Data Protection Policy
Last updated: October 31, 2025
Our Commitment to Data Protection
Salonity.in is committed to protecting your personal data and respecting your privacy rights. This policy explains how we collect, use, store, and protect your information in compliance with international data protection laws.
1. Legal Framework and Compliance
1.1 Applicable Laws
This policy complies with the following data protection regulations:
- GDPR - General Data Protection Regulation (EU)
- CCPA - California Consumer Privacy Act (USA)
- PIPEDA - Personal Information Protection and Electronic Documents Act (Canada)
- IT Act 2000 - Information Technology Act and the Sensitive Personal Data or Information Rules 2011 (India)
- LGPD - Lei Geral de Proteção de Dados (Brazil)
1.2 Data Controller Information
Data Controller: Salonity.in
Email: privacy@salonity.in
Address: [Your Business Address]
DPO Email: dpo@salonity.in
2. Types of Personal Data We Collect
2.1 Directly Provided Information
| Data Type | Examples | Purpose |
|---|---|---|
| Contact Information | Name, Email Address | Newsletter, Customer Support |
| Profile Data | Preferences, Beauty Interests | Content Personalization |
| Communication Data | Comments, Messages, Reviews | Community Engagement |
| Marketing Data | Preferences, Consent Records | Targeted Communications |
2.2 Automatically Collected Information
| Data Type | Examples | Collection Method |
|---|---|---|
| Technical Data | IP Address, Browser Type, Device Info | Web Server Logs |
| Usage Data | Page Views, Time Spent, Click Patterns | Analytics Tools |
| Cookie Data | Session IDs, Preferences | Browser Cookies |
| Performance Data | Load Times, Error Logs | Monitoring Tools |
3. Legal Basis for Processing
3.1 GDPR Legal Bases
- Consent (Article 6(1)(a)): newsletter subscriptions, marketing communications, optional cookies
- Legitimate Interests (Article 6(1)(f)): website analytics, security monitoring, content improvement
- Contract Performance (Article 6(1)(b)): service delivery, customer support, account management
- Legal Obligation (Article 6(1)(c)): data retention for legal compliance, tax records
4. Data Processing Activities
4.1 Primary Processing Purposes
🛡️ Essential Operations
- Website functionality and security
- User authentication and access control
- Technical support and troubleshooting
- Legal compliance and record keeping
📧 Communications
- Newsletter delivery and management
- Customer service responses
- Important service notifications
- Marketing communications (with consent)
📊 Analytics & Improvement
- Website usage analysis
- Content performance evaluation
- User experience optimization
- A/B testing and improvements
🎯 Personalization
- Content recommendation
- Preference-based customization
- Targeted advertising (with consent)
- User journey optimization
5. Your Data Protection Rights
5.1 Universal Rights
1. Right to Information: clear information about how your data is processed
2. Right of Access: request a copy of the personal data we hold about you
3. Right to Rectification: correct inaccurate or incomplete personal data
4. Right to Erasure: request deletion of your personal data (subject to legal obligations)
5. Right to Restrict Processing: limit how we use your data in certain circumstances
6. Right to Data Portability: receive your data in a structured, commonly used, machine-readable format
7. Right to Object: object to processing based on legitimate interests or to direct marketing
8. Right to Withdraw Consent: withdraw consent at any time for processing that relies on it, without affecting the lawfulness of processing carried out before withdrawal
5.2 CCPA-Specific Rights (California Residents)
- Right to Know: categories and specific pieces of personal information collected
- Right to Delete: request deletion of personal information
- Right to Opt-Out: opt out of the sale or sharing of personal information
- Right to Non-Discrimination: equal service regardless of privacy choices
6. Data Security Measures
6.1 Technical Safeguards
🔒 Encryption
- Data in transit: TLS 1.3 encryption
- Data at rest: AES-256 encryption
- Database encryption with key management
- Secure password hashing (bcrypt)
🛡️ Access Controls
- Multi-factor authentication
- Role-based access permissions
- Regular access reviews
- Principle of least privilege
📊 Monitoring
- 24/7 security monitoring
- Intrusion detection systems
- Regular security audits
- Vulnerability assessments
💾 Backup & Recovery
- Automated encrypted backups
- Disaster recovery procedures
- Regular recovery testing
- Geographically distributed storage
6.2 Organizational Measures
- Regular staff training on data protection
- Data protection impact assessments (DPIAs)
- Incident response and breach notification procedures
- Third-party vendor security assessments
- Privacy by design and by default
7. Data Retention
7.1 Retention Periods
| Data Category | Retention Period | Justification |
|---|---|---|
| Newsletter Subscriptions | Until unsubscribed + 30 days | Service delivery and compliance |
| Analytics Data | 26 months | Configured analytics retention window |
| Contact Forms | 3 years | Customer service and legal |
| Log Files | 12 months | Security and troubleshooting |
| Marketing Data | Until consent withdrawn + 30 days | Consent-based processing |
7.2 Data Deletion
When retention periods expire or deletion is requested, we ensure secure deletion using:
- Cryptographic erasure (destruction of the encryption keys) for encrypted data, including encrypted backups
- Multi-pass overwriting for unencrypted data
- Physical destruction of storage media when necessary
- Certificate of destruction for sensitive data
8. International Data Transfers
8.1 Transfer Mechanisms
When we transfer data internationally, we use appropriate safeguards:
- European Commission adequacy decisions
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules (BCRs)
- Certification schemes and codes of conduct
8.2 Third-Country Processing
We may process data in countries outside your jurisdiction. We ensure adequate protection through appropriate transfer mechanisms and monitor the security practices of our service providers.
9. Data Breach Response
9.1 Incident Response Process
1. Detection & Assessment: immediate containment and an initial impact assessment within 1 hour of detection
2. Authority Notification: notify the competent supervisory authority within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals (GDPR Article 33)
3. Individual Notification: notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34)
4. Recovery & Review: system recovery, documentation of the incident, and post-incident security improvements
10. Exercising Your Rights
10.1 How to Contact Us
To exercise your data protection rights, please contact us using:
- Privacy Email: privacy@salonity.in
- Data Protection Officer: dpo@salonity.in
- Contact Form: salonity.in/contact
- Postal Address: [Your Business Address]
10.2 Response Timeframes
- GDPR: 1 month from receipt (extendable by two further months for complex or numerous requests, with notice of the extension given within the first month)
- CCPA: 45 days (extendable by a further 45 days, for a maximum of 90 days)
- General inquiries: 5 business days
10.3 Identity Verification
To protect your privacy, we may request verification of your identity before processing requests. This may include:
- Email verification from your registered address
- Answers to security questions
- Government-issued ID for significant requests
11. Supervisory Authority Rights
You have the right to lodge a complaint with your local data protection authority if you believe we have not handled your data properly. Key authorities include:
🇪🇺 European Union
Your local data protection authority or the Irish Data Protection Commission
🇺🇸 United States
California Privacy Protection Agency or the California Attorney General's Office (CCPA), or the relevant state authority
🇨🇦 Canada
Office of the Privacy Commissioner of Canada
🇮🇳 India
The adjudicating officer designated under section 46 of the Information Technology Act 2000, or the Data Protection Board of India under the Digital Personal Data Protection Act 2023
12. Policy Updates
We review and update this policy regularly to ensure continued compliance with applicable laws and best practices. We will notify you of material changes through:
- Email notification to registered users
- Prominent website notice
- Updated "Last modified" date
- Newsletter announcements for significant changes
Questions or Concerns? If you have any questions about this Data Protection Policy or our privacy practices, please don't hesitate to contact our Data Protection Officer at dpo@salonity.in.