Privacy Policy

The data controller within the meaning of Regulation (EU) 2016/679 (GDPR) is Zdeněk Dlouhý, an individual developer established in the Czech Republic, a member state of the European Union. Contact for all data protection matters: info@salonflow.art. Full contact details are provided upon request.

No data protection officer (DPO) is required or appointed, as the controller does not engage in large-scale systematic processing of special categories of data or regular large-scale monitoring of individuals.

All content entered into the iOS/iPadOS/macOS app — salons and circuits, works, acceptances and awards, attached files including PDFs, certificates and photos, notes — is stored exclusively locally on the user's device. This data is never transmitted to the developer or any third party automatically. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

The app may request access to photos and files (solely to add attachments) and to the calendar (only if the user activates reminders). No data accessed via these permissions is transmitted externally. Permissions can be revoked at any time in system Settings.

In-app purchases and subscriptions are processed exclusively by Apple Inc. as an independent data controller. The developer receives no payment card details or billing information. Apple's Privacy Policy and App Store Terms apply.

If you have enabled diagnostics sharing in your Apple system settings, anonymised crash reports and performance data may be transmitted through Apple's infrastructure. This data does not identify you personally and is used solely to improve app stability. Legal basis: legitimate interests (Art. 6(1)(f) GDPR).

E-mail messages sent to support are processed solely to handle your inquiry and are not used for any other purpose. Legal basis: legitimate interests (Art. 6(1)(f) GDPR) — responding to user inquiries.

Standard server logs (IP address, timestamp, browser type, referring URL) may be stored automatically for security, abuse prevention and operational purposes. Only technically necessary cookies are used — no advertising, tracking or analytics cookies are placed without your consent. Legal basis for technically necessary cookies: legitimate interests (Art. 6(1)(f) GDPR).

Both SalonFlow (iOS app) and SalonFlow Light (web) allow you to voluntarily submit selected personal data for publication as a public photographer's portfolio on salonflow.art. This may include: full name, earned titles and awards, club memberships, biography, contact details you choose to share, websites, social media links, exhibition history, competition statistics and selected photographs. Submission requires your explicit, freely given and informed GDPR consent. Data is published only after manual review and approval by the administrator. You may withdraw consent and request removal of your portfolio at any time; removal will be completed within 30 days. Legal basis: consent (Art. 6(1)(a) GDPR). Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

Registration for SalonFlow Light requires an e-mail address and a password. Your password is stored exclusively in irreversibly hashed form using a strong cryptographic algorithm — the developer cannot access or recover your plain-text password. The timestamp and IP address at the moment of GDPR consent are recorded as proof of consent. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

After login, a short-lived access token is stored in your browser's sessionStorage (automatically deleted when the browser tab is closed). A refresh token is stored as an HTTP-only, Secure cookie that is inaccessible to JavaScript. Logging out immediately invalidates the refresh token on the server. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

Salons, entries, results, historical import data and distinction progress are stored server-side and linked to your account. This data is accessible only to you (via your authenticated session) and to the administrator for operational and support purposes. You can export all your data as a JSON file and permanently delete your account at any time from within the service. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

Your e-mail address is used for: (a) e-mail address verification after registration; (b) password reset links requested by you; (c) a single subscription expiry reminder sent 7 days before the end of a paid plan. No promotional or marketing e-mails are sent without separate explicit consent. Legal bases: (a) and (b) performance of a contract; (c) legitimate interests (Art. 6(1)(f) GDPR) — reminding you of a service change affecting your account.

The Web Pro plan is purchased via WooCommerce on salonflow.art. Payment is processed by the integrated payment service provider (e.g. Stripe) acting as an independent data controller under its own privacy policy. The developer receives confirmation of successful payment and stores your plan status, plan type and subscription expiry date, but does not store payment card details or full billing information. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

IP addresses are temporarily processed to detect and prevent abusive requests (rate limiting) and to protect the service from unauthorised access. This data is not retained beyond the technically necessary period and is not used for any other purpose. Legal basis: legitimate interests (Art. 6(1)(f) GDPR) — protecting the security and integrity of the service.

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, in accordance with Art. 32 GDPR. These measures include, without limitation: password hashing using strong one-way cryptographic functions, HTTPS/TLS encryption for all data in transit, HTTP-only and Secure cookie flags for session tokens, and access controls limiting data access to authorised personnel only.

No method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal data using commercially acceptable means, we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay in accordance with applicable law.

By submitting a portfolio for publication, you declare that all photographs are your own original work or that you hold all necessary licences, rights and permissions — including consent from any identifiable persons depicted — to publish them on salonflow.art.

You bear full legal responsibility for the content of your portfolio, including the accuracy of stated competition results and the lawfulness of all published photographs.

SalonFlow acts solely as a hosting and publication platform and does not verify the authorship, accuracy or lawfulness of submitted content. We reserve the right to remove any portfolio or photograph that appears to violate these conditions or applicable law, without prior notice.

If you believe that content published on salonflow.art infringes your copyright or other rights, please contact us immediately at info@salonflow.art with details of the alleged infringement.

We share personal data only to the extent strictly necessary with: (a) Apple Inc. — for App Store operations and diagnostics, acting as an independent controller; (b) the payment service provider (e.g. Stripe) — for Web Pro subscription processing, acting as an independent controller; (c) hosting and e-mail infrastructure providers — acting as data processors under appropriate data processing agreements; (d) visitors of salonflow.art — solely in respect of data you have chosen to publish as a public portfolio.

The controller does not intentionally transfer personal data outside the European Economic Area (EEA). Where transfers occur as a result of using the third-party services listed above (e.g. Apple, Stripe), such transfers are subject to appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission or other adequate transfer mechanisms under Chapter V GDPR.

SalonFlow app — local data: retained on your device until you delete it or uninstall the app.

Support e-mails: retained for up to twelve months after the inquiry is resolved, or longer if required by law or ongoing correspondence.

Website server logs and rate-limiting data: retained only for the technically necessary period, typically no longer than 30 days.

Portfolio data: retained for as long as your portfolio remains published, or until a deletion request is fulfilled (within 30 days of the confirmed request).

SalonFlow Light — account and competition data: retained for as long as your account is active. Upon account deletion, all personal data (account information, salons, entries, history, session tokens) is permanently removed from our servers within 30 days.

SalonFlow Light — session tokens: access tokens expire after a short period; refresh tokens are invalidated immediately upon logout or account deletion.

SalonFlow Light — payment and subscription records: retained for the period required by applicable Czech accounting and tax law (typically 10 years from the end of the relevant accounting period), after which they are securely deleted.

GDPR consent records (timestamp and IP at registration): retained for the duration of the account plus any applicable statutory limitation period, to demonstrate lawfulness of processing.

Right of access (Art. 15 GDPR): You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data.

Right to rectification (Art. 16 GDPR): You have the right to have inaccurate personal data corrected and incomplete data completed without undue delay.

Right to erasure (Art. 17 GDPR): You have the right to request deletion of your personal data where: it is no longer necessary for the purposes for which it was collected; you withdraw consent (where processing is consent-based); or it has been processed unlawfully. SalonFlow Light users can delete their account and all associated data directly from Account → Delete account.

Right to restriction of processing (Art. 18 GDPR): You have the right to request that processing of your personal data be restricted in certain circumstances.

Right to data portability (Art. 20 GDPR): Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format. SalonFlow Light users can export all their competition data as a JSON file at any time from the Account section.

Right to object (Art. 21 GDPR): You have the right to object at any time to processing of your personal data based on legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms.

Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal. Portfolio consent can be withdrawn by requesting deletion of your portfolio.

To exercise any of your rights, contact us at: info@salonflow.art. We will respond within one month of receiving your request. We may request verification of your identity before acting on certain requests.

Right to lodge a complaint: You have the right to lodge a complaint with the supervisory authority — in the Czech Republic: Úřad pro ochranu osobních údajů (UOOU), Pplk. Sochora 27, 170 00 Prague 7, uoou.cz. You may also lodge a complaint with the supervisory authority in your country of habitual residence.

SalonFlow app: Data can be manually deleted at any time within the app. Uninstalling the app permanently removes all local data from your device. Note: system backups (e.g. iCloud) may contain copies of your local data — these are managed by you in Apple Settings.

SalonFlow app — portfolio: Request deletion via Settings → Portfolio → Request deletion. Removal will be completed within 30 days.

SalonFlow Light — export: Download all your competition data as a JSON backup file from Account → Export data at any time.

SalonFlow Light — account deletion: Go to Account → Delete account. Confirmation is required. All personal data will be permanently removed from our servers within 30 days, including published portfolio content.

For any other deletion requests or where in-app options are unavailable, contact: info@salonflow.art.

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us at info@salonflow.art and we will delete such data without undue delay.

We may update this Privacy Policy from time to time. Material changes will be notified to SalonFlow Light users by e-mail or by a notice displayed upon login. The current version is always available at salonflow.art and within the SalonFlow app.

Contact for all data protection enquiries: info@salonflow.art.