The English version of this document is the legally binding one. Translations are provided for your convenience only.
Privacy Policy
This Privacy Policy explains how SYLAR ("we", "our", or "us") collects, uses, shares, and protects information about you when you use our mobile application and related services (collectively, the "Service"). We take your privacy seriously and this policy is written to be readable, not to hide behind legalese.
Summary in plain English: We collect what's necessary to run your business profile inside SYLAR — your account info, the content you create (services, bookings, reviews), and, if you opt in, your approximate location for discovery. We do not sell your data. We do not share it with advertisers. You can export or delete everything at any time.
1. Who We Are
SYLAR is a software-as-a-service platform that lets small service businesses (salons, barbershops, tattoo studios, and similar) build and operate their own branded business profile — a mini-app inside the SYLAR mobile application. Clients discover these businesses and book services through the single SYLAR mobile application, available on the Apple App Store and Google Play. Business owners do not publish a separate app to the App Store or Play Store; they publish their profile to the SYLAR Discovery map.
The Service is provided by the operator of SYLAR (the "Controller") via the domain sylar.app and the SYLAR mobile applications.
For any privacy-related questions, contact privacy@sylar.app.
2. Information We Collect
2.1 Information you provide directly
- Account information — email address, password (hashed), display name, optional avatar image, optional phone number, preferred language, and timezone.
- Business profile data (for business accounts) — business name, vertical (salon, barbershop, etc.), services offered, staff members, schedule, pricing, payment details, and media (logo, gallery images).
- Client profile data (for client accounts) — display name and optional avatar.
- Bookings and reservations — appointment details, service selected, staff selected, date, time, any notes you add.
- Reviews — the text, rating, optional photo, voice recording (up to 30 seconds), or video recording (up to 15 seconds) you attach to a booking.
- Chat messages — content of messages exchanged between a business and a client within the Service.
- CRM data (created by business users) — notes about their clients, custom fields, and tags.
- Support interactions — messages you send to our support channel.
2.2 Information collected automatically
- Device identifiers — device model, operating system version, app version, and a randomly generated device identifier used for push notifications.
- Approximate location — when you enable location permissions in the app, we use your device location to find nearby businesses (discovery feature). Location is not continuously tracked; it is queried only when the discovery screen is in use.
- Usage information — basic events required to operate the Service (for example: which screen was opened, which button was tapped), processed for diagnostics.
- Log and error data — IP address, HTTP request metadata, and crash reports, retained for a limited period to debug issues. Passwords, tokens, and one-time codes are redacted before being logged.
- Push notification tokens — a unique Expo push token that lets us deliver notifications to your device.
2.3 Information from third parties
- Google Sign-In — if you register with Google, we receive your email address, name, and profile picture from Google. We never receive your Google password.
- Apple Sign In — if you register with Apple, we receive an Apple-provided identifier and (if you permit) your name and email. You can use Apple's private-relay email to shield your real address.
- App Store / Google Play — when you purchase a subscription, the respective store sends us a receipt (transaction identifier, product identifier, purchase date, renewal status). We do not receive your payment card details.
3. How We Use Your Information
- To provide the Service — authenticate your account, persist your data, deliver bookings and messages, generate business profiles inside SYLAR.
- To process payments — validate in-app subscription receipts with Apple or Google and maintain your subscription status.
- To send notifications — push alerts for booking updates, chat messages, reminders, and reviews. You can disable categories in the app.
- To protect the Service — detect abuse, enforce rate limits, moderate content (including automated image moderation to block unsafe content), and investigate security incidents.
- To improve the Service — analyze aggregate usage patterns, fix bugs, improve performance.
- To communicate with you — respond to support requests, notify you of material changes to the Service.
- To comply with law — respond to lawful requests by public authorities, including to meet national security or law enforcement requirements.
We do not sell your personal information. We do not use your data for behavioral advertising. We do not share your data with advertising networks.
4. Legal Basis for Processing (EU / UK users)
If you are located in the European Economic Area or the United Kingdom, we rely on the following legal bases under the General Data Protection Regulation (GDPR):
- Contractual necessity — most processing is required to provide the Service you requested (e.g. storing your bookings).
- Legitimate interests — security, fraud prevention, and product improvement. You have the right to object to processing based on legitimate interests.
- Consent — optional features such as location access, push notifications, and marketing communications. You may withdraw consent at any time.
