GDPR-compliant client records for small beauty salons
Not legal advice. This is a practical overview written from salon experience, not a legal opinion. Privacy and tax rules vary by country and change over time. For anything binding, talk to a solicitor or Rechtsanwalt in your jurisdiction.
Almost every small salon keeps a client file. On paper in a folder behind reception. In an Excel sheet on a personal laptop. In WhatsApp chats on the salon phone. And in the heads of two stylists who have been there for years. All of that is processing of personal data. All of it falls under data protection law. And almost always, at least one of those sources is not clean.
The good news: the rules are workable for a salon with one chair to five staff. You do not need a law firm. You need six principles that you actually understand, a data structure that fits your salon, and an honest answer to the question of what you really need versus what has accumulated over the years.
Where this applies. The framework here is the UK GDPR (for salons in the UK) and the EU GDPR (for salons in the EU and EEA). The two are near-identical in substance, with small divergences post-Brexit that do not change the day-to-day rules for a salon. Country-specific tax retention windows differ, and we flag the UK and Germany numbers below.
What counts as personal data
More than most salons think. A first name plus the line "comes every Friday at 14:00 for a balayage" is already enough to identify a person. Which means all of the following is personal data and needs a legal basis:
- Name, phone number, email, address.
- Appointment history with treatment, duration, price.
- Before-and-after photos, even if they only live on the salon phone.
- Notes on hair texture, allergies, prior treatments, skin sensitivity. Allergy and skin-sensitivity notes can fall under Article 9 (special category data) and need extra care.
- Payment data, even if only Stripe or a card terminal stores it.
- Communication history in WhatsApp, SMS or email.
A handwritten index card with Anna Müller, 0151..., last tint 6/3, allergic to PPD is personal data too. Paper is not a loophole.
Six rules, that's all you need
- Legal basis per data type. Every piece of information you store needs one of the six legal bases in Article 6 of the (UK or EU) GDPR. For a salon, three matter in practice: contract performance (booking, payment, appointment), legitimate interest (a short note about the last tint), and consent (marketing messages, before-and-after photo on Instagram).
- Purpose limitation. Data you collected for booking and treatment cannot be used for marketing without separate permission. Someone who booked one cut is not automatically in your newsletter.
- Storage limitation. Delete data when the purpose is gone. Rules of thumb below.
- Right of access. If a client asks what you have stored about them, you have one month to answer in a form they can understand.
- Right to erasure. On request, you delete all data you are not legally required to keep. Again, one month.
- Technical and organisational measures. Make sure data does not end up in the wrong hands. Password on the salon phone. Screen lock at reception. No Excel on a personal laptop. Only staff who need a client's file can open it, and the file is backed up somewhere you control.
Retention windows
The most common question. A tax-law retention duty takes precedence over a deletion request: Article 17(3)(b) exempts data you must keep to comply with a legal obligation, and that obligation is itself a legal basis under Article 6(1)(c). The headline numbers differ by country, so check the regulator in yours:
- Invoices and payment records. UK: at least 6 years from the end of the last company financial year they relate to (HMRC). Germany: 10 years (§147 AO). Self-employed and sole traders should double-check with their accountant.
- General client file (name, contact, appointment history): As long as the relationship is active. One to three years after the last appointment is a common working rule. Then delete or anonymise.
- Treatment notes, allergies, prior treatments: As long as the person is a client. If they have not been back for two years, the safety-relevant note is no longer needed. Delete.
- Before-and-after photos: Only store with explicit consent. On withdrawal, delete promptly. No upper limit while consent stands.
- WhatsApp history: Sensitive. Strictly, you delete as soon as the communication is no longer needed. In practice: archive or clear old chats once a quarter.
Where salons regularly slip
Four spots that a GDPR check flags first:
- Excel on a personal laptop. If salon data lives on a machine also used privately, shared with family members or without encryption, that is a violation. Either a dedicated salon machine with a password and disk encryption, or a salon tool with clean separation.
- Photo library on the salon phone. Hundreds of before-and-after shots with faces, mixed in with family photos, auto-syncing to iCloud. Exactly what you do not want. Separate salon photos into their own album, disable auto-cloud-sync for that album, or use an app that sorts the photos per client.
- WhatsApp group as a client list. A group for regulars is not only clumsy, it is also legally problematic. Every participant sees every other phone number, so you are disclosing each client's number to strangers. Without explicit consent, that is a violation. Broadcast lists are the clean alternative.
- Old paper cards in the cupboard. Folders of clients who have not been in for five years. Personal data without a purpose. Sort once a year and shred. Do not throw in the regular paper recycling.
Clean consent
Short, clearly worded, taken once at the first booking: on the booking form, at reception, or in the first WhatsApp contact. Three separate checkboxes, all unticked by default (a pre-ticked box is not valid consent), not one that covers everything:
- I agree that my salon stores my appointment and treatment data so they can prepare future visits. (Strictly contract performance, no separate consent needed, but transparency does no harm.)
- I agree that my salon may send me reminders and review requests via WhatsApp.
- I agree that my salon may use my before-and-after photo on its social channels, with first name or anonymously, my choice.
Document the consent. Date, time, which boxes were ticked, and which version of the wording the client saw, so you can show later what they agreed to. If someone withdraws, act on it the same day and record it in their file.
How to handle an access or deletion request
Rare, but when it comes, you have one month. Two short routines at reception or in your tool are enough:
- Access: Which data you have (name, contact, appointments, notes, photos, consents) and where it came from. In a form that does not look like a database export.
- Erasure: Delete everything that is not legally required to keep. Invoices stay for the tax-retention window (6 years UK, 10 years Germany); where your tax rules allow, keep only what the invoice needs (date, amount, service) and unlink it from the contact details. Everything else goes. Then a short confirmation email to the person.
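The two routines above, plus the consent documentation from the previous section, as one worked example. This is added illustration code, not from the original page and not Salonist's own: the record layout, the `record_consent`, `handle_erasure_request` and `access_report` functions, and the sample client are all assumptions. The retention rule counts the UK and German figures from the end of the calendar year of issue, which equates financial year with calendar year; confirm the current numbers with your accountant.

```python
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Optional

# Tax retention windows from the article (UK 6 years, Germany 10 years), counted
# from the end of the calendar year the invoice was issued in. Equating financial
# year with calendar year is a simplification; confirm figures with your accountant.
TAX_RETENTION_YEARS = {"UK": 6, "DE": 10}

# Wording shown at first booking, versioned so you can prove later what was agreed.
CONSENT_TEXT_VERSION = "booking-form-v1"  # hypothetical version label


@dataclass
class Invoice:
    number: str
    issued: date
    amount: float
    client_name: Optional[str]  # None once the invoice has been anonymised


@dataclass
class ClientRecord:
    client_id: str
    name: Optional[str]
    phone: Optional[str]
    email: Optional[str]
    visits: list = field(default_factory=list)      # {"date", "treatment", "price"}
    notes: list = field(default_factory=list)       # one entry per visit, each deletable alone
    photos: list = field(default_factory=list)      # file names in the salon album
    consents: dict = field(default_factory=dict)    # purpose -> {"given", "at", "version"}
    invoices: list = field(default_factory=list)
    log: list = field(default_factory=list)         # audit trail of requests handled


def record_consent(record: ClientRecord, purpose: str, given: bool, at: datetime) -> None:
    """Store each checkbox separately with timestamp and wording version (Art. 7(1))."""
    record.consents[purpose] = {"given": given, "at": at.isoformat(), "version": CONSENT_TEXT_VERSION}
    record.log.append(f"{at.isoformat()} consent '{purpose}' {'given' if given else 'withdrawn/refused'}")


def retention_expired(invoice: Invoice, jurisdiction: str, today: date) -> bool:
    """True when the tax retention window has run out and the invoice may go."""
    keep_until = date(invoice.issued.year + TAX_RETENTION_YEARS[jurisdiction], 12, 31)
    return today > keep_until


def handle_erasure_request(record: ClientRecord, jurisdiction: str, today: date) -> dict:
    """Delete all that is not legally required; anonymise invoices still in their window."""
    kept, deleted = [], []
    for inv in record.invoices:
        if retention_expired(inv, jurisdiction, today):
            deleted.append(inv.number)
        else:
            inv.client_name = None          # amount and date stay for tax, identity goes
            kept.append(inv.number)
    record.invoices = [inv for inv in record.invoices if inv.number in kept]
    summary = {"visits": len(record.visits), "notes": len(record.notes), "photos": len(record.photos),
               "invoices_anonymised": kept, "invoices_deleted": deleted}
    record.name = record.phone = record.email = None
    record.visits, record.notes, record.photos = [], [], []
    for purpose in list(record.consents):   # an erasure request withdraws every consent
        record_consent(record, purpose, False, datetime.combine(today, datetime.min.time()))
    record.log.append(f"{today.isoformat()} erasure request fulfilled: {summary}")
    return summary


def access_report(record: ClientRecord) -> str:
    """Plain-language answer to a right-of-access request, not a database dump."""
    lines = [f"What we hold about you (client reference {record.client_id}):",
             f"Contact: {record.name}, {record.phone}, {record.email}",
             f"Appointments ({len(record.visits)}):"]
    lines += [f"  {v['date']}: {v['treatment']}, {v['price']}" for v in record.visits]
    lines.append(f"Notes ({len(record.notes)}):")
    lines += [f"  {n['date']}: {n['text']}" for n in record.notes]
    lines.append(f"Photos on file: {len(record.photos)}")
    lines.append("Consents:")
    lines += [f"  {p}: {'yes' if c['given'] else 'no'} (recorded {c['at']}, wording {c['version']})"
              for p, c in record.consents.items()]
    lines.append(f"Invoices: {', '.join(i.number for i in record.invoices) or 'none'}")
    return "\n".join(lines)


def sample_record() -> ClientRecord:
    """Constructed sample data for the example, not a real client."""
    r = ClientRecord("c-001", "Anna Müller", "0151 0000000", "anna@example.com")
    r.visits.append({"date": "2024-03-06", "treatment": "tint", "price": 65.0})
    r.notes.append({"date": "2024-03-06", "text": "allergic to PPD, use alternative"})
    r.photos.append("c-001_2024-03-06_after.jpg")
    r.invoices.append(Invoice("INV-2017-041", date(2017, 3, 10), 60.0, "Anna Müller"))
    r.invoices.append(Invoice("INV-2024-112", date(2024, 3, 6), 65.0, "Anna Müller"))
    record_consent(r, "appointment_reminders", True, datetime(2017, 3, 10, 14, 0))
    record_consent(r, "social_media_photos", False, datetime(2017, 3, 10, 14, 0))
    return r


if __name__ == "__main__":
    client = sample_record()
    print(access_report(client))
    print(handle_erasure_request(client, "UK", date(2024, 6, 1)))
```

Run against the sample on 1 June 2024 under the UK window, the 2017 invoice is past its retention date and is deleted outright, while the 2024 invoice is kept with the name removed; under the German window both invoices stay, anonymised. The notes list is per-entry for the reason given in the text: dropping one note does not require touching the rest of the file.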
The quick checklist
- One tool or one salon machine for all client data. No personal laptop.
- Salon phone with a password and screen lock.
- Before-and-after photos in a dedicated album, no auto-cloud sync.
- Broadcast lists, not groups.
- Three separate consents at first booking, documented.
- Sort old clients once a year. Shred paper, delete data.
- A short internal routine for access and deletion requests.
- A Data Processing Agreement (DPA) with every tool that processes your client data. On request, we email ours.
How Salonist helps
Salonist removes the first slip on the list by design. Client data lives in a database with per-salon separation, not on your personal laptop or in a shared Excel sheet. Notes on each visit are per-entry: you can edit a single note or soft-delete it without touching the rest of the client's history, which matters when a client asks you to drop one piece of information but not the whole file. A signed DPA is available by email on request.
What we are still building toward: a one-click client-data export and erasure affordance in the salon-owner UI (the back-end function exists, the button does not yet), and a per-category consent panel visible directly inside the client record. Until those land, an erasure request goes through us by email.