Privacy Policy

1.1 Account and identity data

• Full name, email address, phone number, preferred language, time zone, profile image, and unique authentication identifier.
• Authentication metadata managed by our authentication provider, such as hashed credentials, multi-factor authentication methods, and session tokens.
• Role assignments, organization memberships, team invitations, and granular access permissions (Administrator, Manager, Receptionist, View Only).

1.2 Organization and business data

• Business name, trade name, industry category, service descriptions, and logos used across dashboards and public booking pages.
• Business hours, availability, break times, resource configurations, and staff scheduling constraints.
• Locations, addresses, social media links (Facebook, Instagram, X/Twitter), booking page content, and marketing copy.
• Tax and billing identifiers including RFC, Regimen Fiscal, CFDI usage keys, billing contacts, and invoice preferences.
• Bot configuration and automation settings, including chatbot mode (booking or commercial), greeting messages, custom qualification questions, guardrails, and knowledge base content.

1.3 Client and staff data you submit

• Contact details such as phone numbers, emails, physical addresses, and emergency contacts.
• Demographic details like birthdays, gender, and language preferences.
• Service preferences, appointment history, notes on allergies or contraindications that you choose to record.
• Signed forms, consent acknowledgements, digital signatures, medical records, identification documents, and other attachments uploaded to bookings, tickets, or client profiles.
• Custom fields, tags, segments, and client files (documents, images) configured by your organization.
• Pet information (name, breed, weight, photos) for veterinary or grooming businesses.

You are responsible for ensuring that the personal data you collect from clients or staff complies with applicable laws and that you limit sensitive data to what is strictly necessary.

Some data that organizations may choose to store in SalonWop, including health information, allergies, contraindications, medical records, disability-related notes, biometric signatures, or copies of official identification, may be considered sensitive personal data under Mexican law or other applicable laws. You must only upload that data when it is strictly necessary and after obtaining any express consent or other authorization required by law.

1.4 Lead and commercial data

When you use commercial mode or lead-capture features, we collect and process:

• Lead contact information: name, email, phone number, and company name captured through automated bot conversations.
• Qualification data: responses to BANT (Budget, Authority, Need, Timeline) or custom qualification frameworks, including individual scores and overall qualification tier (hot, warm, cold, unqualified).
• Custom question responses: answers to organization-defined questions (open-ended or multiple choice), with associated scoring data.
• Lead scoring metrics: composite scores based on qualification responses, engagement activity, and contact data quality.
• Lead lifecycle status, stage history, and temperature: transitions between new lead, conversing, interested, in payment, client, and lost stages, plus separate cold, warm, and hot temperature signals, with timestamps and attribution.
• Order and cart data: product selections, quantities, prices, and notes captured during commercial conversations.
• Flow execution data: bot flow progression, captured variables, and completion status.
• Source attribution: platform (WhatsApp, Messenger, Instagram, voice), campaign identifiers, and session references.

1.5 Booking, sales, and payment records

• Appointments, tickets, start and end times, assigned staff, resources, status histories, and notes.
• Services and products sold, quantities, pricing, discounts, tips, commissions, and loyalty or voucher information.
• Payment methods and amounts (cash, card, transfer, certificates, Stripe) and cashier activity.
• Advance deposits (anticipo): deposit amount, percentage, payment status (unpaid, partial, paid), and remaining balance for online bookings.
• Bot-initiated payments: payment links, checkout session identifiers, amount, currency, customer snapshot (name, email, phone), application fee details, and payment status.
• Recurring client billing: billing profiles, cycle schedules, grace periods, payment history, and WhatsApp billing opt-in preferences.
• Invoice details including RFC, business name, Regimen Fiscal, CFDI usage, billing email, and postal codes.
• Attachments related to sales or bookings such as receipts, purchase orders, prescriptions, and images.

Sensitive payment card information is collected and stored directly by Stripe. SalonWop only receives tokens, status updates, and the last four digits of cards where applicable. For organizations using Stripe Connect, SalonWop applies a platform application fee (default 1%) which is calculated and disclosed at checkout.

1.6 Communications, messaging, and support

• Messages exchanged through WhatsApp, Facebook Messenger, and Instagram DM integrations, including text content, media files (images, videos, documents, audio), captions, and delivery status.
• Platform-specific contact identifiers: phone numbers (WhatsApp), Page-Scoped IDs (Messenger), and Instagram-Scoped IDs (Instagram DM).
• Contact profile information retrieved from messaging platforms: display names, usernames (Instagram), and temporary profile picture URLs.
• Bot conversation state and context: session progression, service selections, scheduling preferences, handover history, and conversation summaries.
• Team inbox data: agent assignments, internal conversation notes, follow-up tasks, and handover metadata (reason, assigned agent, outcome).
• Support requests, help desk conversations, and metadata related to troubleshooting tickets.
• Email delivery logs, notification preferences, marketing subscriptions, and feedback surveys.

