Want the product? Manage your salon on YourSalon.cz
Operations & business

GDPR for salons: client data basics made simple

By Jan Vancak· Founder of YourSalon4 min read

Every salon is also a small database of personal data. A name, phone number, email, visit history, sometimes even notes on allergies or the colour a client can't stand — all of that is personal data covered by the GDPR. The good news is that you can meet most obligations with common sense and a few settings, not an expensive lawyer.

This article covers the practical basics of data protection for hair, beauty, barbershops and wellness. This is not legal advice — for disputed situations, consult a specialist or your national data protection authority. The goal is for you to know what to watch out for and how to set up your operation fairly.

What data a salon actually collects

Before you fix anything, get an overview. A typical salon works with:

  • Contact details — name, phone and email for bookings and reminders.
  • Operational data — visit history, services used, prices, the client card and notes on previous treatments.
  • More sensitive notes — allergies, skin or hair condition. Health-related data is a special category and deserves extra care.
  • Marketing preferences — consent to a newsletter, a birthday offer and so on.

A simple rule applies: collect only what you genuinely need. A date of birth for a birthday discount makes sense; a national ID number does not belong on a client card.

The GDPR does not require consent for everything. For everyday operations, rely on these bases:

  1. Performance of a contract — you don't need consent to serve a client and send a booking confirmation. Without their details you simply couldn't provide the service.
  2. Legitimate interest — a transactional appointment reminder by SMS or email often falls here, because it's in both the client's and the salon's interest that they show up.
  3. Consent — you need it for marketing. Send bulk emails and newsletters and promotional SMS only to people who have given clear, freely given consent.

The key is to separate operational from marketing communication. A "your appointment is tomorrow at 2pm" reminder is not the same as "20% off cuts this week". You may not send the latter without consent.

Valid consent is freely given, specific and demonstrable. In practice that means:

  • No pre-ticked boxes. The client must actively opt in.
  • Separate consents for email and SMS marketing, so people can choose.
  • Easy opt-out in every marketing message — an unsubscribe link in email, "STOP" for SMS.
  • A record of consent — when and how the client gave it. A well-chosen booking system usually logs this for you.

How long to keep the data

Personal data should not sit around "forever, just in case". Set a sensible retention period:

  • Active clients — keep data for the duration of the relationship and ongoing care.
  • Inactive clients — if someone hasn't visited in years, consider erasure or anonymisation.
  • Accounting documents — receipts and invoices are subject to tax retention periods, which take priority over erasure.

It's enough to have the policy written down and to stick to it. An annual "tidy-up" review is more than enough.

Client rights you must be able to handle

Under the GDPR clients have several rights, and you should be able to respond to them:

  • Access — what you hold about them.
  • Rectification — when a phone number or name is wrong.
  • Erasure — the "right to be forgotten", unless there is a legal reason to keep the data.
  • Objection to marketing — at any time and immediately.

In practice you'll handle these requests faster if your data lives in one place, not in five notebooks and three phones.

Storing client cards securely

The most common data leak in a small salon isn't a hacker — it's a lost phone, a shared password or a paper book on reception. Basic hygiene:

  • One secure system instead of paper and phone notes. Centralising data is itself a security measure.
  • Strong passwords and an individual account per staff member, so you know who can access what.
  • Limited access — a part-timer doesn't need to see every client's full history.
  • No sensitive notes in open chats like WhatsApp or Messenger.

If you're also handling payments, choose a POS for your salon with an eye on how it handles data and where it hosts it.

Website, cookies and the booking form

The GDPR touches your website too. If you have a salon website with the essentials and a booking form, remember:

  • A cookie banner for analytics and marketing scripts.
  • A privacy policy reachable from the form.
  • Minimal fields in the form — don't ask for anything a booking doesn't need.

Choosing tools that make GDPR easier

Software turns compliance into routine. When choosing, ask:

  • Is the data hosted in the EU and does the vendor offer a data processing agreement?
  • Can the system log consents and separate operational messages from marketing?
  • Can a client's data be exported and deleted in a few clicks?

All of this tends to come with a decent booking system for salons. Instead of paper, you hold data encrypted in one place, handle a client's request in minutes and keep consents documented automatically. The fastest way to try it is to create a free YourSalon account and set up separate consents for reminders and marketing right away.

The GDPR isn't a trap for small businesses — it's a guide to handling data in a way that keeps clients trusting you. And in a salon, trust is the most valuable commodity there is.

Frequently asked questions

Try YourSalon for free

Online booking, automatic reminders and a POS in one place.

Start for free

Continue reading