Privacy policy
Effective date: June 15, 2026
1. Who we are
Clean Cutz (“we,” “us,” or “our”) operates the cleancutz.io platform—a software-as-a-service tool for appointment booking, storefront management, payment processing, team coordination, marketing, and social media content management serving salons, barbershops, independent cosmetology and barbering professionals, and their customers (collectively, “the Platform”). This Privacy Policy explains how we collect, use, share, and protect personal information in connection with the Platform.
By creating an account, connecting an integration, or using any part of the Platform, you acknowledge you have read and understood this policy. If you do not agree, do not use the Platform.
2. Information we collect
2.1 Account and identity information
When you register or are invited to the Platform we collect your name, email address, phone number, role (customer, contractor, organization administrator, or other), and password credentials (stored as a one-way hash). Organization administrators also provide business name, address, and slug for their public storefront.
2.2 Appointment and service records
We collect and retain records of bookings, services selected, service duration, location (physical address or mobile/house-call coordinates where enabled), pricing, notes, cancellations, and related communications created through the Platform.
2.3 Payment information
The Platform uses Square, Inc. as its payment processor. When you enter card or banking details, that information is transmitted directly to Square and governed by Square’s Privacy Policy. We do not receive, store, or have access to full card numbers, CVV codes, or bank account credentials. We do receive and store transaction identifiers, payout summaries, fee records, refund statuses, and connected Square account identifiers returned to us by Square’s API in order to display financial records inside the Platform.
2.4 Social media integration (Meta / Facebook & Instagram)
If you choose to connect a Facebook Page or Instagram Business Account through the Platform’s social content feature, we collect and store the following from Meta Platforms, Inc. via their Graph API:
- Your Meta user ID and the Page ID(s) you authorize
- Page name and Instagram username (display purposes)
- OAuth access tokens (user-level and Page-level) — these are encrypted at rest using AES-256-GCM before storage and are never transmitted to your browser or any third party other than Meta when making API calls on your behalf
- Token expiry timestamps used to prompt re-authorization before tokens expire
- Engagement metrics (likes, comments, reach, impressions) returned by the Meta Graph API for posts published through the Platform
Your use of the Meta integration is also governed by Meta’s Privacy Policy and Meta’s Platform Terms. We act as a data processor on your behalf for the limited purpose of storing your tokens and making Graph API calls you initiate. You may disconnect your Meta account at any time from the Content tab in the Platform; doing so removes stored tokens from our database and revokes our API access.
2.5 Communications and notifications
If you opt in to text messages, we use your mobile phone number to send transactional appointment notifications (such as booking confirmations, reminders, schedule changes, and receipts). These messages are delivered through our SMS provider, Twilio, which processes your phone number and message content on our behalf solely to deliver them. Message frequency varies and message and data rates may apply. You can opt out at any time by replying STOP or by turning off text notifications in your account settings. We do not sell or share your phone number or mobile opt-in information with third parties for their own marketing.
If your organization uses the Platform’s email or SMS marketing features, we process the contact lists, message content, and delivery records (including open/click events for email, and delivery receipts for SMS) you upload or create. Outbound messages are delivered via third-party providers (email delivery services and SMS gateway providers). You are solely responsible for ensuring you have obtained all legally required consents from your contacts before sending any marketing communication through the Platform.
2.6 Compliance and credentialing documents
Where you use optional compliance features, we may store copies of professional licenses, permits, insurance certificates, or similar documents you upload. These documents are stored in secured cloud object storage and are not shared with regulators or licensing boards unless required by law or compelled by legal process.
2.7 Device and log data
We automatically collect server logs, IP addresses, browser type, operating system, pages visited, session duration, and error reports for security monitoring, debugging, and performance improvement. This data is retained for a limited period and is not sold.
2.8 User-generated content
Portfolio images, before/after photos, storefront hero images, service descriptions, and other media you upload are stored in secured cloud storage. You retain ownership of your content; you grant us a limited license to host and display it within the Platform as directed by your settings.
3. How we use information
- To operate and deliver the Platform’s features you request
- To process and display payment and booking records
- To authenticate your identity and manage sessions (including JWT-based tokens stored in secure, HTTP-only cookies)
- To make API calls to Square and Meta on your behalf using credentials you have authorized
- To send transactional notifications (booking confirmations, payment receipts, invitation emails, password resets) — these are service communications required to operate the Platform and are not subject to marketing opt-out
- To provide customer support and respond to inquiries
- To monitor for fraud, abuse, unauthorized access, and security incidents and to enforce our Terms of Use
- To generate anonymized aggregate analytics for product improvement (we do not sell or share identifiable analytics externally)
- To comply with applicable law, respond to lawful legal process, and protect the rights, property, or safety of Clean Cutz, our users, or the public
4. Information sharing and disclosure
We do not sell, rent, or trade personal information to third parties for their own marketing purposes. We share information only as follows:
- Infrastructure subprocessors: Cloud hosting providers, managed database services, transactional email delivery providers, and our SMS provider (Twilio) process data on our behalf under data processing agreements. These providers may not use your data for their own purposes.
