Privacy Policy

1. Who we are

CHAIR SOFTWARE LTD(“CHAIR”, “we”, “us”) provides a booking platform for professionals and their clients. We are the data controller for the personal data described in this policy. Contact us at [email protected] for any data-related questions.

2. What we collect

Account data: name, email address, password (hashed), profile details you choose to provide (bio, photo, social links).
Business data (professionals only): business name, address, service catalogue, opening hours, photos, bank details (via Stripe — see below).
Booking data: appointment date, time, service, customer name, customer email, optional notes.
Payment data: we do not store card numbers. Payments are processed by Stripe; we store transaction IDs and amounts to reconcile your bookings.
Technical data: IP address (anonymised before analytics are processed), browser type, device information, pages visited. Used for security, abuse prevention, and aggregate analytics.
Cookies: a session cookie (chair_session), a theme preference cookie (chair_theme), and — only if you accept — Google Analytics cookies. No advertising cookies. See our Cookie Policy for the full list.

2a. Analytics (Google Analytics 4)

When you accept analytics cookies, we use Google Analytics 4(provided by Google Ireland Limited, our data processor for this purpose) to understand how people use the platform — which pages they visit, which features they engage with, where they drop off. We use this in aggregate to prioritise what to improve.

Legal basis: consent (UK GDPR Art. 6(1)(a)) — you can withdraw at any time via the Cookie settings link in the footer.
IP anonymisation: enabled. Google truncates the last octet of your IP before storing it.
Google Signals: disabled. We do not opt into Google's cross-device user-graph.
Data retention: we use Google's minimum retention setting (2 months for event data).
Data transfers: Google may transfer data outside the UK/EEA. Google's standard contractual clauses and UK adequacy regulations cover this transfer.

If you reject analytics cookies, GA still receives anonymised pageviews from your browser (in “cookieless” mode via Google Consent Mode v2) so we can count visits in aggregate, but it cannot identify you, set cookies, or link your visits across sessions or devices.

3. How we use it

To provide the booking platform itself (you cannot use the service without your account data).
To process payments and reconcile bookings via Stripe.
To send you transactional emails (booking confirmations, payment receipts, subscription renewal reminders).
To protect the platform from abuse (rate limiting, fraud detection, audit logging).
To comply with legal obligations (HMRC, anti-money-laundering requirements where applicable).

4. Who we share with

We use the following third-party processors, each with their own privacy policies:

Stripe (payments + KYC verification for professionals) — stripe.com/privacy
Cloudflare (hosting, security, content delivery) — cloudflare.com/privacypolicy
Google Ireland Limited — optional sign-in via Google OAuth, and (with your consent) Google Analytics 4 for aggregate usage statistics. policies.google.com/privacy
Stripe (payment processing for subscriptions and bookings via Stripe Connect) — stripe.com/privacy

We do not sell your personal data, and we do not share it with advertising networks.

5. How long we keep it

Active accounts: for as long as your account is open.
Deleted accounts: personal data is removed within 30 days of account deletion, except where retention is required by law (e.g. transaction records for HMRC for 6 years).
Booking data: retained for 6 years after the booking date to support tax and accounting obligations of the professional.
Audit logs: retained for 1 year for security and fraud-prevention purposes.

6. Your rights

Under UK GDPR you have the right to:

Access the personal data we hold about you.
Correct inaccurate data.
Delete your data (subject to legal retention requirements).
Export your data in a portable format.
Object to processing or restrict it in certain circumstances.
Complain to the Information Commissioner's Office (ico.org.uk) if you believe we have mishandled your data.

To exercise any of these rights, email [email protected].

7. Security

We use industry-standard security measures: HTTPS for all traffic, secure session cookies (HttpOnly, Secure, SameSite), salted password hashes (PBKDF2 with 100,000 iterations), and audit logging of administrator actions. No system is perfectly secure — we will notify affected users within 72 hours of becoming aware of a personal data breach affecting them.

8. Changes to this policy

We may update this policy occasionally. Material changes will be communicated by email or a banner on the platform. The “Last updated” date above tracks the most recent revision.

9. Contact

Questions about this policy or your data: [email protected].