Your privacy matters to us. Thyme Studio Ltd is committed to protecting the personal information of our users. This policy explains what data we collect, why we collect it, and how you can control it. We comply fully with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
Thyme Studio Ltd is a software company registered in England and Wales (CRN: 16966378), with our registered address at 128 City Road, London, EC1V 2NX.
We are the data controller for personal data collected through our website (thymestudio.co.uk) and our salon management platform. For enquiries relating to this policy, please contact us at privacy@thymestudio.co.uk.
2. Data we collect
2.1 Information you provide to us
- Account data: name, email address, password (hashed), business name, phone number
- Billing data: payment card details (processed by Stripe — we never store raw card numbers)
- Client data: details of your salon clients that you enter into the platform (name, phone, appointment history, notes)
- Communications: messages you send us via email, chat, or support forms
2.2 Data we collect automatically
- Usage data: pages visited, features used, time on platform, actions taken
- Device data: IP address, browser type, operating system, device identifiers
- Cookies and similar technologies — see Section 7
2.3 Data from third parties
We may receive information about you from third-party services such as Google (for calendar integration) or payment processors, where you have granted us access.
3. How we use your data
- To provide, maintain, and improve the Thyme Studio platform
- To manage your account and process payments
- To send transactional emails (booking confirmations, receipts, security alerts)
- To send marketing communications where you have opted in
- To provide customer support
- To analyse usage and improve our product
- To comply with our legal obligations
- To detect and prevent fraud or misuse
We will never sell your personal data to third parties.
4. Legal basis for processing
Under UK GDPR, we rely on the following legal bases:
- Contract: processing necessary to deliver the services you have subscribed to
- Legitimate interests: improving our platform, security monitoring, fraud prevention
- Consent: marketing communications and non-essential cookies (you can withdraw at any time)
- Legal obligation: financial record-keeping and compliance requirements
5. Who we share data with
We share data only where necessary, with trusted sub-processors including:
- Supabase — database hosting (UK/EU region)
- Stripe — payment processing
- Twilio — SMS reminders sent on your behalf
- SendGrid — transactional and marketing email
- Google — calendar integration (only when you connect your Google account)
- Vercel / Railway — application hosting
All sub-processors are bound by data processing agreements and handle data in accordance with UK GDPR.
We may disclose data if required by law, court order, or to protect the rights and safety of our users or the public.
6. How long we keep data
- Account data: for the duration of your subscription, plus 2 years after cancellation
- Billing records: 7 years (UK legal requirement)
- Client data you enter: retained until you delete it or close your account
- Usage/analytics data: 26 months in aggregated form
- Support communications: 3 years
Upon account closure you may request full data deletion at privacy@thymestudio.co.uk. We will process deletion within 30 days, except where retention is required by law.
7. Cookies
We use cookies and similar technologies to operate the platform. These include:
- Essential cookies: required for authentication and security — cannot be disabled
- Analytics cookies: help us understand how the platform is used (e.g. page views, feature adoption). These require your consent.
- Preference cookies: remember your settings such as pricing toggle state
You can manage cookie preferences at any time through your browser settings or our in-app cookie preference centre. Withdrawing consent for non-essential cookies will not affect your ability to use the platform.
8. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you
- Right to rectification — ask us to correct inaccurate data
- Right to erasure — request deletion of your data (subject to legal exceptions)
- Right to restriction — ask us to stop processing your data in certain circumstances
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interests or for direct marketing
- Rights related to automated decision-making — we do not make solely automated decisions with legal or significant effects on you
To exercise any of these rights, email privacy@thymestudio.co.uk with the subject line "Data Rights Request". We will respond within one calendar month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
9. Data security
We take the security of your data seriously and implement appropriate technical and organisational measures including:
- Encryption of data in transit (TLS 1.2+) and at rest
- Password hashing using bcrypt
- Role-based access controls and row-level security
- Regular security reviews and penetration testing
- Multi-factor authentication options for accounts
In the event of a personal data breach that risks your rights and freedoms, we will notify the ICO within 72 hours and affected users without undue delay.
10. Changes to this policy
We may update this policy from time to time. Where changes are material, we will notify you by email or via an in-app notification at least 30 days before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent version.
Continued use of the platform after the effective date constitutes acceptance of the updated policy.