Privacy policy
Last updated April 2026
1. Who we are
Glass Book is a trading name of Hamr Ltd, a company registered in England and Wales.
For all data protection enquiries please contact us at hello@glassbook.co.uk.
2. Our role under UK GDPR
Where you are a salon or clinic operator using Glass Book to manage your business, you are the data controller for your clients’ personal data. We are your data processor, processing that data only on your documented instructions under our Data Processing Agreement.
For our own corporate data — including our subscriber records, billing data, marketing communications and website analytics — Hamr Ltd is the data controller and this notice describes how we act in that capacity.
3. What we collect and why
From salon operators (our subscribers)
- Name, email address, login activity, role within the salon — to operate your account.
- Salon profile, branding, opening hours, treatment menu, prices — to render your booking page.
- Billing details handled by Stripe Payments Europe Ltd. (we do not store card numbers).
- Support correspondence and audit logs of administrative actions.
From end clients (booking through a salon)
- Name, email address, phone number, appointment history.
- Responses to medical history and consent forms, which can include special category data concerning health under UK GDPR Article 9. We collect this only where the salon requires it for safe treatment, on the basis of your explicit consent at the time of booking.
- Payment intent identifiers from Stripe (no card data).
- Cancellation and review activity tied to your appointment.
From all visitors to glassbook.co.uk
- Strictly necessary cookies for authentication and remembering this notice (see our cookie policy).
- Server logs (IP address, user agent, request path, status code) retained for security monitoring for up to 30 days.
4. Lawful basis for each processing activity
| Activity | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Provide the booking platform to salons | Contract (Art. 6(1)(b)) |
| Process bookings, deposits and reminders for end clients | Contract (Art. 6(1)(b)) — between client and salon |
| Store medical / consent form responses | Explicit consent (Art. 6(1)(a) and Art. 9(2)(a)) |
| Send transactional service emails (booking confirmation, reminders) | Legitimate interest and contract performance (Art. 6(1)(b), 6(1)(f)) |
| Send marketing emails to salon operators about Glass Book | Consent (soft opt-in) (Art. 6(1)(a)) |
| Retain financial records | Legal obligation (HMRC, Art. 6(1)(c)) |
| Detect fraud and abuse, log security events | Legitimate interest (Art. 6(1)(f)) |
5. Special category data (health)
Medical history and consent form responses are special category personal data concerning health under Article 9 of the UK GDPR. We process this category of data only where the client has given explicit consent at the moment of booking, and only for the purpose of allowing the salon or clinic to treat them safely. We do not use health data for marketing, profiling or any automated decision-making.
Health data is encrypted at rest and in transit, version-locked to the consent form schema in force at the time of submission, and signed by the client. Access inside the salon is restricted to staff members the salon owner has explicitly granted access to via our role-based permission system.
6. Where your data is stored
All databases and file storage are hosted in the United Kingdom (London). Some sub-processors (notably Vercel and Resend) may transfer data outside the UK; in those cases transfers are protected by the UK Addendum to the EU Standard Contractual Clauses. See our sub-processor list for the full chain.
7. How long we keep your data
- Active client records: for as long as the salon operates its account with us, plus up to 5 years if the client has not booked again (after which we anonymise unless financial records require retention).
- Medical / consent form responses: 7 years from the appointment date, in line with UK aesthetics insurance and clinical-records norms.
- Financial records (payments, refunds, invoices): 7 years to comply with HMRC requirements.
- Audit log of administrative actions: 2 years.
- Server logs: 30 days.
When you exercise your right to erasure (see below), we anonymise personal data within the records that legal obligations require us to retain — we cannot delete the financial record entirely, but the personal identifiers are stripped and replaced with a pseudonymous reference.
8. Your rights under UK GDPR
You have the following rights at any time:
- Right of access — ask for a copy of the personal data we hold about you (Art. 15).
- Right to rectification — correct inaccurate or incomplete data (Art. 16).
- Right to erasure — have your personal data deleted, subject to legal retention requirements (Art. 17).
- Right to restrict processing — pause certain processing while a dispute is resolved (Art. 18).
- Right to data portability — receive your data in a structured, machine-readable format (Art. 20).
- Right to object — object to processing based on legitimate interest, including marketing (Art. 21).
- Right not to be subject to automated decision-making — we do not perform any solely automated decisions or profiling (Art. 22).
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, email us at hello@glassbook.co.uk. If you are an end client of a salon using Glass Book, please contact the salon directly first — they are the data controller and we act on their instructions. We will respond to all requests within one calendar month.
You also have the right to lodge a complaint with the UK Information Commissioner’s Office at any time: ico.org.uk/make-a-complaint.
9. Sub-processors
We use a small set of carefully chosen sub-processors to operate the platform. Each is bound by a Data Processing Agreement and has been assessed for technical and organisational security measures. The full, up-to-date list lives at glassbook.co.uk/subprocessors. We notify subscribers of any new sub-processor at least 30 days before the change takes effect.
10. Security
We follow controls aligned with ISO/IEC 27001:2022. Highlights include HTTPS everywhere with HSTS preload, encryption at rest in our databases and file storage, role-based access control with least-privilege defaults, multi-factor sign-in for administrators, restrictive content security policy, audit logging of every data-changing action, and a defined incident response process. We accept responsible-disclosure reports at hello@glassbook.co.uk (see also our security.txt).
11. Children
The Glass Book platform is not intended for use by anyone under the age of 16. Salons must obtain appropriate parental or guardian consent before booking treatments for minors, in accordance with their own clinical and safeguarding policies.
12. Changes to this policy
We may update this policy from time to time. Material changes will be announced by email to subscribers at least 30 days before they take effect. The “last updated” date at the top of this page always reflects the current version.
Hamr Ltd