
A Practical GDPR Guide for Salon Owners

What GDPR actually requires of a personal-care business, in plain terms: lawful basis, consent, customer data rights, and how F9.contact handles them for you.

F9.contact Team · 6 min read

Tags: gdpr, compliance, data-protection, privacy, eu

GDPR has a reputation among small business owners as a thicket of legal jargon that exists mainly to generate cookie banners and fines. For a salon, it is simpler than that. You hold names, phone numbers, sometimes a headshot, and — if you work in aesthetics — health-adjacent information about your clients. That is personal data, the regulation tells you how to look after it, and most of what it asks is what a careful owner would do anyway. This post walks through the parts that actually apply to a personal-care business, and shows where F9.contact does the heavy lifting so you are not left assembling compliance by hand.

Controller and processor: who is responsible for what

The first distinction worth getting right is who plays which role, because it decides who answers to whom.

When a client books with your salon, you are the data controller. You decide why the data is collected and what happens to it. Your software vendor — in this case F9.contact — is the data processor: we hold and process the data on your instructions and nothing more. The regulation requires a written agreement between the two, a Data Processing Agreement (DPA), and on F9 that DPA is not an afterthought you chase down later. Accepting it is a mandatory step of tenant registration; there is no way to create a salon account without it. That single design choice closes one of the most common gaps small businesses leave open.

Being the controller does not mean you are alone with the obligations. It means you set the purposes and we provide the machinery to honour them — encryption, access controls, audit trails, and the tools your clients use to exercise their rights.

Lawful basis: consent is not the default

A widespread misconception is that GDPR requires consent for everything. It does not. Consent is one of six lawful bases, and for a salon it is often not the right one.

When a client books an appointment, you process their contact details to deliver a service they asked for — that is the contract basis, not consent. Keeping a record of a past visit so a colorist can reproduce a result, or so you can meet your bookkeeping obligations, leans on legitimate interest and legal obligation respectively. You do not ask a client to tick a consent box to be allowed to remember their last appointment.

Where consent genuinely belongs is the optional extras: marketing messages, and — critically — any special-category data such as health information gathered before a chemical or aesthetic treatment. Those require an explicit, freely given, recorded act of agreement, and they must be as easy to withdraw as they were to give. F9 keeps consent tracked per customer per tenant, with an audit log on sensitive access, so the record of who agreed to what, and when, exists independently of anyone's memory.

Data minimisation and purpose limitation

Two principles do most of the real work in day-to-day operations. Data minimisation says collect only what you need for the stated purpose. Purpose limitation says do not quietly repurpose it later. A client's phone number, given so you can confirm an appointment, should not silently become a marketing list without a separate basis.

In practice this means resisting the urge to hoard. If you do not need a date of birth to deliver the service, the cleanest position is not to ask for it. F9's data model is built around this: a client record holds what the booking and billing relationship requires, and clinical questionnaires capture health information only where a treatment makes it relevant — never as a blanket form everyone fills in regardless.

The rights your clients can exercise — and how F9 honours them

GDPR gives individuals a set of rights, and as controller you are obliged to honour them within a month. Two of them generate almost all the real-world requests a salon receives, and on F9 your clients can exercise both themselves, from the customer portal, without ever contacting you or our support team.

The right to data portability (Article 20)

A client can ask for a copy of the personal data you hold about them, in a portable form. From the portal's My Exports page a client requests an archive, and because the build runs on a background worker the request does not block anything. They are emailed when it is ready and can fetch a fresh download link any time inside a seven-day window, capped at one export per week to prevent abuse. The archive covers their profile, their bookings across every salon they have visited, the salon links on their account, and their avatar where one was uploaded.

The right to erasure (Article 17)

A client can ask to be forgotten. On F9 this is an email-confirmed account closure with a deliberate thirty-day cooling-off period. The client clicks "close my account", confirms via a one-time link sent to their verified address, and the clock starts. If they have upcoming appointments the request is held until those are dealt with. After thirty days a daily job performs cryptographic erasure: it destroys the encryption key for that record, at which point every encrypted field — name, email, phone, any headshots — becomes unrecoverable without the key and reads back as erased.

That cooling-off window is not us being slow; Article 17(3) recognises that erasure sometimes has to wait on a legitimate retention need, and the thirty days give both you and the client room to handle anything outstanding. Logging back in inside the window silently cancels the request — re-authenticating is treated as withdrawing it, which is exactly the behaviour a client who changed their mind expects.

There is a deliberate subtlety in how erasure is done. Rather than deleting the database row, F9 destroys the key and leaves the now-unreadable row in place. That keeps booking history and audit trails referentially intact for your legitimate business records — the appointment still happened, your books still balance — while the personal data inside it is gone for good.
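As an added illustration of the per-record-key erasure described above (example code, not F9.contact's own), each PII column is sealed under a key held in a separate vault, erasure deletes only that key, and the row with its booking references stays in place. The cipher is a standard-library stand-in (HMAC-SHA256 keystream with an encrypt-then-MAC tag) for the AEAD a production system would use; `vault`, `rows` and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Stand-in cipher so this runs on the standard library alone (HMAC-SHA256 keystream
# plus encrypt-then-MAC tag); production code should use a vetted AEAD such as AES-GCM.

class Erased(Exception):
    pass  # raised when a field is read after the record's key was destroyed

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def seal(key: bytes, column: str, plaintext: str) -> bytes:
    """Return nonce || ciphertext || tag; the column name is bound into the tag."""
    nonce, data = secrets.token_bytes(16), plaintext.encode()
    ct = bytes(p ^ k for p, k in zip(data, _keystream(_subkey(key, b"enc"), nonce, len(data))))
    tag = hmac.new(_subkey(key, b"mac"), column.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, column: str, blob: bytes) -> str:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), column.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("tag mismatch: tampered ciphertext or wrong key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks)).decode()

# Hypothetical stores: per-record keys (an HSM/KMS-backed table in production) and client rows.
vault: dict[int, bytes] = {}
rows: dict[int, dict] = {}

def create_client(client_id: int, pii: dict[str, str], booking_ids: list[int]) -> None:
    key = vault[client_id] = secrets.token_bytes(32)        # one fresh key per record
    rows[client_id] = {"pii": {c: seal(key, c, v) for c, v in pii.items()},
                       "booking_ids": list(booking_ids)}    # references stay in the clear

def read_field(client_id: int, column: str) -> str:
    key = vault.get(client_id)
    if key is None:   # the row is still present, but every PII column reads back as erased
        raise Erased(f"client {client_id}: key destroyed, field unrecoverable")
    return unseal(key, column, rows[client_id]["pii"][column])

def erase_client(client_id: int) -> None:
    vault.pop(client_id, None)   # cryptographic erasure: destroy the key, keep the row
```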

Security is not optional, and it is mostly invisible

GDPR asks for "appropriate technical and organisational measures". For personal data that is the practical floor, not a nice-to-have. On F9, client PII is encrypted at rest, sensitive access is written to an audit log, and tenant data is isolated so one salon can never see another's records. Headshots are stripped of EXIF metadata on upload, so a photo never quietly carries the location and device data a camera embeds. None of this is something you configure; it is how the platform is built.
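The EXIF stripping mentioned above, as an added example that is not F9.contact's code: a small JPEG segment walker that drops every APP1 segment (where Exif and XMP live, including GPS and device tags) while leaving the image data untouched. The sample JPEG skeleton and the `EXIF_PAYLOAD` bytes are constructed for the example.

```python
import struct

SOS = 0xDA
STANDALONE = {0xD8, 0xD9} | set(range(0xD0, 0xD8))   # markers that carry no length field

def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return the JPEG with every APP1 segment (Exif, XMP) removed.

    Walks the marker segments up to Start of Scan, copies all but APP1 verbatim,
    then appends the entropy-coded image data unchanged, so pixels never change.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, pos = bytearray(data[:2]), 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:                         # image data follows: copy the rest as-is
            return bytes(out + data[pos:])
        if marker in STANDALONE:
            out += data[pos:pos + 2]
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        if marker != 0xE1:                        # drop APP1; keep JFIF, quant tables, etc.
            out += data[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("no Start of Scan marker: truncated JPEG")

def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: a minimal JPEG skeleton whose APP1 holds a placeholder Exif block.
EXIF_PAYLOAD = b"Exif\x00\x00MM\x00*" + bytes(20)
SAMPLE_JPEG = (b"\xff\xd8"
               + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _segment(0xE1, EXIF_PAYLOAD)
               + _segment(0xDB, b"\x00" + bytes(64))          # quantisation table
               + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")  # Start of Scan header
               + b"\x12\x34\x56\xff\xd9")                     # scan data + EOI
```

Run it on an upload before the file is stored; a real pipeline would also re-encode or reject anything the walker refuses to parse rather than storing it as-is.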

A short checklist for owners

  • Accept and keep your DPA — on F9 you already did this at signup.
  • Be honest about your lawful basis: contract for bookings, legitimate interest for records, consent only for marketing and health data.
  • Collect only what the service needs, and do not repurpose it.
  • Let clients exercise their access and erasure rights without friction — the portal already does this for you.
  • Treat health information as special-category data with explicit, recorded, withdrawable consent.

GDPR rewards businesses that handle client data the way a careful professional already would: deliberately, transparently, and no more than necessary. The regulation's weight falls on the plumbing — encryption, audit, key destruction, portable exports — and that is precisely the part F9.contact carries so you can keep your attention on the chair.