Privacy Policy

We take your privacy seriously. This policy explains what data we collect, how we use it, and your rights under UK GDPR and the Data Protection Act 2018.

Last updated: 27 May 2026 · Effective: 27 May 2026

Template notice: This privacy policy has not been reviewed by a legal professional. Before relying on it, you should have it reviewed by a solicitor experienced in UK data protection law.

1. Who We Are

Feature is a booking and business management platform available at featuresalon.co.uk, operated by Adil Albert, trading as Feature.

For questions about this policy, contact us at: adilgill2008@gmail.com

Our role under UK GDPR

Feature acts as data controller for the personal data of our business subscribers (salon owners, clinic operators, gym managers, and similar). Where subscribers use Feature to manage their own clients' or patients' data, the subscriber is the data controller for those end-client records, and Feature acts only as a data processor — processing that data solely on the subscriber's instruction. This distinction matters for your rights: if you are the client of a business that uses Feature, you should direct data subject requests to that business.

2. Data We Collect

2.1 Business subscribers (account holders)

  • Name and business name
  • Email address and password (passwords are hashed by our authentication provider — we never store plaintext passwords)
  • Business type, slug, and subscription plan
  • Billing information (processed by Stripe — we do not store card numbers)

2.2 Staff members added by the account holder

  • Name, email address, role, and working hours
  • Services they are assigned to perform

2.3 End clients / patients (customers who book via a public booking page)

  • Name, email address, and phone number (provided at booking)
  • Appointment history and service preferences
  • Payment status (we do not store payment card data — processed by Stripe)

2.4 Treatment and clinical notes (special category data)

For health-related businesses (physiotherapists, dental clinics, sports therapists, and similar), appointment notes may contain health data — a special category of personal data under Article 9 of the UK GDPR. This data is:

  • Stored within your account and accessible only to authorised staff members of that business
  • Protected by row-level security (RLS) — other Feature subscribers cannot access it
  • Never displayed publicly or shared with third parties beyond those listed in Section 5

The business subscriber (data controller) is responsible for ensuring they hold the appropriate lawful basis — typically explicit consent or a health-treatment exemption — before recording health data in Feature.

2.5 Usage and technical data

  • Pages visited, features used, and session duration
  • IP address, browser type, and device type
  • Error logs used to diagnose technical issues

3. How We Use Your Data

We use the data we collect to:

  • Provide and maintain the Feature platform
  • Process bookings and send confirmation and reminder messages (email and SMS)
  • Process subscription payments via Stripe
  • Send product updates and important account notices (you can opt out of marketing emails at any time)
  • Detect and prevent fraud, abuse, and security incidents
  • Improve our platform through aggregated, anonymised usage analytics
  • Comply with legal obligations

We do not sell your personal data to third parties. We do not use it for advertising purposes.

4. Legal Basis for Processing (UK GDPR)

  • Contract performance — processing necessary to deliver the Feature service you have signed up for
  • Legitimate interests — fraud prevention, platform security, and service improvement (where our interests are not overridden by your rights)
  • Consent — marketing communications (you may withdraw consent at any time); and, where applicable, processing of special category health data
  • Legal obligation — where we are required by law to process or retain data

For special category health data (treatment notes), processing by Feature as a data processor is on the instruction of the subscriber (data controller), who must have their own lawful basis under Article 9 UK GDPR (typically explicit patient consent or a health-treatment exception).

5. Third-Party Processors

Feature uses the following trusted sub-processors. We have data processing agreements in place with each, and they are permitted to process data only on our instruction:

  • Supabase — cloud database and authentication (EU/UK data storage)
  • Stripe — payment processing (PCI-DSS compliant; we do not store card details)
  • Twilio — appointment reminder SMS messages
  • Resend — transactional email delivery
  • Vercel — application hosting

6. Data Retention

  • Active accounts: data is retained for as long as your account remains active
  • Cancelled accounts: account data is deleted within 90 days of cancellation, unless we are legally required to retain it longer
  • Booking and financial records: may be retained for up to 7 years for financial and legal compliance purposes
  • Health / treatment notes: subscribers operating clinical businesses should set their own retention schedules in line with applicable healthcare regulations (e.g. NHS guidance recommends 8 years for adult records). Feature will retain this data for as long as the subscriber's account is active, and delete it within 90 days of account cancellation
  • Anonymised analytics: retained indefinitely in aggregate form only

7. Your Rights Under UK GDPR

You have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate or incomplete data
  • Erasure — request deletion of your personal data (“right to be forgotten”), subject to our legal retention obligations
  • Restriction — ask us to restrict processing of your data in certain circumstances
  • Portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interests or for direct marketing
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing

Note on data portability: Feature does not currently provide a self-service data export tool. To request a copy of your data, please contact us by email and we will fulfil the request within 30 days.

To exercise any of these rights, email adilgill2008@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

If you are a client of a business that uses Feature (not a Feature subscriber yourself), please direct your data subject rights request to that business — they are the data controller for your records.

8. Cookies

Feature uses the following types of cookies:

  • Essential cookies — required for authentication and session management. These cannot be disabled without breaking the service.
  • Preference cookies — remember your settings (e.g. active account, display preferences). You can clear these in your browser settings.
  • Analytics cookies — anonymised usage data to help us understand how the platform is used and improve it. You may opt out by adjusting your browser settings.

We do not use advertising or cross-site tracking cookies.

9. Security

We implement the following security measures:

  • TLS encryption for all data in transit
  • Encrypted storage at rest via Supabase
  • Row-level security (RLS) so each subscriber account can only access its own data
  • Additional RLS rules restricting health / treatment note access to authorised staff only
  • Password hashing managed by Supabase Auth (plaintext passwords are never stored by Feature)
  • Regular dependency updates and security reviews

Feature is not currently certified to ISO 27001, SOC 2, or any other formal security framework.

In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the ICO within 72 hours as required by UK GDPR, and will notify affected individuals without undue delay where required.

10. International Data Transfers

Feature stores data primarily within the UK and European Economic Area via Supabase. Where data is processed outside the UK/EEA (for example, by Vercel or Stripe infrastructure), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or mechanisms recognised under UK adequacy regulations.

11. Children

Feature is intended for use by businesses and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at adilgill2008@gmail.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify account holders by email at least 14 days before the changes take effect. Continued use of Feature after the effective date constitutes acceptance of the updated policy. The “Last updated” date at the top of this page always reflects the current version.

13. Contact

For any privacy-related questions or requests:
