Privacy Policy

This Privacy Policy applies to personal information we collect from: (a) visitors to bellafy.app; (b) beauty clinics and similar businesses that subscribe to Bellafy ("Merchants"); and (c) clients of those Merchants who interact with the Bellafy-powered Progressive Web App ("End Users").

Bellafy acts as a data controller with respect to personal information collected about Merchants, website visitors, and contacts. For personal information processed through a Merchant's account about its End Users, the Merchant is the data controller and Bellafy acts solely as a data processor on the Merchant's behalf. In such cases, the Merchant's own privacy policy governs the processing of End User data, and you should contact the Merchant directly to exercise your rights.

This Privacy Policy does not apply to third-party websites, services, or applications, even if they are linked to or from the Service.

Information you provide directly. When you register as a Merchant, contact us, or use the Service, we collect information such as your name, business name, email address, phone number, billing address, login credentials, and any other information you choose to share.

Payment information. Payments are processed by Stripe. We do not store full card numbers on our servers. We receive limited information from Stripe such as the last four digits of the card, card brand, expiration date, transaction identifiers, and Stripe account identifiers.

End User information (on behalf of Merchants). When End Users register through a Merchant's Progressive Web App, we process, on behalf of the Merchant, data such as name, email, phone number, booking history, loyalty points, vouchers, communication preferences, and payment method tokens generated by Stripe. Bellafy has technical access to this data as part of operating the Supabase infrastructure but does not use it for its own purposes.

Push notification data. If End Users opt in to receive push notifications, we store the push subscription endpoint and associated keys necessary to deliver the notifications. This data is only stored when explicitly accepted by the End User and can be revoked at any time from the device or app settings.

Referral and partner data. When a visitor arrives through a partner referral link (for example, bellafy.app/r/[code]), we set a first-party cookie containing the partner's unique code so that commissions can be attributed correctly if the visitor later signs up as a Merchant. No other personal data is collected at that stage.

Cookie consent records. When you interact with our cookie banner, we record your consent status, your IP address, a timestamp, and the version of the cookie banner shown. This record is stored in our Supabase database and is used solely to demonstrate compliance with applicable law.

Usage and device data. When you use the Service, we automatically collect technical information such as IP address, browser type, operating system, referring URL, pages viewed, timestamps, and general geographic location derived from the IP address. Some of this data is collected via Google Analytics as described below.

Communications. If you contact us by email, through a form, or through support channels, we retain those communications and any information you share with us.

We use personal information to: (a) provide, operate, secure, and improve the Service; (b) create and manage accounts and process payments; (c) deliver transactional emails, service notifications, and, where permitted, marketing communications; (d) respond to inquiries and provide customer support; (e) detect, prevent, and address fraud, abuse, and security incidents; (f) attribute partner referrals and calculate commissions; (g) comply with legal obligations; and (h) enforce our Terms of Service and other agreements.

We do not sell personal information for monetary consideration. We do not use End User personal information for our own marketing purposes.

We do not use personal information to train artificial intelligence or machine learning models.

Where applicable law requires a specific legal basis for processing personal information, we rely on the following: (a) performance of a contract, when processing is necessary to provide the Service; (b) compliance with a legal obligation; (c) legitimate interests, such as securing the Service, preventing fraud, and improving the product, provided these interests are not overridden by your rights; and (d) consent, for example for non-essential cookies and marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.

We share personal information only as described below and do not sell or rent it to third parties for their own marketing.

Service providers (subprocessors). We share information with trusted third parties that help us operate the Service, including: Stripe, Inc. (payments), Supabase Inc. (database and authentication), Resend (transactional email), Cloudflare, Inc. (bot protection via Turnstile and CDN), Google LLC (analytics via Google Analytics / Google Tag), and Vercel Inc. (hosting and deployment). These providers are bound by contractual obligations to process data only on our instructions and to implement appropriate security measures.

Merchants. Where we act as a processor, we process End User data exclusively on the instructions of the relevant Merchant.

Partners. When a Merchant signs up through a partner referral link, we share with the partner limited information required to calculate commissions, such as the fact that a referral converted, the Merchant's subscription status, and the commissions due. We do not share End User data with partners.

Legal and safety. We may disclose information when we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or government request; (b) enforce our agreements; (c) protect the rights, property, or safety of Bellafy, our users, or the public; or (d) detect, prevent, or address fraud, security, or technical issues.

Business transfers. If Bellafy is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction, subject to standard confidentiality protections.

A current list of our subprocessors is maintained as part of this Privacy Policy. As of the last updated date, our subprocessors are:

Stripe, Inc. (United States) — payment processing and card tokenization.

Supabase Inc. (United States) — database, authentication, and file storage.

Resend (United States) — transactional and service emails.

Cloudflare, Inc. (United States) — bot protection (Turnstile) and content delivery.

Google LLC (United States) — website analytics via Google Analytics and Google Tag.

Vercel Inc. (United States) — application hosting and deployment.

We will update this list when we add or replace subprocessors. Merchants subject to a signed Data Processing Agreement will be notified of material changes in accordance with that agreement.

We use cookies and similar technologies to operate the Service, remember preferences, measure usage, and attribute partner referrals. Categories include: strictly necessary cookies (such as session and authentication), analytics cookies (Google Analytics), security cookies (Cloudflare Turnstile), and functional cookies (partner referral code, cookie consent record).

When required by law, non-essential cookies are loaded only after you provide consent through our cookie banner. You can change or withdraw your consent at any time. For details, see our Cookie Policy.

Bellafy is based in the United States and our subprocessors are primarily located in the United States. If you access the Service from outside the United States, your personal information will be transferred to, stored in, and processed in the United States and other countries where our subprocessors operate.

Where required by law, we rely on appropriate safeguards such as Standard Contractual Clauses or other legally recognized transfer mechanisms to protect personal information transferred internationally.

We retain personal information for as long as necessary to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements.

Merchant account data is retained while the account is active and for up to 30 days after termination, unless a longer period is required by law (for example, tax and accounting records are kept for up to 7 years).

End User data retention is controlled by the Merchant. When a Merchant closes its account, End User data will be deleted within the timeframe described in our Terms of Service, unless the Merchant requests earlier deletion or export.

Cookie consent records are retained for at least 13 months to demonstrate compliance, as recommended by regulators.

Marketing contact data is retained until you unsubscribe or request deletion.

We implement technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction, including encryption in transit, access controls, role-based permissions, bot protection, and regular security reviews.

No method of transmission or storage is completely secure. We cannot guarantee absolute security but work continuously to improve our practices.

Depending on where you reside, you may have certain rights regarding your personal information, including the right to: (a) access the personal information we hold about you; (b) correct inaccurate or incomplete information; (c) delete your personal information; (d) restrict or object to certain processing; (e) receive a copy of your personal information in a portable format; and (f) withdraw consent where processing is based on consent.

You may exercise these rights by contacting us at support@bellafy.app. We will respond within the timeframe required by applicable law. We may need to verify your identity before acting on your request.

If Bellafy is a processor of your data (for example, you are an End User of a Merchant), please direct your request to the Merchant. We will support the Merchant in responding as required by law.

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, or another U.S. state with a comprehensive privacy law, you may have additional rights under applicable law, including the right to know, access, correct, and delete personal information, the right to opt out of the sale or sharing of personal information for cross-context behavioral advertising, and the right to opt out of certain profiling.

Bellafy does not sell personal information for monetary consideration and does not engage in cross-context behavioral advertising targeting End Users. If we use analytics cookies that may qualify as "sharing" under the CCPA/CPRA, you can opt out at any time via our cookie banner or by enabling the Global Privacy Control (GPC) signal in your browser, which we honor as an opt-out request.

California residents may designate an authorized agent to submit requests on their behalf, and may appeal our decisions regarding their privacy requests by replying to our response email with the subject line "Privacy Appeal".

To exercise any of these rights, contact us at support@bellafy.app.

The Service is not directed to children under the age of 16, and we do not knowingly collect personal information from children under 16. If you believe we have collected personal information from a child under 16, please contact us at support@bellafy.app and we will take steps to delete it.

Merchants are solely responsible for ensuring that their End Users meet any minimum age requirements applicable to the services they offer.

Some browsers offer a "Do Not Track" (DNT) signal. Because there is no common standard for how to respond to DNT signals, we do not currently respond to DNT signals.

We do honor the Global Privacy Control (GPC) signal where required by applicable law. When we detect a GPC signal, we treat it as an opt-out of sale or sharing for the browser from which it originates.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through the Service at least 15 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

If you have any questions about this Privacy Policy or our privacy practices, please contact us:

Bellafy LLC

[Registered agent address, Wyoming]

Email: support@bellafy.app

In the event of any conflict between the English version of this Privacy Policy and any translated version, the English version shall prevail.