salon.

Salon as data controller: When you provide health-related or sensitive information to a salon (e.g. allergies, skin conditions, medication notes) via booking notes or consultation forms, the salon is the data controller for that information. We process it on their behalf. Contact the salon directly about how they use and protect such data.

Salon's right to refuse:

Salons may refuse or cancel a booking at their discretion (see Terms of Service). If a salon refuses, they may retain minimal information (e.g. name, booking attempt) for a limited time to prevent abuse. We do not control how long salons retain data—contact the salon for their retention policy.

10a. Other Information Sharing

We may also share your information with: service providers (under data processing agreements), legal authorities (when required by law), and in case of business transfers. We share only what is necessary. We do NOT sell your personal information. We do not sell or share your phone number with third parties for marketing purposes, except where required by law.

10b. Salon Subscription Packages, Reminders, and Blocking

Salon subscription packages (Starter, Medium, Pro):

Salons subscribe to one of three packages. Each package affects which features and data processing apply:

Starter package: Up to 2 barbers, limited portfolio, no Featured placement. Appointment reminders can only be sent to clients who have added the salon to "My Hairdresser" (favorites). Reminders are blocked for clients who have not added the salon to favorites.
Medium package: Up to 5 barbers, more portfolio items, limited Featured visibility. Appointment reminders can be sent to all clients with appointments (no restriction).
Pro package: Up to 10 barbers (or more), full portfolio, enhanced Featured placement. Appointment reminders can be sent to all clients with appointments (no restriction).

Appointment reminders – how they work:

Reminders are optional notifications sent by the salon to remind clients of upcoming appointments.
Delivery: Sent via push notification (Firebase Cloud Messaging) to the client's device.
Frequency: At most once per week per appointment. The app prevents sending more frequently.
Data used: Appointment date/time, salon name, client user ID (for delivery). We store last_reminder_sent_at per appointment.
Legal basis: Legitimate interest (Art. 6(1)(f)) – facilitating appointment attendance; you can disable push notifications in your device settings at any time.

Blocking – users and salons:

Users can block salons: From chat or salon profile → "Block salon". Blocked salons cannot message you; you cannot book new appointments at that salon; existing chats are hidden. We store (user_id, salon_id) in user_blocked_salons.
Salons can block users: From chat or booking list → "Block user". Blocked users cannot book new appointments at that salon, cannot send messages, and cannot receive reminders from that salon. We store (salon_id, user_id) in salon_blocked_users.
Both block types: Data retention – block records are kept until you unblock (Settings → Blocked salons) or the salon unblocks you. Block data is deleted when you delete your account or when the salon is deleted.
Legal basis: Contract performance and legitimate interest – both parties may restrict unwanted communication.

10c. Chat, Reviews, Loyalty, QR Check-In, and Offline Appointments

Chat and messages:

Stored in: chats (links user, salon, appointment) and messages (content, sender_id, sender_role)
Who can see: You and the salon (owner and staff with access). We use Row Level Security so only participants see their chats.
Content is stored in Supabase (EU). Encrypted in transit (HTTPS). We do not use end-to-end encryption – salon staff can read messages.
Automated messages: Fade may insert messages in the thread using a [SYSTEM] prefix or structured JSON (Hairmap v1) for events such as booking confirmed, cancelled, or rescheduled. These are generated by the platform (not manually typed by staff) and are stored like other messages so you have a clear record.
Cancellations and rescheduling: Self-service actions update your appointment row and often add system lines in the thread. If you message the salon because the in-app change window has passed, that content is ordinary chat; changes the salon makes in the dashboard update the same booking data you see.
Late-change assistance to salons: We may notify the salon with limited booking metadata when you cannot complete cancel or reschedule in the app shortly before the appointment (see Terms of Service for timing). This is so the salon can respond; we do not read the content of unrelated chats for that purpose.
When you "hide" a chat, it is soft-hidden for you; messages remain in the database for dispute resolution and salon records.
Push notifications for new messages: We send message content to Firebase to deliver the notification. Firebase does not retain content.

Reviews and ratings:

Stored in: reviews table (user_id, salon_id, rating, comment, staff_id, staff_rating, owner_response)
Visibility: Reviews are public – anyone can see them on the salon profile. Salon owners can see which user wrote which review (user_id is stored).
You can edit or delete your reviews in the app. Salon owners can respond; their response is also stored.
Legal basis: Contract performance (you received a service) and legitimate interest (reputation).

Loyalty points and rewards:

Points earned: When you complete an appointment (QR check-in) or through referrals. Stored in loyalty_transactions.
Redemptions: When you redeem a reward at a salon. Stored in loyalty_redemptions. Salon owner confirms the redemption.
Who sees: You (your points), the salon (redemptions for their salon, your name for confirmation).
Points are per-salon – you cannot transfer points between salons.

QR check-in:

When you scan a QR code at the salon, we record: user_id, salon_id, appointment_id, scan_date, points_earned in qr_scan_history.
Purpose: Verify you attended; award loyalty points; prevent duplicate scans.
Salon owner can see that you checked in and earned points.

Offline appointments:

Salon owners can create appointments for walk-in clients (no Fade account required). They may enter: client name, phone, service, date/time.
If the client has no account, we store only what the owner enters (in appointments with user_id null or a guest placeholder where applicable).
Offline appointments are visible only to the salon. If the client later creates an account and links the appointment, their data is merged.

10d. Payments – Platforms, Services, Invoices, and Data Protection

Which payment service we use depends on the platform:

Android (mobile app):

Google Play Billing is the sole payment provider for in-app purchases. We do not use Stripe or any other payment method in the Android app.
Used for: Salon subscriptions (Starter, Medium, Pro) and Featured salon promotions.
Your payment (card, Google Pay, etc.) is processed entirely by Google. We never see or store your card details. We receive only: subscription status, transaction ID, and order identifier from Google.
Data protection: Google Play Billing is PCI-DSS compliant. Payment data stays with Google.

iOS (mobile app):

Apple In-App Purchase is the sole payment provider for in-app purchases. We do not use Stripe or any other payment method in the iOS app.
Used for: Salon subscriptions (Starter, Medium, Pro) and Featured salon promotions.
Your payment (card, Apple Pay, etc.) is processed entirely by Apple. We never see or store your card details. We receive only: subscription status, transaction ID, and transaction receipt from Apple.
Data protection: Apple IAP is PCI-DSS compliant. Payment data stays with Apple.

Web (getfadeapp.com dashboard):

Stripe is the payment provider for salon subscriptions purchased via the website (salon owner dashboard).
Used for: Salon subscriptions when the owner subscribes through the getfadeapp.com website instead of the mobile app.
Card details are entered on Stripe's secure checkout page. We never see or store your card number, CVC, or full card data. Stripe is PCI-DSS certified.
Data protection: Stripe handles all payment data. We store only: invoice number, amount, status, transaction ID, and payment method label (e.g. "card").

Where to get your invoice or receipt:

Subscription (mobile – Android/iOS): After purchase, tap "Show invoice" in the app to view the invoice we generate. For subscription and Featured purchases, you can also download your receipt from Google Play → Subscriptions & order history, or App Store → Account → Purchase history. The platform receipt is the official proof of payment for tax purposes.
Subscription (web – Stripe): Invoices are available in the salon dashboard under Billing History. Stripe may also send a payment confirmation email. Invoice PDFs can be downloaded from the dashboard.
Featured promotion (mobile): Receipt is available only from Google Play or App Store order history. We do not generate a separate invoice for Featured promotions – the platform receipt is your proof of payment.
Appointment receipts: For individual appointments, some salons may provide a receipt; this is generated by the salon or via our booking system (e.g. in the owner dashboard). Contact the salon for appointment-related receipts.

We store: invoice_number, amount, tax_amount, total_amount, issue_date, due_date, paid_date, payment_method label, transaction_id, subscription_id, salon_id. No card data. Invoice records are retained for up to 7 years for legal/tax compliance.

