Privacy Policy

Last updated: 3 September 2025

This policy explains how Short Zak & Sides (“we”) collects and uses your data when you use our website and booking service. We comply with UK GDPR and the Data Protection Act 2018.

Data Controller

Short Zak & Sides, 4 Castleton Rd, Hope, Hope Valley, S33 6AA. Contact: zak@zaksbarbers.co.uk, 07487 632975.

Data We Collect

  • Bookings: name, email, optional phone, selected service, date/time, notes, status.
  • Tokens: long random appointment tokens for self-service actions; no personal data in the token; revoked on use/expiry.
  • Communications: messages you send us and delivery metadata.
  • Technical: IP, user agent and request data needed for security, rate-limiting and error logs.
  • Staff/Admin: internal schedules, time-off, closures, role/permission data.

We do not process online payments on this site and collect no card data.

Why We Use It (Lawful Bases)

  • Contract: take/manage bookings; confirmations, reminders, updates.
  • Legitimate interests: security, reliability, diagnostics, abuse prevention, improvement.
  • Consent: optional marketing (email/SMS) – withdraw anytime.
  • Legal obligation: records for tax/accounting; lawful requests.

How & Where We Process

  • Hosting: modern cloud with global edge delivery; app/API executed server-side.
  • Database: managed Postgres (Supabase, EU project region) with role-based access and row-level security.
  • Email: authenticated SMTP from our mailbox (Nodemailer); delivery metadata retained briefly.
  • Outbox: short-lived queue entries (recipient, subject, timestamps) for reliable sends.

Sub-Processors

  • Vercel – hosting/edge delivery.
  • Supabase (EU) – database/storage.
  • SMTP email provider – transactional email.

We update this list if providers change or new ones are added.

International Transfers

Where data leaves the UK, we use UK adequacy or Standard Contractual Clauses with supplementary measures.

Cookies

Strictly necessary cookies only for session/booking. No analytics or advertising cookies.

Retention

  • Bookings: up to 6 years.
  • Email/outbox metadata: ~90 days.
  • Error/security logs: ~90–180 days.
  • Marketing lists: until you opt out/withdraw consent.

Security Measures

  • HTTPS/TLS; encryption at rest by providers.
  • RBAC, least-privilege keys, 2FA on provider accounts.
  • Signed, time-limited tokens; server-side validation; rate-limiting; audit logs.
  • Secrets in provider env/kv; versioned deployments; backups.

Sharing

No sale of personal data. Sharing limited to the processors above, professional advisers where necessary, lawful requests, or a business reorganisation.

Your Rights

  • Access, correction, deletion, portability.
  • Restrict/object; withdraw marketing consent.
  • Complain to the ICO: ico.org.uk.

To exercise rights, email zak@zaksbarbers.co.uk.

Children

Children’s haircuts may be booked by/with a parent or guardian. We do not knowingly collect children’s data without appropriate consent.

Changes & Contact

We update this page when required. Questions: zak@zaksbarbers.co.uk, 07487 632975.