Data Protection

1. Our Commitment

At Simpli Nail, protecting your data is a core responsibility — not an afterthought. We operate a point-of-sale and business management platform that handles sensitive business and customer information on behalf of nail salon owners, technicians, and their clients. We take that trust seriously.

This Data Protection page describes the specific measures we take to keep your data safe, how we process it responsibly, and what your rights are as someone who trusts us with their information.

2. What We Protect

Simpli Nail processes several categories of data on behalf of our users. We apply appropriate protection to all of the following:

• Business Information: Your salon name, address, contact details, and business configuration settings.
• Employee and Technician Data: Staff names, contact information, schedules, and performance data entered into the system.
• Client Records: Appointment history, service preferences, contact information, and notes stored about your salon's clients.
• Financial Records: Transaction data, payment summaries, and revenue reporting data. Full payment card numbers are never stored on our servers — all card processing is handled by PCI-compliant payment processors.
• Account Credentials: Usernames, hashed passwords, and session tokens used to access the Simpli Nail platform.
• Usage Data: Logs of platform activity used for support, security monitoring, and product improvement.

3. How We Protect Your Data

Encryption

All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS 1.2 or higher). Data stored in our databases is encrypted at rest. Passwords are hashed using industry-standard algorithms (bcrypt) and are never stored in plain text.

Access Controls

Access to customer data within Simpli Nail is governed by role-based access controls. We apply the principle of least privilege — staff members only have access to the data required to perform their role. Internal access to production systems is restricted to authorized personnel and requires multi-factor authentication.

Infrastructure Security

Our platform is hosted on enterprise-grade cloud infrastructure with built-in redundancy, automated backups, and continuous security monitoring. We perform regular vulnerability assessments and apply security patches promptly.

Payment Security

Simpli Nail does not store full credit or debit card numbers. All payment processing is handled by PCI DSS-compliant third-party payment processors. We receive only tokenized payment references sufficient to manage billing, not raw card data.

4. Data Processing Principles

We process personal data in accordance with the following core principles:

• Lawfulness and Transparency: We collect and use data only for clearly disclosed purposes, with a legitimate basis for doing so.
• Purpose Limitation: Data collected for one purpose is not repurposed for unrelated activities without your consent.
• Data Minimization: We collect only the data necessary to provide our Services and fulfill our obligations. We do not collect data speculatively.
• Accuracy: We provide tools to update your data and correct inaccuracies. We encourage users to keep their information current.
• Storage Limitation: Data is retained only as long as necessary for its original purpose or as required by law. See Section 8 for our retention schedule.
• Integrity and Confidentiality: We use appropriate technical and organizational measures to protect data against unauthorized access, loss, or destruction.

5. Data Storage and Location

Simpli Nail stores data on cloud infrastructure operated by trusted providers in the United States. All data centers used by our platform maintain SOC 2 Type II certification and comply with applicable data protection regulations.

If you are located outside the United States, please be aware that your data may be transferred to and processed in the United States. By using our Services, you consent to this transfer. We ensure that such transfers are protected by appropriate safeguards.

6. Third-Party Processors

We work with a limited number of trusted third-party service providers (sub-processors) to operate our platform. These may include cloud hosting providers, payment processors, email delivery services, and customer support tools.

All sub-processors are:

• Vetted for their security practices before engagement
• Bound by data processing agreements that limit their use of your data to the services they provide to us
• Prohibited from using your data for their own marketing or commercial purposes
• Required to maintain appropriate security standards

We do not sell, rent, or share your data with any third party for advertising or marketing purposes.

7. Data Breach Response

Despite our best efforts, no system is immune to security incidents. In the event of a data breach that affects your personal information, Simpli Nail will:

• Detect and contain the incident as quickly as possible
• Assess the scope and nature of the data involved
• Notify affected users within 72 hours of discovering a breach that poses a significant risk to your rights or interests, where required by applicable law
• Report to relevant regulatory authorities as required
• Provide clear guidance on any steps you should take to protect yourself
• Conduct a post-incident review and implement corrective measures

If you believe your account has been compromised, please contact us immediately at the information in Section 11.

8. Data Retention and Deletion

We retain your data for as long as your account is active or as needed to provide Services. When you close your account:

• Account data is deleted or anonymized within 90 days of account closure, except where required to be retained by law.
• Transaction and financial records may be retained for up to 7 years to comply with tax and accounting regulations.
• Backup copies are purged within 90 days of the primary data deletion.
• Anonymized or aggregated data (data that cannot identify you) may be retained indefinitely for analytics and platform improvement purposes.

You may request deletion of your personal data at any time by contacting us. We will process deletion requests within 30 days, subject to any legal obligations that require us to retain certain records.

9. Your Data Rights

Depending on your location, you may have the right to:

• Access the personal data we hold about you and receive a copy in a portable format.
• Correct inaccurate or incomplete data we hold about you.
• Delete your personal data (the "right to be forgotten"), subject to legal retention requirements.
• Restrict processing of your data in certain circumstances.
• Object to processing based on legitimate interests.
• Withdraw consent at any time where processing is based on consent.
• Lodge a complaint with your local data protection authority if you believe we have handled your data improperly.

To exercise any of these rights, contact us at the information in Section 11. We will respond within 30 days of receiving your request and may need to verify your identity before processing it.

10. Business and POS Data

For salon owners and businesses using Simpli Nail as their point-of-sale and management platform, we want to be clear about data ownership and responsibility:

• You own your business data. Client records, appointment history, service data, and employee information you enter into Simpli Nail belong to your business. We process it on your behalf as a data processor.
• You are the data controller for the personal information of your clients and staff that you input into our system. You are responsible for collecting that data lawfully and informing your clients and staff about how it is used.
• Data export is available. You can export your business data at any time from the Simpli Nail platform. We will not hold your data hostage if you decide to leave.
• We do not use your client data to contact your clients directly, market to them, or share them with competitors.

11. Contact Us

If you have questions about this Data Protection page, wish to exercise your data rights, or want to report a potential security issue, please contact us:

For security vulnerabilities, please disclose responsibly by emailing us directly rather than posting publicly. We are committed to working with security researchers in good faith.