Home Blog Tools About

Compare

Tavix vs Fresha Tavix vs Booksy
Start your free trial

0% commission · 30 days free · WhatsApp first

Privacy Policy

Last updated: March 2026

Home Blog Tools About

Compare

Tavix vs Fresha Tavix vs Booksy
Start your free trial

0% commission · 30 days free · WhatsApp first

Introduction

This Privacy Policy explains how Tavix (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use our salon booking platform at tavix.app.

We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy applies to two groups of users:

  • Salon owners (business users) who register for a Tavix account to manage their bookings and clients.
  • Clients (end users) who book appointments through a salon’s Tavix booking page.

Who We Are

Tavix is a salon booking platform operated at tavix.app. We act as the data controller for data collected through our platform.

For salon owners using Tavix to manage client bookings, the salon owner is a joint data controller for their client data. Tavix processes this data on their behalf as a data processor.

Data We Collect

Account Data

When salon owners register, we collect your name and email address. If you sign up via Google OAuth, we receive your name and email from your Google account.

Business Data

Salon owners provide business information including business name, address, services offered, pricing, staff member details, and working hours.

Booking Data

When clients book appointments, we collect appointment details, service history, and any notes added by the salon owner or client.

Contact Data

We collect phone numbers from clients for WhatsApp OTP verification and appointment notifications. Salon owners may also provide contact phone numbers.

OTP Codes

We generate and temporarily store one-time password (OTP) codes used to verify client phone numbers before booking. These codes are short-lived and automatically deleted after use or expiry.

How We Use Your Data

We use your personal data for the following purposes:

  • Providing our service: Processing bookings, managing appointments, and maintaining client records.
  • Phone verification: Sending OTP codes via WhatsApp (or SMS as fallback) to verify client identity before booking.
  • Appointment notifications: Sending booking confirmations, 24-hour and 2-hour appointment reminders, and cancellation or rescheduling alerts via WhatsApp.
  • Account management: Authentication, password resets, and account security.
  • Payment processing: Processing subscription payments from salon owners and deposit payments from clients via Stripe.
  • Service improvement: Understanding how our platform is used to improve features and user experience.

Lawful Bases

Under UK GDPR, we rely on the following lawful bases for processing your personal data:

  • Contract performance (Article 6(1)(b)): Processing bookings, managing appointments, sending booking confirmations and reminders, and providing the platform service to salon owners under our Terms of Service.
  • Legitimate interests (Article 6(1)(f)): Sending appointment notifications (reminders, cancellation alerts), fraud prevention, and platform security. We have assessed that these interests do not override your rights and freedoms.
  • Consent (Article 6(1)(a)): Non-essential cookies and any future marketing communications. You can withdraw consent at any time.

Data Processors

We share your personal data with the following third-party processors who help us deliver our service:

  • Self-hosted PostgreSQL — Our primary database is self-hosted on infrastructure we manage directly. Data is stored on servers located in the UK. We maintain full control over database security, access, and encryption.
  • Meta Cloud API (WhatsApp Business Platform) — Delivery of WhatsApp messages including OTP verification codes, booking confirmations, appointment reminders, and marketing messages such as birthday offers and re-engagement campaigns. Messages are sent via Meta’s official WhatsApp Business Platform API.
  • Twilio — SMS delivery as a fallback when WhatsApp delivery fails. Used for OTP verification codes only.
  • Stripe — Payment processing for salon owner subscriptions and client deposit payments. Stripe is PCI DSS Level 1 compliant. We never store card details on our servers.
  • Resend — Transactional email delivery for account-related communications including signup confirmations, password reset links, staff invitations, and billing notifications.

All processors are bound by data processing agreements and are required to handle your data in accordance with UK GDPR.

WhatsApp Communications

We use WhatsApp for notifications and marketing. WhatsApp messages are sent for the following purposes:

  • OTP verification: A one-time code to verify your phone number when making a booking.
  • Booking confirmations: Confirmation of your appointment details after booking.
  • Appointment reminders: Reminders sent 24 hours and 2 hours before your appointment.
  • Cancellation and rescheduling alerts: Notifications when an appointment is cancelled or rescheduled.
  • Marketing messages: Birthday offers, re-engagement campaigns, and review requests sent by salon owners through the Tavix platform. These are sent under the salon owner’s brand with their consent and within Meta’s WhatsApp Business Policy.

Marketing messages can be opted out of at any time by replying STOP or through the salon’s booking page. Transactional messages (booking confirmations, reminders) are essential to the service and sent under the contract performance lawful basis.

All WhatsApp messages are sent using pre-approved templates in compliance with Meta’s WhatsApp Business Policy and GDPR requirements.

Data Retention

We retain your personal data for the following periods:

  • Booking history: 6 years from the date of the appointment, in line with HMRC record-keeping requirements for business financial records.
  • OTP codes: 5 minutes from generation. Codes are automatically deleted after verification or expiry.
  • Account data: Retained for as long as your account is active. Upon account deletion, personal data is removed within 30 days, except where we are legally required to retain it (e.g., financial records).
  • Client data: Retained for as long as the salon owner’s account is active. When a salon owner deletes their account, associated client data is removed within 30 days.

Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access: You can request a copy of the personal data we hold about you.
  • Right to rectification: You can request correction of inaccurate or incomplete personal data.
  • Right to erasure: You can request deletion of your personal data where there is no compelling reason for continued processing.
  • Right to restrict processing: You can request that we limit how we use your data in certain circumstances.
  • Right to data portability: You can request your data in a structured, commonly used, machine-readable format (CSV or JSON).
  • Right to object: You can object to processing based on legitimate interests.
  • Rights related to automated decision-making: We do not currently make decisions based solely on automated processing that produce legal or similarly significant effects.
  • Right to withdraw consent: Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, contact us at privacy@tavix.app. We will respond within one month.

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Cookies

We use a limited number of cookies that are essential for the platform to function. We do not use advertising or tracking cookies.

Essential Cookies

  • authjs.session-token — NextAuth.js session cookie. This is necessary to keep salon owners signed in and secure their account. Expires when your session ends or after the configured session duration.
  • authjs.csrf-token — Cross-site request forgery protection token. Prevents unauthorised form submissions. Expires when your browser session ends.
  • client_session — Client booking session token. Used to maintain your verified session when booking appointments so you do not need to re-verify your phone number for each booking.
  • has_business — Dashboard routing optimisation. A simple flag used to route authenticated users to the correct dashboard view without an additional database query.
  • cookie_consent — Stores your cookie preference (either “all” or “essential”). Expires after 1 year.

All cookies listed above are essential for the operation of our platform. They do not track you across other websites and are not used for advertising purposes.

Children’s Privacy

Tavix is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child under 16, please contact us at privacy@tavix.app and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. When we make material changes, we will notify registered salon owners by email and update the “Last updated” date at the top of this page.

We encourage you to review this policy periodically to stay informed about how we protect your data.

Contact Us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us: