What client data a salon actually needs — and what to stop collecting

By Jan Vancak, Founder of YourSalon · 7 min read

Walk up to the front desk of most salons and the intake form asks for almost everything: full name, home address, date of birth, occupation, sometimes even an ID number. The instinct is understandable — collect it now, you might need it one day. Data minimisation turns that instinct on its head. Under the GDPR you are meant to hold the least data that still lets you run the business, not the most you can persuade someone to write down.

This is not another legal explainer. For lawful basis, consent and the rights your clients have, read our plain-English guide to GDPR for salons — this article assumes you know the basics. What follows is the practical companion: a field-by-field audit of a salon client record, with a clear keep-or-drop verdict and a retention rule for each one.

Why "collect less" is the safer default

Every field you store is a field you have to protect, justify and eventually delete. A shorter record is quicker to fill in at the desk, there is less to leak if a laptop or phone is stolen, and it is far easier to hand over or erase when someone asks. Minimisation is not about being stingy — it is a security control and a trust signal rolled into one.

There is also a simple transparency test you can apply to any field: would the client be surprised to learn you are storing it? If the answer is yes, you probably should not be. Keeping your client cards and visit history lean means the notes that matter — colour formula, timings, preferences — are not buried under data you never look at.

The field-by-field verdict

Here is the short version. Detail follows the table.

Field                       Keep or drop      Why / retention
Full name                   Keep              Needed to identify the booking. First name + last initial is enough for casual walk-ins.
Mobile phone                Keep              Your single most useful field — reminders, running-late calls, no-show contact.
Email                       Keep if used      Confirmations, receipts, marketing (with consent). Drop it if you never actually email.
Date of birth               Trim              A birthday offer needs the day and month, not the year. Full DOB is usually excessive.
Home / postal address       Drop              Irrelevant for on-site visits. Only mobile and home-service providers need it.
Treatment notes             Keep              Formula, timing, what worked and what did not — the core of good repeat service.
Before / after photos       Keep, minimise    Separate explicit consent, store securely, never post publicly without permission.
Marketing consent record    Keep              You must be able to prove consent — but this is a record, not a data grab.
Health / allergy notes      Keep minimal      Special-category data. Store only what is needed to treat safely, protect it hardest.
National ID / card number   Drop              Never needed for a haircut. High risk, zero operational value.
Payment card number         Never store       Let your payment processor hold it. You do not want that liability.

Working through the fields

Name and phone are the backbone of the record and almost never in question. The phone number in particular earns its place: it powers appointment reminders by SMS and email, which is the cheapest no-show reduction you will ever deploy. Keep both for as long as the client is active.

Email is a keep only if you use it. A salon that never sends a confirmation or a newsletter is holding an email address for no reason — and an unused field is pure liability. If you do email, split operational messages (booking confirmations, receipts) from marketing, because they rely on different lawful bases.

Date of birth is the classic over-collection. The only common reason a salon wants it is a birthday treat — and that needs the day and month, not the birth year. Storing the full date, or worse a national/birth number, tells a data thief someone's exact age and identity. Trim it to what the offer requires.

Home address almost never belongs in a salon record. The client comes to you; you do not post them anything. The exceptions are a mobile stylist, a home-visit service, or physical loyalty mailings you genuinely run. If none of those apply, drop the field from your form entirely.

Treatment notes are the opposite case — this is data you should keep well. Colour formulas, processing times, the fringe length that finally suited them: this is what turns a one-off into a regular and underpins a great first-visit experience the next time round. Keep it specific and professional, not gossip.

Photos deserve their own consent. Before-and-after shots are genuinely useful for the record and for marketing, but they are identifiable images. Take a separate, explicit opt-in, store them behind a login, and never publish a client's face without written permission.

Health and allergy notes are special-category data under the GDPR and carry the highest duty of care. You are allowed to hold what you need to treat someone safely — a patch-test result, a known reaction to a product, a relevant skin condition. You are not allowed to keep a medical history "just in case". Write the minimum, protect it the most.

A quick decision framework

When you are unsure about a field, ask four questions in order:

  1. Could I do the appointment without it? If yes, you probably do not need to store it.
  2. Do I have a lawful basis to hold it? Contract, legitimate interest, or consent — one of these must apply.
  3. Would the client be surprised I kept this? The transparency test. Surprise means trouble.
  4. When exactly will I delete it? If the honest answer is "never", that is a red flag, not a plan.

Your data-minimisation checklist

  • Audit your intake form and delete every field you do not actually act on.
  • Separate marketing consent from the booking itself, with its own tick box.
  • Set a retention clock so dormant records are deleted or anonymised on a schedule.
  • Lock down health notes and photos behind proper access controls.
  • Kill the paper appointment book — a locked digital record beats a notebook anyone can read.
  • Review yearly and prune, the same way you would tidy stock. Leaner records also mean a leaner tool bill; see how salons cut running costs and bake it into your client-database plan.

Retention: how long is long enough

Set a simple, written policy and stick to it. Contact details and visit history live while the client is active, plus a defined dormancy window — many salons settle on 24 to 36 months of inactivity before deletion or anonymisation. Accounting documents such as invoices and receipts follow your national tax retention period, which usually overrides an erasure request. Marketing consent stays until it is withdrawn, health notes stay only while clinically relevant, and photos stay until consent ends. Fold the rules into your written salon policies so every team member applies them the same way.
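As an added illustration (not code from the article or from YourSalon), here is a small Python sketch of the verdict table and the retention rules above: it trims an intake record to the fields a salon can justify, then runs the retention clock over constructed sample clients. The dormancy window, the tax retention period and the field names are assumptions; substitute your own policy values.

```python
from datetime import date

# Assumed policy values: the article cites a 24 to 36 month dormancy window; the
# tax period is a placeholder for your national accounting retention rule.
DORMANCY_MONTHS = 36
TAX_RETENTION_YEARS = 10
TODAY = date(2024, 6, 1)  # constructed "today" for the sample run

# Fields the verdict table says a salon should not hold at all.
DROP_FIELDS = {"home_address", "occupation", "national_id", "card_number"}

def months_between(earlier: date, later: date) -> int:
    """Whole months elapsed between two dates; a partial month does not count."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    return months - 1 if later.day < earlier.day else months

def minimise(record: dict) -> dict:
    """Return a trimmed copy of an intake record holding only justified fields."""
    out = {k: v for k, v in record.items() if k not in DROP_FIELDS}
    dob = out.pop("date_of_birth", None)
    if dob is not None:                    # birthday offer needs day and month only
        out["birthday"] = dob.strftime("%d-%m")
    if not out.pop("salon_sends_email", False):
        out.pop("email", None)             # an address you never use is pure liability
    return out

def retention_action(client: dict, today: date) -> str:
    """Apply the retention clock to one client record."""
    dormant = months_between(client["last_visit"], today)
    return "keep" if dormant < DORMANCY_MONTHS else "anonymise"

def anonymise(client: dict, today: date) -> dict:
    """Drop identity, contact, health notes and photos; keep invoices inside the tax period."""
    invoices = [inv for inv in client.get("invoices", [])
                if today.year - inv["date"].year <= TAX_RETENTION_YEARS]
    return {"client_id": client["client_id"], "invoices": invoices}

# Constructed sample data, not real clients; ID and card values are placeholders.
INTAKE = {"name": "A. Novak", "mobile": "+420 600 000 000", "email": "a@example.com",
          "salon_sends_email": False, "date_of_birth": date(1990, 3, 14),
          "home_address": "Example street 1", "national_id": "PLACEHOLDER",
          "card_number": "PLACEHOLDER", "treatment_notes": "7.1 + 20 vol, 35 min"}
CLIENTS = [
    {"client_id": 1, "name": "A. Novak", "last_visit": date(2023, 12, 20),
     "health_notes": "patch test OK", "invoices": [{"no": "2023-41", "date": date(2023, 12, 20)}]},
    {"client_id": 2, "name": "B. Svoboda", "last_visit": date(2021, 1, 10),
     "health_notes": "reacted to PPD",
     "invoices": [{"no": "2012-07", "date": date(2012, 5, 1)}, {"no": "2021-02", "date": date(2021, 1, 10)}]},
]
```

Client 1 visited five months ago and is kept in full; client 2 has been dormant for 40 months, so only the client id and the one invoice still inside the assumed tax period survive.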

Tools that make minimisation automatic

The right software does most of this for you: a short, configurable booking form, consent captured and logged separately, and a one-click export or delete when a client asks. A tidy salon booking system keeps the fields you chose and nothing more, and a simple online booking flow stops staff from over-typing details into a free-text box.

Disclosure: we build YourSalon, so treat this as a recommendation from the maker. If you want to try a lean, EU-hosted setup, create a free YourSalon account and start with a minimal intake form — you can always add a field later, but you can never un-collect data you never needed.

Minimisation is not a compliance chore you do once. It is a habit: collect the least, protect it well, delete it on time. Do that and the GDPR stops feeling like a threat and starts working as what it really is — the reason your clients keep trusting you with their details.
