Privacy Policy

Effective May 4, 2026 · We'll post any material changes here and update this date.

1. Who we are

iCodice LLC, doing business as SalonAiX (“SalonAiX”, “we”, “our”, or “us”), operates the SalonAiX salon-management platform at salonaix.com and related subdomains. SalonAiX is a product brand of iCodice LLC; the legal entity you contract with under these notices is iCodice LLC.

Registered address: {{TODO: iCodice LLC registered address}}. For privacy questions, contact us at privacy@salonaix.com.

For visitors in the European Economic Area or United Kingdom, our Data Protection Officer is reachable at dpo@salonaix.com. Our representative for the purposes of Article 27 GDPR is {{TODO: EU representative under Art. 27 GDPR, if any}}.

2. Scope of this policy

This policy covers personal information we process in two distinct roles:

  • As a data controller — for our marketing site visitors, sales prospects (anyone who fills in the contact form at /contact), and platform admins.
  • As a data processor — when our salon customers (“tenants”) use the platform to manage their clients' information. In that case, the salon itself is the data controller; we process on their instructions under our Data Processing Addendum. End-clients of a salon should consult that salon's own privacy notice for specifics on how their data is used.

3. Personal information we collect

Categories we may collect, depending on how you interact with us:

  • Identifiers — name, email address, phone number, business name. Provided when you contact sales, sign up, or sign in.
  • Account data — username, hashed password, role, tenant association, audit-log records of actions you take on the platform.
  • Commercial information — subscription tier, billing status, invoice history (we do not store full payment-card numbers; cards are handled by our payment processor).
  • Salon-operations data on behalf of tenants — appointments, service catalog, staff schedules, customer profiles, messaging logs. We process this on the tenant's instructions.
  • Internet/network activity — IP address, browser type, referrer, pages visited, action timestamps. Used for service operation, abuse prevention, and audit logging.
  • Inferences and usage patterns — limited to aggregated product analytics (e.g. “most-used features”).

We do not intentionally collect “sensitive personal information” as defined under CPRA (e.g. precise geolocation, racial/ethnic origin, religion, biometric data, contents of mail/email/messages other than directed at us, financial account credentials). If a salon configures messaging that incidentally contains sensitive content, that data is handled under the Data Processing Addendum, not this policy.

4. Sources

We collect personal information from:

  • You directly (forms, account signups, support tickets, emails).
  • Your salon, if you're a staff member or end-client whose information was entered by salon owners.
  • Cookies and similar technologies (see Section 9).
  • Service providers (e.g. payment processor returning a transaction status).

5. Why we use it (purposes and legal bases)

For visitors and customers in the EU/UK, we rely on the legal bases below under Article 6 GDPR:

Purpose | Legal basis
Provide and operate the platform | Contractual necessity (Art. 6(1)(b))
Authenticate users, prevent abuse, audit | Legitimate interest (Art. 6(1)(f))
Respond to your inquiries | Pre-contract / legitimate interest
Send service emails (e.g. password reset) | Contractual necessity
Marketing emails (only with consent) | Consent (Art. 6(1)(a))
Comply with tax / accounting / legal duties | Legal obligation (Art. 6(1)(c))

For California residents, we collect personal information for the business and commercial purposes listed above. We do not sell personal information for monetary consideration, and we do not “share” it for cross-context behavioral advertising as defined under CPRA. If that ever changes, we will update this notice and provide an opt-out.

6. Who we share it with

We share personal information only with:

  • Service providers acting on our behalf, under written contracts that require equivalent privacy protections. Current categories include cloud hosting (Microsoft Azure), payment processing (Stripe), email delivery (our SMTP provider), SMS gateway (312VOIP), and error monitoring.
  • Salon tenants, with respect to data they themselves entered or that relates to their operation.
  • Authorities, where required by law or to protect our rights, property, or safety, or those of others.
  • Successors in the event of a merger, acquisition, or asset sale, subject to the buyer honoring this policy or providing equivalent protection.

