ColourKey
Privacy Policy
Last updated: 16 June 2026
ColourKey ("we", "us", "our") operates the ColourKey mobile application (iOS and Android) and website at colourkey.uk. This policy explains what personal data we collect, why we collect it, and how we protect it.
1. Who this policy applies to
This policy covers:
- Stylists — professionals who create a ColourKey account to manage client records and generate colour formulas
- Clients — people whose consultation data is entered by their stylist, or who complete an online consultation form
- Visitors — anyone browsing colourkey.uk
2. Data we collect
| Data | Who it's from | Why we collect it |
| --- | --- | --- |
| Name & salon name | Stylist (at sign-up) | Account identity; displayed on client-facing consultation pages |
| Email address | Stylist (at sign-up) | Account authentication, transactional emails, password reset |
| Password | Stylist (at sign-up) | Stored as a bcrypt hash by Supabase Auth — we never see plaintext passwords |
| Hair photos | Stylist or client | Sent to Google Gemini for AI vision analysis. May be stored in client records if the stylist chooses to save them |
| Client records | Stylist | Client name, email, colour formula, patch test result, before/after photos, consultation answers, notes |
| Consultation data | Client (via consultation form) | Hair history, allergies, desired result, maintenance preference — used to generate the stylist's formula |
| Subscription & purchase history | Stylist | Managed by Stripe. We store only a subscription status flag and Stripe customer ID — never card details |
| Square appointment data | Stylist (via optional Square integration) | Used to match upcoming appointments to client records and trigger consultation emails |
| Usage data | All users | Feature usage counts for subscription limit enforcement and product improvement |
3. How we use your data
- To create and manage your account
- To analyse hair photos using AI and return colour formula recommendations
- To store client records and colour formulas on your behalf
- To send transactional emails: account confirmation, password reset, consultation links, and rebooking reminders
- To enforce subscription usage limits
- To push formula notes to Square customer profiles (if you connect Square)
- To generate social media posts and formula cards (on request)
- To improve ColourKey's AI models and features (aggregated, anonymised usage data only)
4. Third-party services
- Supabase — stores account data and client records with row-level security (EU data centre). Privacy Policy
- Google Gemini — processes hair photos for AI vision analysis and AR hair preview generation. Photos are not retained by Google after processing. Privacy Policy
- Anthropic Claude — processes consultation text and generates formula recommendations. Text is not retained for training without consent. Privacy Policy
- Stripe — processes subscription payments. We share your email and subscription plan; we never receive or store card numbers. Privacy Policy
- Resend — sends transactional emails on our behalf. Privacy Policy
- Square — optional integration. If connected, we read appointment data and write formula notes to customer profiles. Privacy Policy
5. Client data and your responsibilities as a stylist
When you save a client's name, photos, or consultation answers, you are acting as a data controller for that client's personal data under UK GDPR. You are responsible for:
- Informing clients that their data is recorded in ColourKey
- Obtaining consent where required (e.g. before storing photos)
- Responding to client subject access or deletion requests
ColourKey acts as a data processor on your behalf. We do not use your clients' data for any purpose other than providing the ColourKey service to you.
6. Automated rebooking emails
If you save a client's email address in their record, ColourKey may send them an automated rebooking reminder when their colour is due for a refresh, using the maintenance preference they set in their consultation. These emails are sent from hello@colourkey.uk and include an unsubscribe option.
7. Data storage and security
- All data is encrypted in transit (HTTPS/TLS)
- Client records are protected by Supabase row-level security — stylists can only access their own clients' data
- Photos are compressed before transmission and are not stored permanently on our servers unless explicitly saved to a client record
- Passwords are hashed using bcrypt via Supabase Auth — we cannot read them
8. Data retention
- Account data — retained for as long as your account is active
- Client records — retained until you delete them or your account is deleted
- Photos sent for analysis — not stored after AI processing completes
- On account deletion, all account data and client records are permanently deleted within 30 days
9. Your rights (UK GDPR)
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — delete your account and all associated data (available in-app under More → Delete Account, or by emailing us)
- Portability — export your client records
- Restriction — ask us to stop processing your data in certain circumstances
- Object — opt out of marketing emails at any time via the unsubscribe link
To exercise any of these rights, email us at hello@colourkey.uk. We will respond within 30 days.
10. Children
ColourKey is a professional tool intended for qualified hairdressers and beauty professionals. It is not directed at children under 16. We do not knowingly collect personal data from children.
11. Changes to this policy
We may update this policy as the service evolves. We will notify you of material changes by email or in-app notification at least 14 days before they take effect. The latest version is always available at colourkey.uk/privacy-policy.
12. Contact
ColourKey
Email: hello@colourkey.uk
Website: colourkey.uk