Who we are
Co Sweyt is the salon operating system that this policy applies to. We're currently operating as an unincorporated business based in London, in the process of registering as a UK limited company. Until that registration completes, "Co Sweyt" in this policy refers to [legal operator name to be confirmed at incorporation] trading as Co Sweyt.
Our registered office address is [registered office address to be added on incorporation]. You can reach us at founders@cosweyt.com for any question covered by this policy.
We're registered with the UK Information Commissioner's Office (ICO) under registration number [ICO registration to be added once issued].
The two relationships
Co Sweyt sits between two groups of people. The difference matters for who is legally responsible for what, so we're explicit about it up front.
Salon owners (our customers)
When a salon owner signs up for Co Sweyt, we act as the Data Controller for their data, deciding what we collect and why. This covers account email, business details, billing, login history, support correspondence, and the data needed to run the service for them.
End-customers (the people the salon books)
The people who phone, message, or get booked into a salon never sign up with Co Sweyt directly. Their relationship is with the salon. The salon is the Data Controller for that data; Co Sweyt is the Data Processor, processing it on the salon's instructions under a Data Processing Agreement.
If you're an end-customer and you want to exercise your data rights (access, rectification, deletion, etc.), please contact the salon you booked with directly. We will help the salon respond, but the salon makes the call.
What we collect
From salon owners
- Account. Name, email, phone, business name and address, password (hashed), login timestamps.
- Billing.Stripe customer ID, subscription status, payment method last-4 and brand (full card number never reaches Co Sweyt, Stripe tokenises it before it leaves the customer's browser).
- Service usage. Plan tier, voice minutes used, message segments sent, feature usage telemetry to improve the product.
- Support correspondence.Email, chat, and call threads with our team, kept while you're an active customer plus a year after.
From end-customers (on behalf of the salon)
- Identity. Phone number, name, email if given, Instagram handle if they DM you.
- Booking history. Service, stylist, date, time, notes, tags the salon adds, loyalty progress.
- Payment. Deposit and ticket amounts; card data is tokenised by Stripe and never stored by Co Sweyt.
- Conversations. SMS, WhatsApp, Instagram DM, web chat transcripts, and voice call transcripts plus recording links.
- Call metadata. Duration, direction (in / out), outcome (booked, transferred, missed), call sentiment.
We do not collect special-category data deliberately (race, religion, health, biometric, etc.). If a salon stores that in a customer note, the salon is responsible for the lawful basis and security of doing so.
Marketing-site visitors
- Lead capture.If you submit your phone number on the homepage form to have Remi call you, we store the number and a timestamp. We use it to contact you about getting onboarded with Co Sweyt and won't pass it to a third party.
- Analytics. We use Vercel Web Analytics, which is cookieless and aggregates by page/route. No cross-site tracking, no third-party cookies, no consent banner needed.
How we use it
We use the data for these purposes only. Each one is tied to a lawful basis under UK GDPR.
| Purpose | Lawful basis |
|---|---|
| Provide the service to a salon that has signed up, running bookings, calls, payments, payouts, the dashboard. | Performance of a contract with the salon. |
| Process end-customer data on behalf of the salon (calls, bookings, messages, deposits). | Processor acting on Controller's instruction (the salon). |
| Billing and tax. Issuing invoices, collecting subscriptions, complying with HMRC record-keeping. | Contract + legal obligation. |
| Contact leads who submit their phone on cosweyt.com to onboard them. | Legitimate interest (you asked us to ring you). You can opt out any time by replying STOP or emailing us. |
| Improve the product. Aggregated, anonymised usage analytics. | Legitimate interest. |
| Security and fraud prevention. Detecting account takeover, abusive behaviour, payment fraud. | Legitimate interest + legal obligation. |
We don'tsell personal data, ever. We don't use end-customer data for our own marketing. The customer's relationship is with the salon, full stop.
Who we share it with
Co Sweyt uses a handful of third-party services ("sub-processors") to deliver the product. We only share the personal data each one needs to do its job, and only under a contract that requires them to meet UK GDPR equivalent standards.
