Setora Privacy Policy

Setora Technology Ltd - Effective February 2026

1. Who We Are and What This Policy Covers

1.1 Setora Technology Ltd (“Setora”, “we”, “us”, or “our”) is a company registered in England and Wales (company number 17025958) with its registered office at 61 Bridge Street, Kington, HR5 3DJ, United Kingdom.

1.2 We operate the Setora platform, a software-as-a-service solution that helps service businesses (such as barbershops, hair salons, and beauty professionals) manage bookings, payments, staff, inventory, client relationships, and communications.

1.3 This Privacy Policy explains how we collect, use, store, share, and protect personal data in connection with the Setora platform. It covers two distinct groups of people:

(a) Business Partners - the businesses (and their staff) that subscribe to and use the Setora platform to manage their operations. When we process your account information, billing data, and usage analytics, we act as a data controller.

(b) Clients - the end-consumers who book appointments, purchase services, or interact with a business through the Setora platform. When we process Client data on behalf of a business, we act as a data processor. The business that you booked with is the data controller for your personal data, and their own privacy policy governs how they use your information.

1.4 We are registered with the Information Commissioner’s Office (ICO) as required by UK data protection law.

2. What Data We Collect

2.1 Data We Collect from Business Partners (Setora as Controller)

When you register for and use the Setora platform as a business, we collect the following categories of personal data:

Account information - Business name, owner name, email address, telephone number, business address, company number. Source: provided by you at registration.

Billing and payment data - Payment method details, billing address, transaction history, invoices. We do not store full card numbers. Source: provided by you; generated through our billing provider.

Platform usage data - Login history, feature usage, configuration settings, support tickets. Source: generated automatically through your use of the platform.

Communications - Emails, support messages, and other correspondence with us. Source: provided by you.

Device and technical data - IP address, browser type, operating system, device identifiers. Source: collected automatically when you access the platform.

2.2 Data We Process on Behalf of Business Partners (Setora as Processor)

When Clients interact with a business through the Setora platform, the following categories of personal data may be processed by us on behalf of that business:

Identity and contact details - Client name, email address, telephone number, postal address.

Booking and service data - Appointment dates and times, services booked, service preferences, provider assigned, booking history.

Payment references - Transaction amounts, deposit status, payment method type (cash, card, online). We do not store full card numbers.

Communication records - Appointment reminders, booking confirmations, cancellation notifications sent via SMS, WhatsApp, or email.

Client notes and preferences - Free-text notes entered by the business about the Client, service preferences, product preferences.

Device and technical data - IP address, browser type, device identifiers collected via the booking widget.

2.3 Special Category Data

The Setora platform does not require or solicit special category data (such as health information, allergies, pregnancy status, or other medical conditions). However, a business may choose to record such information in client notes or booking records. Where this occurs, the business is the data controller for that special category data and is solely responsible for obtaining valid explicit consent from the Client under Article 9(2)(a) of UK GDPR before entering it into the platform.

2.4 Children’s Data

Barbershops and salons routinely serve clients under the age of 18. The UK age of consent for data processing is 13. Where a Client is under 13, the business must ensure that a parent or guardian has provided consent for the processing of that child’s personal data. We do not knowingly collect personal data directly from children under 13 without parental consent. If you believe that we have inadvertently processed a child’s data without appropriate consent, please contact us at hello@setora.co.uk.

3. How and Why We Use Personal Data

The lawful basis for each processing activity depends on Setora’s role (controller or processor) and the specific purpose. The following sets out our processing activities where Setora acts as data controller:

Managing your Setora account - To provide, maintain, and administer your subscription to the platform. Lawful basis: Art 6(1)(b) - contractual necessity. Retention: duration of subscription + 60-day Data Access Period.

Billing and payment collection - To collect subscription fees and manage invoicing. Lawful basis: Art 6(1)(b) - contractual necessity. Retention: 6 years after the end of the financial year (HMRC requirement).

Platform analytics and service improvement - To understand how the platform is used, identify bugs, monitor feature adoption, and improve the user experience. This includes product analytics and session replay via PostHog (EU-hosted) for authenticated Business Partners on the Setora platform. On our marketing website, we use Google Analytics (GA4) to understand visitor behaviour and traffic sources - this is gated behind your cookie consent. Lawful basis: Art 6(1)(f) - legitimate interest. Retention: aggregated/anonymised data retained indefinitely; identifiable usage logs and session recordings retained for 90 days.

Customer support - To respond to your enquiries and resolve issues. Lawful basis: Art 6(1)(b) - contractual necessity. Retention: duration of subscription + 12 months.

Communicating service updates - To notify you of changes to the platform, Terms, pricing, or security matters. Lawful basis: Art 6(1)(b) - contractual necessity.

Marketing to Business Partners - To send you information about new features, tips, or promotions relating to Setora. Lawful basis: Art 6(1)(a) - consent (you may opt out at any time).

Legal compliance and fraud prevention - To comply with legal obligations, enforce our terms, and protect against fraud. Lawful basis: Art 6(1)(c) - legal obligation; Art 6(1)(f) - legitimate interest.

Where Setora acts as data processor (processing Client data on behalf of a business), we process that data only in accordance with the business’s documented instructions and the terms of our Data Processing Agreement.

4. Who We Share Data With

We share personal data only where necessary to provide the platform and as described below. We do not sell personal data to third parties.

4.1 Service Providers (Sub-processors)

Stripe, Inc. - Location: United States. Purpose: subscription billing and consumer deposit collection. Data shared: Business Partner names, email, billing details, payment method tokens; Client names, email, payment refs, transaction amounts. Safeguard: UK-US Data Privacy Framework + SCCs.

Laravel Cloud (via AWS) - Location: EU (London, UK - AWS eu-west-2). Purpose: backend hosting, compute, and database hosting. Data shared: all platform data. Safeguard: UK-hosted.

Vercel Inc. - Location: United States. Purpose: frontend hosting. Data shared: IP addresses, browser metadata. Safeguard: UK-US Data Privacy Framework + SCCs.

Meta (WhatsApp Business API) - Location: United States / EU. Purpose: appointment messaging. Data shared: Client phone numbers, message content (encrypted). Safeguard: UK-US Data Privacy Framework + SCCs.

Resend, Inc. - Location: United States. Purpose: transactional email delivery. Data shared: Client names, email addresses, email content. Safeguard: SCCs + Transfer Risk Assessment.

PostHog, Inc. - Location: EU (Frankfurt, Germany). Purpose: product analytics, session replay, and feature flags. Data shared: IP addresses (anonymised), browser metadata, in-app usage events. Safeguard: EU-hosted instance.

Google LLC - Location: United States. Purpose: marketing website analytics (GA4). Data shared: IP addresses, page views, traffic sources, browser metadata. Safeguard: UK-US Data Privacy Framework + SCCs. Consent-gated.

Crisp IM S.A.S. - Location: France/EU. Purpose: live chat widget on marketing website. Data shared: chat messages, visitor metadata. Safeguard: EU-hosted, no transfer outside EEA.

Reddit, Inc. - Location: United States. Purpose: advertising conversion tracking and retargeting on marketing website. Data shared: IP addresses, page views, browser metadata. Safeguard: UK-US Data Privacy Framework + SCCs. Consent-gated.

4.2 Payment Processors Connected by Business Partners

Where a business connects its own Payment Processor (such as Worldpay, Square, or another provider) through the platform, that Payment Processor operates under a direct contractual relationship between the business and the Payment Processor. We facilitate the connection but do not control the processing.

4.3 Other Disclosures

We may also share personal data:

(a) With law enforcement, regulatory bodies, or courts where required by law or to respond to a valid legal process.

(b) With professional advisers (solicitors, accountants, auditors) who are bound by professional confidentiality obligations.

(c) In connection with a merger, acquisition, or sale of all or substantially all of our assets.

5. International Data Transfers

5.1 Our primary database is hosted in the United Kingdom (AWS eu-west-2, London).

5.2 Where we transfer personal data to the United States, we rely on one or more of the following safeguards:

(a) UK Extension to the EU-US Data Privacy Framework - Where the recipient is certified under the DPF, transfers are permitted without additional safeguards.

(b) Standard Contractual Clauses (SCCs) - We incorporate the UK Addendum to the EU SCCs into our agreements with all US-based providers as a fallback mechanism.

(c) Transfer Risk Assessments - We conduct and document Transfer Risk Assessments for each international transfer, as required by the Data (Use and Access) Act 2025.

5.3 You can request a copy of the relevant transfer safeguards by contacting us at hello@setora.co.uk.

6. How Long We Keep Data

6.1 We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law.

6.2 Business Partner data: If you cancel your subscription, your account enters a 60-day read-only Data Access Period during which you may export all your data. After this period, we delete your data from our live systems within 30 days and from backups within a further 30 days.

