Legal

Privacy Policy

Last updated: 8 April 2026

AAKIJA Ltd (“AAKIJA”, “we”, “us”, “our”) is a company registered in England and Wales. We are committed to protecting the privacy and security of personal data processed through our AI-powered salon management platform (“the Platform”).

This Privacy Policy explains how we collect, use, store, share, and protect personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It applies to all users of the Platform, including salon owners, salon staff, and salon clients whose data is processed through the Platform.

1. Data Controller and Data Processor

AAKIJA as Data Processor: When a salon (“the Salon”) uses the Platform to manage client information, appointments, payments, and communications, the Salon is the Data Controller and AAKIJA acts as the Data Processor. We process personal data solely on the Salon’s behalf and in accordance with their instructions.

AAKIJA as Data Controller: When we collect data directly from salon owners and staff for account registration, billing, and platform administration, AAKIJA acts as the Data Controller.

AAKIJA Ltd is registered with the Information Commissioner’s Office (ICO).
Registration reference: ZC129393
Registered address: 61A Bridge Street, Kington, HR5 3DJ

Contact: privacy@aakija.com

2. What Personal Data We Collect

2.1 Salon Owner and Staff Data

  • Full name, email address, phone number
  • Business name, address, company registration details
  • Login credentials (passwords are hashed and never stored in plain text)
  • Role and permissions within the Platform
  • Payment and billing information (processed securely by Stripe)

2.2 Salon Client Data

When a Salon uses the Platform, the following client data may be processed on the Salon’s behalf:

  • Full name, email address, phone number
  • Appointment history, service preferences, booking notes
  • Consultation notes and treatment records
  • Marketing consent status (opt-in/opt-out)
  • Payment transaction history
  • Communication history (SMS and email messages sent via the Platform)
  • Feedback and review responses

2.3 Technical and Usage Data

  • IP address, browser type, device information
  • Pages visited, features used, session duration
  • Error logs and performance data

3. How We Use Personal Data

We process personal data for the following purposes:

  • Service delivery: Operating the Platform, managing appointments, processing payments, sending booking confirmations and reminders
  • AI-powered insights: Our AI intelligence layer (“Ki”) analyses salon data to generate business insights, identify revenue opportunities, and draft recommended actions. All AI-generated actions require human approval before execution
  • Communications: Sending transactional messages (booking confirmations, reminders, password resets) and, where the client has opted in, marketing campaigns on behalf of the Salon
  • Billing and payments: Processing subscription payments, platform fees, and salon transaction payments
  • Platform improvement: Analysing aggregate, anonymised usage patterns to improve features and performance
  • Legal compliance: Meeting regulatory obligations, responding to lawful requests, and maintaining audit trails

4. Lawful Basis for Processing

We rely on the following lawful bases under Article 6 of the UK GDPR:

  • Contract (Art. 6(1)(b)): Processing necessary to perform our contract with salon owners (subscription services, platform access)
  • Legitimate interests (Art. 6(1)(f)): Platform security, fraud prevention, service improvement, and AI-driven business analysis on behalf of the Salon
  • Consent (Art. 6(1)(a)): Marketing communications to salon clients are only sent where the client has provided explicit opt-in consent, managed by the Salon
  • Legal obligation (Art. 6(1)(c)): Financial record-keeping, tax compliance, and responding to lawful regulatory requests

5. AI Processing and Automated Decision-Making

The Platform uses artificial intelligence to analyse salon data and generate business insights. This is a core feature of the service, branded as “Ki”.

5.1 AI Providers

  • Anthropic (Claude): Used for quality-critical AI outputs including business insights, action drafting, campaign copy, and conversational features. Anthropic processes data under a Data Processing Agreement (DPA) and does not use customer data to train their models
  • Nebius (Kimi K2.5): May be used for background AI tasks (classification, data mapping). Nebius operates GDPR-compliant EU-based inference infrastructure with a signed DPA

5.2 How AI Data is Handled

  • All AI processing is strictly scoped to a single salon’s data. No data is shared across salons
  • AI prompts are constructed using only the requesting salon’s data
  • Every AI interaction is logged to an immutable audit trail (provider, model, token usage, cost, timestamp)
  • AI-generated actions are always presented as recommendations and require explicit human approval before execution
  • We do not use client data to train AI models

5.3 No Solely Automated Decisions

The Platform does not make decisions that produce legal or similarly significant effects on individuals based solely on automated processing. Ki proposes actions; a human (the salon owner or manager) must approve them before they are executed. This is a core design principle of the Platform.

6. Third-Party Processors

We use carefully selected third-party service providers to operate the Platform. Each operates under a Data Processing Agreement (DPA) and processes data only as necessary for the stated purpose:

  • Stripe: Payment processing, subscription billing, salon payouts, and KYC verification. Stripe is PCI DSS Level 1 certified. We never store full card numbers on our servers. See Stripe’s Privacy Policy
  • SMS provider: Outbound SMS delivery for appointment reminders, booking confirmations, and salon marketing campaigns (where the client has opted in). Messages are sent on behalf of the Salon
  • Email provider: Transactional and marketing email delivery including booking confirmations, password resets, and salon campaigns (where the client has opted in)
  • Anthropic: AI inference for business intelligence features (see Section 5)
  • Cloud infrastructure provider: Hosting and data storage with data centres in the UK/EEA

7. International Data Transfers

Some of our processors operate outside the UK. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the ICO
  • UK adequacy regulations where the destination country has been deemed adequate
  • Binding Corporate Rules where applicable

We do not transfer data to any jurisdiction that does not offer adequate protection or where appropriate safeguards cannot be implemented. We have specifically excluded AI providers hosted in jurisdictions that do not offer signed DPAs or GDPR-equivalent protections.

8. Data Retention

  • Active account data: Retained for the duration of the salon’s subscription plus 90 days after cancellation
  • Salon client data: Retained as instructed by the Salon (Data Controller). When a salon cancels, we provide a 90-day data export window before deletion
  • Financial records: Retained for 7 years as required by UK tax and accounting regulations (HMRC requirements)
  • AI audit logs: Retained for 2 years for transparency and compliance, then anonymised
  • Communication logs: SMS and email delivery records retained for 12 months
  • Technical logs: Server and error logs retained for 90 days

When data reaches the end of its retention period, it is securely deleted or irreversibly anonymised.

9. Your Rights Under UK GDPR

If you are a salon owner or staff member (where AAKIJA is the Data Controller), you have the following rights:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data
  • Right to erasure (Art. 17): Request deletion of your personal data, subject to legal retention requirements
  • Right to restriction (Art. 18): Request that we limit how we process your data
  • Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (CSV or JSON)
  • Right to object (Art. 21): Object to processing based on legitimate interests
  • Rights related to automated decision-making (Art. 22): As noted in Section 5.3, the Platform does not make solely automated decisions with legal effect

Salon clients: If you are a client of a salon that uses AAKIJA, the salon is the Data Controller for your data. Please contact the salon directly to exercise your rights. We will support the salon in fulfilling your request.

To exercise your rights, contact us at privacy@aakija.com. We will respond within 30 days.

10. Data Portability and Export

Salon owners can export their data at any time through the Platform’s settings panel. Available export formats include:

  • Client records (CSV)
  • Appointment history (CSV)
  • Financial transactions (CSV)
  • AI action history and audit logs (JSON)

Upon subscription cancellation, salon owners have a 90-day window to export all data before it is permanently deleted.

11. Right to Erasure (Data Deletion)

Salon owners may request full deletion of their account and all associated data by contacting us at privacy@aakija.com or through the Platform’s account settings.

Upon receiving a valid erasure request, we will:

  • Delete all client records, appointment data, and communication history
  • Delete all AI-generated insights, action logs, and embeddings for the tenant
  • Anonymise financial records that must be retained for legal compliance (7 years)
  • Remove all data from backup systems within 30 days
  • Confirm deletion in writing

12. Multi-Tenant Data Isolation

The Platform operates a strict multi-tenant architecture. Every salon’s data is logically isolated at the database level:

  • Every database query is scoped to the salon’s unique tenant identifier
  • AI processing cannot access data belonging to another salon
  • Vector search indexes (used for semantic search) are isolated per tenant
  • Cached data is tagged per tenant and cannot be served to another salon

Cross-tenant data leakage is classified as a critical security incident and subject to immediate remediation.

13. Cookies

Our website and Platform use the following categories of cookies:

  • Strictly necessary cookies: Required for the Platform to function (authentication sessions, CSRF protection). These do not require consent
  • Functional cookies: Remember user preferences (language, display settings). Set only with consent
  • Analytics cookies: Help us understand how visitors use the website. Set only with consent. We use privacy-respecting analytics that do not track individuals across websites

We do not use advertising or tracking cookies. We do not sell data to third parties. You can manage your cookie preferences at any time through the cookie banner on our website. For full details, see our Cookie Policy.

14. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Password hashing using bcrypt with appropriate cost factors
  • Role-based access control (RBAC) limiting data access by user role
  • JWT-based authentication with short-lived access tokens and secure refresh token rotation
  • Row-level security at the database layer for tenant isolation
  • Immutable audit logging of all sensitive operations
  • Regular security reviews and dependency updates

15. Data Breach Notification

In the event of a personal data breach, we will notify the Information Commissioner’s Office (ICO) within 72 hours where the breach is likely to result in a risk to the rights and freedoms of individuals. We will notify affected salons without undue delay.

16. Children’s Data

The Platform is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will delete it promptly.

17. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered salon owners and displayed prominently on the Platform. The “Last updated” date at the top of this page indicates when the most recent changes were made.

18. Complaints

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

We encourage you to contact us first at privacy@aakija.com so we can try to resolve any concerns directly.

19. Contact

AAKIJA Ltd
61A Bridge Street, Kington, HR5 3DJ
Email: privacy@aakija.com
Website: aakija.com

Terms of ServiceCookie PolicyAbout AAKIJA