- Mobile opt-in and SMS consent: We do not share or sell your mobile phone number or SMS opt-in information with any third parties or affiliates for their own marketing purposes. Phone numbers collected for text notifications are used only to deliver those messages through our SMS provider.
- Square: Transaction data is transmitted to and from Square to initiate, settle, and manage payments. Square operates under its own privacy policy and PCI DSS obligations.
- Meta Platforms, Inc.: When you use the social content feature, API calls are made to Meta on your behalf using your authorized tokens. Meta receives content you choose to publish and returns engagement data pursuant to their Platform Terms.
- Within your organization: Information visible to organization administrators, managers, or team members is determined by the role and permission configuration you set. We are not responsible for how organization admins manage access within their own accounts.
- Legal process: We may disclose information when required by law, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to prevent imminent harm, enforce our Terms, or protectClean Cutz’s legal rights.
- Business transfers: In the event of a merger, acquisition, asset sale, or bankruptcy, personal information may be transferred as a business asset. We will provide notice before such transfer where required by law.
5. Data security
We implement technical and organizational safeguards proportional to the risk associated with the data we process, including:
- AES-256-GCM encryption of sensitive OAuth tokens (social media credentials) at rest
- HTTPS/TLS encryption in transit for all Platform communications
- Password hashing using industry-standard one-way algorithms (we never store plaintext passwords)
- JWT-signed authentication tokens with short expiry windows
- Role-based access controls limiting data access to authorized personnel
- Monitoring and alerting for anomalous access patterns
No security measure is perfect or impenetrable. You are responsible for keeping your account credentials, devices, and any connected third-party accounts (Square, Meta) secure. Unauthorized access to your account resulting from credential sharing, phishing, or device compromise is not within our control. Notify us immediately at legal@cleancutz.io if you believe your account has been compromised.
6. Data retention
We retain personal information for as long as necessary to provide the Platform, satisfy our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods:
- Account data: Retained while your account is active and for a reasonable period after closure for legal and dispute-resolution purposes.
- Payment records: Retained for a minimum of seven (7) years for tax, accounting, and chargeback dispute purposes, consistent with IRS requirements and applicable state law.
- Social media tokens:Removed from our database when you disconnect a social account. Tokens may also expire naturally per Meta’s token lifetime policies.
- Server logs: Typically purged after 90 days unless retained longer for an active security investigation.
- Compliance documents:Retained per your organization’s configuration or applicable professional licensing retention requirements.
7. Children’s privacy
The Platform is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you become aware that a child under 13 has provided us personal information, contact us at legal@cleancutz.io and we will take steps to delete that information.
8. Your rights and choices
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access and portability: Request a copy of personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete personal information. Most account data can be corrected directly within your account settings.
- Deletion: Request deletion of your personal information, subject to our legal obligations to retain certain records (e.g., payment and tax records).
- Restriction and objection: In certain circumstances, request that we restrict processing or object to certain uses of your personal information.
- California residents (CCPA/CPRA): You have the right to know what personal information we collect, disclose, and sell (we do not sell personal information); the right to delete personal information (subject to exceptions); the right to correct inaccurate personal information; the right to opt out of sharing for cross-context behavioral advertising (not currently applicable); and the right to non-discrimination for exercising your rights. To exercise these rights, contact us at legal@cleancutz.io.
- Social media disconnection:You may disconnect your Meta account at any time from the Content tab. To revoke our app’s access at the Meta level, visit your Facebook account settings under Apps and Websites.
To exercise any of these rights, email us at legal@cleancutz.iowith “Privacy Request” in the subject line. We will respond within the timeframe required by applicable law. We may need to verify your identity before processing your request.
9. Third-party links and integrations
The Platform connects to third-party services (Square, Meta) whose privacy practices are governed by their own policies. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service you connect to through the Platform.
10. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will post the updated policy on this page with a revised effective date. Material changes will be communicated via in-app notice or email. Your continued use of the Platform after the effective date of any update constitutes your acceptance of the revised policy.
11. Contact
Questions, concerns, or requests regarding this Privacy Policy or our data practices should be directed to:
Clean Cutz
Privacy & Legal Inquiries
legal@cleancutz.io
