1. Overview
Trimmo ("Trimmo", "we", "us", "our") provides online booking software for salons, barbershops, and independent stylists in Canada. This Privacy Policy ("Policy") explains what personal information we collect, the legal basis for processing it, how we use and share it, how long we keep it, and the choices available to you.
This Policy is written to comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the Canada Anti-Spam Legislation (CASL), and provincial privacy legislation where applicable. "Personal information" means information about an identifiable individual, as defined in PIPEDA section 2(1).
If you are accessing Trimmo from outside Canada, your information will be processed in Canada and in other jurisdictions where our service providers operate (see Section 13).
2. Who we are
Trimmo is operated by Trunex Solutions, from Ontario, Canada. Our Privacy Officer is responsible for our compliance with this Policy and with PIPEDA. For privacy questions, access requests, corrections, consent withdrawal, or complaints, contact our Privacy Officer:
- Email: [email protected]
- Mail: Trimmo c/o Trunex Solutions, Ontario, Canada
3. What information we collect
We collect personal information directly from you and, in limited cases, from third-party services you choose to connect.
3.1 Salon owners and team members ("account holders")
- Identity: name, email address, phone number, password (stored using industry-standard one-way hashing — we never store plaintext passwords).
- OAuth profile data: if you sign in with Google, we receive your name, email, and profile photo from Google. We do not receive your Google password. Data received from Google is used solely to create and maintain your account and is not used for advertising or shared with third parties beyond what is described in this Policy. Trimmo's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- Business details: business name, address, timezone, tax registration number, booking policy, logo, cover image, gallery photos.
- Payment-processing details: information you provide to Stripe during Connect onboarding. Trimmo receives only the resulting account identifier and payout status — we never see or store bank account numbers or card details.
- Operational data: services, availability, appointments, client notes, gallery, reviews, and revenue metrics you enter into the platform.
- Technical data: IP address, user agent, browser type, and session tokens used for authentication and security.
3.2 Clients who book through a salon ("booking clients")
- First and last name, phone number, email address.
- Appointment details: service, date, time, provider, and any notes you add.
- Optional profile information your salon may record after a visit (e.g., hair profile, color formulas). This data is controlled entirely by the salon.
- Payment details collected directly by Stripe on the salon's behalf when a deposit or charge is required. Trimmo does not receive raw card numbers.
- Review content, star rating, and optional review photos if you submit a review.
- Technical data: IP address (used for rate limiting and abuse prevention only — not for tracking).
Who controls your data: when you book with a salon, that salon is the data controller for your appointment information and any profile data they record about you. Trimmo acts as the salon's data processor — storing and processing the data on their behalf according to their instructions. Requests to delete or correct your appointment record should be directed to the salon. You may also contact us and we will assist. We recommend reviewing the salon's own privacy practices as well.
3.3 Sensitive information
Some client profile data that salons may record — such as hair formulas, skin conditions, or allergy information — may be considered sensitive personal information under PIPEDA. Trimmo provides the tools for salons to record this information, but the salon is responsible for obtaining appropriate express consent from their clients before collecting it. Trimmo applies enhanced safeguards to all client profile data regardless.
3.4 Mobile phone numbers and SMS
Your mobile phone number and SMS opt-in consent are never sold, rented, or shared with third parties for promotional purposes. Your phone number is shared only with our SMS delivery provider for the sole purpose of delivering transactional messages related to your booking. You may receive up to 5 SMS messages per appointment (confirmation, reminder, cancellation, rescheduling, review request). Message and data rates may apply. Reply STOP to cancel, HELP for help. Consent to receive SMS is not a condition of booking. See this Policy for full details on how your information is used.
3.5 Information we do not collect
We do not collect biometric data, health information, financial account numbers, social insurance numbers, or government-issued identification. We do not purchase personal information from data brokers or other third parties.
4. Legal basis for processing
Under PIPEDA, we process personal information based on the following principles from Schedule 1:
- Consent: when you create an account, make a booking, or submit a review, you consent to our processing of the information required for that purpose.
- Contractual necessity: processing needed to provide the service you signed up for (e.g., storing appointments, sending confirmations).
- Legitimate interest: security measures (rate limiting, abuse detection, audit logging) to protect all users and maintain platform integrity.
- Legal obligation: retaining financial records as required by Canadian tax law (Income Tax Act, Excise Tax Act).
We obtain express opt-in consent for sensitive personal information (such as health-related notes or profile data). For other personal information, consent may be express or implied depending on the sensitivity of the information and the reasonable expectations of the individual, as contemplated by PIPEDA Principles 4.3.4 through 4.3.6.
5. How we use your information
- Service delivery: operating the booking platform — accounts, calendars, appointments, payments.
- Transactional communications: booking confirmations, reminders, cancellations, and review requests via email and SMS. These are service messages, not marketing, and are necessary for the service to function.
- Payment processing: facilitating deposits, charges, refunds, and payout status through Stripe.
- Security: rate limiting, CAPTCHA verification, IP-based abuse detection, and structured audit logging to prevent fraud and protect users.
- Error diagnosis: server-side logging to identify and fix software errors. Logs are retained for 90 days and do not contain full personal identifiers (email and phone are masked in logs).
- Legal compliance: responding to lawful requests from authorities and retaining records as required by law.
We do not use your information for behavioural advertising, profiling for marketing purposes, or selling to third parties.
6. Automated decision-making
Trimmo uses a reliability scoring system for booking clients. This score is calculated automatically based on a client's appointment history with a specific salon (e.g., completed appointments, late cancellations, no-shows). The score may affect:
- Whether a deposit is required at booking time (salons may configure deposit requirements for clients with lower reliability scores).
- Priority in the salon's internal waitlist ranking.
Important details about this scoring:
- Scores are per-salon — your score with one salon does not affect your interactions with any other salon on Trimmo.
- Scoring is based solely on appointment behaviour. It does not use any protected characteristics (race, gender, age, disability, or any other ground).
- Scoring does not affect your ability to access the booking platform, view available times, or see service pricing.
- The score is visible to the salon owner. It is not displayed to booking clients directly.
You can request an explanation of your score, challenge its accuracy, or request a human review by contacting the salon or emailing [email protected].
7. Service providers we share data with
Trimmo relies on a limited number of sub-processors. Each has been selected for their security posture and contractual data-handling commitments. They receive only the minimum information required for the stated purpose.
| Provider | Purpose | Data shared | Region |
|---|---|---|---|
| Google | Authentication (Google Sign-In) | Email address; we receive name, email, and profile photo | United States |
| Stripe | Payment processing and salon onboarding | Name, email, payment details (collected by Stripe directly) | United States |
| Resend | Transactional email delivery | Recipient email address and message content | United States |
| Twilio | SMS delivery for confirmations and reminders | Recipient phone number and message content | United States |
| Cloudflare | Bot protection, image storage, and content delivery | Browser signals for bot detection; uploaded image files | Global edge; storage in North America |
| Railway | Application hosting and database | All data stored in the platform (encrypted at rest) | United States |
We require each sub-processor to maintain privacy and security protections no less protective than those described in this Policy, through contractual data processing agreements. We will notify account holders at least 30 days before adding a new sub-processor, giving you the opportunity to review the change.
We do not sell, rent, or trade personal information, and we do not share it with advertisers or data brokers. Salon owners who connect a Stripe account are also subject to Stripe's own privacy policy and Connected Account Agreement. We may disclose personal information: (a) when required by a valid court order or applicable law, (b) in response to a regulatory inquiry (e.g., an investigation by the Office of the Privacy Commissioner), (c) to protect Trimmo's legal rights or the safety of our users, or (d) in connection with a merger, acquisition, or sale of assets, in which case the acquiring party will be bound by this Policy.
9. Data retention
We retain personal information only as long as necessary for the stated purpose:
| Data category | Retention period |
|---|---|
| Active account data | Duration of account + 30 days after closure |
| Appointment and financial records | 7 years after creation (Canadian tax law) |
| Booking client contact info | Duration of salon account, or upon client deletion request |
| Review content | Duration of salon account, or upon removal request |
| Gallery and uploaded images | Deleted immediately on removal by user; storage purged within 24 hours |
| Server and security logs | 90 days |
| Session tokens | 30 days of inactivity or on sign-out |
| Pending sign-up (unverified) | Deleted on verification or after 24 hours |
When retention periods expire, data is deleted or irreversibly anonymized using industry-standard techniques sufficient to prevent re-identification. Retention periods may be extended in the case of ongoing legal proceedings, regulatory investigations, or tax audits. Booking clients can request early deletion of their appointment record through the salon they booked with, or by contacting us directly.
10. Your rights under PIPEDA
Under PIPEDA, you have the right to:
- Access — request a copy of the personal information we hold about you.
- Correction — request that inaccurate or incomplete information be corrected.
