Privacy Policy

1. Who We Are

Certxa ("Certxa", "we", "us", "our") operates the salon management platform available at certxa.com and its sub-domains. We provide appointment scheduling, point-of-sale, client management, loyalty programs, and Google Business Profile review management to beauty and wellness professionals.

For questions about this policy, contact us at privacy@certxa.com.

2. Data We Collect

Account & Profile Data

• Name, email address, phone number
• Business name, address, and type (salon, barbershop, spa, etc.)
• Password (stored as a salted bcrypt hash — never in plain text)
• Profile photo (if uploaded)
• Billing information (processed by Stripe — we do not store full card numbers)

Operational Data

• Appointment records, service history, and client notes
• Staff schedules and commission rates
• Payment records and cash drawer logs
• Inventory and product records
• SMS and email communication logs

Client Data You Provide

When you add clients to Certxa, you provide us with their names, phone numbers, email addresses, and service history. You represent that you have obtained any necessary consent from your clients to provide this information to us and to contact them through our platform.

Usage & Technical Data

• Log data: IP address, browser type, pages visited, timestamps
• Device information: screen resolution, operating system
• Session tokens (stored in encrypted, server-side sessions)

3. Google Business Profile API Data

What We Access

When you choose to connect your Google Business Profile to Certxa, we request the following OAuth 2.0 scope:

• https://www.googleapis.com/auth/business.manage — allows us to list your Google Business accounts, locations, and read/respond to reviews on your behalf.

Using this scope, we access:

• Your Google Business account name(s) and account IDs
• Business location names, addresses, and location IDs
• Customer reviews posted on your Google Business Profile (reviewer name, star rating, review text, and date)
• Your existing review replies (if any)

What We Do With This Data

• Display: We show your Google reviews inside the Certxa dashboard so you can read and respond to them without leaving the app.
• Store: We store a copy of your reviews in our database to power search, filtering, and analytics features within your account.
• Respond: When you write a reply in Certxa, we post it to Google on your behalf using the API.
• Sync: We periodically sync new reviews automatically (every 6 hours) so your dashboard stays current.

What We Do NOT Do

• We do not sell, rent, or share your Google review data with any third party.
• We do not use your Google data to serve you advertisements.
• We do not automatically delete, hide, or manipulate any reviews.
• We do not generate or post fake reviews.
• We do not transfer your Google data to any AI model training pipeline.
• We do not use Google data for any purpose other than providing the review management features you requested.

OAuth Tokens

When you authorize Google access, Google provides Certxa with an access token and a refresh token. These tokens:

• Are stored encrypted in our database (never in browser storage or logs)
• Are never transmitted to your browser or to any third party
• Are used exclusively to make API calls on your behalf
• Are deleted from our database when you disconnect your Google account

Disconnecting Google

You can disconnect your Google Business Profile at any time by navigating to Settings → Integrations → Google Business Profile → Disconnect. Upon disconnection:

• Your OAuth tokens are deleted immediately from our database
• Automatic review syncing stops immediately
• Previously synced reviews remain in your Certxa account unless you also request data deletion (see Section 7)

You can also revoke access independently through your Google Account permissions page.

4. How We Use Your Data

• To provide the service: Running your calendar, bookings, payments, and client management
• To communicate with you: Account alerts, billing notices, product updates (you can opt out of marketing)
• To support you: Diagnosing and fixing technical issues
• To improve Certxa: Aggregated, anonymised usage analytics (never individual-level data shared externally)
• To comply with law: Fraud prevention, legal obligations, and enforcement of our Terms of Service

5. Data Sharing & Third Parties

We do not sell your personal data. We share data only with the following categories of service providers, strictly to operate Certxa:

• Stripe — payment processing (governed by Stripe's privacy policy)
• Twilio — SMS delivery for appointment reminders
• Mailgun / Postmark — transactional email
• Google APIs — only data you explicitly authorise us to send/receive
• Cloud hosting — our servers where your data is stored

We require all service providers to maintain appropriate data protection standards. We do not allow them to use your data for their own purposes.

We may disclose data if required by law, court order, or to protect the rights, property, or safety of Certxa, our users, or the public.

6. Data Retention

• Active accounts: Data is retained for the duration of your subscription.
• Cancelled accounts: We retain data for 90 days after cancellation to allow account recovery, then delete or anonymise it.
• Google API data: OAuth tokens are deleted immediately on disconnection. Synced review records are deleted within 30 days of account deletion.
• Billing records: Retained for 7 years as required by financial regulations.
• Logs: Server logs are retained for 30 days for security monitoring, then purged.

7. Security

• All data is transmitted over HTTPS/TLS — never plain HTTP
• Passwords are stored using bcrypt with per-user salts
• OAuth tokens are stored encrypted at rest
• Client secrets and API keys are stored as server-side environment secrets, never committed to source code or logged
• Session tokens use HttpOnly, Secure, SameSite=Lax cookies
• Database access is restricted to application servers; no public access
• We perform periodic security reviews and dependency audits

If you believe you have found a security vulnerability, please report it to security@certxa.com.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of the personal data we hold about you
• Correction: Correct inaccurate or incomplete data
• Deletion: Request deletion of your account and personal data
• Portability: Receive your data in a machine-readable format
• Objection: Object to processing for direct marketing purposes
• Restriction: Request we restrict processing in certain circumstances

To exercise any of these rights, email privacy@certxa.com. We will respond within 30 days. For Google-specific data, you may also manage access via your Google Account.

9. Cookies & Tracking

We use the following types of cookies:

• Strictly necessary: Session cookie for authentication — cannot be disabled
• Functional: Remember your UI preferences (e.g., theme, timezone)
• Analytics: Aggregated, anonymised page-view analytics — no cross-site tracking

We do not use third-party advertising cookies. You can manage cookies through your browser settings.

10. Children's Privacy

Certxa is a business platform intended for users aged 18 and over. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child under 13, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address on your account) and post the updated policy here with a revised "Last updated" date. Continued use of Certxa after the effective date constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related questions, data requests, or to exercise your rights:

• Email: privacy@certxa.com
• Support: support@certxa.com
• Website: certxa.com/contact