Privacy Policy

Last updated: 13 March 2026

1. Information We Collect

We collect the following personal information when you use our services:

  • Phone number (for account creation and booking confirmations via SMS)
  • Name and email (if provided)
  • Booking history and service preferences
  • Payment information (processed securely by Square — we do not store card details)

2. How We Use Your Information

  • To process and manage your bookings
  • To send appointment reminders and confirmations via SMS (Twilio)
  • To process payments securely (Square)
  • To improve our services and website
  • To communicate about promotions (only with your consent)

3. Data Storage

Your data is stored securely on Supabase (hosted in the EU). We use industry-standard encryption for data in transit (TLS) and at rest. Access to your data is restricted to authorised personnel only.

4. Third-Party Services

We use the following third-party services that may process your data:

  • Twilio — SMS delivery for OTP verification and booking notifications
  • Square — Payment processing
  • Supabase — Database hosting
  • Vercel — Website hosting

Each provider has its own privacy policy and complies with applicable data protection regulations.

5. Your Rights (GDPR)

If you are in the UK or EU, you have the right to:

  • Access — Request a copy of your personal data
  • Rectification — Request correction of inaccurate data
  • Erasure — Request deletion of your data (“right to be forgotten”)
  • Portability — Request your data in a machine-readable format
  • Objection — Object to processing for marketing purposes

To exercise any of these rights, contact us at hello@midnight.studio. We will respond within 7 days.

6. Cookies

We use a single essential cookie (salon_token) for authentication. We do not use tracking cookies or third-party analytics cookies.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide services. Booking records are retained for 3 years for legal and accounting purposes. You can request deletion at any time.

8. Security

We implement appropriate technical measures including encrypted connections (HTTPS), row-level security on our database, rate limiting on authentication endpoints, and secure cookie handling.

9. Changes

We may update this policy from time to time. We will notify you of significant changes via SMS or email if we have your contact details.

10. Contact

Data Controller: Midnight Studio, Glasgow, Scotland

Email: hello@midnight.studio