Privacy Policy

Effective: 20 April 2026 | Version 1.2.0

OpenChair Pty Ltd ("OpenChair", "we", "us", or "our") operates the OpenChair platform ("Platform"), a software-as-a-service solution for service-based venues including hair salons, barber shops, medispas, beauty studios, wellness centres, nail salons, and tattoo studios.

This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with the Platform. It applies across all jurisdictions in which we operate, including Australia, New Zealand, and the United Kingdom. Where jurisdiction-specific requirements differ, we address those differences explicitly below.

1. Scope & Audience

This Privacy Policy covers the personal information that OpenChair collects directly from venue owners, operators, and staff members who use the Platform ("you" or "Venue Owners") — our business-to-business (B2B) customers.

Venue customer data. When Venue Owners use OpenChair to manage appointments, waitlists, or customer records, they may collect personal information from their own end-customers ("Venue Customers"). In that context, OpenChair acts as a data processor (or "service provider") and the Venue Owner is the data controller (or "data holder"). The collection, use, and protection of Venue Customer data is governed by the Venue Owner's own privacy policy. Venue Owners are responsible for ensuring that their privacy practices comply with applicable laws and for obtaining any necessary consents from their customers.

If you are a Venue Customer and have questions about how a venue handles your personal information, please contact that venue directly. If you believe OpenChair has processed your data inappropriately, you may also contact us at privacy@openchairpro.com.

2. Information We Collect

We collect the following categories of information in connection with the Platform:

2.1 Account Information

• Full name
• Email address
• Password (stored as a cryptographic hash — we never store plaintext passwords)
• Profile image (if uploaded)
• Phone number (optional)

2.2 Business Information

• Venue name, trading name, and ABN/NZBN/company number
• Venue address and location data
• Services offered, pricing, and duration
• Staff member names, roles, and schedules
• Operating hours, booking rules, and venue settings

2.3 Customer Data (Processed on Behalf of Venue Owners)

When a Venue Owner uses the Platform to manage their customer relationships, we process the following data on their behalf:

• Customer names
• Email addresses and phone numbers
• Booking history and appointment records
• Waitlist entries
• Form submissions (e.g., intake forms, consent forms)
• Notes added by venue staff

2.4 Payment Information

Payment processing is handled by our sub-processor, Stripe. When you enter payment details, those details are transmitted directly to Stripe's PCI DSS-compliant infrastructure. OpenChair does not store credit card numbers, CVVs, or full card details on our servers. We receive and store only:

• A tokenised reference to the payment method
• Card brand and last four digits (for display purposes)
• Transaction amounts, dates, and status
• Stripe customer and account identifiers

2.5 Usage Data

We collect usage data to understand how the Platform is used and to improve our service. This includes:

• IP address
• Browser type and version
• Operating system
• Pages visited and features used
• Referring URL and exit pages
• Timestamps and session duration

Usage analytics are collected via PostHog. See Section 10 (Cookies & Tracking) for details on how to manage analytics preferences.

2.6 Device Information (Mobile App)

• Device platform (iOS or Android)
• Operating system version
• Device model
• App version
• Push notification token (if notifications are enabled)

2.7 Communications

• Support emails and enquiries sent to us
• SMS messages sent through the Platform via Twilio (e.g., booking confirmations, waitlist notifications)
• In-app messages and feedback

2.8 AI Feature Data

When you use AI-powered features on the Platform (available to PRO-tier subscribers), the following data may be processed by third-party AI model providers via our routing partner, OpenRouter:

• Venue name, service catalogue, and pricing information
• Staff names and roles (for scheduling and coaching features)
• Customer names, booking history, and appointment notes (when you initiate an AI feature that requires this context)
• Conversation excerpts (for suggested replies and conversation summaries in the Inbox)
• Marketing copy drafts (for AI-assisted campaign and SMS generation)

AI requests are routed through OpenRouter to language model providers including OpenAI, Anthropic, and Google. These providers process data solely to generate responses and do not use your data to train their models (subject to their respective data processing terms with zero-retention API agreements). All AI interactions are logged via Langfuse for quality monitoring and safety.

