Legal
Privacy Policy
Last updated: April 21, 2026
1. Who We Are
BarberBook ("we", "us", "our") is a barber shop management and appointment booking platform, operated by Muhammad Roman Khan, Karachi, Pakistan. As the data controller, we are responsible for how your personal information is collected, used, and protected. If you have any privacy-related questions or requests, contact our privacy team at privacy@barberbook.app.
2. Legal Basis for Processing
We process personal data under the following lawful bases, depending on the nature of the processing activity: (a) Contract performance — processing necessary to provide the service you signed up for, such as managing your account, bookings, and appointments; (b) Legitimate interests — processing for security monitoring, fraud prevention, and platform improvement, where our interests do not override your rights; (c) Consent — processing based on your explicit consent, such as receiving WhatsApp or email notifications; (d) Legal obligation — processing required to comply with applicable laws and regulations.
3. Information We Collect
Information you provide directly
When you create an account we collect your name and email address. Passwords are securely hashed using bcrypt and are never stored or accessible in plain text. Shop owners also provide their shop name, city, timezone, and service details. When booking an appointment as a guest, we collect your name, phone number, and email address.
Information collected automatically
We collect standard server logs including IP address, browser type, device type, pages visited, and timestamps. We use this data for security, fraud prevention, and improving the Platform — not for advertising.
Information from third parties
If you sign in with Google OAuth, we receive your name, email address, and profile picture from Google. We do not receive your Google password. We only request the minimum scopes needed to authenticate you.
4. How We Use Your Information
- Provide, maintain, and improve the BarberBook platform (contract performance)
- Authenticate your identity and secure your account (contract performance + legitimate interests)
- Send appointment confirmations, reminders, and queue updates via email and WhatsApp (contract performance + consent)
- Process subscription payments and send billing receipts (contract performance)
- Respond to support requests and enquiries (legitimate interests)
- Detect and prevent fraudulent or abusive activity (legitimate interests)
- Comply with legal obligations (legal obligation)
We do not sell your personal data to third parties. We do not use your data for targeted advertising.
5. Payments
Subscription payments are processed securely through our payment provider. BarberBook does not store full card details, bank account numbers, or payment credentials on its own servers. All payment transactions are handled by the payment processor and are subject to their privacy policy and PCI-DSS compliance standards. You will be notified if we change our payment provider.
6. WhatsApp & Email Notifications
We use Twilio to send WhatsApp messages and Resend/Nodemailer to send email notifications on behalf of barber shops. Messages include appointment confirmations, reminders, and queue status updates. By providing your phone number or email during booking, you consent to receive these transactional messages. You can opt out by contacting the shop directly or clicking the unsubscribe link in email messages. We do not send marketing messages without your explicit consent.
7. Real-Time Features
We use Pusher to power real-time features such as live queue updates and appointment status changes. Pusher may process connection metadata (IP address, connection time) as part of delivering these features. No personal appointment data is permanently stored by Pusher.
8. Data Sharing & Disclosure
With barber shops
When you book an appointment, your name, phone number, email, and booking details are shared with the relevant barber shop. The shop owner and their authorised staff can view this information within their dashboard.
With service providers
We share data with trusted third-party service providers that help us operate the Platform: Neon (PostgreSQL database hosting), Pusher (real-time infrastructure), Twilio (WhatsApp notifications), Resend (email delivery), and Google (OAuth authentication). These providers are bound by their own privacy policies and contractual obligations to protect your data.
Legal requirements
We may disclose your information if required by law, court order, or government authority, or if we believe disclosure is necessary to protect the rights, property, or safety of BarberBook, our users, or others.
9. Data Retention
We retain your account data for as long as your account is active or as needed to provide the service. Appointment and booking records are retained to support dispute resolution and operational continuity. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it by law. Please note that deleted data may remain in secure encrypted backup systems for a limited additional period before it is automatically and permanently purged. Guest booking data (name, phone, email) is retained for up to 12 months after the appointment date and then deleted.
10. Cookies & Local Storage
We currently use only essential session cookies and local storage to keep you logged in and maintain your preferences (e.g., dark/light mode). We do not use third-party tracking cookies or advertising cookies, so no cookie consent banner is required at this time. If we introduce non-essential cookies (e.g., analytics tools such as Google Analytics) in the future, we will update this policy and display an appropriate consent banner before setting any such cookies. You can disable cookies in your browser settings, but this may affect your ability to use authenticated features.
11. Security
We implement industry-standard security practices including TLS encryption for all data in transit, passwords hashed with bcrypt, secure session tokens, and strict access controls. Database credentials and API keys are stored as environment variables and never exposed in client-side code. However, no system is completely secure, and we cannot guarantee absolute security. We encourage you to use a strong password and enable two-factor authentication.
12. Two-Factor Authentication
If you enable two-factor authentication (2FA) on your account, we store a TOTP secret associated with your account. This secret is used solely for generating and verifying authentication codes. We do not share this secret with any third party.
13. Your Rights
You have the right to: (a) access the personal data we hold about you; (b) correct inaccurate data; (c) request deletion of your data ("right to be forgotten"), subject to legal retention requirements; (d) restrict or object to certain processing; (e) data portability (export your appointment history); (f) withdraw consent at any time for consent-based processing, without affecting the lawfulness of prior processing. To exercise any of these rights, contact us at privacy@barberbook.app. We will respond within 30 days.
14. Children's Privacy
BarberBook is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information without parental consent, please contact us at privacy@barberbook.app and we will delete it promptly. Users between 13 and 18 should use the Platform only with the knowledge and permission of a parent or guardian.
15. International Data Transfers
BarberBook is operated from Pakistan. Our infrastructure providers (Neon, Pusher, Twilio, Resend) may process data in other jurisdictions including the United States and European Union. By using the Platform, you consent to your data being transferred to and processed in these locations, subject to appropriate safeguards.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or an in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Platform after changes take effect constitutes acceptance of the revised policy.
17. Contact Us
For privacy-related questions, data requests, or concerns, please contact our privacy team at: privacy@barberbook.app. For general support: support@barberbook.app. For legal matters: legal@barberbook.app. We aim to respond to all enquiries within 5 business days. Operated by: Muhammad Roman Khan, Karachi, Pakistan.