- Withdrawal of consent — withdraw consent to our processing of your personal information. This may require us to close your account if the information is essential to service delivery. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Data portability — request your data in a commonly used, machine-readable format (JSON or CSV). We will provide the export within 30 days.
- Deletion — request deletion of your personal information, subject to retention requirements described above.
- Complaint — file a complaint with the Office of the Privacy Commissioner of Canada if you believe your rights have been violated.
To exercise any of these rights, email [email protected] with the subject line "Privacy Request". We will acknowledge your request within 5 business days and respond substantively within 30 calendar days. If you are dissatisfied with our response, you may escalate the matter by writing to our Privacy Officer. If our internal process does not resolve your concern, you may file a complaint with the Office of the Privacy Commissioner of Canada.
11. Electronic messages (CASL)
We comply with Canada's Anti-Spam Legislation (CASL). The electronic messages Trimmo sends fall into three categories:
- Transactional messages (booking confirmations, reminders, cancellations, password resets) — these are directly related to an existing transaction and are exempt from CASL consent requirements under section 6(6).
- Relationship-based messages (review requests after a completed appointment) — these are sent under implied consent based on an existing business relationship. Implied consent from a booking expires 2 years after your last appointment with that salon.
- Commercial electronic messages (product updates, feature announcements, tips) — we will only send these with your express consent. You can unsubscribe at any time via the link in each message.
All messages identify the sender (Trimmo and/or the salon on whose behalf the message is sent), include contact information, and provide a functioning unsubscribe mechanism as required by CASL sections 6(2) and 11. You can opt out of SMS at any time by replying STOP. We maintain records of consent (date, source, and manner) as required by CASL.
12. Security
We protect personal information with industry-standard measures including:
- Encryption in transit (HTTPS/TLS) and at rest via our hosting and storage providers.
- Passwords stored using industry-standard one-way hashing — never in plaintext.
- Cryptographically signed links for self-service actions (e.g., review submissions, account invitations).
- Rate limiting and CAPTCHA on public-facing forms to prevent automated abuse.
- Role-based access controls with least-privilege principles.
- Strict data isolation ensuring each business can only access its own data.
- Personal identifiers masked in internal logs.
- Industry-standard security headers on all pages.
No system is perfectly secure. In the event of a data breach, we will:
- Assess whether the breach creates a "real risk of significant harm" (RROSH) as defined under PIPEDA section 10.1.
- If RROSH exists, notify affected individuals directly and report to the Office of the Privacy Commissioner of Canada as soon as feasible.
- Notify any third party that could help reduce the risk of harm (e.g., a payment processor if payment-related data was involved).
- Maintain records of all breaches for a minimum of 24 months, as required by PIPEDA, regardless of whether they met the RROSH threshold.
13. International transfers
Some of our service providers are located in the United States (see Section 7). Your information may be processed or stored there. When transferring data outside Canada, we use contractual protections with each provider that include data use limitations, security requirements, breach notification obligations, and audit rights.
You should be aware that personal information stored in the United States may be accessible to U.S. courts, law enforcement, and national security authorities under U.S. law. Your information remains subject to the privacy protections described in this Policy regardless of where it is processed.
14. Quebec residents
If you are a resident of Quebec, your personal information may be subject to additional protections under Quebec's Act respecting the protection of personal information in the private sector (Law 25). Where Law 25 provides greater protection than PIPEDA, the more protective standard applies. This includes your right to be informed of automated decision-making that affects you (see Section 6) and your right to data portability. We conduct privacy impact assessments before implementing new features or systems that involve personal information, as required by Law 25.
For Quebec residents, parental consent is required for the collection of personal information from individuals under 14 years of age (rather than the general threshold of 13 described in Section 15).
15. Children
Trimmo is not directed at children under 13, and we do not knowingly collect personal information from them. If a booking is made on behalf of a minor, the adult making the booking is responsible for that information and represents that they have the authority to provide it. If we learn that we have collected personal information from a child under 13 without parental consent, we will delete it promptly.
16. Changes to this Policy
We may update this Policy as Trimmo evolves. When we make material changes, we will:
- Email account holders at least 15 days before the changes take effect.
- Update the "Last updated" date at the top of this page.
- Display a notice in the application for logged-in users.
Continued use of Trimmo after the effective date of a change constitutes acceptance of the updated Policy. If you do not agree with a material change, you may close your account before the effective date.
17. Contact
Questions, access requests, complaints, or concerns:
- Email: [email protected]
- Mail: Trimmo c/o Trunex Solutions, Ontario, Canada
See also our Terms of Service.