GDPR for salons: client data basics made simple
Every salon is also a small database of personal data. A name, phone number, email, visit history, sometimes even notes on allergies or the colour a client can't stand — all of that is personal data covered by the GDPR. The good news is that you can meet most obligations with common sense and a few settings, not an expensive lawyer.
This article covers the practical basics of data protection for hair, beauty, barbershops and wellness. This is not legal advice — for disputed situations, consult a specialist or your national data protection authority. The goal is for you to know what to watch out for and how to set up your operation fairly.
What data a salon actually collects
Before you fix anything, get an overview. A typical salon works with:
- Contact details — name, phone and email for bookings and reminders.
- Operational data — visit history, services used, prices, the client card and notes on previous treatments.
- More sensitive notes — allergies, skin or hair condition. Health-related data is a special category and deserves extra care.
- Marketing preferences — consent to a newsletter, a birthday offer and so on.
A simple rule applies: collect only what you genuinely need. A date of birth for a birthday discount makes sense; a national ID number does not belong on a client card.
Lawful basis: when a contract is enough and when you need consent
The GDPR does not require consent for everything. For everyday operations, rely on these bases:
- Performance of a contract — you don't need consent to serve a client and send a booking confirmation. Without their details you simply couldn't provide the service.
- Legitimate interest — a transactional appointment reminder by SMS or email often falls here, because it's in both the client's and the salon's interest that they show up.
- Consent — you need it for marketing. Send bulk emails and newsletters and promotional SMS only to people who have given clear, freely given consent.
The key is to separate operational from marketing communication. A "your appointment is tomorrow at 2pm" reminder is not the same as "20% off cuts this week". You may not send the latter without consent.
Consent that actually holds up
Valid consent is freely given, specific and demonstrable. In practice that means:
- No pre-ticked boxes. The client must actively opt in.
- Separate consents for email and SMS marketing, so people can choose.
- Easy opt-out in every marketing message — an unsubscribe link in email, "STOP" for SMS.
- A record of consent — when and how the client gave it. A well-chosen booking system usually logs this for you.
How long to keep the data
Personal data should not sit around "forever, just in case". Set a sensible retention period:
- Active clients — keep data for the duration of the relationship and ongoing care.
- Inactive clients — if someone hasn't visited in years, consider erasure or anonymisation.
- Accounting documents — receipts and invoices are subject to tax retention periods, which take priority over erasure.
It's enough to have the policy written down and to stick to it. An annual "tidy-up" review is more than enough.
Client rights you must be able to handle
Under the GDPR clients have several rights, and you should be able to respond to them:
- Access — what you hold about them.
- Rectification — when a phone number or name is wrong.
- Erasure — the "right to be forgotten", unless there is a legal reason to keep the data.
- Objection to marketing — at any time and immediately.
In practice you'll handle these requests faster if your data lives in one place, not in five notebooks and three phones.
Storing client cards securely
The most common data leak in a small salon isn't a hacker — it's a lost phone, a shared password or a paper book on reception. Basic hygiene:
- One secure system instead of paper and phone notes. Centralising data is itself a security measure.
- Strong passwords and an individual account per staff member, so you know who can access what.
- Limited access — a part-timer doesn't need to see every client's full history.
- No sensitive notes in open chats like WhatsApp or Messenger.
If you're also handling payments, choose a POS for your salon with an eye on how it handles data and where it hosts it.
Website, cookies and the booking form
The GDPR touches your website too. If you have a salon website with the essentials and a booking form, remember:
- A cookie banner for analytics and marketing scripts.
- A privacy policy reachable from the form.
- Minimal fields in the form — don't ask for anything a booking doesn't need.
Choosing tools that make GDPR easier
Software turns compliance into routine. When choosing, ask:
- Is the data hosted in the EU and does the vendor offer a data processing agreement?
- Can the system log consents and separate operational messages from marketing?
- Can a client's data be exported and deleted in a few clicks?
All of this tends to come with a decent booking system for salons. Instead of paper, you hold data encrypted in one place, handle a client's request in minutes and keep consents documented automatically. The fastest way to try it is to create a free YourSalon account and set up separate consents for reminders and marketing right away.
The GDPR isn't a trap for small businesses — it's a guide to handling data in a way that keeps clients trusting you. And in a salon, trust is the most valuable commodity there is.
Frequently asked questions
Try YourSalon for free
Online booking, automatic reminders and a POS in one place.
Start for freeYou might also like
Client profiles and visit history
How to keep client profiles with a complete visit history, what to record and how to turn that data into loyal guests and higher revenue.
Email and SMS marketing for salons
A practical guide to building a consented list and running welcome, win-back and birthday campaigns over email and SMS.
Automatic SMS and email appointment reminders
A practical guide to turning on automatic SMS and email reminders — when to send them and how to write a message clients actually read.
Salon website essentials
A practical checklist of the elements that turn a salon website into a booking machine — from the book button to reviews and mobile speed.
What client data a salon actually needs — and what to stop collecting
A practical, field-by-field audit of the salon client record — name, phone, birthday, address, notes, photos, health flags — with a clear keep-or-drop verdict and a retention rule for each.
Can you take your clients with you? A practical export test for your booking system
Most salons never test whether they can leave their booking system until the day they want to. Here is a hands-on checklist to find out — before you are locked in.
Continue reading
AI wrote it in a minute. Why that still isn't expert salon content
A language model produces text that looks expert without being expert. Here's the gap — experience, verification, a named author — and a checklist to turn any AI draft into genuine salon expertise.
Cancellation terms clients actually understand: plain-language rewrite patterns
Before-and-after rewrites that turn contract-speak cancellation terms into clauses a client understands on the first read — plus a template, a table and a checklist.
When a deposit protects your salon — and when it just costs you bookings
Deposits are neither good nor bad — it depends where you point them. A decision matrix by service value, duration, client history and demand, with a sizing table and a checklist.
How to describe your services so clients, Google and AI all understand them
A photo of your price list looks fine to a human and means nothing to a machine. Here's how to structure service names, inclusions, duration and price so clients, Google and AI assistants can all read what you actually offer.