Your Privacy Matters

Privacy Policy

Last updated: 16 March 2026

Fade is operated by Vera IT. This policy explains how we collect, use, and protect your personal data in compliance with the GDPR and applicable laws.

1. Data Controller

Fade is operated by Vera IT. By using Fade, you agree to this Privacy Policy. For users in the EU/EEA and UK, Vera IT is the data controller for the personal data we process, unless otherwise stated (e.g. when a salon is the data controller for data you provide directly to them).

Data Controller: Vera IT

Court of Registration: Amtsgericht Hamburg

VAT ID: DE456074487

Physical address: Rehrstieg 16d, 21147 Hamburg, Germany

Contact for privacy and data protection: privacy@getfadeapp.com

For data protection officer (DPO) enquiries, including exercising your GDPR rights: privacy@getfadeapp.com

Person responsible for content (per German law § 55 RStV): Jovica Mihajlovic, Rehrstieg 16d, 21147 Hamburg, Germany

2. Categories of Data Collected

Information you provide:

Account: Name, email, phone number, password (stored in Supabase Auth and user_profiles)
Profile: Profile picture, preferences (Supabase Storage + user_profiles)
Bookings: Appointment details, service selections, notes (appointments table)
Payment: Subscriptions (Starter, Medium, Pro) via Google Play Billing / Apple IAP. We do not store credit card details.
Communication: Chat messages with salons (messages table, linked to chats)
Reviews: Rating (1–5), comment, optional staff rating (reviews table). Reviews are publicly visible; user_id is stored and may be linked to your profile by the salon.
Address: Preferred address for map/directions (user_profiles)
Referral code: If you use "Refer a barber", we store referral codes (user_profiles)

"My Hairdresser" and favorites:

favorite_salons: user_id, salon_id – your chosen "My Hairdresser" salon (one per user)
favorite_staff: user_id, staff_id – your chosen preferred barber (one per user)
Purpose: Priority when booking; for Starter package salons, reminder eligibility depends on whether you have the salon in favorites

Push notifications:

FCM token: Stored in fcm_tokens table (user_id, token, device_type). Used to deliver push notifications via Firebase. You can revoke by disabling notifications in device settings or deleting your account.

Loyalty and rewards:

loyalty_transactions: user_id, appointment_id, points, transaction_type (earned/redeemed), description
loyalty_redemptions: user_id, salon_id, reward_title, points_redeemed, status (pending/confirmed/cancelled)
qr_scan_history: user_id, salon_id, appointment_id, scan_date, points_earned – when you scan QR at salon for check-in or reward redemption

Automatically collected:

Camera: Only for QR scanning. We do not record video – we process QR data (salon ID, appointment ID) for check-in or reward redemption.
Uploaded photos: Profile, salon portfolio, staff photos (Supabase Storage, EU)
Generated images: None – we do not use AI to generate images
Device: Device type, OS, app version
IP: Server logs, error reporting (Sentry)
Usage analytics: If collected (Sentry, Firebase)
Crash reports: Stack traces, device info (Sentry)
Location: Precise location (with permission) to show nearby salons. Collected when app is in use, not in background. Optional – you can search by address.

Social sign-in (Google, Apple): When you sign in with Google or Apple, we receive: email, name, and provider user ID. We use these to create or link your Fade account. We do not receive your Google/Apple password.

3. Legal Basis for Processing (GDPR Art. 6)

For each category of data, we process based on:

Account, bookings, messages: Contract performance (Art. 6(1)(b)) – necessary to provide the service
Location: Consent (Art. 6(1)(a)) – you grant permission in the app
Payment: Contract + Legal obligation – processed via Stripe/Apple/Google
Analytics, crash reports: Legitimate interest (Art. 6(1)(f)) – service improvement, security
Marketing: Consent only – we send marketing only if you opt in
Tax, invoices: Legal obligation (Art. 6(1)(c)) – we must retain as required by law

What these legal bases mean:

Consent: You have agreed to the processing (e.g. by granting permission).
Contract: Processing is necessary to perform our agreement with you.
Legitimate interest: We have a valid reason that does not override your rights (e.g. improving the service, security).
Legal obligation: We must process the data to comply with law (e.g. tax records).

4. Purpose of Data Processing

We process your data for:

Account management: Create and maintain your account
Payment processing: Handle subscriptions via Stripe/Apple/Google Pay
Service provision: Bookings, reminders, communication with salons
QR code scanning: Camera is used to scan salon QR codes for appointment check-in and loyalty reward redemption (only when you use this feature)
Analytics: Improve the app (if collected)
Fraud prevention: Detect and prevent abuse
Service improvement: Crash reports (Sentry), feedback
Legal compliance: Tax records, dispute resolution

We do NOT use AI for image generation. Uploaded photos are stored for display only and are not used to train any AI models.

Data minimisation and purpose limitation (GDPR Art. 5): We collect only the data necessary for the purposes described above. We do not use your data for purposes incompatible with those stated. If we need data for a new purpose, we will update this policy and obtain consent where required.

5. Data Retention

We retain your data for defined periods:

Account data: Until you delete your account (+ 30-day grace period)
Photos (profile, salon, staff): Until deletion or account closure
Analytics: Up to 26 months (if collected)
Server logs: 90 days
Crash reports (Sentry): 90 days
Payment records: Up to 7 years (legal obligation)
Booking history: Up to 3 years (where legally required)
Chat messages: Until you or the salon hide the chat, or account deletion
Block records (user_blocked_salons, salon_blocked_users): Until you unblock or account/salon deletion
Reminder timestamps (last_reminder_sent_at): Retained with the appointment record; deleted when the appointment or account is removed
FCM tokens: Until account deletion (tokens are removed when you delete your account)
Favorite salons/staff (favorite_salons, favorite_staff): Until you remove them or delete your account
Loyalty transactions and redemptions: Retained with booking history; deleted with account
QR scan history: Retained for loyalty accounting; deleted with account
Reviews: Retained until you delete them or your account. Reviews may remain visible if associated data is anonymised as required by law.

Aggregated and anonymised data: We may retain anonymised or aggregated data (e.g. usage statistics, trends, demographic summaries) indefinitely for analytics and service improvement. This data cannot identify you and is not personal data.

We do NOT use AI to generate images. Uploaded photos are stored in EU (Supabase) and are not shared with AI providers.

6. Third-Party Service Providers – What We Use and For What

We use the following processors. Each processes data only for the stated purpose. We have Data Processing Agreements (DPAs) or equivalent with all providers. We do NOT sell your personal information.

Supabase (EU – Frankfurt): Backend database, file storage, authentication. Stores: account data, bookings, messages, reviews, loyalty points, FCM tokens, favorites, block lists. All personal data you provide is stored in Supabase. Encryption at rest and in transit (TLS).
Firebase / Google Cloud (may process in US): Push notifications (FCM). Receives: FCM device token, user ID (to target notifications). We send notification content (e.g. appointment reminder, new message) to Firebase, which delivers it to your device. Firebase does not store message content long-term. For EU users, Firebase offers GDPR-compliant processing; data may transit through US servers.
Sentry (EU/US): Crash reporting and error monitoring. Receives: Stack traces, device type, OS version, app version, anonymised error context. Used to fix bugs and improve stability. No personal data (names, emails) is sent to Sentry.
Stripe (EU/US): Web payment processing for salon subscriptions (website). Card details never touch our servers. Stripe is PCI-DSS certified.
Google Play Billing (US): In-app subscription purchases (Android). Google processes payment; we receive only subscription status and transaction ID.
Apple In-App Purchase (US): In-app subscription purchases (iOS). Apple processes payment; we receive only subscription status and transaction ID.
Google Sign-In (US): OAuth authentication. We receive: email, name, Google user ID. Used to create/link your Fade account. Google's privacy policy: https://policies.google.com/privacy
Sign in with Apple (US): OAuth authentication. We receive: email (or private relay), name (optional), Apple user ID. Apple may hide your email. Used to create/link your Fade account.
Google Maps (US): Map display, geocoding, directions. We send: your location (if permitted) or searched address. Used to show nearby salons and routes. Google's privacy policy: https://policies.google.com/privacy
Vercel (US): Hosting for getfadeapp.com website. Server logs (IP, request metadata) may be processed. No app user data.

7. International Data Transfers

Data may be transferred outside the EEA (European Economic Area). Our providers may process data in the US or other countries:

Which countries: US (Firebase, Google, Apple, Stripe, Sentry)
Legal mechanism: Standard Contractual Clauses (SCC) – all providers offer SCC for GDPR compliance
Safeguards: Encryption in transit (TLS), Data Processing Agreements (DPAs) with each provider

When we transfer data outside the EEA, we ensure appropriate safeguards are in place as required by GDPR Chapter V.

8. Data Deletion Process

How to request deletion: Settings → Delete account (in-app) or email privacy@getfadeapp.com

Response time: We respond within 30 days (GDPR Art. 12(3))

What is deleted: All personal data (profile, bookings, messages, photos) – except data we must retain by law (e.g. financial records for 7 years, booking history up to 3 years where required)

Backup copies: Deleted data is removed from backups in the next backup cycle (typically within 30–90 days).

9. AI / Image Processing Transparency

We do NOT use AI to generate images. Your photos are:

Uploaded by you (profile, salon, staff images)
Stored in Supabase Storage (EU – Frankfurt)
Compressed on your device before upload (quality 85, max 300KB for avatars)
NOT shared with AI providers or used to train any AI models
NOT processed for facial recognition or other AI analysis

If we add AI features in the future, we will update this policy and obtain consent where required.

10. Information Sharing with Salons

When you book an appointment or communicate with a salon, we share your personal data with that salon. This is necessary for contract performance and in both parties' legitimate interests.

What we share with salons:

Name (as registered in your profile)
Phone number (for contact regarding the appointment)
Email address (for confirmations and reminders)
Appointment details: date, time, selected service(s), any notes or special requests
Message history: messages exchanged through the Fade platform
Reviews and ratings you have submitted for that salon

Salon's use of your data:

Salons receive your data solely to fulfill the appointment and related communication (confirmations, rescheduling, reminders). Salons must not use your data for marketing outside Fade without your consent and must comply with data protection laws (e.g. GDPR). Salons are independent data controllers. For questions about how a salon uses your data, contact that salon.

Salon as data controller: When you provide health-related or sensitive information to a salon (e.g. allergies, skin conditions, medication notes) via booking notes or consultation forms, the salon is the data controller for that information. We process it on their behalf. Contact the salon directly about how they use and protect such data.

Salon's right to refuse:

Salons may refuse or cancel a booking at their discretion (see Terms of Service). If a salon refuses, they may retain minimal information (e.g. name, booking attempt) for a limited time to prevent abuse. We do not control how long salons retain data—contact the salon for their retention policy.

10a. Other Information Sharing

We may also share your information with: service providers (under data processing agreements), legal authorities (when required by law), and in case of business transfers. We share only what is necessary. We do NOT sell your personal information. We do not sell or share your phone number with third parties for marketing purposes, except where required by law.

10b. Salon Subscription Packages, Reminders, and Blocking

Salon subscription packages (Starter, Medium, Pro):

Salons subscribe to one of three packages. Each package affects which features and data processing apply:

Starter package: Up to 2 barbers, limited portfolio, no Featured placement. Appointment reminders can only be sent to clients who have added the salon to "My Hairdresser" (favorites). Reminders are blocked for clients who have not added the salon to favorites.
Medium package: Up to 5 barbers, more portfolio items, limited Featured visibility. Appointment reminders can be sent to all clients with appointments (no restriction).
Pro package: Up to 10 barbers (or more), full portfolio, enhanced Featured placement. Appointment reminders can be sent to all clients with appointments (no restriction).

Appointment reminders – how they work:

Reminders are optional notifications sent by the salon to remind clients of upcoming appointments.
Delivery: Sent via push notification (Firebase Cloud Messaging) to the client's device.
Frequency: At most once per week per appointment. The app prevents sending more frequently.
Data used: Appointment date/time, salon name, client user ID (for delivery). We store last_reminder_sent_at per appointment.
Legal basis: Legitimate interest (Art. 6(1)(f)) – facilitating appointment attendance; you can disable push notifications in your device settings at any time.

Blocking – users and salons:

Users can block salons: From chat or salon profile → "Block salon". Blocked salons cannot message you; you cannot book new appointments at that salon; existing chats are hidden. We store (user_id, salon_id) in user_blocked_salons.
Salons can block users: From chat or booking list → "Block user". Blocked users cannot book new appointments at that salon, cannot send messages, and cannot receive reminders from that salon. We store (salon_id, user_id) in salon_blocked_users.
Both block types: Data retention – block records are kept until you unblock (Settings → Blocked salons) or the salon unblocks you. Block data is deleted when you delete your account or when the salon is deleted.
Legal basis: Contract performance and legitimate interest – both parties may restrict unwanted communication.

10c. Chat, Reviews, Loyalty, QR Check-In, and Offline Appointments

Chat and messages:

Stored in: chats (links user, salon, appointment) and messages (content, sender_id, sender_role)
Who can see: You and the salon (owner and staff with access). We use Row Level Security so only participants see their chats.
Content is stored in Supabase (EU). Encrypted in transit (HTTPS). We do not use end-to-end encryption – salon staff can read messages.
When you "hide" a chat, it is soft-hidden for you; messages remain in the database for dispute resolution and salon records.
Push notifications for new messages: We send message content to Firebase to deliver the notification. Firebase does not retain content.

Reviews and ratings:

Stored in: reviews table (user_id, salon_id, rating, comment, staff_id, staff_rating, owner_response)
Visibility: Reviews are public – anyone can see them on the salon profile. Salon owners can see which user wrote which review (user_id is stored).
You can edit or delete your reviews in the app. Salon owners can respond; their response is also stored.
Legal basis: Contract performance (you received a service) and legitimate interest (reputation).

Loyalty points and rewards:

Points earned: When you complete an appointment (QR check-in) or through referrals. Stored in loyalty_transactions.
Redemptions: When you redeem a reward at a salon. Stored in loyalty_redemptions. Salon owner confirms the redemption.
Who sees: You (your points), the salon (redemptions for their salon, your name for confirmation).
Points are per-salon – you cannot transfer points between salons.

QR check-in:

When you scan a QR code at the salon, we record: user_id, salon_id, appointment_id, scan_date, points_earned in qr_scan_history.
Purpose: Verify you attended; award loyalty points; prevent duplicate scans.
Salon owner can see that you checked in and earned points.

Offline appointments:

Salon owners can create appointments for walk-in clients (no Fade account required). They may enter: client name, phone, service, date/time.
If the client has no account, we store only what the owner enters (in appointments with user_id null or a guest placeholder where applicable).
Offline appointments are visible only to the salon. If the client later creates an account and links the appointment, their data is merged.

10d. Payments – Platforms, Services, Invoices, and Data Protection

Which payment service we use depends on the platform:

Android (mobile app):

Google Play Billing is the sole payment provider for in-app purchases. We do not use Stripe or any other payment method in the Android app.
Used for: Salon subscriptions (Starter, Medium, Pro) and Featured salon promotions.
Your payment (card, Google Pay, etc.) is processed entirely by Google. We never see or store your card details. We receive only: subscription status, transaction ID, and order identifier from Google.
Data protection: Google Play Billing is PCI-DSS compliant. Payment data stays with Google.

iOS (mobile app):

Apple In-App Purchase is the sole payment provider for in-app purchases. We do not use Stripe or any other payment method in the iOS app.
Used for: Salon subscriptions (Starter, Medium, Pro) and Featured salon promotions.
Your payment (card, Apple Pay, etc.) is processed entirely by Apple. We never see or store your card details. We receive only: subscription status, transaction ID, and transaction receipt from Apple.
Data protection: Apple IAP is PCI-DSS compliant. Payment data stays with Apple.

Web (getfadeapp.com dashboard):

Stripe is the payment provider for salon subscriptions purchased via the website (salon owner dashboard).
Used for: Salon subscriptions when the owner subscribes through the getfadeapp.com website instead of the mobile app.
Card details are entered on Stripe's secure checkout page. We never see or store your card number, CVC, or full card data. Stripe is PCI-DSS certified.
Data protection: Stripe handles all payment data. We store only: invoice number, amount, status, transaction ID, and payment method label (e.g. "card").

Where to get your invoice or receipt:

Subscription (mobile – Android/iOS): After purchase, tap "Show invoice" in the app to view the invoice we generate. For subscription and Featured purchases, you can also download your receipt from Google Play → Subscriptions & order history, or App Store → Account → Purchase history. The platform receipt is the official proof of payment for tax purposes.
Subscription (web – Stripe): Invoices are available in the salon dashboard under Billing History. Stripe may also send a payment confirmation email. Invoice PDFs can be downloaded from the dashboard.
Featured promotion (mobile): Receipt is available only from Google Play or App Store order history. We do not generate a separate invoice for Featured promotions – the platform receipt is your proof of payment.
Appointment receipts: For individual appointments, some salons may provide a receipt; this is generated by the salon or via our booking system (e.g. in the owner dashboard). Contact the salon for appointment-related receipts.

We store: invoice_number, amount, tax_amount, total_amount, issue_date, due_date, paid_date, payment_method label, transaction_id, subscription_id, salon_id. No card data. Invoice records are retained for up to 7 years for legal/tax compliance.

10e. Profile Visibility, Admin Access, and Data Export

Profile visibility – who sees what:

Salon owners and staff: When you book an appointment or chat, the salon sees: your name (from profile), profile picture, phone number, email address. This is necessary to fulfill the appointment and contact you.
Other app users: Your reviews are public on salon profiles. Reviews display your rating and comment; the salon can see which user_id wrote each review (and thus identify you). We do not display your full name or contact details publicly to other users.
Map and search: Your profile is not publicly listed. Only salons you interact with (booking, chat) see your data.

Admin access:

Fade has administrators who support the platform (e.g. fraud prevention, support, moderation). Admins can access: user profiles, salon data, bookings, messages, reviews, and subscription records, when necessary to resolve disputes, prevent abuse, or provide support.
Admin access is logged and restricted to authorised personnel. Admins are bound by confidentiality and data protection obligations.

Data export (right to data portability):

You can request a copy of your personal data in a portable format (e.g. JSON or CSV). Contact privacy@getfadeapp.com with the subject "Data export request".
We will include: account data (name, email, phone), profile data, booking history, messages (where applicable), reviews you have written, loyalty points and redemptions, favorite salons/staff, block lists.
We respond within 30 days. The export will be sent securely (e.g. encrypted link or password-protected file). If a "Request my data" option appears in your Settings, it triggers the same process.

11. Data Security and How We Store Your Data

Where we store your data:

Primary storage: Supabase (EU – Frankfurt, Germany). All account data, bookings, messages, reviews, loyalty, favorites, blocks, and FCM tokens are stored in Supabase's PostgreSQL database. Files (photos) are stored in Supabase Storage in the same region.
Backup: Supabase performs automated backups. Backups are encrypted and stored in the same region or compliant locations.
No local copies: We do not download or store your data on our own servers; everything is in Supabase and the third parties listed in Section 6.

Security measures:

Encryption in transit: All API traffic uses HTTPS (TLS 1.2+). No data is sent unencrypted.
Encryption at rest: Supabase encrypts all data at rest (AES-256). Files in Storage are also encrypted.
Access control: Row Level Security (RLS) in Supabase ensures users can only access their own data or data they are authorised to see (e.g. salon owner sees only their salon's data).
Authentication: Passwords are hashed (bcrypt). Social sign-in uses OAuth – we never see your Google/Apple password.
Secure payment: Card data is never stored by us. Payment is handled by Stripe, Apple, or Google (PCI-DSS compliant).
Monitoring: Sentry for crash reports (no personal data). Server logs are retained for 90 days.

Data breach notification:

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority (BfDI or equivalent) within 72 hours (GDPR Art. 33) and inform you without undue delay (GDPR Art. 34) where the breach poses a high risk to you.
Contact for breach-related enquiries: privacy@getfadeapp.com

Automated decision-making:

We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you (GDPR Art. 22). All decisions (e.g. booking confirmation, reminder eligibility) are based on rules we define, not AI or automated profiling.
If we introduce such processing in the future, we will update this policy and obtain consent or provide an alternative where required.

No method of transmission over the internet is 100% secure.

12. Your Rights (GDPR)

You have the right to delete your account and all associated data. You can do this within the app (Settings → Delete account) or by contacting us at privacy@getfadeapp.com.

You also have the right to:

Access: Request a copy of your personal information
Correction: Update or correct your information in account settings
Deletion: Request account deletion – we delete within 30 days (30-day grace period applies)
Data Portability: Request your data in a portable format (JSON/CSV)
Opt-out: Unsubscribe from marketing at any time
Withdraw Consent: For location, notifications, or marketing in app/device settings
Object: Object to processing for specific purposes (e.g. marketing)
Restrict processing: Request that we restrict processing in certain circumstances (GDPR Art. 18) – e.g. where you contest accuracy or where processing is unlawful but you prefer restriction to deletion
Complain: Lodge a complaint with a supervisory authority. In Germany: BfDI (www.bfdi.bund.de). EU consumers may contact their local data protection authority. EU dispute resolution: https://ec.europa.eu/consumers/odr/

To exercise these rights: privacy@getfadeapp.com (we respond within 30 days).

13. Location and Camera – Specific Use

We use your precise location to show nearby salons on the map. We use your camera solely for scanning QR codes at salon locations to verify appointments and redeem loyalty rewards. We do not record, store, or transmit video – we only process the QR code data.

Location is optional: you can use the map, search addresses, and add your address manually without granting location permission. Location is required only when you tap "Use device location" or for QR check-in at a salon.

You can disable location and camera in your device settings at any time. This may limit some app functionality (e.g. QR check-in for loyalty points).

14. Children's Privacy

Our service is not intended for children under 13 (or 16 in some EU countries). We do not knowingly collect personal information from children under 13.

If you are a parent or guardian and believe your child has provided us with personal information, contact us immediately at privacy@getfadeapp.com. We will delete the data promptly and inform you.

15. Cookies & Local Storage

Fade mobile app: Does not use web cookies. We use local storage for login tokens, app settings and preferences. No third-party analytics. No advertising IDs (IDFA/GAID) for ad tracking – we do not show third-party ads.

Fade website (getfadeapp.com): May use essential cookies (session, auth) and analytics (e.g. Vercel Analytics). You can refuse non-essential cookies via browser settings.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or in-app notification and update the "Last updated" date. We encourage you to review this policy periodically.

17. Contact Us & Supervisory Authority

If you have questions about this Privacy Policy, please contact us:

Fade is operated by Vera IT.

Court of Registration: Amtsgericht Hamburg

VAT ID: DE456074487

Person responsible for content (per German law § 55 RStV):

Jovica Mihajlovic

Rehrstieg 16d

21147 Hamburg, Germany

Email: privacy@getfadeapp.com (also for GDPR and data protection enquiries)

Support: support@getfadeapp.com

Legal: legal@getfadeapp.com

Data deletion: Request via Settings → Delete account (30-day grace period) or privacy@getfadeapp.com. We respond within 30 days.

Right to complain: You may lodge a complaint with a supervisory authority (e.g. BfDI in Germany: www.bfdi.bund.de). EU consumers may use the EU ODR platform: https://ec.europa.eu/consumers/odr/

18. Disclaimers and Third-Party Links

Third-party links: Our Privacy Policy and app may contain links to external websites (e.g. Google, Apple, Stripe, Supabase). We are not responsible for the privacy practices or content of these third parties. When you leave Fade (e.g. via a link to Google Maps or App Store), their privacy policies apply. We encourage you to read their policies.

No warranty for data accuracy: While we take reasonable measures to keep data accurate and secure, we do not guarantee that all data stored or displayed is error-free, complete, or up to date. Salon information (hours, services, prices) is provided by salons and may change. We are not liable for inaccuracies in third-party-provided data.

Severability: If any provision of this Privacy Policy is found to be invalid or unenforceable by a court, the remaining provisions will remain in full force and effect.

English/German: This policy is provided in English. In case of conflict between translations, the English version prevails unless otherwise required by law.