2.9 Sensitive Data (Portfolio & Medical Aesthetics)

If you use the before-and-after portfolio feature (available for medical aesthetics, tattoo, and similar venues), the Platform may process:

• Before and after photographs of clients
• Client consent signatures (typed name or drawn signature)
• IP address and timestamp of consent (for audit purposes)

This data is treated as sensitive personal information. Client consent is obtained before any images are captured or uploaded. Images are stored securely and are only visible to authorised venue staff. Deleted portfolio images are soft-deleted and permanently purged after 30 days.

2.10 Instagram Direct Messages (Instagram DM Concierge)

Venue Owners on the PRO plan may connect their Instagram Business account to OpenChair via Instagram Login (Meta's Instagram API with Instagram Login flow). When connected, we receive the following data via the Instagram Graph API to power the Engage inbox and AI reply drafting:

• Inbound direct message content (text), timestamps, and the Instagram-scoped sender identifier (IGSID)
• Sender's Instagram handle and display name, when provided by the Instagram Graph API
• A long-lived Instagram access token for the connected Instagram Business account (stored encrypted at rest with AES-256-GCM and a versioned key)
• Metadata about outbound replies sent from OpenChair, including whether the reply was drafted by AI, edited by a human, or auto-sent, and (for auto-sent messages) a timestamp, classified intent, model confidence score, and any retraction event

We store this data encrypted and scoped to the venue that connected the account. We use it solely to operate the Instagram DM Concierge feature: to display conversations in the Venue Owner's inbox, to generate AI-drafted replies grounded in the venue's own services, prices, portfolio, and availability, and to maintain an audit trail of AI auto-sends.

We never share Instagram DM content with third parties. AI reply generation is performed by our AI sub-processors (see Section 5) under strict data-handling terms that prohibit use for model training. Customer Instagram handles are not logged in AI trace records; only hashed identifiers and first-80-character previews are retained for observability.

Disconnection and retention. Venue Owners can disconnect their Instagram account at any time from Settings → Integrations → Instagram. Disconnection revokes the access token with Meta, unsubscribes the associated Facebook Page from webhook notifications, and stops any further data ingestion. Existing message history remains in the venue's inbox for reference and is purged when the venue account is closed.

Customer requests. If an Instagram user who has messaged a connected venue wishes their message history to be deleted, the venue owner or our support team can remove it on request. See Section 8.5 for the full data deletion flow.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Provide and operate the Platform — creating your account, managing venues, processing bookings, running waitlists, and delivering the core functionality you expect from OpenChair.
• Process payments — facilitating transactions between Venue Owners and their customers, processing subscription fees, and managing payouts via Stripe.
• Send transactional notifications — booking confirmations, appointment reminders, waitlist updates, payment receipts, and account-related alerts via email (Resend) and SMS (Twilio).
• Marketing communications — with your explicit consent, we may send product updates, feature announcements, and promotional content. You can unsubscribe at any time.
• Analytics and product improvement — understanding usage patterns, identifying bugs, measuring feature adoption, and improving the Platform experience (via PostHog).
• AI-powered features — providing intelligent business tools including service recommendations, marketing copy generation, booking optimisation, conversation summaries, and business coaching. These features are optional and available to PRO-tier subscribers. AI processing uses third-party language model providers (see Section 5) and is monitored via Langfuse for quality and safety. The data sent to AI providers may include venue information, service catalogues, anonymised booking patterns, and — where you initiate an AI feature — relevant customer context such as names, booking history, or conversation excerpts. We do not send personal data to AI providers for model training. See Section 2.8 for further details.
• Fraud prevention and security — detecting and preventing fraudulent activity, abuse, and security incidents.
• Legal compliance — meeting our obligations under applicable laws, regulations, and legal processes, including tax reporting and responding to lawful requests from authorities.