Media files received through messaging platforms (images, audio, video, documents) are downloaded from the platform provider and stored on our own cloud infrastructure to ensure persistent availability. Temporary platform-hosted URLs are not retained.

1.7 Voice and audio data

When you enable voice features, we collect and process:

• Voice call recordings and transcripts from AI-powered voice assistants, including caller phone numbers, call duration, and timestamps.
• AI-generated call analysis: conversation summaries, caller sentiment (positive, negative, neutral), call success indicators, and voicemail detection.
• Voice messages received through WhatsApp, Messenger, or Instagram, which are transcribed using third-party speech recognition services and stored alongside the original audio file.
• Real-time speech-to-text transcripts processed during voice calls.

Voice call recordings are initially processed and temporarily stored by our voice processing provider on their infrastructure. Transcripts and call metadata are stored in our database. Voice message audio files from messaging platforms are permanently stored on our cloud infrastructure.

1.8 AI and automation features

• Prompts, instructions, and contextual information you submit to AI-assisted tools, such as scheduling assistants, lead qualification bots, commercial conversation engines, and dashboard AI chat.
• Generated outputs retained to provide conversation history and quality controls.
• Business context shared with AI models to generate responses: service catalogs, staff availability, pricing, and business policies.

AI processing is facilitated through third-party AI model providers. We do not use your prompts or outputs to train our own foundation models. Our AI providers have confirmed that data sent to their APIs is not used to train or improve their foundation models.

1.9 Device, usage, and analytics data

• IP address, approximate geolocation derived from IP, device identifiers, browser type, and operating system.
• System logs, timestamps, session identifiers, diagnostic events, crash reports, and performance metrics.
• Product usage analytics: page views, feature interactions, button clicks on instrumented elements, and navigation patterns, collected through product analytics tools.
• Session recordings with aggressive masking: all text content and form inputs are masked before capture. No passwords, emails, phone numbers, or personal text is recorded in readable form.
• Web performance metrics (Core Web Vitals): LCP, FID, CLS, FCP, and TTFB measurements collected for performance monitoring.
• Cookies, local storage, and similar technologies used to maintain sessions, remember language preferences, secure the platform, and measure engagement.

1.10 Advertising and conversion data

We use the following advertising, analytics, and conversion measurement technologies across different parts of the Service:

• Google Analytics and Google Tag Manager: page views, traffic sources, engagement metrics, and product performance data on public pages and certain authenticated or account-access flows.
• Google Ads conversion tracking: ad click attribution and conversion events on public-facing marketing flows.
• Meta Pixel (Facebook/Instagram): page views and registration conversion events on public pages and selected account creation or sign-in flows used for campaign attribution.
• TikTok Pixel: page views and registration events on public pages and selected account creation or sign-in flows used for campaign attribution.

We do not intentionally load Meta Pixel or TikTok Pixel inside the authenticated dashboard or admin areas. Each provider processes data according to its own privacy policy. You can manage these technologies through your browser settings, any consent controls we may make available on the relevant page, and the provider-specific opt-out tools described in our Cookie Policy.

1.11 Data from third parties

• Billing status, charge identifiers, and payout confirmations from Stripe.
• Authentication confirmations, profile data, and risk signals from our authentication provider and identity verification partners.
• Email delivery and engagement metrics from our email delivery provider.
• Call recordings, transcriptions, and analysis data from our voice processing provider.
• Audio transcriptions from our transcription service provider for voice message processing.
• Analytics and monitoring data from tools that help us understand system reliability and usage patterns.

2.1 Primary purposes

• Provide, configure, and maintain the Service, including bookings, sales, inventory, dashboards, lead management, and integrations.
• Create and manage user accounts, organizations, roles, and access permissions at your direction.
• Process payments, subscriptions, advance deposits (anticipo), bot-initiated payments, recurring billing, refunds, and invoices through Stripe and our payment providers.
• Send transactional messages such as confirmations, reminders, receipts, invoices, and administrative alerts.
• Operate automated chatbots across WhatsApp, Messenger, Instagram, and voice channels to assist with appointment booking, lead qualification, payment collection, and customer support.
• Capture, score, and qualify leads using BANT or custom qualification frameworks as configured by your organization.
• Facilitate voice calls through AI-powered voice assistants, including call transcription, sentiment analysis, and conversation routing.
• Deliver customer support, troubleshoot issues, and respond to inquiries.
• Improve the Service, including AI-assisted suggestions, translation preferences, product recommendations, analytics, and security monitoring.
• Monitor usage, enforce policies, prevent fraud, protect the security and integrity of the Service, and comply with legal obligations, accounting requirements, and law enforcement requests.

2.2 Secondary purposes

• Send product updates, educational content, surveys, or marketing communications in accordance with your preferences.
• Measure advertising effectiveness, attribute registrations to campaigns, and optimize marketing activities on public pages and selected sign-up or sign-in flows.
• Create aggregated or de-identified business insights, benchmarks, and planning metrics.

If Mexican law applies to you, you may object to these secondary purposes, or request that we limit the use or disclosure of your personal data for them, by emailing legal@salonwop.com.

4.1 Service providers (subprocessors)

We engage the following categories of service providers to operate and improve the Service:

• Authentication and identity verification providers.
• Stripe and Stripe Connect: payment processing, subscription billing, advance deposits, bot-initiated payments, and recurring client billing.
• Cloud infrastructure and hosting providers for application hosting, database, file and media storage, and content delivery.
• AI and machine learning providers for chatbot conversations, lead qualification, voice call processing, speech-to-text, text-to-speech, voice message transcription, and dashboard AI features.
• Email delivery providers for transactional and marketing communications.
• Real-time messaging infrastructure providers for live inbox updates and notifications.
• Product analytics and monitoring providers for usage analytics, error tracking, performance monitoring, and log aggregation.
• Google (Analytics and Tag Manager): website and product analytics across public and selected authenticated surfaces; Google Ads for advertising attribution on marketing flows.
• Meta Platforms (Pixel): advertising conversion tracking on public pages and selected account creation or sign-in flows.
• TikTok (Pixel): advertising conversion tracking on public pages and selected account creation or sign-in flows.

4.2 Other disclosures

• Members of your organization who have the permissions you configure, such as administrators, managers, or receptionists.
• Integration partners or APIs that you choose to connect and authorize, including Meta (WhatsApp Business, Messenger, Instagram) for messaging functionality.
• Professional advisors, auditors, or insurers under appropriate confidentiality obligations.
• Regulators, law enforcement, or courts when required by law or to protect rights, safety, or the integrity of the Service.
• Another company in the event of a merger, acquisition, or asset sale, in which case you will be notified of any material changes.

8.1 ARCO and privacy requests in Mexico

If Mexican law applies to your request, please include your full name, the email address or phone number associated with the account, the right you want to exercise, and any information that helps us identify the relevant records. If the request concerns data that your organization controls, we may redirect you to the organization administrator or process the request under that organization’s documented instructions.

8.2 Data Deletion Requests

If you have connected your account through Facebook, WhatsApp, Instagram, or Messenger integrations, you can request deletion of your data at any time. Upon receiving a valid deletion request, we will:

• Remove your personal information from our active databases within 30 days.
• Delete associated integration tokens, connection data, and bot session records.
• Delete media files (images, audio, video, documents) stored on our infrastructure that are associated with your conversations.
• Retain only data required for legal, tax, or regulatory compliance as described in Section 6.
• Provide confirmation of deletion upon request.

To request data deletion, email legal@salonwop.com with the subject line "Data Deletion Request" and include your account email or phone number. You can also disconnect integrations directly from your SalonWop dashboard settings.

9.1 Cookies used within the Service

• Essential cookies: required for authentication, session management, security, and basic functionality.
• Preferences cookies: remember language, locale, theme (light/dark/system), and user settings.
• Analytics cookies: help us understand how the Service is used so we can improve performance and experience. User data is pseudonymized and session recordings mask all text and form inputs.

9.2 Tracking technologies on public pages

The following tracking technologies are used on different public or account-access flows:

• Google Analytics and Google Tag Manager: website traffic analysis and engagement measurement across public pages and certain authenticated or account-access flows.
• Google Ads: conversion tracking for advertising campaigns on public-facing marketing flows.
• Meta Pixel: conversion tracking for Facebook and Instagram advertising on public pages and selected sign-up or sign-in flows.
• TikTok Pixel: conversion tracking for TikTok advertising on public pages and selected sign-up or sign-in flows.

Meta Pixel and TikTok Pixel are not intentionally loaded inside the authenticated dashboard or admin areas. You can adjust your browser settings to refuse or delete cookies, but doing so may limit some features. You can also use ad-blocker extensions or the platform-specific opt-out tools provided by Google, Meta, and TikTok. Certain integrations may set their own cookies subject to their respective policies.