Privacy Policy
At KrownLink, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform. Please read this privacy policy carefully.
Data Controller
KrownLink LLC (“KrownLink”, “we”, “us”) is the data controller responsible for your personal data under the General Data Protection Regulation (GDPR) and applicable data protection laws.
KrownLink operates as a technology marketplace that connects clients seeking haircare services with independent, verified stylists (“Service Providers”). Stylists listed on KrownLink are independent professionals who operate their own businesses — they are not employees, agents, or contractors of KrownLink. KrownLink facilitates the connection between clients and stylists but does not control, direct, or supervise the services provided.
1. Information We Collect
1.1 Information You Provide to Us
We collect information that you voluntarily provide when using our services:
For Clients:
- Account Information: Name, email address, phone number, password
- Profile Information: Profile photo, hair type, hair texture, preferences
- Booking Information: Service details, appointment dates, special requests
- Payment Information: Billing address, payment method details (processed securely by Stripe)
- Communication Data: Messages sent through our platform, reviews, ratings
For Stylists (Independent Service Providers):
- Professional Information: Business name, years of experience, certifications, specializations
- Verification Documents: Government-issued ID, cosmetology license, business registration, insurance documentation
- Portfolio: Photos of your work, service descriptions, pricing
- Location Data: Business address, service area
- Booking Data: Appointment details, service history, client interactions, and per-appointment earnings records
- Financial Information: Bank account details and tax information, collected and processed by Stripe Connect for direct payouts. KrownLink does not store your bank account numbers — this data is held exclusively by Stripe.
1.2 Information Collected Automatically
- Device Information: IP address, browser type, operating system, device identifiers
- Usage Data: Pages viewed, time spent on pages, clicks, search queries
- Location Data: Approximate location based on IP address (with your consent for precise location)
- Cookies and Similar Technologies: See our Cookie Policy for details
1.3 Information from Third Parties
- Social Media: If you connect via social login (Google, Facebook, Apple)
- Payment Processors: Transaction confirmation from Stripe
- Analytics Providers: Aggregated usage statistics
1.4 Device & Hardware Features
- Biometric Authentication: We use device-level security (Face ID / Touch ID) for quick and secure login via Apple's LocalAuthentication framework. Your biometric data never leaves your device's Secure Enclave. We only receive a success/failure result and do not collect, store, or transmit biometric templates or raw face data.
- Hardware Permissions: With your explicit consent, we may access your Camera and Photo Library (for profile/portfolio uploads and AR Try-On), Microphone and Speech Recognition (for AI Concierge voice commands), and Calendars and Reminders (to save your appointments).
2. How We Use Your Information
We use your information for the following purposes:
2.1 To Provide Our Services
- Create and manage your account
- Process bookings and payments
- Connect clients with stylists
- Facilitate communication between users
- Display stylist profiles and portfolios
- Send booking confirmations and reminders
2.2 To Improve Our Platform
- Analyze usage patterns and trends
- Conduct research and development
- Test new features and functionality
- Optimize user experience
- Fix bugs and technical issues
2.3 To Communicate with You
- Send transactional emails (booking confirmations, receipts)
- Respond to your inquiries and support requests
- Send important updates about our services
- Send marketing communications (with your consent)
- Request reviews and feedback
2.4 For Safety and Security
- Verify user identity and prevent fraud
- Detect and prevent abuse, spam, and illegal activities
- Enforce our Terms of Service
- Protect the rights and safety of our users
- Comply with legal obligations
2.5 For Legal and Compliance
- Comply with applicable laws and regulations
- Respond to legal requests and prevent harm
- Enforce our agreements and policies
- Maintain records for tax and accounting purposes
3. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:
3.1 Contractual Necessity
Processing is necessary to perform our contract with you (providing booking services, facilitating payments, etc.).
3.2 Legitimate Interests
We have legitimate interests in:
- Improving and developing our services
- Preventing fraud and ensuring platform security
- Analyzing usage to enhance user experience
- Marketing our services to existing users
3.3 Consent
We obtain your explicit consent for:
- Marketing communications
- Non-essential cookies
- Precise location tracking
- Sharing data with third parties for marketing
3.4 Legal Obligation
Processing is necessary to comply with legal requirements (tax laws, anti-money laundering, etc.).
