Legal
Privacy Policy
How SetSally collects, uses, stores, and protects your personal data. Written to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the ePrivacy Directive, and the California Consumer Privacy Act (CCPA/CPRA).
Last updated:
1. Who we are (Controller)
SetSally is the data controller for personal information collected through this website and the SetSally service.
- Controller: SetSally
- Contact email: privacy@setsally.com
- EU representative: Available on request at privacy@setsally.com
For the purposes of GDPR Art. 27, customers who are established in the EU and contract us directly are themselves the data controller for their end-customer data, and SetSally acts as a processor. See our Data Processing Agreement.
2. What personal data we collect
We collect personal data only for specified, explicit, and legitimate purposes, and we do not process it further in a way incompatible with those purposes.
| Category | Examples | Source |
|---|---|---|
| Account & contact | Name, email, phone, workspace name, profile photo | You, when you sign up |
| Service data | Customer names, vehicle plates, service history, invoices | You, when you use SetSally |
| Payment data | Last 4 digits of card, billing address, Stripe Connect account id | Stripe (our processor) — we never see full card numbers |
| Technical data | IP address, user agent, browser type, device type | Automatically, when you use the service |
| Support data | Messages you send us, screenshots, call recordings (with notice) | You, when you contact support |
| Cookies | Session cookie, analytics (only if you opt in), CSRF token | Your browser |
We do not knowingly collect data from children under 16. If you believe a child has provided data to us, contact privacy@setsally.com and we will delete it.
3. Lawful basis for processing (GDPR Art. 6)
| Purpose | Lawful basis |
|---|---|
| Providing the SetSally service | Contract (Art. 6(1)(b)) — necessary to perform our contract with you |
| Billing & payment | Contract + Legal obligation (Art. 6(1)(b) and (c)) — tax law requires us to keep invoices |
| Account & transactional emails | Contract (Art. 6(1)(b)) |
| Marketing emails & analytics | Consent (Art. 6(1)(a)) — you can withdraw at any time |
| Security, fraud prevention, abuse detection | Legitimate interests (Art. 6(1)(f)) — protecting you and us |
| Complying with legal requests | Legal obligation (Art. 6(1)(c)) |
4. How we use your data
We use personal data to:
- Provide, operate, secure, and improve the SetSally service
- Process payments and prevent fraud via Stripe
- Send you service-related emails (receipts, security alerts, policy updates)
- Send marketing communications only with your consent, which you can withdraw at any time
- Respond to support requests
- Comply with legal obligations and enforce our Terms
- Detect and prevent fraud, abuse, and security incidents
We do not sell personal data. We do not use your data to train third-party AI models. We do not share your data with third-party advertisers.
5. Sub-processors
We share data only with carefully vetted sub-processors who are contractually bound to GDPR-level data protection. We notify you of new sub-processors at least 30 days before they receive data, giving you the right to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel | Hosting & edge network | EU / US (SCCs in place) |
| Supabase | Database & file storage (EU region) | EU |
| Stripe | Payments | EU / US (SCCs in place) |
| Clerk | Authentication | EU / US (SCCs in place) |
| Resend | Transactional email | EU / US (SCCs in place) |
| Upstash | Background jobs (QStash) and rate limiting (Redis) | EU / US (SCCs in place) |
| OpenRouter | AI-generated text (only when you opt in) | US (SCCs in place) |
| Sentry | Error monitoring | EU / US (SCCs in place) |
6. International data transfers
SetSally is hosted in the European Union. Some sub-processors listed above may process data outside the EEA, the UK, or Switzerland. When we transfer data internationally, we rely on:
- Standard Contractual Clauses (SCCs) adopted by the European Commission, with supplementary measures where required
- Adequacy decisions where available (e.g. EU-US Data Privacy Framework for US recipients)
- Your explicit consent for occasional, specific transfers
You can request a copy of the SCCs we have in place at privacy@setsally.com.
7. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectification of inaccurate or incomplete data (Art. 16)
- Erasure ("right to be forgotten") (Art. 17)
- Restriction of processing in certain circumstances (Art. 18)
- Data portability — receive your data in a structured, machine-readable format (Art. 20)
- Object to processing based on legitimate interests or for direct marketing (Art. 21)
- Withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 7(3))
- Lodge a complaint with your supervisory authority (Art. 77). A list of EU supervisory authorities is available at edpb.europa.eu.
8. How long we keep your data
We keep personal data only as long as necessary for the purposes for which it was collected, then delete or anonymize it.
| Data | Retention period | Reason |
|---|---|---|
| Account data | While account is active + 30 days after deletion | Re-registration window |
| Service / booking data | While account is active + 90 days | Backups and recovery |
| Invoices & payment records | 10 years | Tax law (varies by jurisdiction) |
| Support tickets | 3 years | Reasonable reference period |
| Backups | 35 days rolling | Disaster recovery only |
| Server logs | 30 days | Security incident investigation |
| Anonymized analytics | Indefinite | Cannot be re-identified |
9. Security
We protect personal data with administrative, technical, and physical safeguards designed for the sensitivity of the data and the state of the art:
- TLS 1.2+ in transit; AES-256 at rest
- Encryption keys managed by our hosting and database providers
- Role-based access control for staff; least-privilege access
- Audit logs on data access
- Annual third-party penetration tests
- SOC 2 Type II controls (in progress)
- Incident response plan with 72-hour breach notification
If we become aware of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours, in line with GDPR Art. 33–34.
10. Automated decision-making and profiling
SetSally does not make decisions based solely on automated processing that produce legal or similarly significant effects on you (GDPR Art. 22). Any AI features we offer (e.g. suggested marketing copy) require your explicit action and are advisory only.
11. Children
SetSally is a B2B service intended for adult business owners. We do not knowingly collect data from anyone under 16. If a child has created an account, contact privacy@setsally.com and we will delete it.
12. Changes to this policy
We will post any changes here and update the "Last updated" date. For material changes we will additionally notify you by email at least 30 days before they take effect, giving you the right to object.
13. California residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what categories of personal information we collect and how we use them
- Request access to your personal information
- Request deletion of your personal information
- Opt out of the sale or sharing of personal information (we do not sell)
- Correct inaccurate personal information
- Limit the use of sensitive personal information (we do not collect any)
To exercise these rights, email privacy@setsally.com. We will not discriminate against you for exercising your rights.
14. Contact & complaints
For any privacy question, complaint, or data subject request, email privacy@setsally.com.
If you are unhappy with our response, you have the right to lodge a complaint with your data protection supervisory authority. EU residents can find their authority at edpb.europa.eu. UK residents can complain to the ICO at ico.org.uk.