Privacy Policy
Effective: June 26, 2025 · Last updated: June 26, 2025
Plain-English summary: Certxa collects only what we need to run our service. We never sell your personal data or use it for advertising. We never share it with third parties except to operate the platform (payments, messaging, AI). If you connect Google Business Profile, your Google data is used solely to manage your listing inside Certxa. You can request deletion or export of your data at any time.
Table of Contents
1. Who We Are
Certxa ("Certxa", "we", "us", "our") operates the SalonOS salon management platform available at certxa.com and its sub-domains. We provide appointment scheduling, point-of-sale, client management, AI receptionist, loyalty programs, staff management, payroll, multi-location tools, and Google Business Profile review management to beauty and wellness professionals.
This Privacy Policy describes how we collect, use, store, and share information when you use our platform. By using Certxa, you agree to the practices described in this Policy.
For privacy-related questions, contact us at privacy@certxa.com.
2. Data We Collect
Account & Profile Data
- Name, email address, phone number
- Business name, address, type (nail salon, nail studio, etc.), and operating hours
- Password (stored as a salted bcrypt hash — never in plain text)
- Profile photo and business logo (if uploaded)
- Billing and subscription information (processed by Stripe — we do not store raw card numbers or CVVs)
- Government-issued ID or tax information if required for Stripe Connect payouts
Business Operational Data
- Services offered, pricing, and service duration settings
- Staff profiles, schedules, roles, and commission structures
- Contractor and booth-renter agreements and payout records
- Appointment records, cancellations, and no-show history
- Point-of-sale transaction records, cash drawer logs, and end-of-day reports
- Inventory and retail product records
- Multi-location configurations and location-specific settings
- Subscription tier and billing cycle information
Client Data You Provide
When you add clients to Certxa, you provide us with their names, phone numbers, email addresses, visit history, appointment notes, and optional loyalty point balances. You represent that you have obtained any necessary consent from your clients to store their data and contact them through our platform. Your clients' data belongs to you — we process it on your behalf to operate the platform.
AI Receptionist & Communication Data
- Inbound and outbound call logs, including AI-generated call transcripts
- SMS message logs sent or received through the platform (via Twilio)
- Email communication logs for appointment reminders and marketing
- Audio recordings of calls where legally permitted and with appropriate disclosures
Usage & Technical Data
- Log data: IP address, browser type, pages visited, and timestamps
- Device information: screen resolution, operating system, and browser version
- Session tokens (stored in encrypted, server-side sessions via secure HttpOnly cookies)
- In-app feature usage and navigation patterns (aggregated and anonymised)
Analytics & Check-In Kiosk Data
- Walk-in queue events, kiosk check-in timestamps, and service selection logs
- Revenue reporting metrics and trend data tied to your business account
- Booking source attribution (online, kiosk, staff-created, AI-booked)
3. Google Business Profile API Data
Google API Services User Data Policy
Certxa's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including all applicable Limited Use requirements. We do not use Google user data to serve advertising, and we do not allow humans to read Google user data except as required to provide the service, respond to your support requests, or comply with applicable law.
What Google Data We Access
Certxa allows business owners to connect their Google Business Profile account using Google's secure OAuth 2.0 authorization process. This connection is entirely optional and requires explicit user consent before any Google data is accessed. When a business owner connects their Google Business Profile, Certxa may access:
- Business location and profile information (name, address, operating hours, categories)
- Public Google reviews associated with the business listing
- Business website URL field (only when you choose to update or synchronize your Certxa-hosted website URL)
- Business photos already published to the listing (read-only, for dashboard display)
How We Use This Google Data
We use Google Business Profile data solely to provide functionality within the Certxa platform, specifically to:
- Display your Google reviews inside your Certxa dashboard and on your Certxa-hosted website
- Help you manage and respond to reviews from within Certxa
- Allow you to update your Google Business Profile website URL to point to your Certxa booking page
- Synchronize business profile information for display and verification within the Certxa dashboard
What We Do Not Do With Google Data
- We do not access any Google account without explicit, active user authorization
- We do not access personal Gmail, Google Drive, Google Calendar, or any unrelated Google services
- We do not sell, rent, or share Google Business Profile data with any third party
- We do not modify your Google Business Profile data without a direct action or approval from you
- We do not use Google data to train AI models or for any purpose beyond operating Certxa for you
- We do not allow humans to read your Google data except to provide the service, resolve a support issue you raised, or comply with law
Data Storage & Disconnection
Certxa may temporarily cache Google Business Profile data (e.g., review lists) to reduce API calls and improve performance. You may disconnect your Google account at any time from your Certxa dashboard settings, which immediately revokes our access token and stops further data retrieval. Upon disconnection or account deletion, cached Google data is deleted within 30 days unless a shorter period is required by applicable law.
AI Receptionist & Google Data Separation
Certxa's AI Receptionist feature is completely separate from the Google Business Profile integration. The AI Receptionist does not access, read, or use any data obtained from Google APIs. Call transcripts, booking context, and AI responses are processed using only data in your Certxa account (client records, services, and availability settings). Google Business Profile data and AI Receptionist data are stored separately and never combined for any purpose whatsoever.
4. How We Use Your Data
To Provide the Service
We use your data to operate Certxa — running your appointment calendar, online booking page, POS, client management, staff scheduling, payroll calculations, and loyalty program.
To Process Payments
We pass payment information to Stripe to process charges, issue refunds, and manage subscriptions. For businesses using Stripe Connect, we facilitate payouts to staff and contractors. We do not store full card numbers or CVV codes at any point.
To Send Communications
We use your data to send appointment reminders, booking confirmations, and marketing messages to your clients via SMS (Twilio) and email (Mailgun), on your behalf and at your direction. We also send you platform notifications, billing receipts, and service updates.
To Power the AI Receptionist
Call transcripts and booking context are used by our AI systems to answer calls, book appointments, and identify returning clients. These calls are processed using AI services (including OpenAI). Transcripts are stored in your account and may be reviewed by you at any time.
To Sync Google Business Profile
If connected, we use the Google API to display and help you manage your business listing, reviews, and website URL — as described in Section 3.
To Improve the Platform
We analyze aggregated, anonymised usage patterns to improve product features, fix bugs, and prioritize development. We never share individual-level data externally for this purpose.
To Prevent Fraud & Comply With Law
We use data to detect abuse, enforce our Terms of Service, and comply with applicable legal obligations including tax reporting and financial record-keeping.
Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or UK, our lawful basis for processing your personal data is:
- Contract performance — processing necessary to provide the service you signed up for
- Legitimate interests — fraud prevention, security monitoring, product improvement, and analytics
- Legal obligation — financial record-keeping, tax compliance
- Consent — marketing communications and Google API access (withdrawable at any time)
5. Data Sharing & Third Parties
We do not sell your personal data. We do not share your data with third parties for their own marketing or advertising purposes. We share data only with the following service providers, strictly to operate Certxa:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing & payouts | Billing info, identity data for Stripe Connect |
| Twilio | SMS and voice call delivery | Phone numbers, message content |
| Mailgun | Transactional & marketing email | Email addresses, message content |
| OpenAI | AI Receptionist — call handling & booking automation | Call transcripts, appointment context (no raw PII beyond what's needed for the call) |
| Google APIs | Business Profile sync, OAuth login | Only data you explicitly authorize via OAuth |
| Cloud hosting | Infrastructure & storage | All platform data (stored encrypted at rest) |
| Analytics | Aggregated usage analysis | Anonymised, aggregated usage events only |
We require all service providers to maintain appropriate data protection standards and contractual data processing agreements where required by law. We do not permit them to use your data for their own independent purposes.
We may also disclose data when required by applicable law, valid legal process (such as a court order or subpoena), or to protect the rights, property, or safety of Certxa, our users, or the public.
6. Data Retention
- Active accounts: Data is retained for the full duration of your active subscription.
- Cancelled or expired accounts: We retain your data for 90 days after cancellation to allow account recovery, then delete or anonymise it.
- Client data: Deleted with your account unless you export it first. You may export all client records from your dashboard at any time.
- Google API data: OAuth tokens are revoked immediately on disconnection. Synced review records are deleted within 30 days of account deletion or disconnection.
- Billing & financial records: Retained for 7 years as required by applicable financial and tax regulations.
- Call transcripts & AI logs: Retained for 90 days, then purged unless you choose to archive them.
- Server logs: Retained for 30 days for security monitoring, then purged.
7. Security
We take data security seriously and maintain the following controls:
- All data is transmitted over HTTPS/TLS — plain HTTP is redirected and not accepted
- Passwords are stored using bcrypt with per-user random salts — we never store or log plain-text passwords
- OAuth tokens and API keys are stored encrypted at rest using server-side encryption
- Session tokens use HttpOnly, Secure, and SameSite=Lax cookie attributes to prevent XSS and CSRF attacks
- Role-based access control (RBAC) restricts what staff accounts can view or modify
- Database servers are not publicly accessible — only accessible from application servers within a private network
- API credentials and service secrets are stored in secure environment secret vaults, never committed to source code
- Audit logging records sensitive admin actions with timestamps and actor IDs
- We conduct periodic security reviews and dependency vulnerability audits
If you believe you have discovered a security vulnerability in Certxa, please report it responsibly to security@certxa.com. We investigate all credible reports promptly.
8. Your Rights (GDPR & Global)
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you or your business account
- Correction: Request correction of inaccurate or incomplete data
- Deletion ("Right to be forgotten"): Request deletion of your account and associated personal data
- Portability: Receive your data in a structured, machine-readable format (e.g., CSV export)
- Objection: Object to processing for direct marketing or based on legitimate interests
- Restriction: Request that we restrict processing in specific circumstances (e.g., while a dispute is being resolved)
- Withdraw consent: Where processing is based on consent (e.g., marketing emails, Google connection), you may withdraw at any time without affecting lawfulness of prior processing
To exercise any of these rights, email privacy@certxa.com from the email address on your account. We will respond within 30 days. For Google-specific data access, you may also manage or revoke our permissions directly via Google Account Settings.
9. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months
- Right to Delete: Request deletion of your personal information, subject to certain exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale or Sharing: We do not sell your personal information, and we do not share it for cross-context behavioral advertising. You do not need to opt out, but you may contact us to confirm.
- Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of sensitive personal information to what is necessary to provide the service
- Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights
Do Not Sell or Share My Personal Information: Certxa does not sell personal information. We do not share personal information with third parties for cross-context behavioral advertising.
To submit a California privacy request, email privacy@certxa.com with the subject line "California Privacy Request." We will respond within 45 days as required by law.
10. Cookies & Tracking
We use the following types of cookies and similar technologies:
- Strictly necessary: Session authentication cookie — required for you to stay logged in. Cannot be disabled without breaking login.
- Functional: Remembers your UI preferences such as timezone and display settings. These expire after your session or within 30 days.
- Analytics: Aggregated, anonymised page-view analytics to help us understand how the platform is used. No cross-site tracking, no fingerprinting, no individual user profiles shared externally.
We do not use third-party advertising cookies or tracking pixels. We do not engage in cross-site behavioral advertising. You can manage or clear cookies through your browser settings at any time; disabling the session cookie will log you out.
11. Children's Privacy
Certxa is a business platform intended for users aged 18 and over. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete it promptly. If you believe a child's data has been submitted, contact privacy@certxa.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email (to the address on your account) at least 14 days before the effective date, and post the updated policy here with a revised "Last updated" date. Continued use of Certxa after the effective date of the updated policy constitutes acceptance. If you do not accept the changes, you may close your account and request deletion of your data.
13. Contact Us
For privacy-related questions, data requests, or to exercise your rights:
- Privacy inquiries: privacy@certxa.com
- General support: support@certxa.com
- Security reports: security@certxa.com
- Website: certxa.com/contact
© 2026 Certxa. All rights reserved.