Fhresh

Legal

Privacy Policy

Effective date: 28 April 2026

This Privacy Policy explains how Fhresh (β€œFhresh”, β€œwe”, β€œus”, β€œour”) collects, uses, shares and protects personal information when you use our website, applications and services (the β€œPlatform”), and the rights you have over your data. It forms part of our Terms of Service.

1. Who is responsible for your data

Fhreshis the "controller" (UK/EU GDPR) or "business" (CCPA/CPRA) of personal information collected through the Platform, except where we are processing it on behalf of a Business that uses our tools (in which case that Business is the controller and we act as processor β€” see Section 16).

You can contact our privacy team at privacy@fhresh.app. If you are in the UK or EU you can also reach our Data Protection lead at dpo@fhresh.app.

2. What we collect

The categories of personal information we collect depend on how you use the Platform:

2.1 You give us

  • Account data β€” name, email, password (hashed), role (customer or business), country, phone (optional).
  • Profile & listing data β€” for businesses: business name, address, services, prices, opening hours, staff names, photos, policies, social links.
  • Booking data β€” services booked, date/time, staff, notes you add, cancellation events.
  • Reviews & messages β€” content you post on the Platform, including ratings and replies.
  • Support communications β€” emails and forms you send to us.

2.2 Collected automatically

  • Device & usage β€” IP address, browser type, OS, pages viewed, referring URL, search terms, timestamps.
  • Cookies & similar β€” see Section 12.
  • Diagnostics β€” error logs, performance metrics (e.g. via Sentry).

2.3 From third parties

  • Payment / KYC β€” Stripe shares limited verification, payout and dispute data with us about Customers and Businesses.
  • Identity providers β€” if you sign in with a social account, we receive the basic profile data you authorise.
  • Fraud-prevention & analytics partners β€” risk signals, aggregated usage data.

We do not knowingly collect special-category / sensitive data (e.g. health data) and ask Customers not to submit it. If a Business asks for health information (e.g. allergy notes), the Business is the controller for that data.

3. How we use it

  • Run the Platform β€” create your account, list businesses, take and confirm bookings, deliver messages, calculate fees, issue refunds.
  • Process payments β€” via Stripe, including fraud and dispute handling.
  • Communicate β€” booking confirmations, reminders, support replies, important service notices.
  • Personalise β€” show relevant services, recently viewed shops, search rankings.
  • Improve and secure β€” debugging, analytics, capacity planning, abuse detection, account-takeover prevention.
  • Marketing β€” only with the consent or legitimate interest the law allows; you can opt out at any time (see Section 13).
  • Comply with law β€” tax records, financial-services rules, AML / sanctions screening, responding to lawful requests.
  • Defend our rights β€” investigate breaches of our Terms, enforce contracts, protect users.

5. Who we share it with

We do not sell your personal information. We share it only as needed to run the Platform, in the following categories:

  • Businesses you book with β€” your name, contact details, booking time, service and any notes you add at booking.
  • Customers who book you β€” for Businesses, the Customer's name, contact details and booking notes.
  • Service providers / processors β€” including:
    • Stripe (payments, KYC, payouts, fraud) β€” stripe.com/privacy;
    • Supabase (authentication, database hosting);
    • Vercel (application hosting);
    • Upstash / Redis (rate limiting, caching);
    • Sentry (error reporting);
    • email and SMS providers (transactional notifications);
    • analytics providers (where used).
  • Professional advisers β€” lawyers, auditors, insurers under confidentiality.
  • Authorities β€” when we are legally required to disclose (e.g. court order, regulator request) or to protect our or others' rights.
  • Successors β€” in a merger, acquisition, financing or sale of assets, with appropriate safeguards.

6. International transfers

Some of our service providers (e.g. Stripe, Vercel, Sentry) operate in the United States and other countries outside the UK / EEA. When we transfer personal data outside the UK or EEA, we put in place appropriate safeguards required by law, including:

  • UK / EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum;
  • reliance on UK or EU adequacy decisions where they exist;
  • additional technical measures such as encryption in transit and at rest.

You can ask privacy@fhresh.app for a copy of the relevant safeguards.

7. How long we keep it

We keep personal data only as long as we need it for the purposes described in this Policy, then either delete it or anonymise it. Typical retention periods:

  • Account data β€” for the life of your account, then up to 6 years for legal / tax records.
  • Booking and payment records β€” at least 6 years (UK) / 7 years (US states / Australia) to satisfy financial-record laws.
  • Reviews β€” kept on the Platform unless removed under our policies; anonymised on request where appropriate.
  • Support communications β€” up to 3 years from last contact.
  • Logs & security β€” typically 30–90 days, longer if needed to investigate an incident.
  • Marketing preferences β€” kept indefinitely so we honour your opt-outs.

8. How we protect it

  • Encryption in transit (HTTPS/TLS) and at rest where the underlying provider supports it.
  • Hashed passwords; access controls and least-privilege for staff.
  • Regular dependency updates, security monitoring and rate limiting.
  • Stripe handles full card data under PCI-DSS Level 1 β€” Fhresh does not store card numbers.
  • Incident-response procedures and a duty to notify regulators / users where the law requires.

No system is perfectly secure. You are responsible for keeping your account credentials confidential and for using a strong, unique password.

9. Your rights (UK / EU / worldwide)

Subject to local law, you have the right to:

  • Access the personal data we hold about you;
  • Rectify inaccurate or incomplete data;
  • Erase your data ("right to be forgotten"), subject to our legal retention duties;
  • Restrict processing in certain cases;
  • Object to processing based on legitimate interests, including for direct marketing;
  • Portability β€” receive a machine-readable copy of data you provided;
  • Withdraw consent at any time where processing is based on consent;
  • Not be subject to automated decisions with legal / similarly significant effects without human review (we don't currently make such decisions).

To exercise any of these rights, email privacy@fhresh.app. We may need to verify your identity. We will respond within the time required by law (one month under UK / EU GDPR; we may extend by two further months for complex requests).

You also have the right to complain to your local data-protection authority β€” for example the UK ICO or your country's supervisory authority in the EEA.

10. California & other US state privacy rights

If you are a California resident, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) gives you rights that mirror the ones listed above, including the right to:

  • Know the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it;
  • Delete your personal information, subject to legal exceptions;
  • Correct inaccurate information;
  • Opt out of sale or sharing β€” Fhresh does not "sell" personal information for money, and we do not "share" it for cross-context behavioural advertising. If that ever changes, we will provide a clear "Do Not Sell or Share My Personal Information" link;
  • Limit use of sensitive personal information β€” we don't process sensitive data for purposes beyond running the service;
  • Non-discrimination β€” we won't deny service or charge a different price for exercising these rights.

You may submit a request to privacy@fhresh.app. You may also designate an authorised agent. We will respond within the time required by law.

Other US statesβ€” residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have similar rights (access, delete, correct, opt out of targeted advertising and sale). You can exercise them the same way. If you are unsure which law applies to you, contact us and we'll help.

Shine the Light (California Civil Code Β§ 1798.83) β€” California residents may request information about disclosures of personal information to third parties for their direct-marketing purposes. We do not currently make such disclosures.

11. Australia (Privacy Act 1988)

If you are in Australia, we handle personal information in line with the Australian Privacy Principles (APP). You have the right to access and correct your personal information, and to make a complaint about how we handle it. If you are dissatisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC).

12. Cookies & tracking

We and our service providers use cookies and similar technologies (local storage, SDKs, pixels) to:

  • Keep you signed in and remember preferences (strictly necessary, set without consent);
  • Measure traffic and feature usage in aggregate;
  • Improve security (rate-limit abuse, detect bots);
  • Show relevant content (e.g. recently viewed listings).

Where required (UK / EU PECR & ePrivacy, equivalent rules in other countries) we ask for your consent to non-essential cookies via a banner, and you can change your choices at any time. You can also block cookies in your browser settings, but parts of the Platform may not work as intended without them.

We honour Global Privacy Control (GPC) signals where the law recognises them as a valid opt-out of sale/share or targeted advertising.

13. Marketing & preferences

We send transactional messages (e.g. booking confirmations) as part of the service. For marketing emails, we rely on consent or, where the law allows, the "soft opt-in" for existing customers, with a clear opt-out in every message. You can unsubscribe at any time using the link in the email or by emailing privacy@fhresh.app.

14. Children

The Platform is not intended for children under the age of 16 (or higher where local law sets a higher digital-consent age). We do not knowingly collect personal data from children. If you believe we have, contact privacy@fhresh.app and we will delete it.

15. Third-party links & services

The Platform may contain links to third-party sites and services. We are not responsible for their content or privacy practices. Always review their policies before sharing data with them.

16. Businesses as independent controllers

When a Business uses Fhresh tools to manage its own customer relationships (bookings, messages, marketing it sends, reviews it collects), the Business is an independent data controller for that data under UK / EU GDPR and equivalent laws. Each Business is responsible for its own privacy notice, lawful basis, retention and security obligations to its customers. Fhresh acts as a processor for that limited use and provides standard data-processing terms on request to dpo@fhresh.app.

17. Changes to this Policy

We may update this Policy from time to time. If we make material changes we will notify you by email or in-app at least 14 days before they take effect (or sooner if required by law). The "Effective date" at the top will always reflect the current version, and we will keep an archive of previous versions on request.

18. Contact us