Privacy Policy

This policy describes how SpaSuite 360 collects, uses, shares and protects personal data of our business customers, their end clients, and visitors to our website.

Last updated: May 9, 2026

1. Who we are

SpaSuite 360 is operated by Pavilion Labs ("SpaSuite 360", "we", "us", or "our"). We provide salon, spa and med spa management software to business customers who in turn serve their own clients.

For the purposes of data protection law, we are a data controller of the personal data of our business customers, visitors to our website, and prospective customers. We are a data processor of the personal data that our customers upload, generate or process inside their SpaSuite 360 account about their own end clients.

2. Data we collect

We collect and process the following categories of data:

  • Account data: name, business name, email address, phone number, role, password (hashed) and account preferences.
  • Business data: services, prices, staff records, schedules, transactions, sales, inventory and reports that you create or import into your account.
  • End client data: client records, contact details, appointment history, notes, photos, intake forms, consents and communication preferences, all uploaded by you and processed on your behalf.
  • Payment data: we do not store full card numbers. Card transactions are tokenised and processed by Paystack. We retain transaction metadata such as amounts, currencies, status and references for accounting and dispute resolution.
  • Usage and device data: pages viewed, actions taken inside the product, device type, browser, IP address and approximate location, captured to keep the service secure and to improve performance.
  • Support and communication data: the content of messages you send to us, including emails, contact forms and support tickets.

3. How we use your data

We use personal data for the following purposes:

  • To provide, operate and improve SpaSuite 360.
  • To onboard you, authenticate you and let you manage your account.
  • To process payments, generate invoices and prevent fraud.
  • To send service notifications, security alerts and important account-related messages.
  • To respond to support requests and improve our customer experience.
  • To send marketing communications to business customers about our products. You can unsubscribe at any time.
  • To meet legal, tax, accounting and regulatory obligations.

4. Lawful basis

We rely on the following lawful bases for processing:

  • Contract: to deliver the services you have signed up for.
  • Legitimate interests: to keep the service secure, prevent abuse and improve our product.
  • Consent: for optional marketing communications and any non-essential cookies.
  • Legal obligation: to meet our legal, tax, accounting and regulatory duties.

5. How we share data

We do not sell personal data. We share data only in the following limited circumstances:

  • Sub-processors: trusted infrastructure and service providers who help us run SpaSuite 360, such as cloud hosting, email delivery, SMS providers, analytics, error monitoring and payment processors. These providers are bound by contract to protect your data.
  • Within your account: data inside your SpaSuite 360 account is visible to the team members and roles you authorise.
  • Legal requirements: if we are required by law, court order or valid legal process to disclose data, we will. Where lawful and reasonable, we will notify the affected customer first.
  • Business transfers: in the event of a merger, acquisition or sale of assets, your data may be transferred to the acquiring entity, subject to the same protections described in this policy.

6. International data transfers

SpaSuite 360 is operated from Nigeria and uses cloud infrastructure which may store and process data in multiple regions. Where personal data is transferred outside its country of origin, we use appropriate safeguards such as standard contractual clauses and rely on adequacy decisions where applicable.

7. How long we keep data

We retain personal data only for as long as necessary to provide the service and to meet our legal obligations.

  • Account and business data: retained for the lifetime of your account, plus a reasonable archival period after account closure.
  • End client data: retained for as long as you instruct us to retain it. On account closure, end client data is deleted from our production systems within 90 days, unless we are required to keep it longer by law.
  • Backups: data inside encrypted backups rotates out of retention within the documented backup retention period.

8. Your rights

Depending on your location, you may have the following rights over your personal data:

  • Access the personal data we hold about you.
  • Request correction of inaccurate or incomplete data.
  • Request deletion of your personal data.
  • Object to or restrict certain processing.
  • Withdraw consent where we rely on consent.
  • Receive a portable copy of your data.
  • Lodge a complaint with the relevant data protection authority.

To exercise any of these rights, email privacy@spasuite360.com. For end client requests, please contact the SpaSuite 360 customer who controls your data.

9. Security

We protect personal data using a layered security programme that includes encryption in transit and at rest, strict access controls, regular backups and an incident response plan. See our security page for more detail.

10. Cookies and analytics

SpaSuite 360 uses essential cookies to keep you signed in and the service running. We may use limited, privacy-respecting analytics to understand how the product and the site are used. Where we use non-essential cookies, we ask for your consent.

11. Children

SpaSuite 360 is not directed at children under 16, and we do not knowingly collect personal data from children. If you believe we have, please contact us so we can remove it.

12. Changes to this policy

We may update this policy from time to time. Material changes will be communicated to active customers by email and posted on this page with an updated "last updated" date.

13. Contact us

For privacy questions or to exercise your rights, email privacy@spasuite360.com.
