TurnoHub

Privacy Policy

Effective Date: 22 March 2026

Section 1: Who We Are

TurnoHub ("we," "us," or "our") operates the TurnoHub platform at turnohub.app. We are committed to protecting personal data in compliance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and applicable UK data protection law.

Contact for data protection matters: [email protected]

Section 2: Our Role as Controller and Processor

2.1 Data Controller — Business Users

When you register and use TurnoHub as a business owner or professional, TurnoHub is the Data Controller for your personal data. We determine the purposes and means of processing your information.

2.2 Data Processor — End-Clients of Business Users

When a Business User uses TurnoHub to manage the personal data of their salon clients, TurnoHub acts as a Data Processor on behalf of the Business User. The Business User is the Data Controller for their clients' data. Processing in this capacity is governed by our Data Processing Agreement.

Section 3: Personal Data We Collect

3.1 Business Users

  • Identity data: name, business name
  • Contact data: email address, phone number
  • Account data: username, password (hashed)
  • Billing data: subscription plan, payment method tokens (managed by Lemon Squeezy — we do not store full card details)
  • Usage data: login timestamps, feature interactions, device and browser information
  • Communications: support emails and correspondence

3.2 End-Clients (processed as Data Processor)

  • Name and contact details provided during booking
  • Appointment history and service preferences
  • Notes entered by the Business User
  • Any other data entered by the Business User into the platform

Section 4: Legal Bases for Processing

We process personal data on the following legal bases:

  • Contract performance: to provide the Service and manage your subscription (Art. 6(1)(b) GDPR)
  • Legal obligation: to comply with tax, accounting, and other legal requirements (Art. 6(1)(c) GDPR)
  • Legitimate interests: to improve the Service, prevent fraud, and ensure security (Art. 6(1)(f) GDPR)
  • Consent: where explicitly obtained, e.g. for marketing communications (Art. 6(1)(a) GDPR)

Section 5: How We Use Your Data

We use personal data to:

  • Create and manage your account and subscription
  • Process payments through Lemon Squeezy
  • Provide platform features including booking management, CRM, and analytics
  • Operate the AI assistant (via Anthropic API) to respond to client enquiries
  • Send transactional emails such as booking confirmations and receipts (via Resend)
  • Provide customer support
  • Comply with legal obligations
  • Improve the Service and develop new features

We do not sell your personal data to third parties. We do not use your data for automated decision-making that produces legal or similarly significant effects without human oversight.

Section 6: Sub-Processors

We engage the following sub-processors:

  • Supabase, Inc. — Database and authentication infrastructure. Servers located in the European Union.
  • Lemon Squeezy (A Stripe company) — Payment processing and subscription management.
  • Resend, Inc. — Transactional email delivery.
  • Anthropic, Inc. — AI language model powering the AI assistant feature.

An up-to-date list of sub-processors is available upon request at [email protected]. We will notify Business Users of any intended change to our sub-processor list at least thirty (30) days in advance.

Section 7: International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission, or reliance on an adequacy decision.

Section 8: Data Retention

We retain personal data only for as long as necessary:

  • Account data: retained for the duration of the subscription and deleted within ninety (90) days after account termination, unless a longer retention period is required by law.
  • Financial and billing records: retained for a minimum of five (5) years in accordance with Spanish and EU tax law.
  • End-client data: retained in accordance with the instructions of the Business User, and deleted upon termination subject to the thirty (30) day export grace period.
  • Support communications: retained for two (2) years.

Section 9: Your Rights Under GDPR

As a Data Subject, you have the following rights (contact [email protected]):

  • Right of access: obtain a copy of your personal data
  • Right to rectification: request correction of inaccurate data
  • Right to erasure ('Right to be Forgotten'): request deletion of your personal data
  • Right to restriction of processing
  • Right to data portability: receive your data in a machine-readable format
  • Right to object: object to processing based on legitimate interests
  • Right to withdraw consent at any time

We will respond to rights requests within thirty (30) days. You also have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) at www.aepd.es.

Section 10: Cookies

We use only technically necessary cookies to maintain session state and authentication. We do not use tracking or advertising cookies.

Section 11: Security

TurnoHub implements appropriate technical and organisational measures to protect personal data: encrypted data transmission (TLS), encrypted storage (AES-256 at rest via Supabase), access controls, and regular security assessments.

Section 12: Children's Data

The Service is not directed at individuals under the age of 18, and we do not knowingly collect personal data from minors.

Section 13: Changes to This Policy

Material changes will be communicated by email and/or a notice within the platform at least thirty (30) days before taking effect.

Section 14: Contact

[email protected]