Privacy Policy
Policy version: 2026-05-23 · Last update: May 2026
1. Data controller
The data controller is Hair Rich Olbia, based at Via Regina Elena 33/A, Olbia (SS), Italy. For any request related to your personal data, write to info@hairrich.it.
2. Legal basis and purpose
We process your personal data in compliance with EU Regulation 2016/679 (GDPR) and the Italian Privacy Code (Legislative Decree 196/2003, as amended). Purposes: (a) performance of the service contract (booking management, haircut and treatment delivery, receipts) under Art. 6(1)(b) GDPR; (b) further purposes based on your explicit consent (Art. 6(1)(a) GDPR), listed in section 3.
3. Separate, revocable consents
On your first login to the customer area we ask for five separate consents, each optional and revocable at any time from /profilo → Settings. Every grant or revocation is recorded in our immutable audit ledger together with the timestamp, the policy version shown to you, your IP address and your user agent. The five consents: (1) Marketing & promotions — offers, previews, newsletter; (2) Appointment reminders — a message 24h and 2h before each appointment; (3) Before/after photos — an archive visible only to you in your personal area; (4) Behavioral profiling — targeted campaigns based on your visit history (birthday, reactivation); (5) Referral program — participation in the word-of-mouth scheme.
4. Data categories
Identification data (first name, last name), contact (email, phone), date of birth (only if provided under consent 4), appointment history, before/after photos (only with consent 3), service preferences, referral codes generated or used, consents granted and revoked with timestamps.
5. Data retention
We retain data for the duration of the customer relationship and for the 10 years thereafter required by tax regulations (D.P.R. 600/1973). Before/after photos are deleted within 24 months of your last visit unless you request extended retention. The consents ledger is retained indefinitely so that we can demonstrate that consent was given, as required by Art. 7(1) GDPR.
6. Recipients and external processors
Your data is not sold to third parties for commercial purposes. It is hosted on Supabase (EU servers — Frankfurt) and may be processed by: Google Workspace (transactional email), Telegram (notifications to the owner for cancellations and orders), OpenAI (only anonymized text used to draft owner-facing AI suggestions; no personal data is sent). All providers act as processors under GDPR; the data processing agreements (DPAs) we hold with each of them are available on request.
7. Non-EU transfers
OpenAI is US-based. Only strictly anonymized text is sent to it; anonymized data that can no longer be linked to a person is not personal data under GDPR (Recital 26), and as an additional safeguard the transfer is covered by the European Commission's Standard Contractual Clauses (SCCs). For all other processing, data stays within the European Union.
8. Your GDPR rights
You have the right to: access your data (Art. 15), rectify it (Art. 16), have it erased — the right to be forgotten (Art. 17), restrict processing (Art. 18), receive it in a portable format (Art. 20 — available as a JSON export from /profilo → Settings), object to processing (Art. 21), and withdraw consents without affecting the lawfulness of processing carried out before withdrawal (Art. 7(3)). To exercise these rights write to info@hairrich.it. You also have the right to lodge a complaint with the Italian Data Protection Authority, the Garante per la protezione dei dati personali (www.garanteprivacy.it), under Art. 77 GDPR.
9. Security
We adopt appropriate technical and organizational measures (Art. 32 GDPR): TLS-encrypted connections for all traffic to the site and the customer area, Row Level Security policies at the database level so that each customer can read only their own records, two-factor authentication for staff accounts, and an immutable audit log of all changes to sensitive data. Passwords are never stored in plaintext.
10. Policy changes
Material changes will be communicated at your next login, and we will ask you to renew your consents against the new version. The current version is shown at the top of this page.