- Legal obligation — tax, accounting, and compliance with court orders.
5. Sharing of Information
We share information only with the following categories of recipients:
| Recipient | Purpose | Location |
| --- | --- | --- |
| Supabase Inc. | Database and file storage | United States / EU / APAC |
| Cloudflare Inc. | Media storage (R2), CDN, DDoS protection | Global |
| Railway Corp. | Backend application hosting | United States |
| Upstash Inc. | Cache and task queue (Redis) | United States / EU |
| Expo (650 Industries, Inc.) | Push notification delivery | United States |
| Apple Inc. | App Store, in-app purchases, Sign in with Apple | Global |
| Google LLC | Google Play, in-app billing, Google Sign-In, Maps | Global |
| Resend Inc. | Transactional email delivery | United States |
| Sentry (Functional Software, Inc.) | Error tracking and crash reporting | United States / EU |
| Competent authorities | Where required by law | Varies |
We sign data-processing agreements with our vendors where applicable and use Standard Contractual Clauses for transfers out of the EEA/UK.
Note: Businesses and clients of SYLAR may see each other's profile information as part of the normal operation of the Service (for example, a business sees a client's name and booking when the client books an appointment). Such disclosures are inherent to the product.
6. Data Retention
- Account data — kept for as long as your account is active.
- Bookings, reviews, chats, CRM records — kept while the owning account is active. When you delete your account, this data is deleted or anonymised within 30 days.
- Payment and billing records — retained for up to 7 years to comply with tax and accounting obligations, even after account deletion.
- Log and error data — 90 days.
- Push notification tokens — deleted when the token is reported as invalid by Apple/Google or when you disable notifications.
- Support messages — 2 years.
7. Your Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal information:
- Access — request a copy of the personal data we hold about you. You can trigger an automated export in the app: Profile → Settings → Export data.
- Rectification — correct inaccurate data. Most fields are directly editable in the app.
- Erasure — request deletion of your account and associated data. In the app: Profile → Settings → Delete account. Deletion is processed within 30 days.
- Restriction and objection — ask us to restrict or stop processing your data.
- Portability — receive your data in a structured, machine-readable format (JSON).
- Withdraw consent — where processing relies on consent, you may withdraw it at any time.
- Complain — lodge a complaint with your local data-protection authority.
To exercise any of these rights outside the app, email privacy@sylar.app. We respond within 30 days.
8. California Residents (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect, the right to delete it, the right to correct inaccurate information, and the right to opt out of "sale" or "sharing" of personal information. We do not sell or share your personal information within the meaning of the California Consumer Privacy Act.
9. International Data Transfers
SYLAR is a global service. Your data may be processed in countries other than the one where you reside, including the United States. Where we transfer personal data out of the European Economic Area or the United Kingdom, we rely on Standard Contractual Clauses approved by the European Commission or the UK government, along with supplementary measures where necessary.
10. Security
We apply industry-standard safeguards to protect your information:
- Passwords are hashed with bcrypt; we never store them in plain text.
- All connections to the Service are encrypted with TLS 1.2 or higher.
- Access-control middleware enforces that only you (or an authorised business owner) can reach your data.
- Rate limiting, webhook signature verification, and anti-replay checks protect against abuse.
- Secrets rotation, least-privilege credentials, and audit logging are in place.
- Security headers (HSTS, CSP, frame-deny) are enforced on all HTTP responses.
- We run automated dependency vulnerability scans and apply critical patches promptly.
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at security@sylar.app.
11. Children's Privacy
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will delete it. If you believe a child has provided us with personal information, please contact privacy@sylar.app.
12. Tracking Technologies
The SYLAR mobile application does not use cookies (it is not a browser-based app), nor does it use third-party tracking SDKs or analytics that profile individual users for advertising purposes. We do use a minimal set of technical identifiers (a random device ID, a push notification token) necessary to deliver the Service.
13. Subscription and Billing
Subscriptions to SYLAR Pro are processed by the respective app store (Apple App Store or Google Play). We receive a transaction receipt and subscription status; we do not receive or store your payment card details. For billing inquiries, refer to the store where you purchased the subscription.
14. Changes to this Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the app or by email at least 14 days before the change takes effect. The "Last updated" date at the top of this page always reflects the current version.
15. Contact
If you have questions about this policy or about how we handle your personal data: