Privacy Policy

Last updated: February 2026

1. Who We Are

Zuriya Ltd ("Zuriya", "we", "us", "our") is the data controller of the personal data collected through zuriya.co.uk, a marketplace connecting clients with Afro-Caribbean beauty professionals across the UK. We are registered in England and Wales. For any data-protection enquiry write to privacy@zuriya.co.uk.

2. What Data We Collect

  • Account: Name, email address, password (stored only as a bcrypt hash), profile picture, role (client/provider/admin).
  • Provider profile: Business name, bio, service categories and types (salon/home/mobile), structured address (building, street, city, postcode), portfolio media, transformation photos, videos, Instagram / TikTok handles (used for verification, never displayed publicly), and the data Stripe requires to onboard a Connect Express account (see Section 4).
  • Booking data: Service, date/time, location type, deposit or full payment, add-ons, consultation-form answers, travel fees, promo / referral codes applied, and the cancellation policy in force at the time of booking.
  • Guest checkout: Name, email, phone, and a secure one-time "magic link" token enabling the guest to manage their booking without creating an account.
  • Payment data: Processed by Stripe Payments UK, Ltd. We never receive or store raw card numbers or CVVs. Where a booking is Moderate or Strict and a card on file is required, Stripe returns a tokenised PaymentMethod reference (brand, masked last 4 digits, expiry) which we retain against the booking to authorise off-session captures as described in the Refund & Cancellation Policy.
  • Review data: Ratings and written reviews submitted by clients and providers after completed bookings, including any optional response text.
  • Two-factor authentication: A flag indicating whether 2FA is enabled, an irreversible hash of each of your ten single-use backup codes, and short-lived one-time passcodes emailed to you during a login challenge. Backup codes are shown in plaintext only once (at generation) and can never be retrieved from the database.
  • Recognised devices: A deterministic SHA-256 fingerprint derived from your user ID, a truncated IP prefix (/24 for IPv4, /48 for IPv6), and the browser family. We store this per sign-in so we can alert you by email the first time an unfamiliar device accesses your account, and so you can revoke recognised devices from the Security tab.
  • Security logs: Rate-limit attempts (email + IP + timestamp) for login, registration, OTP verification, and password reset endpoints. Used solely to throttle brute-force attempts.
  • Attribution & referrals: A unique referral code per registered user, and, on the referee side, the referrer's user-ID stored against a booking for the duration of the £5 friend-discount and £5 per-two-completion reward loop (see Terms Section 11).
  • Technical data: IP address, user-agent string, API request method / path / response time, and cookies (see our Cookie Policy). Error stack-traces are retained for debugging.

3. How We Use Your Data

  • To create and maintain your account, including one-time-passcode email verification.
  • To facilitate bookings, messaging, rescheduling, and reviews between clients and providers.
  • To process payments, refunds, off-session card-on-file fee captures, and provider payouts via Stripe and Stripe Connect.
  • To display provider profiles, services, portfolio media, and reviews publicly on the platform.
  • To send transactional emails via SendGrid (booking confirmations, review prompts, new-device alerts, auto-completion notices, payout receipts, account-deletion confirmations, 2FA codes).
  • To manually verify provider identity and work quality at onboarding (portfolio review, social-media handles, Stripe Connect KYC results).
  • To protect the platform from abuse through rate limiting, bot detection (via Cloudflare), device-fingerprint anomaly alerts, and fraud screening by Stripe Radar.
  • To monitor performance and diagnose errors.
  • To comply with legal, tax, and HMRC obligations, including the six-year retention of financial records.

4. Address, Profile & KYC Privacy

  • Home-based providers: Only city and postcode area are shown publicly. The full street address is released to the client only after a booking is confirmed, and is stripped from any non-authenticated API response.
  • Salon providers: The full salon address is displayed publicly so clients know where to attend.
  • Social-media handles: Instagram and TikTok handles are collected during signup for admin verification only. They are never displayed on the public profile.
  • Stripe Connect KYC: Date of birth, legal name, bank-account details, and supporting identity documents collected as part of provider onboarding are submitted directly to Stripe and held by Stripe as a separate data controller. Zuriya only receives a status summary (charges_enabled, payouts_enabled, requirements_due).
  • Payment card details: Entered inside Stripe's PCI-DSS-compliant iFrame (Stripe Elements). We never see the full card number.

5. Lawful Bases for Processing

  • Contract (UK GDPR Art 6(1)(b)): to fulfil the services you book and our agreement with you.
  • Legitimate interests (Art 6(1)(f)): platform safety, device-recognition alerts, brute-force rate limiting, provider verification, abuse prevention, and internal performance monitoring. You may object to this processing at any time.
  • Consent (Art 6(1)(a)): where you opt in to marketing emails or to non-essential cookies.
  • Legal obligation (Art 6(1)(c)): retention of booking and payout records for six years under UK tax law.

6. Who We Share Your Data With

We share only the personal data necessary for each provider to do its job, under written data-processing agreements:

  • Stripe Payments UK, Ltd. & Stripe, Inc.: payment processing (PCI-DSS Level 1), Stripe Connect payouts, card-on-file mandates, fraud detection via Stripe Radar.
  • SendGrid (Twilio, Inc.): transactional email delivery. We may also send SMS through Twilio once our UK short-code is approved.
  • Cloudflare, Inc.: content delivery, DDoS protection, bot management.
  • Cloudflare R2: secure storage of uploaded media (profile images, portfolio, videos).
  • MongoDB Atlas (MongoDB, Inc.): application database, hosted in a UK/EU region.
  • Postcodes.io: UK postcode validation and geocoding.
  • IP-API.com: coarse city/country lookup used only to describe the approximate location in new-device sign-in alert emails. No permanent cross-linking of IP to user is performed beyond the known_sign_ins fingerprint record described in Section 2.
  • Other clients and providers: only the minimum booking details required to fulfil the service (name, contact where relevant, service, date/time). Full home addresses are shared only after booking confirmation.

We do not sell your personal data and we do not use it for third-party advertising.

7. International Transfers

Our processors (notably Stripe and Cloudflare) may transfer data outside the UK, principally to the United States. Where they do, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or on an adequacy decision where available, so that your data remains protected to a standard comparable to UK GDPR.

8. Data Retention & Account Deletion

  • Active accounts: personal data is retained for as long as your account exists.
  • Self-service deletion: from Dashboard → Security → Delete account. On confirmation, your account is deactivated immediately and enters a 30-day grace period. During the grace window you can reactivate by contacting support@zuriya.co.uk. After 30 days we permanently anonymise the record: name becomes [Deleted User]; email and phone are replaced; password hash and avatar are removed; the associated bookings and payouts remain as pseudonymised financial records for the six years required under UK tax law; and messages and notifications are purged.
  • Deletion blockers: self-service deletion is refused while you have an open booking, an active dispute, a pending provider payout in flight, or an unpaid provider balance. Resolve these first and the option re-enables.
  • API request logs: retained for 30 days. Error logs: retained for 90 days. Rate-limit records: auto-expire via database TTL shortly after the window ends.
  • Financial records: bookings, transactions, payouts, and related audit data are retained for six years (HMRC accounting-record requirement).

9. Your Rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you (subject access request).
  • Rectify inaccurate or incomplete data.
  • Request erasure ("right to be forgotten"), most easily exercised through the in-app deletion flow described in Section 8.
  • Restrict or object to processing based on legitimate interests.
  • Data portability: receive a machine-readable export of the data you provided.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority.

Write to privacy@zuriya.co.uk to exercise any of these rights. We respond within one calendar month.

10. Security

Technical and organisational measures we apply include:

  • Passwords stored only as bcrypt hashes. Backup codes stored as hashes too.
  • All traffic over TLS via Cloudflare.
  • Session tokens stored in httpOnly, Secure, SameSite cookies, not accessible to JavaScript.
  • Optional email-based two-factor authentication available to every user, mandatory for admin roles.
  • Device-fingerprint recognition with email alerts on sign-in from an unrecognised device; one-click revoke; bulk "sign out all other devices" action.
  • Sliding-window rate limits on every authentication endpoint to resist brute-force and enumeration attacks.
  • Payments delegated to Stripe (PCI-DSS Level 1); card details never touch our servers.
  • Media stored in Cloudflare R2 with access controls; full street addresses are stripped from non-authenticated API responses.
  • Automated anomaly alerts to our ops team for sign-ins from new locations or bursts of failed logins.

11. Children

Zuriya is not intended for children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with data, contact privacy@zuriya.co.uk and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email and surfaced in-app before they take effect.

13. Contact

For any privacy-related queries, write to privacy@zuriya.co.uk. For service-related issues, email support@zuriya.co.uk.