Privacy Policy
Last updated 17 May 2026 · General template, not legal advice
This explains what Tovu Studio handles when you use the directory or run a studio, in plain language.
Who we are
The data controller for Tovu Studio is [Tovu Studio operator legal entity — to be completed before launch]. For any privacy request or question, contact support@tovu.studio.
What we collect
- Booking a chair: the name, email and (optional) phone you enter, plus the booking details (studio, service, staff, time).
- Intake forms: studios may add their own intake questions to a service. Depending on the studio and service, these can ask for health-related information (for example allergies, medical conditions, medications, pregnancy) or date of birth, as part of a consent or safety form. Your answers are stored with the booking and are visible to that studio. This can be special-category data under data-protection law — see “Legal basis” below.
- Running a studio: the owner email used to sign in, and the studio content you publish (services, staff, hours, listing text).
- Sessions: a strictly-necessary sign-in cookie for studio owners and admins so you stay logged in. No analytics or advertising cookies are used.
- Operational logs: standard request logs and a record of notifications sent (which may include the recipient email/phone for delivery and audit).
Tovu Studio does not take payments and stores no card or bank data.
Why we use it
Solely to operate the service: show studio pages, create and manage bookings, let owners run their studio, send the confirmations and reminders you ask for, and keep the platform safe (rate limiting and moderation).
Legal basis
We process booking, account and studio data because it is necessary to provide the service you requested (and, for security and logging, our legitimate interest in keeping the platform safe). Where a studio's intake form collects health-related or other special-category information, the basis is your explicit consent, given when you complete and submit that form for your booking. You can withdraw consent and request erasure at any time (see below); withdrawing it means the studio may be unable to provide that service safely.
Third parties
- Email and SMS are sent through Resend and Twilio — only when those integrations are configured, and only the message needed for your booking.
- Data is stored in a managed PostgreSQL database (Neon) and the application is hosted on the deployment platform. These act as data processors on our behalf under their data-processing terms.
We do not sell personal data or use it for advertising.
Retention & your rights
Booking records (including intake answers) are retained while the studio is active and for up to 24 months after the appointment for safety, dispute and audit purposes, then deleted or anonymised. Cancelling a booking marks it cancelled rather than deleting history. Notification logs are retained up to 12 months. Studio/account data is kept while the account is active.
You can exercise your rights of access (a copy of your data), correction, and erasure by emailing support@tovu.studio. On an erasure request we permanently delete the customer record and all associated bookings, line items, notifications and reviews; on an access request we provide an export of that data. We respond within 30 days.
Security
Access to studio data is scoped to that studio's owner; admin tools are restricted; sensitive routes are rate-limited; standard security headers are sent. No system is perfectly secure, but data is handled only as described here.