Glamvoo - Booking system

Privacy Policy

Last updated: 9 May 2026

1. Who we are

The Service is a Norwegian booking platform that connects customers with independent salons. The platform operator is the data controller for the account-level data described in §2 (account, technical, marketing). For each booking, the salon you book with is an independent controller for the booking record on its side; we operate the platform that delivers the booking to the salon.

You can reach us through the contact page.

2. What data we collect

  • Account data — name, email, phone, password hash, and (if you sign in with Google) the Google account identifier. We never see or store your Google password.
  • Preferences — language (Bokmål / English) and theme (light / dark).
  • Booking data — the salon, services, staff, time, optional notes you provide, and any deposit linked to the booking.
  • Payment data — handled by our payment provider on a hosted page. We never see or store your full card number; the platform records only the last four digits and the provider's transaction reference for receipts and refunds.
  • Customer media — your avatar (if you upload one) and any photos a salon you book with adds to its portfolio. Files are stored on encrypted object storage and served through a signed-URL image proxy.
  • Technical data — IP address, device, browser, request times. Used for security, fraud prevention, and basic usage analytics.

3. Why we process it (legal basis under GDPR Art. 6)

  • Performance of contract (Art. 6(1)(b)) — to deliver the booking you placed and operate your account.
  • Legal obligation (Art. 6(1)(c)) — Norwegian bookkeeping (Bokføringsloven), tax records, mandatory consumer-rights notices.
  • Legitimate interest (Art. 6(1)(f)) — fraud prevention, account security (e.g. token rotation, rate limiting), service stability.
  • Consent (Art. 6(1)(a)) — marketing emails and any optional analytics cookies. You can withdraw consent at any time without affecting prior processing.

4. Who receives the data

We share data only with processors that are necessary to operate the Service:

  • The salon you booked — receives your name, contact details, and the booking they need to deliver.
  • Payment provider — receives the booking amount and your card details (entered directly on its hosted page, not on ours).
  • Hosting and object-storage provider — operates the EEA-region infrastructure that runs the Service.
  • Email and SMS gateway — delivers transactional confirmations and reminders.

All processors are bound by GDPR Article 28 data-processing agreements. We do not sell personal data.

5. Retention

Account and booking records are retained while your account is active, plus five years to satisfy Bokføringsloven § 13. When you delete your account, identifying fields are anonymised within 30 days, except where a longer retention is required by law (bookkeeping, tax, dispute records).

6. International transfers

The Service runs on EEA infrastructure. Where a processor operates outside the EEA, we rely on the European Commission's Standard Contractual Clauses and conduct a transfer-impact assessment.

7. Your rights

Under the GDPR and the Norwegian Personopplysningsloven you may access, correct, delete, restrict, object to or port your data. Send requests through the contact page — we reply within 30 days. You may also lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no.

8. Cookies

We use strictly-necessary cookies for authentication (an HTTP-only session cookie + a rotating refresh token) and for security (CSRF, rate limiting). Optional analytics cookies are loaded only after you consent in the cookie banner. We do not use third-party advertising cookies.

9. Changes to this policy

We update this page when our processing changes. Material changes are announced in-app at least 14 days before they take effect.