Privacy Policy
Last Updated: February 2026
1. Introduction
Trimlinea ("we", "us", "our") provides a white-label booking platform for barbershops, salons, and similar service businesses ("Clients"). This Privacy Policy explains how we collect, use, and protect personal information.
This policy covers:
- Visitors to our marketing website (trimlinea.co.uk)
- Sales leads and prospective customers
- Client business users (administrators, barbers, staff) who use our platform
- Support ticket and enquiry handling
- Our role as a data processor for Client customer data
For End-Customers: If you book an appointment through a business using our platform, that business is the data controller for your booking data. Please refer to their privacy policy. This policy explains our role as their data processor.
2. Who We Are
Data Controller (for our own processing):
Trimlinea
4th Floor, 14 Museum Place, Cardiff, CF10 3BH
[email protected]
Business Type: Sole Trader
ICO Registration: ZC083991
3. Our Role: Controller vs Processor
We act in different capacities depending on whose data we're processing:
| Data Subject | Our Role | Data Controller |
|---|---|---|
| Marketing website visitors | Controller | Trimlinea |
| Sales leads & prospects | Controller | Trimlinea |
| Client business users (admins, barbers) | Controller | Trimlinea |
| Support ticket submitters | Controller | Trimlinea |
| End-customers booking appointments | Processor | The Client business |
| End-customers (platform feedback) | Controller | Trimlinea |
4. Information We Collect
4.1 Marketing Website Visitors
When you visit trimlinea.co.uk, we may collect:
| Data | Source | Purpose |
|---|---|---|
| IP address | Automatic | Security, analytics (with consent) |
| Browser/device information | Automatic | Website optimisation |
| Pages visited | Automatic (with consent) | Analytics to improve our site |
| Referral source | Automatic (with consent) | Marketing effectiveness |
Cookies: We use essential cookies and, with your consent, analytics cookies. See our Cookie Policy.
4.2 Sales Leads & Prospects
When you enquire about our services or request a demo, we collect:
| Data | Purpose | Legal Basis |
|---|---|---|
| Name | Identify you | Legitimate interest |
| Email address | Respond to your enquiry | Legitimate interest |
| Phone number (optional) | Follow-up calls | Legitimate interest |
| Business name | Understand your needs | Legitimate interest |
| Enquiry details | Provide relevant information | Legitimate interest |
4.3 Client Business Users
When Clients register and use our platform, we collect data about their administrators, barbers, and staff:
Account Registration:
| Data | Purpose |
|---|---|
| First name, last name | User identification |
| Email address | Login, communications |
| Phone number (optional) | Account recovery, support |
| Password (hashed) | Account security |
| Role (Admin/Barber) | Access control |
Professional Profile (Barbers):
| Data | Purpose |
|---|---|
| Bio | Display on booking page |
| Specialty | Service matching |
| Profile photo | Visual identification |
| Job title | Display purposes |
Business Information:
| Data | Purpose |
|---|---|
| Business name | Platform branding |
| Business address | Location display, compliance |
| Business email & phone | Contact purposes |
| Logo & branding | White-label customisation |
Financial Data:
| Data | Purpose |
|---|---|
| Stripe Account ID | Payment processing |
| Commission settings | Revenue splitting |
| Subscription details | Billing management |
| Payment history | Invoicing, support |
Usage Data:
| Data | Purpose |
|---|---|
| Login timestamps | Security monitoring |
| Actions performed | Audit trail |
| IP addresses | Security, fraud prevention |
| Feature usage | Product improvement |
4.4 Support Tickets & Communications
When you contact our support team:
| Data | Purpose |
|---|---|
| Name, email | Identify you, respond |
| Ticket content | Resolve your issue |
| Attachments (if provided) | Troubleshooting |
| Conversation history | Context for support |
4.5 End-Customer Data (As Processor)
When end-customers book appointments through Client websites, we process their data on behalf of our Clients:
| Data Processed | Purpose |
|---|---|
| Name | Booking identification |
| Booking confirmations | |
| Phone (optional) | Contact for bookings |
| Booking details | Service delivery |
| Payment information | Transaction processing |
| Notes | Service customisation |
Important: We only process this data according to our Client's instructions. We do not use end-customer data for our own marketing.
4.6 Platform Feedback (As Controller)
We may contact end-customers who have booked appointments through our platform to request feedback about the booking experience. For this limited purpose, we act as an independent data controller.
| Data Used | Purpose | Legal Basis |
|---|---|---|
| Email address | Send feedback request | Legitimate interest |
| Booking reference | Context for feedback | Legitimate interest |
Your rights:
- Every feedback email includes an unsubscribe link
- We honour opt-out requests within 48 hours
- We do not use this data for marketing or share it with third parties
- The Client business may also opt out its customers from feedback requests
5. How We Use Information
5.1 Our Own Processing (As Controller)
| Purpose | Legal Basis |
|---|---|
| Provide our platform | Contract performance |
| Process payments & subscriptions | Contract performance |
| Send service communications | Contract performance |
| Provide customer support | Contract / Legitimate interest |
| Request platform feedback from end-customers | Legitimate interest |
| Improve our products | Legitimate interest |
| Ensure platform security | Legitimate interest |
| Prevent fraud & abuse | Legitimate interest |
| Comply with legal obligations | Legal obligation |
| Marketing (with consent) | Consent |
5.2 Processing on Behalf of Clients (As Processor)
We process end-customer data solely to provide the booking platform service:
- Storing and displaying booking information
- Sending booking confirmations and reminders (on Client's behalf)
- Processing payments (via Stripe)
- Generating reports for Clients
- Maintaining audit trails
We do NOT:
- Use end-customer data for our own marketing
- Sell end-customer data to third parties
- Access end-customer data except as necessary to provide the service or as instructed by the Client
6. Who We Share Information With
6.1 Sub-Processors
We use the following third-party service providers to operate our platform:
| Provider | Service | Location | Safeguards |
|---|---|---|---|
| Stripe, Inc. | Payment processing | USA | SCCs, DPA |
| ZeptoMail (Zoho) | Transactional email | EU/India | SCCs, DPA |
| Microsoft Azure | Backend & database | UK | ISO 27001, SOC 2, GDPR DPA |
| Cloudflare, Inc. | CDN, security | Global | ISO 27001, SOC 2, SCCs |
| Vercel Inc. | Frontend hosting | USA | SOC 2, SCCs |
| Google Analytics | Website analytics (consent-based) | USA | Consent, SCCs |
| Sentry.io | Error monitoring (consent-based) | USA | Consent, SCCs |
6.2 Our Clients
We share end-customer data with the Client business that the customer booked with. This includes:
- Customer name and contact details
- Booking history and details
- Payment status
- Any notes or preferences
6.3 Legal Requirements
We may disclose information when required by:
- Law or regulation
- Court order or legal process
- Government or regulatory request
- Protection of our legal rights
6.4 Business Transfers
In the event of a merger, acquisition, or sale, your information may be transferred as part of business assets. We will notify affected parties of any change in data controller.
7. International Data Transfers
We are based in the United Kingdom. Some of our sub-processors operate internationally:
| Destination | Transfer Mechanism |
|---|---|
| European Economic Area | Adequacy decision |
| United States | Standard Contractual Clauses (SCCs) |
| Other countries | SCCs or other approved mechanisms |
All transfers are made in compliance with UK GDPR requirements.
8. Data Retention
8.1 Our Own Data (As Controller)
| Data Type | Retention Period |
|---|---|
| Marketing leads (unconverted) | 2 years from last contact |
| Client account data | Duration of relationship + 6 years |
| Billing & subscription records | 6 years (HMRC requirement) |
| Support tickets | 3 years from resolution |
| Security/audit logs | 2 years |
| Website analytics | 26 months (anonymised) |
8.2 End-Customer Data (As Processor)
We retain end-customer data according to our Clients' instructions and our Data Processing Agreement:
- Active accounts: For the duration of the Client's subscription
- After Client termination: Deleted within 90 days, unless legal retention required
- Backup copies: Purged within 180 days of deletion
Clients can request earlier deletion of specific customer data via our support channels.
9. Data Security
We implement comprehensive security measures to protect personal data:
Technical Measures
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ (HTTPS only) |
| Encryption at rest | AES-256 database encryption |
| Password security | Bcrypt hashing, complexity requirements |
| Authentication | JWT tokens, secure session management |
| Access control | Role-based permissions, multi-tenancy isolation |
| Payment security | PCI DSS via Stripe (card data never touches our servers) |
Organisational Measures
| Measure | Implementation |
|---|---|
| Staff training | Data protection awareness |
| Access logging | Comprehensive audit trails |
| Incident response | Documented breach procedures |
| Vendor management | DPAs with all sub-processors |
| Regular review | Periodic security assessments |
Incident Response
In the event of a data breach:
- We will assess the breach within 24 hours
- We will notify affected Clients without undue delay (within 72 hours for reportable breaches)
- We will cooperate with Client's breach notification obligations
- We will document and remediate the incident
10. Your Rights
10.1 For Our Direct Data Subjects
If we are the data controller for your information (marketing contacts, Client users, support enquiries), you have the following rights:
| Right | How to Exercise |
|---|---|
| Access | Request a copy of your data |
| Rectification | Correct inaccurate information |
| Erasure | Request deletion ("right to be forgotten") |
| Restriction | Limit how we process your data |
| Portability | Receive your data in a portable format |
| Objection | Object to processing based on legitimate interest |
| Withdraw consent | Revoke consent at any time |
Contact: [email protected]
We will respond within one month (extendable by two months for complex requests).
10.2 For End-Customers (Data Subjects of Our Clients)
If you are an end-customer who booked through a business using our platform:
- First, contact the business directly; they are the data controller
- The business may instruct us to fulfil your request
- We will action data subject requests within 10 business days of Client instruction
We cannot independently action data subject requests for end-customer data without Client authorisation, as they are the data controller.
11. Data Processing Agreement
We enter into Data Processing Agreements (DPAs) with all Clients, ensuring:
- Processing only on documented instructions
- Confidentiality obligations
- Security measures appropriate to the risk
- Sub-processor management and notification
- Assistance with data subject rights
- Breach notification within 48 hours
- Deletion or return of data on termination
- Audit and inspection rights
Clients can request a copy of our DPA template at [email protected].
12. Children's Privacy
Our platform is not directed at children under 16. We do not knowingly collect data from children under 16.
If a Client's business serves children, the Client is responsible for ensuring appropriate parental consent and compliance.
13. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on individuals.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify affected parties of material changes by:
- Posting a notice on our website
- Emailing registered Client users
- Updating the "Last Updated" date
We encourage you to review this policy periodically.
15. Contact Us
General Enquiries
Complaints
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
ico.org.uk | 0303 123 1113
16. Policy Documents
This Privacy Policy should be read in conjunction with:
- Cookie Policy
- Terms of Service
- Data Processing Agreement (for Clients)