1. Introduction
This Privacy Policy explains how Artifact (“we”, “us”, or “our”) collects, uses, stores, and discloses information in connection with Chair (the “Service”).
Chair is a business-management platform for salons, barbershops, and similar personal-care operators. This policy applies to:
- Operators: business owners, admins, and staff who create and manage accounts on Chair
- End-clients: customers of those businesses whose data Operators enter into Chair
If you are an Operator, please also ensure your own clients are appropriately informed about how their information is handled.
This document reflects the current implemented product baseline before any live WhatsApp Business API or AI integration is introduced. It will be updated as new features and data processing activities are added.
2. Data Roles: Who Is Responsible for What
2.1 Operator Account and Shop Data
For operator account data, shop setup data, subscription data, team-management records, and similar business-account information, Artifact is the party operating the Service and determines how such information is processed to provide and secure the platform.
2.2 End-Client Data Entered by Operators
When an Operator stores customer information in Chair, the Operator is responsible for deciding why that information is collected and used for their business operations. Artifact processes that information on the Operator's behalf so the Service can provide CRM, appointment, checkout, reporting, package, and membership functionality.
Operators are responsible for ensuring they have any notice, consent, authorisation, or other lawful basis required under applicable law, including the Digital Personal Data Protection Act, 2023 (DPDP Act), to collect, store, and use their own clients' information.
3. Information We Collect
3.1 Operator Account and Identity Data
| Category | Current Examples |
|---|---|
| Authentication | Email address used for passwordless email sign-in (magic link, 60-minute expiry, server-side PKCE code exchange) |
| Profile | First name, last name, phone number (E.164 format), role, display name, active/deactivated state, theme preference |
| Subscription | Subscription tier, subscription status, trial end date, owner-account identifiers, subscription-event history |
| Session Data | Session identifier, profile ID, creation timestamp, used for concurrent session management (default limit: 1 session per profile) |
3.2 Shop and Business Data
| Category | Current Examples |
|---|---|
| Shop Identity | Shop name, shop phone number, shop email (optional), address (optional), country, timezone |
| Shop Settings | Default country, scheduling settings, operating hours, default payment method, holiday overrides |
| Branding | Shop logo image files (JPEG, PNG, or WebP) and related storage paths |
| Team Management | Team-member roles, invite records, preauthorisation records, inviter metadata, invite status |
3.3 End-Client CRM and Appointment Data
| Category | Current Examples |
|---|---|
| Client CRM | Client name, phone number (optional), notes |
| Client Statistics | Total visits, total spend, average spend, first/last visit timestamps |
| Appointments | Customer name and phone at booking, services, assigned professionals, status, type, channel, timestamps, duration, cancellation reason |
| Checkout Records | Total amount, paid status, payment method (cash / UPI / card), immutable checkout and cancellation snapshots |
3.4 Packages, Memberships, and Offer Data
The current implementation also stores package definitions, purchase records, session balances, expiry dates, redemption history, membership tiers, pricing, discounts, freebies, and freebie redemption records.
3.5 Aggregated Analytics Data
Chair stores and computes aggregated operational analytics derived from appointment and transaction data, such as:
- Daily shop revenue, total value delivered, completed appointment count, new client count
- Daily and cumulative revenue and session counts per professional and per service
- Daily unique client visit counts
- Payment-method breakdowns (cash, UPI, card revenue totals)
3.6 Logo and Media Data
The currently supported upload flow is for shop logos only. Accepted formats are JPEG, PNG, and WebP. New logo uploads are stored in Cloudflare R2 object storage (automatic placement; currently Asia Pacific).
3.7 Technical and Usage Data
To operate and secure the Service, we or our infrastructure providers may process:
- IP address and request metadata
- Browser or device user-agent information
- Authentication and session timestamps
- Error details and operational logs
Chair does not currently include third-party advertising trackers, analytics pixels, social-media tracking beacons, or AI inference providers in its live product path.
4. How We Use Information
| Purpose | Data Used |
|---|---|
| Providing the Service | All account, shop, appointment, client, transaction, and catalog data |
| Authentication and Sessions | Email address, session tokens, active-session records, PKCE auth state |
| Real-Time Sync | Operational data broadcast via secure, shop-scoped Supabase Realtime channels |
| Reports and Analytics | Aggregated statistics derived from appointment and transaction records |
| Subscription Management | Subscription tier and status to govern feature access |
| Customer Support | Account and shop information to diagnose and resolve issues |
| Legal Compliance | Where required by applicable law |
In the current version, we do not use operator or end-client data for:
- Sale or rental to third parties
- Advertising or marketing to end-clients
- Third-party ad-tech profiling
- AI model training
- Automatic transmission to Meta / WhatsApp services
5. Legal and Operational Basis
Under the Digital Personal Data Protection Act, 2023 (DPDP Act) and other applicable Indian law:
- Operators' own data: Processed on the basis of your consent (at sign-up) and as necessary to provide the Service
- End-client data entered by Operators: Processed by Artifact on the Operator's behalf. The Operator is responsible for lawful basis from their own clients
- Technical and usage data: Processed to maintain platform security, performance, and reliability
6. Third-Party Infrastructure Providers
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Auth, PostgreSQL database, Realtime channels | All structured data | AWS ap-south-1 (Mumbai, India) |
| Cloudflare R2 | Object storage for shop logos | Shop logo image files only | Automatic; currently Asia Pacific |
| Vercel | Application hosting, CDN, serverless functions | HTTP request metadata, IP addresses | Global CDN / US-based infrastructure |
We do not currently share personal data with advertisers, data brokers, social media platforms, AI/LLM providers, or Meta/WhatsApp.
We may disclose data if required by law, court order, or government authority.
7. Data Retention
7.1 While a Shop Is Active
Shop operational data is retained while the shop remains active in the Service.
7.2 What Happens When a Shop Is Deleted
The in-app destructive flow executes an atomic database transaction that deletes the shop and all dependent operational data, including appointments, client CRM records, snapshots, service catalog, packages, memberships, analytics, and team-member profiles. Logo cleanup in Cloudflare R2 is performed on a best-effort basis.
7.3 What Survives Shop Deletion
Shop deletion is not full identity erasure. The following survive:
- The Owner's login identity and profile (with shop association removed)
- Owner account and subscription history records
- Subscription event logs
- A fresh re-onboarding preauthorisation row
For a broader personal-data deletion request, contact the privacy contact listed below.
7.4 Other Retention Points
- Pending team invitations may remain until used, revoked, or deleted with the shop
- Trial and subscription metadata are not automatically purged on trial expiry
- A self-serve data export or archival workflow is not currently available before deletion
8. Data Security
The current implementation includes:
- Row-Level Security (RLS): All database tables enforce shop-scoped data isolation
- HTTPS / TLS: All communication is encrypted in transit
- Passwordless Authentication: No passwords stored; time-limited magic links with PKCE
- Bearer Token Authentication: All API routes require a valid JWT
- Session Limits: Configurable max concurrent sessions per profile (default: 1)
- Realtime Isolation: Shop-scoped Supabase Realtime channels
- Team Access Revocation: Immediate session termination on deactivation
- Presigned Storage Access: Presigned URLs for logo operations
- Atomic Destructive Operations: Shop deletion is a single database transaction
No system can guarantee absolute security. If you suspect unauthorised access, contact us immediately.
9. Your Rights and Choices
9.1 Operator Rights
| Right | How to Exercise |
|---|---|
| Access | Contact us at the privacy email below |
| Correction | Update profile information directly in the app, or contact us |
| Deletion | Use the in-app “Delete Shop” feature, or contact us for a broader identity-level request |
| Withdrawal of Consent | Delete your account or contact us. Withdrawal does not affect prior lawful processing |
| Data Portability | Contact us to request an export. No self-serve export is currently available; requests are handled manually on a reasonable-effort basis |
9.2 End-Client Rights
End-clients whose information was entered by an Operator should first contact that Operator. If you are unable to obtain a response and believe your rights are being violated, contact Artifact at the privacy email below.
10. Cookies, Local Storage, and Browser-Side State
| Mechanism | Purpose |
|---|---|
| Supabase auth / session state | Login session persistence, including PKCE auth state |
sidebar_state cookie | UI navigation sidebar state (open / collapsed) |
balbro-theme-palette (localStorage) | Theme palette preference |
auth_refresh (localStorage) | Cross-tab auth refresh signalling |
Chair does not use third-party advertising cookies, social-media tracking pixels, or third-party analytics beacons.
11. Children's Data
Chair is a business management platform intended for adult business operators, not for children. However, Operators may enter customer records relating to their own clients, which could include minors, if doing so is lawful and they have any required legal authorisation. Artifact does not market Chair directly to children.
12. Cross-Border Data Processing
The primary structured database is hosted in Mumbai, India (AWS ap-south-1). Shop logo files are stored in Cloudflare R2 using automatic placement, currently in the Asia Pacific region. Some supporting infrastructure may involve systems outside India through Vercel and Cloudflare.
13. WhatsApp and AI Services
The current build does not include a live integration with:
- WhatsApp Business API or Meta Platforms messaging infrastructure
- Any AI or large language model (LLM) service
- Any external automated messaging service
The codebase contains helper logic for phone normalisation and manual WhatsApp-style link composition. Those helpers do not send messages automatically. They generate URLs the operator can choose to open manually. This policy will be updated when such integrations are introduced.
14. Changes to This Privacy Policy
Artifact may update this Privacy Policy from time to time. When material changes are made, we will update the “Last Updated” date and notify you via your registered email or via an in-app notice.
If you do not agree to the updated policy, you may terminate your account before the effective date.
15. Grievance Officer
In accordance with the Information Technology Act, 2000, the IT (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023:
Name: To be announced
Email: privacy@chairapp.co
Location: India
Response time: We will acknowledge your request within 72 hours and endeavour to resolve it within 30 days
16. Governing Law
This Privacy Policy is governed by the laws of India, including:
- The Digital Personal Data Protection Act, 2023 (DPDP Act)
- The Information Technology Act, 2000 and the IT (Amendment) Act, 2008
- The Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011
17. Contact
For any privacy-related questions, requests, or concerns:
Artifact
Email: privacy@chairapp.co
India