7. International data transfers

Our infrastructure runs in the United States. If you access our service from the EEA, UK, Switzerland, or another jurisdiction with cross-border data-transfer rules, your information will be transferred to and processed in the United States. We rely on the European Commission's Standard Contractual Clauses and (where applicable) the EU-U.S. Data Privacy Framework as the transfer mechanism. A copy of the SCCs we use is available on request from dpo@salonaix.com.

8. How long we keep it

We retain personal information only as long as necessary for the purposes for which it was collected, plus any period required by law. Indicative retention windows:

  • Marketing inquiries (sales): up to 24 months from last contact, then deleted or anonymized.
  • Account / login data: while your account is active, plus 30 days after closure to handle final billing and disputes.
  • Audit logs: 24 months for security and compliance review.
  • Invoices and tax records: 7 years (US) / as required by local tax law in your jurisdiction.

9. Cookies and similar technologies

Our marketing site (salonaix.com apex) does not set advertising or analytics cookies by default. Strictly-necessary technical cookies may be used by our hosting provider to route traffic.

Inside the application (admin / staff / reseller / tenant subdomains) we use functional storage to keep you signed in (a JWT held in your browser's session storage) and to remember UI preferences (e.g. sidebar collapsed). These are not used for advertising.

If we add analytics or advertising cookies in the future, we will update this section and provide a consent mechanism.

10. Your rights — EU/UK (GDPR)

If you're in the EEA or UK, you have the right to:

  • access the personal data we hold about you;
  • correct inaccurate or incomplete data;
  • request erasure (the “right to be forgotten”) where applicable;
  • restrict processing in certain circumstances;
  • data portability — receive your data in a structured, commonly used, machine-readable format;
  • object to processing based on legitimate interests, including profiling;
  • withdraw consent at any time, where processing is based on consent;
  • lodge a complaint with your local supervisory authority — for the UK, the ICO; for EU residents, the authority listed at edpb.europa.eu.

To exercise any right, email dpo@salonaix.com. We'll respond within 30 days, free of charge for non-excessive requests.

11. Your rights — California (CCPA / CPRA)

If you're a California resident, you have the right to:

  • Know what categories and specific pieces of personal information we hold about you, and the categories of sources, purposes, and recipients.
  • Delete personal information we collected from you, subject to legal exemptions.
  • Correct inaccurate personal information.
  • Opt out of any “sale” or “sharing” of personal information. As stated above, we do not sell or share for cross-context behavioral advertising. If that changes, you can exercise this right via the link below.
  • Limit use of sensitive personal information. We do not collect sensitive PI for the purpose of inferring characteristics, so this right is satisfied by default.
  • Non-discrimination — we won't deny service or charge you a different price for exercising any of these rights.

To exercise these rights, email privacy@salonaix.com with “California Privacy Request” in the subject line. We will verify your identity using information already on file (e.g. matching the email you used to sign in) and respond within 45 days. You may use an authorized agent to submit a request on your behalf, with a signed authorization and proof of identity.

Do Not Sell or Share My Personal Information. We currently do not sell or share personal information for cross-context behavioral advertising. Should our practices ever change, you will be able to opt out via the link we'll publish in this section.

12. Children

SalonAiX is a B2B platform not directed at children. We do not knowingly collect personal information from anyone under 16. If you believe a minor has provided personal information to us, contact privacy@salonaix.com and we'll delete it.

13. Security

We use industry-standard administrative, technical, and physical safeguards including encryption in transit (TLS), encryption of credentials at rest, role-based access control, audit logging, and Row-Level Security on tenant data. No security control is perfect; if you suspect unauthorized access to your account, contact us immediately at privacy@salonaix.com.

14. Changes to this policy

We may update this policy from time to time. The “Effective” date at the top indicates the latest revision. Material changes will be communicated by email or by a notice within the application before they take effect.

15. Contact

iCodice LLC (d/b/a SalonAiX)
{{TODO: iCodice LLC registered address}}
Privacy: privacy@salonaix.com
EU/UK Data Protection Officer: dpo@salonaix.com

See also our Terms of Service.