1. Who We Are
Hue Suite is a product of MLTP TRADING LTD ("we", "us", "our"), which operates the HueLog and HueLink software applications (collectively, the "Services"). We are registered in the Republic of Cyprus and operate under Cypriot and European Union law.
Data Controller: MLTP TRADING LTD
Registration: HE 376839
VAT: CY10376839B
Address: Nikou Kavvadia 1, Nicosia, 2311, Cyprus
Contact: info@mlcygroup.com
2. What Data We Collect
2.1 Account Data
When you create an account, we collect:
- Email address
- Password (encrypted; we never see your plain-text password)
- Salon/business name (optional)
2.2 Salon Business Data
Data you enter while using the Services:
- HueLog: Client names, contact details, color formulas, service history, inventory records, supplier information, medical/allergy notes, patch test dates, consent records
- HueLink: Appointment details, service catalog, pricing, business hours, calendar data, POS transactions, booking page information
2.3 Client Personal Data (Your Customers)
You may enter personal data about your salon clients, including:
- Name, phone number, email address
- Date of birth
- Scalp sensitivity and allergy information
- Marketing consent preferences
- Service history and preferences
Important: When you store your clients' personal data in our Services, you are the Data Controller for that data, and we act as a Data Processor on your behalf. You are responsible for obtaining proper consent from your clients to store and process their data.
2.4 Payment Data
Payments are processed by Stripe. We do not store credit card numbers, bank account details, or other financial credentials. Stripe's privacy policy applies to payment data: stripe.com/privacy.
2.5 Usage Data
We may collect basic usage information such as browser type, device type, pages visited, and session duration. This data is anonymized and used solely to improve the Services.
2.6 Cookies & Local Storage
We use browser storage (localStorage, sessionStorage, and cookies) exclusively for:
- Authentication: Keeping you logged in between sessions
- Preferences: Storing your language preference and settings
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not track you across websites or sell your data to advertisers.
3. How We Use Your Data
We use your data exclusively to:
- Provide and maintain the Services
- Process your subscription payments
- Send transactional emails (account verification, password reset)
- Send service notifications you have enabled (appointment reminders, etc.)
- Provide customer support
- Comply with legal obligations
We will never:
- Sell your data to third parties
- Use your data for advertising purposes
- Share your salon client data with other businesses
- Train AI models on your proprietary formulas or business data
4. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation, we process your data based on:
- Contract Performance: Processing necessary to provide you the Services you've subscribed to
- Legitimate Interest: Improving our Services, preventing fraud, ensuring security
- Consent: For optional marketing communications (you can withdraw consent at any time)
- Legal Obligation: When required by EU or national law
5. Data Sharing
We share your data only with:
- Supabase (database & authentication provider) — data stored in EU data centers
- Stripe (payment processing) — PCI DSS compliant
- Netlify (hosting) — for serving the application
- SMS provider (for appointment reminders, if enabled) — messages sent on your behalf
All third-party processors are bound by data processing agreements and comply with GDPR requirements.
6. Data Storage & Security
Your data is stored securely in Supabase-managed infrastructure. We implement appropriate technical and organizational measures including:
- Encryption in transit (TLS/HTTPS)
- Encrypted passwords (never stored in plain text)
- Role-based access controls
- Regular security updates
7. Data Retention
We retain your data for as long as your account is active and as needed to provide the Services. When you delete your account:
- Your account data is permanently deleted
- Your salon business data (formulas, appointments, clients) is permanently deleted
- Anonymized usage statistics may be retained
- Data required for legal or tax purposes may be retained for up to 7 years as required by law
8. Your Rights (GDPR)
As an EU resident, you have the following rights:
- Right of Access: Request a copy of all data we hold about you
- Right to Rectification: Correct any inaccurate data
- Right to Erasure: Request deletion of your account and all associated data
- Right to Data Portability: Export your data in a machine-readable format
- Right to Restrict Processing: Limit how we use your data
- Right to Object: Object to processing based on legitimate interest
- Right to Withdraw Consent: Withdraw consent for marketing communications at any time
To exercise any of these rights, contact us at info@mlcygroup.com. We will respond within 30 days.
9. Data Portability & Switching
In accordance with the EU Data Act (effective September 2025), you may:
- Export all your data at any time in standard formats (CSV, PDF, Excel)
- Terminate your subscription with no more than 60 days' notice
- Receive all exportable data in a structured, machine-readable format
No switching fees or exit charges apply.
10. International Data Transfers
Your data may be processed by service providers located outside the European Economic Area. When this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
11. Children's Privacy
Our Services are not directed at individuals under 18 years of age. We do not knowingly collect data from children. If you believe a minor has provided us with personal data, contact us and we will delete it promptly.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected individuals without undue delay, as required by GDPR Article 33.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or through a notice in the Services. The "Last updated" date at the top of this page indicates the most recent revision.
14. Contact & Complaints
For privacy questions, data requests, or complaints:
If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection in Cyprus or your local EU data protection authority.