4. Legal Basis for Processing

The legal basis for our processing of personal information varies by jurisdiction:

4.1 United Kingdom (UK GDPR)

Under the UK General Data Protection Regulation, we process personal data on the following bases:

• Contract performance (Art. 6(1)(b)) — processing necessary to perform our contract with you, including providing the Platform, managing your account, and processing payments.
• Legitimate interests (Art. 6(1)(f)) — processing necessary for our legitimate interests, including product improvement, analytics, fraud prevention, and security, where those interests are not overridden by your data protection rights.
• Consent (Art. 6(1)(a)) — where you have given clear consent for us to process your personal data for a specific purpose, such as marketing communications or optional analytics cookies.
• Legal obligation (Art. 6(1)(c)) — processing necessary to comply with a legal obligation, such as tax reporting, financial record-keeping, or responding to lawful requests from regulatory authorities.

4.2 Australia (Privacy Act 1988)

Under the Australian Privacy Principles (APPs), we collect, use, and disclose personal information in accordance with:

• APP 3 (Collection) — we only collect personal information that is reasonably necessary for our functions and activities. We collect information by lawful and fair means, directly from you where practicable.
• APP 6 (Use and Disclosure) — we only use or disclose personal information for the primary purpose for which it was collected, or for a secondary purpose that is directly related and reasonably expected, or with your consent.

4.3 New Zealand (Privacy Act 2020)

Under the Information Privacy Principles (IPPs) of the Privacy Act 2020, we process personal information in accordance with all applicable principles, including:

• IPP 1 (Purpose of collection) — we collect personal information only for a lawful purpose connected with our functions and activities, and only where the collection is reasonably necessary for that purpose.
• IPP 10 (Limits on use) — we use personal information only for the purpose for which it was obtained, unless an exception applies.
• IPP 11 (Limits on disclosure) — we do not disclose personal information except in accordance with the purposes for which it was collected, or where otherwise authorised.

5. Data Sharing & Sub-processors

We do not sell your personal information. We share personal information only with third-party sub-processors that are necessary to operate and deliver the Platform. Each sub-processor is bound by a data processing agreement that requires them to protect personal information to a standard consistent with this policy and applicable law.

Our sub-processors fall into the following categories:

• Payment processing — Stripe
• Web hosting and edge functions — Vercel
• Authentication and database — Supabase
• Analytics — PostHog
• Email communications — Resend
• SMS and voice communications — Twilio
• AI model routing — OpenRouter (routes requests to OpenAI, Anthropic, and Google AI model providers)
• AI observability — Langfuse
• Mobile push notifications — Expo (EAS)
• Maps and location — Google Maps Platform
• Instagram messaging — Meta Platforms (Meta Graph API) for venues who connect Instagram DM Concierge. Meta is the controller of the underlying Instagram user data; OpenChair processes inbound message content and access tokens solely to deliver the feature to the connected venue.

For a complete and current list of sub-processors, including their purposes and data processing locations, please see our Sub-processors page.

We may also disclose personal information where required by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6. International Data Transfers

OpenChair is based in Australia. To operate the Platform, your personal information may be transferred to and processed in countries outside of your country of residence, including:

• United States — Vercel (hosting), Stripe (payments), Resend (email), Twilio (SMS/voice), OpenRouter (AI routing), Langfuse (AI observability), Expo (push notifications)
• European Union / United States — Supabase (authentication and database), PostHog (analytics)
• Australia — OpenChair's primary operations
• Global — Google Maps Platform (location services), Stripe (payment processing via regional infrastructure), AI model providers (OpenAI, Anthropic, Google — accessed via OpenRouter)

6.1 United Kingdom

For transfers of personal data from the UK to countries that have not received an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Addendum (IDTA) issued by the Information Commissioner's Office, as applicable. We ensure that appropriate safeguards are in place to protect your personal data in accordance with the UK GDPR.

6.2 Australia

Cross-border disclosures of personal information comply with Australian Privacy Principle 8 (APP 8). Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information, or we ensure that an exception under APP 8.2 applies.

6.3 New Zealand

Cross-border disclosures of personal information comply with Information Privacy Principle 12 (IPP 12) of the Privacy Act 2020. We will only disclose personal information to a foreign person or entity if we are satisfied that the recipient is subject to privacy laws that provide comparable safeguards to the Privacy Act 2020, or if the individual authorises the disclosure after being informed that the recipient may not be required to protect the information in a way that provides comparable safeguards.

7. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:

• Account data — retained for as long as your account is active. Upon receiving a deletion request, account data is deleted within 30 days.
• Financial and transaction records — retained for 7 years after the transaction date, as required by tax and financial reporting obligations in Australia, New Zealand, and the United Kingdom.
• Analytics data — anonymised after 26 months. Anonymised data is no longer personal information and may be retained indefinitely for statistical and product improvement purposes.
• Backups — deleted within 90 days of the corresponding data being deleted from our production systems.
• Venue Customer data — retained in accordance with the Venue Owner's instructions. When a Venue Owner deletes their account or requests deletion of customer data, we process that deletion in accordance with our standard retention schedule above.

8. Your Rights

Depending on your jurisdiction, you have certain rights in relation to your personal information. We are committed to honouring those rights.

8.1 United Kingdom (UK GDPR)

If you are located in the United Kingdom, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — request that we correct inaccurate or incomplete personal data.
• Erasure — request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
• Data portability — receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Restriction of processing — request that we restrict the processing of your personal data in certain circumstances.
• Objection — object to the processing of your personal data where we rely on legitimate interests as the legal basis.
• Withdraw consent — where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

8.2 Australia (Privacy Act 1988)

If you are located in Australia, you have the right to:

• Access (APP 12) — request access to the personal information we hold about you.
• Correction (APP 13) — request that we correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.

8.3 New Zealand (Privacy Act 2020)

If you are located in New Zealand, you have the right to:

• Access (IPP 6) — request confirmation of whether we hold personal information about you and, if so, to access that information.
• Correction (IPP 7) — request the correction of personal information that is inaccurate.

8.4 How to Exercise Your Rights

To exercise any of the rights described above, you can submit a request using our Privacy Request Form, or email us at privacy@openchairpro.com. Please include sufficient information to identify yourself and specify the right you wish to exercise. We will respond to your request within 30 days, or within the timeframe required by applicable law.

We may need to verify your identity before processing your request. If we are unable to fulfil your request (for example, due to a legal obligation to retain certain data), we will inform you of the reasons.

8.5 Account Deletion

You can delete your account directly from within the Platform:

• Mobile app — navigate to More → Security → Delete Account
• Web— navigate to Settings → Account → Delete Account
• Email — send a request to privacy@openchairpro.com

Account deletion requires password verification and explicit confirmation. Once confirmed, your personal account data will be permanently deleted within 30 days. Financial and transaction records are retained for 7 years as required by tax and financial reporting obligations. If you are a Venue Owner, deletion of your account will also remove your access to any venue data managed through the Platform.

9. Data Processor Role

When Venue Owners use the Platform to collect and manage personal information about their customers, OpenChair acts as a data processor (under the UK GDPR) or equivalent role under Australian and New Zealand privacy law. In this capacity:

• The Venue Owner is the data controller and determines the purposes and means of processing Venue Customer data.
• OpenChair processes Venue Customer data only in accordance with the Venue Owner's instructions and the terms of our agreement.
• Venue Owners are responsible for obtaining appropriate consents from their customers and for ensuring their own compliance with applicable privacy laws.
• Venue Owners are responsible for responding to data subject requests from their customers. OpenChair will provide reasonable assistance to Venue Owners in fulfilling such requests.

A Data Processing Addendum (DPA) forms part of the customer contract where OpenChair acts as a processor and is incorporated by reference. To request a signed version for procurement, please email privacy@openchairpro.com.

10. Cookies & Tracking

We use cookies and similar technologies to operate the Platform, remember your preferences, and understand how you use our service.

10.1 Essential Cookies

These cookies are strictly necessary for the Platform to function. They include cookies for authentication (keeping you signed in), security (CSRF protection), and preferences (such as your selected theme). Essential cookies cannot be disabled.

10.2 Analytics Cookies

We use PostHog for product analytics. Analytics cookies help us understand which features are used, how users navigate the Platform, and where we can improve. Analytics cookies are optional and are controlled via our cookie consent manager. You can opt out at any time through your browser settings or our consent banner.