10e. Profile Visibility, Admin Access, and Data Export

Profile visibility – who sees what:

Salon owners and staff: When you book an appointment or chat, the salon sees: your name (from profile), profile picture, phone number, email address. This is necessary to fulfill the appointment and contact you.
Other app users: Your reviews are public on salon profiles. Reviews display your rating and comment; the salon can see which user_id wrote each review (and thus identify you). We do not display your full name or contact details publicly to other users.
Map and search: Your profile is not publicly listed. Only salons you interact with (booking, chat) see your data.

Admin access:

Fade has administrators who support the platform (e.g. fraud prevention, support, moderation). Admins can access: user profiles, salon data, bookings, messages, reviews, support tickets, and subscription records, when necessary to resolve disputes, prevent abuse, or provide support.
Admin actions may be recorded in audit logs (e.g. admin_audit_log) for security and compliance.
Admin access is logged and restricted to authorised personnel. Admins are bound by confidentiality and data protection obligations.

Data export (right to data portability):

You can request a copy of your personal data in a portable format (e.g. JSON or CSV). Contact privacy@getfadeapp.com with the subject "Data export request".
We will include: account data (name, email, phone), profile data, booking history, messages (where applicable), reviews you have written, loyalty points and redemptions, favorite salons/staff, block lists, support tickets, and in-app notification history where applicable.
We respond within 30 days. The export will be sent securely (e.g. encrypted link or password-protected file). If you have "Request my data" in Settings, that triggers the same process.

11. Data Security and How We Store Your Data

Where we store your data:

Primary storage: Supabase (EU – Ireland, AWS eu-west-1). All account data, bookings, messages, reviews, loyalty, favorites, blocks, and FCM tokens are stored in Supabase's PostgreSQL database. Files (photos) are stored in Supabase Storage in the same region.
Backup: Supabase performs automated backups. Backups are encrypted and stored in the same region or compliant locations.
No local copies: We do not download or store your data on our own servers; everything is held in Supabase and by the third parties listed in Section 6.

Security measures:

Encryption in transit: All API traffic uses HTTPS (TLS 1.2+). No data is sent unencrypted.
Encryption at rest: Supabase encrypts all data at rest (AES-256). Files in Storage are also encrypted.
Access control: Row Level Security (RLS) in Supabase ensures users can only access their own data or data they are authorised to see (e.g. salon owner sees only their salon's data).
Authentication: Passwords are hashed (bcrypt). Social sign-in uses OAuth – we never see your Google/Apple password.
Secure payment: Card data is never stored by us. Payment is handled by Stripe, Apple, or Google (PCI-DSS compliant).
Monitoring: We use Sentry for crash and error reports (see Section 6; account email and name are not attached in the current configuration). Server logs are retained for 90 days.

Data breach notification:

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority (BfDI or equivalent) within 72 hours (GDPR Art. 33) and inform you without undue delay (GDPR Art. 34) where the breach poses a high risk to you.
Contact for breach-related enquiries: privacy@getfadeapp.com

Automated decision-making:

We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you (GDPR Art. 22). All decisions (e.g. booking confirmation, reminder eligibility) are based on rules we define, not AI or automated profiling.
If we introduce such processing in the future, we will update this policy and obtain consent or provide an alternative where required.

No method of transmission over the internet is 100% secure.

12. Your Rights (GDPR)

You have the right to delete your account and all associated data. You can do this within the app (Settings → Delete account) or by contacting us at privacy@getfadeapp.com.

You also have the right to:

Access: Request a copy of your personal information
Correction: Update or correct your information in account settings
Deletion: Request account deletion – we delete within 30 days (30-day grace period applies)
Data Portability: Request your data in a portable format (JSON/CSV)
Opt-out: Unsubscribe from marketing at any time
Withdraw Consent: For location, notifications, or marketing in app/device settings
Object: Object to processing for specific purposes (e.g. marketing)
Restrict processing: Request that we restrict processing in certain circumstances (GDPR Art. 18) – e.g. where you contest accuracy or where processing is unlawful but you prefer restriction to deletion
Complain: Lodge a complaint with a supervisory authority. In Germany: BfDI (www.bfdi.bund.de). EU consumers may contact their local data protection authority. EU dispute resolution: https://ec.europa.eu/consumers/odr/

To exercise these rights: privacy@getfadeapp.com (we respond within 30 days).

13. Location, Camera, and Photo Library

Location: We use your precise location to show nearby salons on the map. Location is optional—you can use the map, search addresses, and add your address manually without granting location permission. Location is needed when you tap "Use device location" or for proximity checks tied to QR check-in where the product uses them.

Camera: We use the camera solely for scanning QR codes at salon locations to verify appointments and redeem loyalty rewards. We do not record, store, or transmit video—we only process the QR code data.

Photo library (gallery): Where you upload a profile picture, salon logo, portfolio image, or staff photo, you may choose an existing image from your device gallery. The app only accesses the specific image you select; it does not browse or import your entire library. On some devices, saving an image to your gallery (e.g. an export) may use add-only photo access as required by the OS.

You can disable location, camera, and photo access in your device settings at any time. This may limit features (e.g. QR check-in, choosing a gallery photo for uploads).

14. Children's Privacy

Our service is not intended for children under 13 (or 16 in some EU countries). We do not knowingly collect personal information from children under 13.

If you are a parent or guardian and believe your child has provided us with personal information, contact us immediately at privacy@getfadeapp.com. We will delete the data promptly and inform you.

15. Cookies & Local Storage

Fade mobile app: The app does not use web cookies. We use local storage (e.g. SharedPreferences) for login session tokens, language choice, the follow-system-language flag, onboarding flags, and similar UI settings. We use Sentry for crash reporting (see Section 6) and Firebase only for push notifications (FCM), not Firebase Analytics. The app contains no third-party advertising SDKs for ad tracking and uses no advertising IDs (IDFA/GAID) for cross-app ad tracking; we do not show third-party ads in the consumer app.

Fade website (getfadeapp.com): May use essential cookies (session, auth) and site analytics/performance tools (e.g. Vercel Analytics, Vercel Speed Insights). You can refuse non-essential cookies via browser settings.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or in-app notification and update the "Last updated" date. We encourage you to review this policy periodically.

17. Contact Us & Supervisory Authority

If you have questions about this Privacy Policy, please contact us:

Fade is operated by Vera IT.

Commercial register (Germany): Local Court of Hamburg (*Amtsgericht Hamburg*).

VAT identification number (German *USt-IdNr.*): DE456074487

Person responsible for editorial content (§ 55(2) RStV — German Interstate Broadcasting Treaty):

Jovica Mihajlovic

Rehrstieg 16d

21147 Hamburg, Germany

Email: privacy@getfadeapp.com (also for GDPR and data protection enquiries)

Support: support@getfadeapp.com

Legal: legal@getfadeapp.com

Data deletion: Request via Settings → Delete account (30-day grace period) or privacy@getfadeapp.com. We respond within 30 days.

Right to complain: You may lodge a complaint with a supervisory authority (e.g. BfDI in Germany: www.bfdi.bund.de). EU consumers may use the EU ODR platform: https://ec.europa.eu/consumers/odr/

18. Disclaimers and Third-Party Links

Third-party links: Our Privacy Policy and app may contain links to external websites (e.g. Google, Apple, Stripe, Supabase). We are not responsible for the privacy practices or content of these third parties. When you leave Fade (e.g. via a link to Google Maps or App Store), their privacy policies apply. We encourage you to read their policies.

No warranty for data accuracy: While we take reasonable measures to keep data accurate and secure, we do not guarantee that all data stored or displayed is error-free, complete, or up to date. Salon information (hours, services, prices) is provided by salons and may change. We are not liable for inaccuracies in third-party-provided data.

Severability: If any provision of this Privacy Policy is found to be invalid or unenforceable by a court, the remaining provisions will remain in full force and effect.

English/German: This policy is provided in English. In case of conflict between translations, the English version prevails unless otherwise required by law.
