SpaOne POS

Legal

Privacy Policy

Effective Date: April 13, 2026 · Last Updated: April 13, 2026

1. Who We Are

SpaOne POS is a salon and spa point-of-sale software platform operated by TATT VENTURES, LLC (“Company,” “we,” “us,” or “our”), a California limited liability company. Our website is https://www.spaonepos.com.

This Privacy Policy describes how we collect, use, share, and protect personal information when our salon and spa business customers (“Salon Customers”) use the SpaOne POS platform, and when end-users (clients of those salons) interact with the platform or receive communications sent through it.

2. Information We Collect

2.1 From Our Business Customers (Salons/Spas)

  • Business name, address, phone, and email
  • Owner/operator name and contact details
  • Payment and billing information
  • Login credentials (passwords and PINs are stored as bcrypt hashes — never in plaintext)
  • Twilio account credentials (encrypted at rest)
  • Staff records, schedules, and payroll data

2.2 From Our Customers' End-Users (Salon Clients)

  • Name, phone number, and email address
  • Appointment history and visit records
  • Loyalty points and transaction history
  • Birthday (month and day, for birthday promotions)
  • SMS and promotional marketing consent preferences (opt-in/opt-out status)
  • Health disclosures relevant to safe service delivery (collected by the salon at check-in)
  • Service preferences and notes

2.3 Automatically Collected

  • IP address, browser type, and device information for security and analytics
  • Usage logs and audit trail entries (who did what, when)
  • Cookies and similar technologies for authentication and session management

3. How We Use Information

We use collected information to:

  • Provide and operate the SpaOne POS platform
  • Send SMS messages on behalf of Salon Customers (see Section 4)
  • Send email communications, receipts, and notifications
  • Process payments and maintain transaction records
  • Authenticate users and prevent fraud
  • Comply with legal obligations
  • Improve our platform and customer support

4. SMS Messaging

SpaOne POS sends SMS messages on behalf of salon and spa businesses using our platform. By providing a phone number to a salon using SpaOne POS and opting in, end-users may receive:

  • Appointment confirmations and reminders
  • Digital receipts
  • Billing and account notifications
  • Review and feedback requests
  • Birthday promotions and special offers
  • Loyalty rewards and member discounts
  • Win-back and re-engagement messages
  • Marketing campaigns and promotional announcements

Example message: “Hello, this is a friendly reminder of your upcoming appointment on [date] at [time]. Reply STOP to opt out of SMS messages at any time.”

4.1 Opt-In

End-users opt in to SMS messages through one or more of the following methods:

  • Checking an SMS consent checkbox while submitting an online booking form on the salon's website
  • Checking an SMS consent checkbox at the salon's in-person check-in kiosk (digital tablet)
  • Texting START to a participating salon's number to re-subscribe after opting out

If you do not wish to receive SMS messages, you may choose not to check the SMS consent box on any form.

4.2 Opt-Out

End-users may opt out of SMS messages at any time by replying STOP to any message. Opt-out is processed immediately and automatically. After opting out, the recipient will receive a single confirmation message and no further messages will be sent. You may also contact the salon directly to request removal from their messaging list.

4.3 Help

For help, end-users may reply HELP to any message, or contact the salon directly. End-users with questions about the SpaOne POS platform itself may contact us at info@spaonepos.com or visit https://www.spaonepos.com.

4.4 Costs and Carrier Disclaimer

Message and data rates may apply based on the recipient's mobile carrier plan. These fees may vary for domestic or international messages. Neither TATT VENTURES, LLC nor the Salon Customer is responsible for any carrier charges related to SMS messages. Carriers (T-Mobile, AT&T, Verizon, and other major US carriers) are not liable for delayed or undelivered messages. SMS delivery is subject to carrier availability and is not guaranteed.

4.5 Message Frequency

Message frequency may vary depending on the type of communication and the Salon Customer's campaign settings. Transactional messages (confirmations, reminders, receipts) are sent as triggered by salon activity. You may receive up to 2 SMS messages per week related to your appointments or account status; promotional message frequency varies by salon.

4.6 Standard Messaging Disclosures

  • Message and data rates may apply.
  • You can opt out at any time by texting STOP.
  • For assistance, text HELP or visit our Privacy Policy and Terms of Service pages.
  • Message frequency may vary.

4.7 Phone Number Privacy

We do not sell, rent, or share phone numbers with third parties for marketing purposes. Phone numbers collected as part of the SMS consent process are used solely to send the messages described above. Phone numbers are shared only with Twilio Inc., our SMS delivery provider, solely for the purpose of message delivery. Phone numbers and SMS opt-in/opt-out status are stored securely and are accessible only to the salon that collected them and to authorized SpaOne POS staff for support purposes.

For full details on the SMS program, see our Terms of Service (Section 4).

5. Data Sharing

We do not sell your personal information. We share data only with:

  • Twilio Inc. — our SMS delivery provider, for the sole purpose of delivering messages
  • Payment processors (e.g., CardPointe/Fiserv) — to process credit card transactions
  • Hosting and infrastructure providers — to operate the platform (encrypted in transit and at rest)
  • Email delivery providers (e.g., Resend) — to deliver transactional emails and receipts
  • Salon Customers — end-user data is accessible to the salon that collected it
  • Law enforcement or government authorities — when required by law, court order, or valid legal process

All service providers are bound by contractual obligations to protect your data and use it only for the purposes specified.

6. Data Retention

  • Business customer data: retained for the duration of the subscription plus 3 years
  • End-user customer records: retained while the Salon Customer's account is active; on cancellation, business customers may request a data export within 30 days
  • SMS opt-out records: retained indefinitely to honor opt-out requests across the platform
  • Audit logs: retained for at least 7 years for compliance purposes
  • Payment records: retained as required by tax and financial regulations

7. Security

We use industry-standard security measures to protect your data, including:

  • TLS encryption in transit (HTTPS for all web and API traffic)
  • AES-256 encryption at rest for sensitive fields
  • Bcrypt hashing for passwords and PINs (cost factor 12)
  • Encrypted storage of Twilio credentials — auth tokens are never exposed after entry
  • Role-based access controls and audit logging
  • Regular security reviews and dependency updates

However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but commit to promptly notifying affected users in the event of a data breach as required by applicable law.

8. Your Rights

Depending on your state of residence (including California under CCPA/CPRA, and other states with similar laws), you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data (subject to legal retention requirements)
  • Opt out of SMS communications by replying STOP to any message
  • Opt out of email marketing by clicking the unsubscribe link in any email
  • Request a portable copy of your data
  • Withdraw consent for data processing where applicable
  • Lodge a complaint with a data protection authority

To exercise these rights, contact us at info@spaonepos.com. We will respond within the timeframe required by applicable law (typically 30–45 days).

8.1 California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act, including the right to know what personal information we collect, to delete personal information, to correct inaccurate information, and to opt out of the “sale” or “sharing” of personal information. We do not sell or share personal information as defined under the CCPA.

9. Children's Privacy

Our platform is not directed to children under 13, and we do not knowingly collect personal information from children under 13. End-users opting into SMS communications must be at least 18 years old, or have parental/guardian consent. If we learn that we have collected personal information from a child under 13 without verified parental consent, we will delete it.

10. International Users

SpaOne POS is operated in the United States. If you access the platform from outside the United States, you understand that your data will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify business customers of material changes by email and post them on our website with an updated “Last updated” date. Continued use of SpaOne POS after changes constitutes acceptance of the updated policy.

12. Contact Us

For questions about this Privacy Policy, to exercise your privacy rights, or to report a privacy concern, please contact us:

TATT VENTURES, LLC dba SpaOne POS