10.3 No Advertising Cookies

We do not use third-party advertising cookies. We do not serve ads on the Platform and we do not share your data with advertising networks.

For full details on the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.

11. Security Measures

We implement a range of technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption in transit — all data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
• Encryption at rest — database contents are encrypted at rest using AES-256 encryption provided by our database infrastructure.
• Access controls — we follow the principle of least privilege. Access to personal information is restricted to personnel who require it to perform their roles.
• Password security — passwords are stored using industry-standard cryptographic hashing. We never store plaintext passwords.
• Regular security reviews — we conduct regular reviews of our security practices, infrastructure, and access controls.
• PCI DSS compliance — we do not store raw payment card data. All payment processing is handled by Stripe, which is certified PCI DSS Level 1 compliant.
• Multi-tenant isolation — the Platform architecture ensures that each venue's data is logically isolated from other venues.

While we take reasonable steps to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any vulnerabilities or incidents.

12. Breach Notification

In the event of a personal data breach, we will act promptly and in accordance with the notification requirements of each applicable jurisdiction:

12.1 Australia

Under Part IIIC of the Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme, where an eligible data breach occurs, we will provide required notifications to the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable after completing the required assessment and forming the required belief.

12.2 New Zealand

Under the Privacy Act 2020, we will notify the Office of the Privacy Commissioner and affected individuals as soon as practicable after becoming aware of a notifiable privacy breach — that is, a privacy breach that it is reasonable to believe has caused, or is likely to cause, serious harm to an affected individual.

12.3 United Kingdom

Under the UK GDPR, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify affected individuals without undue delay.

Where OpenChair is acting as a data processor on behalf of a Venue Owner, we will notify the Venue Owner of any data breach without undue delay, enabling them to meet their own notification obligations.

13. Complaints & Supervisory Authorities

If you have a concern or complaint about how we handle your personal information, we encourage you to contact us first so we can try to resolve it:

We will acknowledge your complaint and aim to respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:

Australia

Office of the Australian Information Commissioner (OAIC)
www.oaic.gov.au

New Zealand

Office of the Privacy Commissioner
www.privacy.org.nz

United Kingdom

Information Commissioner's Office (ICO)
www.ico.org.uk

14. Children's Privacy

The Platform is a business-to-business service designed for use by venue owners, operators, and their staff. It is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16.

If we become aware that we have inadvertently collected personal information from a child under 16, we will take steps to delete that information as promptly as possible. If you believe that a child under 16 has provided personal information to us, please contact us at privacy@openchairpro.com so that we can take appropriate action.

Where a Venue Owner collects personal information from minors (for example, a parent booking a service for their child), the Venue Owner is responsible for obtaining appropriate parental or guardian consent in accordance with applicable law.

15. Tracking & Advertising

We do not use your data for cross-app tracking, cross-site tracking, or targeted advertising. We do not share your data with advertising networks, data brokers, or any third party for advertising purposes. We do not serve advertisements on the Platform.

Our analytics (PostHog) are used solely for product improvement and are opt-in by default. We do not use the Apple Identifier for Advertisers (IDFA), Google Advertising ID (GAID), or any similar advertising identifier. We do not participate in any advertising attribution or measurement networks.

We do not currently respond to "Do Not Track" browser signals, as there is no industry-standard technology for honouring them. However, because we do not engage in cross-site tracking or targeted advertising, the practical impact is the same regardless of your Do Not Track setting.

16. California Residents

Although OpenChair primarily operates in Australia, New Zealand, and the United Kingdom, we provide the following disclosures for California residents in accordance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• We do not sell your personal information, nor have we sold personal information in the preceding 12 months.
• We do not share your personal information for cross-context behavioural advertising.
• You have the right to request access to, deletion of, and correction of your personal information, as described in Section 8 above.
• We will not discriminate against you for exercising your privacy rights.

For the categories of personal information we collect and our purposes for processing, please refer to Sections 2 and 3 of this Privacy Policy.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Effective" date at the top of this page and, where appropriate, by providing additional notice (such as email notification or a prominent notice within the Platform).

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: