Privacy Policy

Trimly is a booking platform for service-based businesses such as barbers, salons, tattoo studios, nail artists, trainers and similar professionals.

Legal entity name: [REQUIRED BEFORE PRODUCTION].

Contact email: [REQUIRED BEFORE PRODUCTION].

Business address: [REQUIRED BEFORE PRODUCTION, if applicable].

This notice is a working privacy scaffold for visitors, professionals/business users who create Trimly accounts, and customers who make bookings or orders through hosted shop pages.

The final controller/processor roles between Trimly and each shop require legal review before production launch.

Account data: email address, password hash, email verification state, authentication sessions and connected provider account records when OAuth login is used.

Shop/business profile data: shop name, slug, type, phone, address, city, postal code, social links, logo/banner images, services, staff, opening hours and product details.

Booking/customer data: customer name, phone, optional email, booking date/time, selected service, selected staff member, booking status, payment status and booking notes.

Order data: customer contact details, delivery details entered during checkout, ordered items, payment method, order status and order notes.

Review data: rating, optional comment and the related customer/shop/staff references.

Payment/subscription data: payment amount, currency, provider, provider payment identifier and payment status when payment flows are used.

Security/rate-limit data: request IP address is used to enforce rate limits and origin checks.

Create and secure professional accounts.

Provide public shop pages, booking functionality, order checkout and dashboard management.

Send transactional emails such as verification, password reset, booking, cancellation and order emails when configured.

Process payments or subscriptions when Stripe checkout flows are enabled.

Protect the service with origin checks and rate limiting.

Marketing, analytics and advertising tracking are not described as active here unless they are separately implemented and reviewed.

Final legal bases must be reviewed before production. Candidate bases may include performance of contract or steps before contract, legal obligation where applicable, legitimate interests where applicable, and consent for optional marketing or non-essential tracking where applicable.

Privacy acknowledgement is not treated as blanket consent for all processing.

[LEGAL REVIEW REQUIRED] Customer booking and order data may involve both Trimly and the individual shop. The final policy must clarify whether each shop acts as an independent controller for its customer data and whether Trimly acts as processor/platform provider for specific processing activities.

The codebase currently includes PostgreSQL/Prisma for storage, NextAuth for authentication, Resend for transactional email when an API key is configured, Stripe checkout/webhooks for payment flows when configured, and Google/Apple OAuth providers when configured.

Twilio/SMS, analytics tools, advertising pixels and broader AI/marketing automations require a future policy update before they are enabled for personal data processing.

[RETENTION PERIOD TO DEFINE] Account, shop, booking, customer, payment, order and review retention periods must be defined before production.

[PROCESS TO DEFINE] Account deletion, customer deletion and booking retention workflows should be finalized before launch.

[REVIEW REQUIRED] Hosting locations and active provider transfer mechanisms must be reviewed before production, especially before enabling Vercel deployment, Stripe, Resend, OAuth providers, SMS providers or analytics.

Depending on applicable law and the final role analysis, users may have rights to access, correction, deletion, restriction, objection, portability, withdrawal of consent where processing is based on consent, and complaint to a supervisory authority.

Request process/contact details: [REQUIRED BEFORE PRODUCTION].

The project uses password hashing for credentials accounts, email verification, same-origin checks for mutations, rate limiting and role-based access checks for shop dashboard actions.

No certifications, audits or encryption guarantees are claimed in this scaffold.

This page is a pre-production scaffold. Last updated: [REQUIRED BEFORE PRODUCTION].

How policy updates will be announced: [TO DEFINE].