| Sub-processor | What they handle | Where |
|---|---|---|
| Supabase | Primary application database (salon + customer records, bookings, transcripts). | AWS London (eu-west-2), UK. |
| Vercel | Web hosting and cookieless analytics for cosweyt.com and app.cosweyt.com. | Global edge; primary region London. United States for analytics aggregation. |
| Stripe | Payment processing, subscription billing, deposit handling, Stripe Terminal card reads. | United States and Ireland. |
| Twilio | Voice calls (inbound + outbound), SMS, WhatsApp Business messages. | United States and Ireland. |
| Retell AI | AI voice agent runtime, call transcripts, call recordings. | United States. |
| ElevenLabs | Text-to-speech voices used by Remi in calls (via Retell). | United States. |
| Anthropic | Large-language-model inference for Remi (booking, drafting, Ask Remi answers). | United States. |
| OpenAI | Fallback large-language-model inference when Anthropic is unavailable. | United States. |
| SendGrid (Twilio) | Transactional email (booking confirmations, reminders, payment receipts). | United States. |
| Meta Platforms | Instagram DM integration, Meta Business APIs for message delivery. | Ireland. |
Anthropic, OpenAI, and Retell do not traintheir models on Co Sweyt customer data under our agreements. Transcripts and prompts are used for inference only and are subject to each provider's retention policy.
We'll update this list before we add a new sub-processor that handles personal data. Email founders@cosweyt.com if you'd like to be notified when we change it.
International data transfers
Your data is stored in the UK by default (AWS London). Some of our sub-processors operate from outside the UK, primarily the United States and Ireland. Those transfers are protected by:
- The UK International Data Transfer Agreement (IDTA) with each US-based sub-processor; and
- Reliance on the EU-US Data Privacy Framework where the sub-processor is certified under it (Stripe, Twilio, Meta).
Ireland-based transfers stay inside the EU adequacy regime applicable to the UK.
How long we keep it
| Data | How long |
|---|---|
| Voice call recordings + transcripts | 60 days by default. Salons can request longer retention in writing. |
| SMS, WhatsApp, Instagram DM, web chat conversations | 90 days from last message. |
| Booking + customer records (held by salon) | For the duration of the salon's account, plus 30 days after termination so the salon can reactivate without losing history. |
| Billing + invoicing records | 6 years after the end of the relevant tax year, per HMRC requirements. |
| Marketing-site lead phone numbers | Up to 12 monthsif you don't onboard, then deleted. Removed immediately on STOP. |
| Cookieless analytics | Aggregated, no personal identifier, retained indefinitely as anonymous counts. |
When we delete data, deletion propagates to backups within 30 days as backup snapshots roll forward.
Your rights
Under UK GDPR you have the right to:
- Be informedabout how we process your data (you're reading the page that does that).
- Access a copy of the data we hold on you.
- Rectifydata that's inaccurate.
- Eraseyour data (the "right to be forgotten"), subject to legal retention obligations.
- Restrict processing while a query is being resolved.
- Object to processing based on legitimate interest, including marketing follow-up.
- Portability: receive a machine-readable copy of your data.
- Withdraw consent at any time where consent is the basis for processing.
- Complainto the UK Information Commissioner's Office at ico.org.uk if you think we've mishandled your data.
Salon owners can exercise these rights by emailing founders@cosweyt.com. We'll respond within one month, free of charge, per UK GDPR.
End-customers should contact the salon directly. We help the salon fulfil the request as part of our Data Processing Agreement with them.
Our self-serve data deletion page explains exactly how to request erasure.
How we protect it
- All data is encrypted in transit (TLS 1.2+) and at rest.
- Passwords are hashed with industry-standard algorithms; Co Sweyt staff cannot see them.
- Row-level security enforces tenant isolation in the database, so one salon's data is never visible to another.
- Co Sweyt staff access to production is logged and requires multi-factor authentication.
- Stripe Terminal and Stripe.js handle all card data, Co Sweyt's servers never see a card number.
- We notify the ICO within 72 hours of any personal data breach that meets the reporting threshold, and notify affected salons promptly per Article 33 / 34.
Children
Co Sweyt's service is for businesses and the adults running them. Salon end-customers under 16 can be booked by a parent or guardian, and the salon is responsible for the lawful basis of recording any data about a minor.
We don't knowingly collect data directly from anyone under 16. If you believe a child has interacted with Co Sweyt directly, contact us at founders@cosweyt.com and we'll investigate and delete on confirmation.
Changes to this policy
We'll update this policy when we change a sub-processor, change what we collect, or change how long we keep it. Material changes are emailed to active salon accounts at least 30 days before they take effect. Minor edits (wording, broken links, formatting) update the date at the top of this page and don't trigger a notification.
Contact
Email founders@cosweyt.comfor any question about this policy or to exercise a right above. We don't have a dedicated Data Protection Officer at our current size; one of the founders handles privacy questions directly.
For complaints we haven't resolved, contact the UK Information Commissioner's Office at ico.org.uk/make-a-complaint.