4. Sharing Your Information
We share your information only in the following circumstances:
4.1 With Other Users
- Clients: Can see stylist profiles, portfolios, reviews, and location (neighborhood level)
- Stylists: Receive client name, contact info, and booking details after confirmation
- Public Information: Reviews and ratings are publicly visible
4.2 With Service Providers
We share data with trusted third-party service providers who assist us:
- Client Payment Processing: Client payment details (card number, billing address) are transmitted directly to Stripe for secure processing. KrownLink does not store credit or debit card numbers.
- Stylist Payout Processing: Stylist bank account details are collected and held exclusively by Stripe Connect. Deposits from clients are transferred directly to the stylist’s own Stripe Connect account — KrownLink does not process, hold, or have access to payout funds or bank account numbers.
- Stylist Subscription Processing: Stylist subscription payments are processed through Apple StoreKit (iOS) or Google Play Billing (Android) via RevenueCat. KrownLink does not have access to your App Store or Play Store payment details.
- Email Services: SendGrid or AWS SES
- Cloud Hosting: AWS, Google Cloud, or Hetzner (EU-based)
- Analytics: Google Analytics (anonymized data)
- Customer Support: Support ticket systems
All service providers are contractually bound to protect your data and use it only for specified purposes.
4.3 Third-Party AI Services
KrownLink uses third-party artificial intelligence services to provide certain features. Your explicit consent is obtained before any data is shared with these services. The following AI services are used:
Google Gemini (Search & Discovery)
- Data Sent: Your text search queries (e.g., "Braids near me") are sent to Google Gemini for intelligent intent parsing and query embedding generation
- Purpose: To understand your search intent and find the most relevant stylists for you
- Retention: Google processes queries transiently for the purpose of generating a response. Search queries are cached locally for 24 hours to improve performance
- Privacy Policy: Google Privacy Policy
LightX (AR Hairstyle Previews)
- Data Sent: A selfie photo (JPEG image) that you capture or select is sent to LightX for AI-powered hairstyle generation
- Purpose: To generate a realistic preview of how a selected hairstyle would look on you
- Retention: LightX processes images transiently to generate the preview. The original selfie and generated result are stored in your private KrownLink account until you choose to delete them
- Privacy Policy: LightX Privacy Policy
You can withdraw your AI consent at any time by clearing your app data or contacting privacy@krownlink.com. Withdrawing consent will disable AI-powered search and AR try-on features.
4.3.1 Face Data & AR Try-On
KrownLink’s AR Try-On feature uses your device camera to capture a selfie photo, which is sent to LightX (a third-party AI service) for hairstyle generation. Here is how face data is handled:
- No Raw Face Data Retention: KrownLink does not retain raw face data. Your selfie is transmitted to LightX solely for processing and is not stored on our servers.
- Third-Party Processing: LightX processes your selfie transiently to generate the AI hairstyle image. LightX does not retain, store, or use your face data after processing is complete. See LightX Privacy Policy.
- Generated Image Storage: The generated AR result images (hairstyle previews) are saved securely on our backend servers to your private lookbook. These are stored for as long as your account exists or until you delete them.
- Purpose & Access of Storage: We store generated images (not raw face data) so you can revisit hairstyle previews and share them with your selected hairstylist service provider when booking an appointment. Access to these images is stringently restricted to you and the specific stylist with whom you explicitly choose to share them.
- Third-Party Sharing: Face data is shared only with LightX transiently for the sole purpose of AI hairstyle generation. No other third parties receive this data, and generated images are never shared beyond your chosen stylist.
- Deletion: You can delete any generated AR images at any time from your lookbook. Deleting your account removes all associated data permanently.
4.4 For Legal Reasons
We may disclose your information if required by law or if we believe it's necessary to:
- Comply with legal obligations, court orders, or government requests
- Enforce our Terms of Service
- Protect our rights, property, or safety
- Prevent fraud or illegal activities
- Protect the safety of our users or the public
4.5 Business Transfers
If KrownLink is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.
4.6 With Your Consent
We may share your information with third parties when you give us explicit consent to do so.
5. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:
5.1 Active Accounts
- Account Data: Retained while your account is active
- Booking History: Retained for 7 years for tax and legal compliance
- Messages: Retained for 6 months after the last message
- Reviews: Retained indefinitely unless deleted by you or removed for policy violations
5.2 Closed Accounts
- Most personal data is deleted within 30 days of account closure
- Financial records retained for 7 years for legal compliance
- Anonymized data may be retained for analytics
5.3 Legal Holds
We may retain data longer if required by law, legal proceedings, or to prevent fraud.
6. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), you have the following rights:
6.1 Right to Access
You can request a copy of all personal data we hold about you.
How to exercise: Email privacy@krownlink.com or use the "Download My Data" feature in your account settings.
6.2 Right to Rectification
You can correct inaccurate or incomplete personal data.
How to exercise: Update your information in account settings or contact us.
6.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data in certain circumstances.
How to exercise: Use the "Delete Account" feature or email privacy@krownlink.com.
Note: Some data may be retained for legal compliance (e.g., financial records).
6.4 Right to Restriction of Processing
You can request that we limit how we use your data in certain situations.
6.5 Right to Data Portability
You can receive your data in a structured, machine-readable format and transfer it to another service.
How to exercise: Use the "Export Data" feature in your account settings.
6.6 Right to Object
You can object to processing based on legitimate interests or for direct marketing.
How to exercise: Click "Unsubscribe" in marketing emails or adjust settings in your account.
6.7 Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time.
6.8 Right to Lodge a Complaint
You can file a complaint with your local data protection authority:
- Germany: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI)
- Netherlands: Autoriteit Persoonsgegevens
- France: Commission nationale de l'informatique et des libertés (CNIL)
- Spain: Agencia Española de Protección de Datos (AEPD)
- Italy: Garante per la protezione dei dati personali
Exercise Your Rights
To exercise any of the above rights, you can:
- Email us at privacy@krownlink.com
- Use the self-service tools in your account settings
- Write to our Data Protection Officer at the address below
We will respond to your request within 30 days as required by GDPR.
7. Cookies and Tracking Technologies
7.1 Types of Cookies We Use
- Essential Cookies: Required for the Platform to function (session management, security)
- Analytics Cookies: Help us understand how users interact with the Platform (Google Analytics)
- Preference Cookies: Remember your settings (language, theme)
- Marketing Cookies: Used with your consent for targeted advertising
7.2 Managing Cookies
- You can manage cookies through our cookie consent banner
- Browser settings allow you to block or delete cookies
- Disabling cookies may affect Platform functionality
For complete details, see our Cookie Policy.
8. Data Security
8.1 Security Measures
We implement industry-standard security measures to protect your data:
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Role-based access with multi-factor authentication for staff
- Regular Audits: Security assessments and penetration testing
- Data Minimization: We collect only the data we need
- Fraud Monitoring: Payout and transactional activity is monitored for irregular patterns to protect both clients and stylists
- PCI-DSS Compliance: All payment processing is handled by Stripe, a PCI-DSS Level 1 certified provider
- Incident Response: Documented procedures for data breach response
8.2 Data Breach Notification
In the event of a data breach that affects your personal data:
- We will notify affected users within 72 hours (as required by GDPR)
- We will notify the relevant supervisory authority
- We will provide details about what data was affected and steps to protect yourself
9. International Data Transfers
9.1 Where Your Data May Be Stored
- European Union: Primary data storage (Supabase EU, Hetzner)
- United States: Some service providers (Stripe, Google Analytics)
9.2 Transfer Safeguards
When transferring data outside the EEA, we ensure appropriate safeguards:
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission
- Binding Corporate Rules where applicable
- EU-US Data Privacy Framework certification (where applicable)
10. Children's Privacy
KrownLink is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16.
If we discover that we have collected data from a child under 16, we will delete it immediately. If you believe a child has provided us with personal data, please contact us at privacy@krownlink.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- We will update the "Last Updated" date at the top
- We will notify you via email for material changes
- We may provide additional notice through the Platform
- Continued use after changes constitutes acceptance
We encourage you to review this policy periodically.
12. Contact Us
KrownLink Data Protection
Privacy Inquiries: privacy@krownlink.com
General Support: support@krownlink.com
Response Time: Within 30 days for GDPR requests
Mailing Address:
KrownLink LLC
8 The Green Suite B
Dover, Delaware 19901
United States