6.3 Client data: We retain Client data for the duration of the business’s subscription, plus the 60-day Data Access Period, plus up to 30 days for deletion of backups.

6.4 Billing records: We retain invoices and billing records for 6 years after the end of the relevant financial year, as required by HMRC.

6.5 Logs: System and access logs containing personal data are retained for a maximum of 90 days.

7. Cookies and Similar Technologies

7.1 Our website and the platform use cookies and similar technologies. Under the Privacy and Electronic Communications Regulations 2003 (PECR), non-essential cookies require your prior consent.

7.2 Cookies on Our Marketing Website

The marketing website uses two optional cookies, both gated behind your explicit consent:

  • Google Analytics (GA4) - analytics cookies to understand how visitors use our site, including page views and traffic sources. Data processed by Google LLC (US) under the UK-US Data Privacy Framework.
  • Google Ads attribution (gclid) - a 90-day cookie that records which Google Ads click brought you to our site, used for conversion measurement only.
  • Crisp live chat - Crisp (Crisp IM S.A.S., France) sets session cookies to operate the chat widget. See Crisp’s privacy policy.
  • Reddit Pixel - conversion tracking and retargeting cookie used to measure Reddit Ads performance. Data processed by Reddit, Inc. (US) under the UK-US Data Privacy Framework. Consent-gated.

You can accept or decline these cookies via the banner shown on your first visit. If you decline, analytics will not load, the chat widget will not appear and no ad attribution cookie will be set.

7.3 Cookies in the Setora Platform

Strictly necessary - Essential for the platform to function (authentication, security, session management). Consent required: No.

Product analytics - We use PostHog (EU-hosted) for product analytics within the platform. Processed under Art 6(1)(f) - legitimate interest. Consent required: No.

Functional - To remember your preferences and settings. Consent required: No (strictly necessary for function requested by user).

8. Your Rights

8.1 Under UK GDPR, you have the following rights:

  • Right of access - Request a copy of your personal data.
  • Right to rectification - Correct inaccurate or incomplete data.
  • Right to erasure - Request deletion of your data, subject to legal obligations.
  • Right to restriction - Restrict processing in certain circumstances.
  • Right to data portability - Receive your data in CSV or JSON format.
  • Right to object - Object to processing based on legitimate interest or direct marketing.
  • Right to withdraw consent - Where processing is based on consent, withdraw at any time.
  • Right to complain - Lodge a complaint with the ICO at ico.org.uk or by calling 0303 123 1113.

8.2 To exercise any of these rights, contact us at hello@setora.co.uk. We will respond within one month.

9. How We Protect Your Data

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption of all data in transit (TLS 1.2+) and at rest (AES-256)
  • Multi-factor authentication for all administrative access
  • Role-based access controls within the platform
  • Logical data isolation between business accounts
  • Regular automated backups stored in encrypted, geographically separate locations within the UK or EEA
  • Continuous uptime monitoring and incident response procedures
  • We never store full payment card numbers. All payment processing is handled by PCI DSS-compliant third-party Payment Processors.

10. Automated Decision-Making and Profiling

10.1 We do not currently use automated decision-making (including profiling) that produces legal effects or similarly significant effects on individuals.

10.2 The platform includes analytics and reporting features that generate aggregate insights. These use aggregated or anonymised data and do not constitute profiling of individual data subjects.

11. Third-Party Links and Services

The platform may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of any third party.

12. Changes to This Privacy Policy

12.1 We may update this Privacy Policy from time to time. Where we make material changes, we will notify Business Partners by email at least 30 days before the changes take effect.

12.2 The “Effective Date” at the top of this policy indicates when it was last updated.

13. Contact Us

Email: hello@setora.co.uk

Post: Setora Technology Ltd, 61 Bridge Street, Kington, HR5 3DJ, United Kingdom

ICO: If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office at ico.org.uk or by calling 0303 123 1113.

14. Electronic Commerce Regulations Disclosures

Company Name: Setora Technology Ltd

Company Number: 17025958

Registered Office: 61 Bridge Street, Kington, HR5 3DJ, United Kingdom

Contact Email: hello@setora.co.uk

VAT Number: Not yet VAT-registered. Will be updated upon registration.

Supervisory Authority: Information Commissioner’s Office (ico.org.uk)
