Privacy Policy

INTRODUCTION

Salt Beauty Limited ("Salt Beauty", "we", "us", or "our") is a beauty studio located at 47 Duke Street, Douglas, Isle of Man. We are the data controller in respect of the personal data we process about you, meaning we determine how and why your personal data is used.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have in relation to it. It applies to data collected through our website (www.saltbeauty.im), our online booking system, our in-studio consultation forms, and any other interaction you have with us.

We process personal data in accordance with the Isle of Man Data Protection Act 2018 and the General Data Protection Regulation as applied to the Isle of Man (together, the "Applied GDPR").

If you have any questions about how we handle your personal data, please contact us at hello@saltbeauty.im at any time.

1. INFORMATION WE COLLECT

We collect the following categories of personal data about you:

Identity and Contact Information
- Full name
- Email address
- Phone number
- Postal address (where provided)
- Date of birth (where relevant to a treatment)

Booking and Appointment Data
- Appointment history, dates, times, and treatment types
- Booking preferences and notes
- Cancellation and rescheduling records

Treatment and Consultation Records
- Consultation form responses, including health and lifestyle information relevant to your treatments
- Known allergies and sensitivities
- Patch test records and results
- Treatment notes, SOAP notes, and formulas recorded by your therapist
- Photographs taken before or after treatments (where you have consented)

Financial and Transactional Data
- Records of purchases made at Salt Beauty, including treatments, products, passes, and gift cards
- Payment confirmation records (we do not store full card or bank account details — these are handled by our payment processor)
- Loyalty points and account balances

Communications Data
- Emails, messages, and enquiries sent to us
- Reviews and feedback you have provided

Technical and Website Data
- IP address and browser type
- Pages visited and time spent on our website
- Cookie and tracking data (see Section 10)

2. HOW WE COLLECT IT

We collect personal data from you in the following ways:

- Directly from you — when you book an appointment online or in person, complete a consultation or health form, contact us by email, phone, or social media, or make a purchase.
- Through our booking system — our booking platform (Ovatu) automatically captures information you provide when making or managing a booking online.
- Through our website — when you visit our website, certain data is collected automatically through cookies and analytics tools.
- From third-party platforms — if you contact us or tag us via Facebook or other social media, we may receive your publicly visible profile information and the content of your message.
- From your therapist — your therapist may add treatment notes, product formulas, and observations to your client file following your appointment.

3. WHY WE PROCESS YOUR DATA

We process your personal data for the following purposes, on the legal bases indicated:

- Managing and confirming your bookings and appointments — Performance of a contract
- Delivering treatments safely and effectively — Performance of a contract; explicit consent for health data
- Sending appointment reminders and booking confirmations — Performance of a contract
- Processing payments and managing your account balance — Performance of a contract
- Maintaining accurate business and accounting records — Legal obligation
- Sending marketing emails and SMS messages about our services, offers, and promotions — Consent
- Sending post-appointment review requests — Legitimate interests (improving our services)
- Responding to enquiries, complaints, and feedback — Legitimate interests (managing client relationships)
- Improving our website, services, and client experience — Legitimate interests (business improvement)
- Preventing fraud and ensuring the security of our business and systems — Legitimate interests (security and fraud prevention)

Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests at any time — see Section 9.

4. SENSITIVE HEALTH INFORMATION

Some of the information we collect — such as details about your skin conditions, allergies, medical history, medications, or other health-related factors — falls within the category of special category data under the Applied GDPR. This type of data receives a higher level of protection.

We collect this information only for the purpose of providing your treatments safely and effectively. For example, knowing about allergies is essential before applying products, and patch test records ensure we do not proceed with treatments that could cause harm.

We rely on your explicit consent as our legal basis for processing this information. You will be asked to provide this consent through our consultation forms. You may withdraw your consent at any time; however, where certain health information is essential to carry out a treatment safely, we may be unable to proceed without it.

We will never use your health information for marketing purposes or share it with any third party except where strictly necessary to deliver a treatment or where required by law.

5. MARKETING COMMUNICATIONS

We would like to send you information about our latest treatments, promotions, and news from Salt Beauty by email and/or SMS. We will only do this where you have given us your consent to receive marketing communications.

You can opt out of receiving marketing communications at any time by:
- Clicking the unsubscribe link in any marketing email we send you
- Replying STOP to any marketing SMS
- Contacting us directly at hello@saltbeauty.im

Withdrawing your marketing consent will not affect our ability to send you essential transactional communications, such as appointment reminders and booking confirmations.

We do not share your contact details with third parties for their own marketing purposes.

6. WHO WE SHARE YOUR DATA WITH

We do not sell, rent, or trade your personal data. We share it only where necessary, and only with trusted parties as described below.

Service Providers (Data Processors)

We use the following categories of third-party service providers who process data on our behalf, under our instruction, and only for the purposes we specify:

- Booking and client management platform (Ovatu) — stores your client profile, appointment history, consultation forms, and booking preferences on our behalf.
- Payment processor — processes payment transactions securely. We do not see or store your full card details.
- Website hosting provider (Webflow) — hosts our website and may collect technical data relating to your visit.
- Email and SMS service providers — used to send booking confirmations, reminders, and, where you have consented, marketing messages.
- Analytics providers — provide anonymised or aggregated data about how our website is used, to help us improve it.

All service providers are required to handle your data securely, in accordance with the Applied GDPR, and only for the purposes we have specified.

Legal and Regulatory Disclosures

We may disclose your personal data to law enforcement authorities, regulators, or courts where we are required by law to do so, or where disclosure is necessary to protect our legal rights or the safety of our clients and team.

Business Transfers

In the event that Salt Beauty is acquired, merged, or its assets are transferred to another party, your personal data may form part of the transferred assets. We will notify you in advance of any such transfer and explain how your data will be handled by the new controller.

7. INTERNATIONAL TRANSFERS

Some of our third-party service providers are based outside the Isle of Man and the European Economic Area (EEA). In particular, our booking platform provider (Ovatu) is based in Australia.

Where we transfer personal data to countries that do not benefit from an adequacy decision under the Applied GDPR, we ensure that appropriate safeguards are in place to protect your data. These safeguards include:

- Standard Contractual Clauses (SCCs) — contractual protections approved under data protection law, requiring the recipient to handle your data to a standard equivalent to that required in the Isle of Man.
- Data Processing Agreements — binding agreements with each processor setting out their obligations to protect your data.

You may contact us at hello@saltbeauty.im if you would like further information about the specific safeguards in place for any international transfer.


8. HOW LONG WE KEEP YOUR DATA

We retain personal data only for as long as necessary for the purposes for which it was collected, and in accordance with our legal obligations.

- Client profile and appointment history — retained for the duration of your relationship with Salt Beauty, plus 3 years after your last appointment, for continuity of care and legitimate business purposes.
- Consultation and health records (including patch test results) — retained for the duration of your relationship with Salt Beauty, plus 7 years after your last appointment, for safety, duty of care, and potential legal claims.
- Financial and transactional records — retained for 7 years from the date of the transaction, to meet legal and tax obligations under Isle of Man law.
- Marketing consent records — retained until consent is withdrawn, plus 1 year thereafter, to demonstrate compliance with consent requirements.
- Website analytics data — retained for up to 26 months for website improvement purposes.
- General correspondence and enquiries — retained for 3 years from the date of the communication.

When data is no longer required, it is securely deleted or anonymised. If you would like us to delete your data earlier, please see your rights in Section 9 — though we may not always be able to comply where we have a legal obligation to retain records.

9. YOUR RIGHTS

Under the Applied GDPR, you have the following rights in relation to your personal data:

Right of Access
You have the right to request a copy of the personal data we hold about you, along with information about how we use it. This is sometimes called a Subject Access Request (SAR).

Right to Rectification
You have the right to ask us to correct any inaccurate or incomplete personal data we hold about you.

Right to Erasure
You have the right to ask us to delete your personal data in certain circumstances — for example, where it is no longer necessary for the purpose for which it was collected, or where you withdraw consent. This right does not apply where we have a legal obligation to retain the data.

Right to Restrict Processing
You have the right to ask us to restrict how we use your data in certain circumstances — for example, while we are investigating a dispute about its accuracy.

Right to Data Portability
Where processing is based on consent or a contract, you have the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format, and to have it transferred to another controller.

Right to Object
You have the right to object to processing based on our legitimate interests. Where you object, we will stop processing your data unless we can demonstrate compelling legitimate grounds that override your interests, or where the processing is necessary for legal claims. You also have an absolute right to object to the use of your data for direct marketing at any time.

Rights Related to Automated Decision-Making
You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces a legal or similarly significant effect on you. We do not currently use automated decision-making of this kind.

Right to Withdraw Consent
Where we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, please contact us at hello@saltbeauty.im or write to us at the address in Section 13. We will respond within one month. There is usually no charge for exercising your rights, though we may charge a reasonable fee where requests are manifestly unfounded or excessive.

10. COOKIES

Our website uses cookies — small text files placed on your device — to help it function correctly, to understand how visitors use the site, and to improve your experience.

Types of Cookies We Use

- Strictly necessary cookies — essential for the website to function. These cannot be disabled. They include cookies that manage your session and remember your preferences during a visit.
- Analytics cookies — help us understand how visitors interact with our website, which pages are most popular, and how we can improve the experience. The data collected is aggregated and anonymised where possible.
- Functional cookies — remember choices you make to provide a more personalised experience.

Managing Cookies

When you visit our website for the first time, you will be shown a cookie banner giving you the option to accept or decline non-essential cookies. You can change your preferences at any time by adjusting your browser settings. Most browsers allow you to block or delete cookies; however, doing so may affect the functionality of our website.

For more information about cookies and how to manage them, visit www.aboutcookies.org.

11. SECURITY

We take the security of your personal data seriously and have put in place technical and organisational measures to protect it against unauthorised access, loss, alteration, or disclosure. These include:

- Access controls and individual login credentials for all systems holding client data
- Secure, encrypted storage through our booking and management platform
- Limiting access to client data to only those members of the team who need it to carry out their duties
- Regular review of our data handling practices

Where we become aware of a data breach that is likely to affect your rights and freedoms, we will notify the Isle of Man Information Commissioner within 72 hours and, where required, notify you directly.

If you believe your data may have been compromised, please contact us immediately at hello@saltbeauty.im.


12. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or the services we offer. When we make material changes, we will update the "Last Updated" date at the top of this page. Where changes are significant, we may notify you directly by email.

13. CONTACT US & COMPLAINTS

If you have any questions, concerns, or requests relating to this Privacy Policy or the way we handle your personal data, please get in touch:

Salt Beauty Limited
47 Duke Street, Douglas, Isle of Man
Email: hello@saltbeauty.im
Phone: +44 1624 621125
Website: www.saltbeauty.im

We will respond to all requests within one month.

Right to Complain to the Supervisory Authority

You have the right to lodge a complaint with the Isle of Man Information Commissioner if you believe we have not handled your personal data in accordance with the Applied GDPR. We would always appreciate the opportunity to address your concerns directly before you contact the regulator, but you are not required to do so first.

Isle of Man Information Commissioner
PO Box 69, Douglas, Isle of Man, IM99 1EQ
Phone: 01624 693260
Website: www.ico.org.im