Legal

Privacy Policy

Last updated: 17 June 2026

1. Introduction & data fiduciary

At SEVWAS (operated by Salon Services Private Limited, "we", "us", "our"), your privacy is important to us. This Privacy Policy explains what personal data we collect through our website (sevwas.com) and web application (salonhub-pwa.vercel.app) (together, the "Service"), how we use it, and the rights you have over it.

For the purposes of the Digital Personal Data Protection Act, 2023 (DPDP Act), SEVWAS acts as the Data Fiduciary — the entity that determines the purposes and means of processing your personal data.

2. What data we collect

From Customers

  • Phone number & name — for OTP login (via Firebase) and identity.
  • Booking inquiries — services requested, preferred date/time, salon selected.
  • Device & usage data — IP address, browser type, approximate location (city), and how you interact with the Service.

From Salons / Salon staff

  • Account credentials — email & password (hashed) for CRM login.
  • Business information — salon name, address, city, working hours, services & pricing, photos, map coordinates.
  • KYC documents — identity & business verification documents required for activation.
  • Customer records created within the CRM (bookings, history, notes).

From all users

  • Communications — when you contact support or submit forms.
  • Payment metadata — Razorpay subscription status & payment records (we do not store full card numbers or net-banking credentials).

3. Why we collect it (purposes)

  • To operate the Service — account creation, authentication, salon listing, booking flow.
  • To send notifications — WhatsApp booking confirmations, reminders, payment alerts & receipts (via Gupshup).
  • To process payments — recurring salon subscription billing via Razorpay and tax invoicing.
  • For trust & safety — KYC verification of salons, fraud prevention, marketplace integrity.
  • To provide support — respond to inquiries, troubleshoot, manage tickets.
  • To improve the Service — analytics, performance monitoring, feature development.
  • Legal compliance — meeting obligations under Indian law, GST invoicing, and responding to lawful requests.

Under the DPDP Act, we process your personal data based on:

  • Your consent — which you provide when you create an account, book a salon, or submit a form (you may withdraw consent at any time by contacting us).
  • Performance of a contract — to deliver the Service you signed up for (including your salon subscription).
  • Legal obligation — to comply with Indian law, taxation, and regulatory requirements.
  • Legitimate interests — to operate safely, prevent fraud, and improve the Service, where these do not override your rights.

5. How we share data

We do not sell your personal data. We share it only as described below:

  • Between Customers & Salons — when you submit a booking inquiry, your name, phone number, and requested services are shared with the selected Salon so they can confirm the appointment.
  • With our processors — trusted third parties that help us run the Service (see section 6), under contracts that require them to protect your data.
  • For legal reasons — where required by law, court order, or government authority, or to protect our rights, users, or the public.
  • Business transfers — in the event of a merger, acquisition, or asset sale, data may be transferred subject to this Policy and applicable law.

6. Third-party processors

  • Razorpay — payment processing & subscription billing.
  • Firebase (Google) — phone OTP authentication.
  • Gupshup — WhatsApp business messaging.
  • Supabase / managed database provider — primary data storage.
  • Cloudflare R2 — media/image storage.
  • Google Maps — salon location maps.
  • Cloud hosting (AWS) & Redis — application hosting & job queues.

Each processor operates under its own privacy policy and is contractually bound to process data only on our instructions and in line with applicable law.

7. Data retention

We retain your personal data only for as long as necessary for the purposes set out above:

  • Active accounts: for the lifetime of your account.
  • Salon data after cancellation: retained for a limited period to allow reactivation and meet tax/legal obligations, then deleted or anonymised.
  • Booking & transaction records: retained as required under Indian tax law (typically up to 6–7 years for financial records).
  • KYC documents: retained for the legally required period for verification audit.

8. Security

We take reasonable technical and organisational measures to protect your data, including:

  • HTTPS/TLS encryption in transit.
  • Hashed passwords and signed JWT sessions in isolated namespaces.
  • Helmet-based Content Security Policy, rate limiting, and signed Razorpay webhook verification.
  • Role-based access controls internally; data access is logged.

No system is 100% secure. In the unlikely event of a data breach affecting you, we will notify you and the relevant authorities as required under the DPDP Act.

9. Your rights (DPDP Act 2023)

As a data principal in India, you have the right to:

  • Access a summary of your personal data and how it's processed.
  • Correction & completion of inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — request deletion of your data, subject to legal retention obligations.
  • Nomination — nominate another individual to exercise your rights in the event of death or incapacity.
  • Grievance redressal — contact our Grievance Officer (section 12).

To exercise any of these rights, email support@sevwas.com. We will respond within 30 days.

10. Children's data

The Service is intended for use by adults (18+) and businesses. We do not knowingly collect personal data from children. A parent or verifiable lawful guardian's consent is required where the law requires it for any individual under 18. If you believe a child has provided us data, please contact us and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version here with a revised "Last updated" date and notify you of material changes via email or in-app. Continued use of the Service after changes take effect constitutes acceptance.

12. Contact & grievance officer

For privacy questions, data requests, or to file a grievance under the DPDP Act, contact our Data Protection / Grievance Officer: