Privacy, Data Export & Account Deletion
Last updated 19 May 2026
Export everything OpenChair has on your account, or delete your account permanently. Self-service from Settings → Privacy. Compliant with Australian Privacy Act 1988, NZ Privacy Act 2020, and UK GDPR. All plans, all roles.
Where to find it — Web: Settings → Privacy. Mobile: not available — privacy management is web-only.
TL;DR
- Export your data as a ZIP (JSON + CSVs) — generated instantly in your browser.
- Delete your account permanently — password re-verify + type DELETE confirm.
- Personal data anonymised (not hard-deleted) so bookings stay in venue records without your identity.
- Legal consents (terms, privacy policy) tracked per acceptance with version, timestamp, IP.
Exporting your data
- Open Settings → Privacy.
- Tap Export my account data.
- The export generates in your browser (no server round-trip; nothing logged externally).
- A ZIP downloads automatically: openchair-export-{YYYY-MM-DD}.zip
What's in the export
| File | Format | Contents |
|---|---|---|
| full-data-export.json | JSON | Everything in a single structured document |
| csv/profile.csv | CSV | Your name, email, phone, role, account creation date |
| csv/bookings.csv | CSV | Every booking you've ever made or been linked to |
| csv/transactions.csv | CSV | Every payment, refund, and credit |
| csv/orders.csv | CSV | Checkout orders with line items |
| csv/conversations.csv | CSV | Inbox conversation history (SMS, email, Instagram) |
| csv/memberships.csv | CSV | Active and past memberships |
| csv/legal_consents.csv | CSV | Every legal-document acceptance with version, IP, source |
A CSV injection guard prepends a single quote (') to any value starting with =, +, -, or @, so opening the CSVs in Excel can't execute formulas embedded in the data.
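The guard described above, as an added example that is not OpenChair's own code: a cell sanitiser that prefixes formula lead characters and applies standard CSV quoting so the prefix cannot be separated from its value. It goes slightly beyond the page's list by also treating tab and carriage return as formula lead-ins, which some spreadsheets accept; the column names and sample rows are constructed.

```javascript
// Added example, not OpenChair's code. Neutralises CSV/formula injection in
// exported cells: a cell beginning with =, +, -, @ (the page's list) or with a
// tab or carriage return (an extension) is prefixed with a single quote so a
// spreadsheet reads it as text. Note the page's rule also prefixes ordinary
// negative numbers such as "-5.00"; they stay readable, just as text.
const FORMULA_LEAD = /^[=+\-@\t\r]/;

function sanitiseCell(value) {
  const text = value === null || value === undefined ? "" : String(value);
  const guarded = FORMULA_LEAD.test(text) ? "'" + text : text;
  // RFC 4180 quoting: wrap cells containing delimiters, quotes or line breaks,
  // doubling embedded quotes, so a crafted value cannot spill into a new cell.
  return /[",\r\n]/.test(guarded)
    ? '"' + guarded.replace(/"/g, '""') + '"'
    : guarded;
}

// Serialises rows (objects) to CSV text using the given column order.
function toCsv(rows, columns) {
  const header = columns.map(sanitiseCell).join(",");
  const body = rows.map((row) => columns.map((c) => sanitiseCell(row[c])).join(","));
  return [header, ...body].join("\r\n") + "\r\n";
}

// Constructed sample rows: one note carries a harmless formula, one a leading dash.
const SAMPLE_BOOKINGS = [
  { id: "b1", customer: "Ada Example", note: "=SUM(A1:A3)" },
  { id: "b2", customer: "Bob Example", note: "-10% loyalty discount, cash" },
];

console.log(toCsv(SAMPLE_BOOKINGS, ["id", "customer", "note"]));
```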
What's NOT in the export
- Other users' data (your colleagues, your customers) — those are governed by their own data rights
- Payment card details (stored by Stripe, not by us)
- Photos and binary uploads (treatment photos, portfolio images stay in storage)
- Server-side audit logs (privacyRequestAuditLog, etc.) — request via support for legal-process needs
Deleting your account
- Open Settings → Privacy → Delete my account (red destructive card).
- Re-enter your password (verified via Supabase, won't mutate your session).
- Type DELETE in the confirmation field.
- Tap Delete account permanently.
- You're logged out; the deletion runs server-side.
What happens to your data
Anonymisation, not hard delete — designed so bookings remain in operators' records (so they don't have orphaned records of work they've done) but no personal identifier remains:
| Data | Treatment |
|---|---|
| Your profile (name, email, phone) | Anonymised to Deleted User + deleted+{userId}@openchair.invalid; phone cleared |
| Bookings | Customer-side name and contact fields anonymised; venue keeps the booking row for their records |
| Waitlist entries | Same anonymisation |
| Conversations | Anonymised; venue keeps message content for their records |
| Push notification devices | Hard-deleted |
| Sessions | Hard-deleted |
| Notification preferences | Hard-deleted |
| Legal consents | Hard-deleted |
| Account credentials (access/refresh/id/password tokens) | Nulled |
| Venues you own | Kept (your team and customers still need access), but contact details anonymised |
A confirmation email (AccountDeletedEmail) goes to your address before anonymisation completes.
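The treatments in the table above, as an added example that is not OpenChair's own code: an in-memory anonymisation pass followed by a check that none of the original identifiers survive in the output. Record shapes and field names are assumptions; waitlist entries, conversations and notification preferences follow the same pattern and are left out for brevity.

```javascript
// Added example, not OpenChair's code. Applies the per-table treatments
// (anonymise profile and customer-side booking fields, hard-delete sessions,
// push devices and consents, null credentials, keep venues with contact
// details anonymised) and then verifies no original identifier remains.
const ANON_NAME = "Deleted User";

function anonymiseAccount(account) {
  // .invalid is a reserved TLD, so the address can never be delivered or claimed.
  const anonEmail = `deleted+${account.userId}@openchair.invalid`;
  const scrubContact = (rec) => ({ ...rec, name: ANON_NAME, email: anonEmail, phone: null });
  return {
    userId: account.userId,
    profile: scrubContact(account.profile),
    // The venue keeps each booking row; only the customer-side identity changes.
    bookings: account.bookings.map((b) => ({ ...b, customer: scrubContact(b.customer) })),
    sessions: [],      // hard-deleted
    pushDevices: [],   // hard-deleted
    legalConsents: [], // hard-deleted
    // Tokens are nulled rather than removed, so the key set stays intact.
    credentials: Object.fromEntries(Object.keys(account.credentials).map((k) => [k, null])),
    // Venues are kept for the team and customers, with owner contact anonymised.
    venues: account.venues.map((v) => ({ ...v, contact: scrubContact(v.contact) })),
  };
}

// Returns every original identifier still present anywhere in the anonymised output.
function findResidualPii(original, anonymised) {
  const ids = [original.profile.name, original.profile.email, original.profile.phone].filter(Boolean);
  const blob = JSON.stringify(anonymised);
  return ids.filter((id) => blob.includes(id));
}

// Constructed sample account (assumed shape, not real data).
const CONTACT = { name: "Ada Example", email: "ada@example.com", phone: "+61400000000" };
const SAMPLE_ACCOUNT = {
  userId: "u_123",
  profile: { ...CONTACT, role: "customer" },
  bookings: [{ id: "b1", venueId: "v9", service: "Cut", customer: { ...CONTACT } }],
  sessions: [{ id: "s1" }],
  pushDevices: [{ token: "device-token-placeholder" }],
  legalConsents: [{ docType: "terms_of_service", version: "2026-01" }],
  credentials: { accessToken: "a", refreshToken: "r", idToken: "i", passwordHash: "h" },
  venues: [{ id: "v9", name: "Studio Nine", contact: { ...CONTACT } }],
};

console.log(findResidualPii(SAMPLE_ACCOUNT, anonymiseAccount(SAMPLE_ACCOUNT)));
```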
Legal consent recording
Every time you accept the Terms of Service or Privacy Policy, we record:
- Document type (terms_of_service or privacy_policy)
- Document version (sourced from apps/web/src/config/legal.ts — each version stable across reads)
- Consent timestamp
- IP address at acceptance
- User agent (browser/device)
- Source — where you accepted from (web_signup, web_google_oauth, web_terms_update, mobile_consent_gate, mobile_email, mobile_google, etc.)
- Country code (for regulatory mapping)
Idempotent — re-accepting a version you've already consented to is a no-op (no duplicate row). Your legal_consents.csv in the data export lists every acceptance.
Per-feature consents
Beyond top-level terms/privacy acceptance, OpenChair records consent for specific features:
| Feature | Consent location | Doc |
|---|---|---|
| AI Style Preview | venue.stylePreviewConsentAt / stylePreviewConsentBy | AI Style Preview |
| Portfolio before/after photos | portfolio_images.consentObtainedAt / consentSignature / consentMethod | Portfolio & Gallery |
| Card on file | venue_customers.cardOnFileConsentStatus / consentAt / consentVersion / consentSource | Saved Payment Methods |
| Treatment photos | venue_customers.treatment_photo_consent | Treatment Photos |
| Marketing SMS | venue_customers.marketingOptIn* (managed via STOP/START) | SMS Allocation and Limits |
Each surface tracks its own consent record so the audit trail is feature-specific.
Regulatory compliance
| Country | Regulation | What it requires |
|---|---|---|
| Australia | Privacy Act 1988 + Australian Privacy Principles | Right to access (export), right to correction, right to deletion within reasonable time |
| New Zealand | Privacy Act 2020 | Same baseline rights |
| United Kingdom | UK GDPR + Data Protection Act 2018 | Right to access, rectification, erasure ("right to be forgotten"), portability |
OpenChair's posture: self-service export and deletion satisfy the access and erasure rights. SLA on operator-mediated requests is 72 hours.
If you're a venue owner handling customer requests
This page covers your own account. Customer requests about their data flow through:
- Customer sees your venue's storefront privacy page (auto-generated — see Privacy Pages)
- Customer contacts your privacy email (your venue email or your override)
- You receive the request via email
- Use the operator-side admin queue (managed via support — not currently in the venue dashboard) to fulfil
Customer-side self-service requests aren't yet in the dashboard — operator-mediated for now. The admin team handles backlog from the privacy queue with 72-hour SLA.
Tier
All plans. Privacy controls are not a paid feature.
Role access
All roles can manage their own account privacy (export, delete). Owner can also see their venue's privacy admin overview by contacting support.
What you can't do
- Restore a deleted account — deletion is permanent. Anonymised records can't be reverted.
- Selective export — the export is all-or-nothing; can't choose just bookings or just conversations.
- Selective deletion — same; deleting account anonymises everything linked to your user.
- Delete a specific booking — not possible; bookings belong to venues. Ask the venue to cancel/delete.
- See others' personal data — the export is yours only.
Common mistakes
| Problem | What to check |
|---|---|
| Export download blocked by browser | Confirm your browser allows ZIP downloads from this domain. Try Chrome or Edge if Safari blocks. |
| Forgot password during delete | Reset via the password-reset email first, then return to the delete flow. |
| Deleted account but venue says they can still see my name on bookings | Anonymisation is to "Deleted User" and deleted+{userId}@openchair.invalid. If the venue can see your original name, the anonymisation hasn't run yet — contact support. |
| Want to delete a single venue I own | Account deletion preserves venues (they have other team members and customer relationships). Transfer ownership or contact support to close a venue. |
| Customer asked me to delete their data | You're the data controller for your customers — see your storefront's auto-generated privacy page for the process. Contact OpenChair support for help executing the deletion server-side. |
FAQ
What can I export?
Everything we have linked to your account — bookings, profile, transactions, orders, conversations, memberships, and legal consents. Generated as a ZIP containing a full-data-export.json and a folder of CSVs, downloaded straight to your device. Filename: openchair-export-{date}.zip.
How do I delete my account?
Settings → Privacy → Delete my account. Re-enter your password, type DELETE to confirm, submit. Your personal data is anonymised (not hard-deleted) so any bookings you were on remain in the operator's records but with your name and contact details stripped. Account credentials, sessions, push devices are hard-deleted.
What about my customers' data?
If you're a venue owner, this page is about your own account. Customer data is governed by the customer's own request via the venue's privacy contact (auto-published on the storefront privacy page). You handle customer requests as the data controller; we process them via the admin privacy queue on your behalf.
Where are consents recorded?
Every accepted terms-of-service and privacy-policy version is recorded in our legal_consents table with timestamp, IP, user agent, source (where you accepted from), and the document version number. You can see your own consents in the data export ZIP under legal_consents.csv.
Is account deletion immediate?
Yes — the anonymisation runs synchronously when you confirm. You're logged out immediately. The confirmation email goes out before the anonymisation completes so you have a record.
How long do you keep my data after deletion?
Anonymised booking records may be retained indefinitely (they're now linked to "Deleted User" — no personal data remains). All sessions, push devices, credentials, and consent records are hard-deleted at the time of account deletion.