GDPR for hair & beauty salons
Allergy records and patch test results are special category data under UK GDPR. Before-and-after photos need explicit consent. And the booking platform you use doesn’t replace your own privacy policy. Here’s what salon owners actually need to know about website compliance.
Why salons handle some of the most sensitive personal data
Most salon owners don’t think of themselves as handling sensitive data. But UK GDPR draws a sharp line between ordinary personal data (names, email addresses, phone numbers) and special category data (anything relating to a person’s health). The moment you record an allergy, a skin condition, a patch test result, or a medical note that affects treatment, you’re processing special category data under Article 9.
Special category data has stricter rules. You can’t rely on “legitimate interests” as your legal basis — you need explicit consent. Your privacy policy needs to specifically address how you handle health-related information. And you need to be particularly careful about who has access to these records and how long you keep them.
This doesn’t mean compliance is difficult. It just means a generic privacy policy template won’t cover it.
What personal data does a salon typically process?
| Data type | Example | Category |
|---|---|---|
| Contact details | Name, phone, email, address | Ordinary personal data |
| Booking history | Appointment dates, services booked, stylist preferences | Ordinary personal data |
| Allergy records | PPD allergy, latex sensitivity, fragrance reactions | Special category (health) |
| Patch test results | Date tested, reaction notes, product used | Special category (health) |
| Skin/scalp conditions | Eczema, psoriasis, alopecia notes | Special category (health) |
| Treatment records | Chemical treatments, colour formulas, aftercare notes | Ordinary (unless health conditions noted) |
| Before-and-after photos | Client hair/skin/nail photos for portfolio | Ordinary personal data (biometric if facial recognition used) |
| Marketing preferences | Email consent, SMS opt-in, birthday offers | Ordinary personal data + PECR consent |
| Payment data | Card payments via terminal or online | Handled by payment processor |
| Employee records | Staff contracts, training certificates, DBS checks | Ordinary + potentially special category |
Key point: Any record of an allergy, skin condition, or health-related note is special category data under Article 9. This includes patch test cards, client consultation forms, and treatment notes that reference health conditions. You need explicit consent to process this data — not just a general “I agree to the privacy policy” checkbox.
Before-and-after photos: the consent you actually need
Posting client photos on Instagram, your website, or Google Business Profile is one of the most effective marketing tools for salons. But every photo that shows a client’s face, hair, skin, or body is personal data, and you need explicit consent to use it.
What “explicit consent” means in practice:
- Consent must be given before the photo is taken, not after
- The client must know where the photo will be used (Instagram, website, Google, printed materials — specify each)
- Consent must be freely given — the client must not feel pressured, and refusing must not affect their treatment or pricing
- Consent must be documented — a signed form or a clear digital record
- The client must be able to withdraw consent at any time, and you must remove the photos if they do
A verbal “yeah, sure” is not sufficient. Best practice is a simple consent form (paper or digital) that the client signs before the appointment. Your privacy policy should explain your photo policy and how clients can request removal.
Online booking platforms: Fresha, Treatwell, and others
If you use Fresha, Treatwell, Booksy, Vagaro, or any other online booking platform, customer data flows through that third-party system. This creates specific GDPR obligations:
- Your privacy policy must mention it. You don’t need to name the specific platform, but you must describe the categories of third-party processors you use (e.g. “online booking providers”) and explain what data they process.
- The platform’s privacy policy doesn’t replace yours. Fresha’s privacy policy covers how Fresha handles data on their platform. It doesn’t cover how your salon handles data outside of it — walk-in customers, paper records, photos, marketing.
- You need a data processing agreement. Most major platforms include this in their terms of service, but you should verify it exists.
- Marketing via the platform is still your responsibility. If you send promotional messages through Fresha or Treatwell, you need to ensure recipients have consented under PECR rules.
Marketing emails and texts: what PECR requires
Sending appointment reminders is generally fine — it’s a necessary part of delivering the service the client booked. But promotional messages (new services, discounts, product launches, birthday offers) require consent under PECR.
For individual clients (sole traders, partnerships), you need explicit opt-in consent. For existing customers, the “soft opt-in” rule may apply: you can email them about similar services as long as you gave them a clear opportunity to opt out when you first collected their email, and you include an unsubscribe link in every message.
If you use Mailchimp, Klaviyo, or any email marketing tool, your privacy policy needs to disclose this — these tools process personal data on your behalf and typically transfer data to servers outside the UK.
What your salon website must include
Privacy policy
Tailored to the salon sector, covering: allergy and health data handling (with Article 9 explicit consent basis), before-and-after photo policy, booking platform data sharing, marketing consent, CCTV if applicable, and standard GDPR requirements (controller identity, purposes, legal bases, retention periods, rights, ICO complaint right).
Cookie consent
If your website uses Google Analytics, Facebook Pixel, Instagram tracking, or booking widget cookies, you need a consent banner with a genuine reject option. Your cookie policy should list each cookie, its purpose, and its duration.
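As an added illustration, not code from the article or from any booking platform, the following JavaScript models the consent logic behind such a banner: a registry of the cookies the article names (the cookie names and durations are constructed sample values) drives both the cookie policy listing and the decision of which trackers may run, so that with no recorded decision or with a rejection nothing beyond essential cookies is loaded.

```javascript
// Added example (not from the article). Registry of the cookies a salon site
// typically sets; names and durations are constructed sample values, so check
// your own site's cookies before publishing a policy built from this.
const COOKIE_REGISTRY = [
  { name: "salon_session", category: "essential", purpose: "Keeps your online booking session open", duration: "session" },
  { name: "_ga", category: "analytics", purpose: "Google Analytics visitor statistics", duration: "2 years" },
  { name: "_fbp", category: "marketing", purpose: "Facebook Pixel ad attribution", duration: "3 months" },
  { name: "booking_widget_pref", category: "functional", purpose: "Remembers booking widget choices", duration: "1 year" },
];

// consentRecord is what the banner stored, e.g. { decision: "accept", categories: ["analytics"] }.
// No record means no decision yet; a reject decision allows essential cookies only.
// Returns the names of the cookies/trackers the page is allowed to set right now.
function trackersToLoad(consentRecord) {
  const allowed = new Set(["essential"]);
  if (consentRecord && consentRecord.decision === "accept") {
    for (const category of consentRecord.categories || []) allowed.add(category);
  }
  return COOKIE_REGISTRY.filter((c) => allowed.has(c.category)).map((c) => c.name);
}

// The banner is shown only until the visitor makes a real choice. A rejection
// counts as a choice: re-showing the banner on every page defeats the reject option.
function bannerRequired(consentRecord) {
  return !consentRecord || !["accept", "reject"].includes(consentRecord.decision);
}

// Builds the per-cookie rows (name, category, purpose, duration) the cookie policy must list.
function cookiePolicyRows(registry = COOKIE_REGISTRY) {
  return registry.map((c) => `${c.name} | ${c.category} | ${c.purpose} | ${c.duration}`);
}
```

The banner markup and the actual script tags are left to the page; the point is that Google Analytics and Facebook Pixel are only injected when `trackersToLoad` returns them.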
Terms and conditions
Salon-specific T&Cs covering: cancellation and no-show policy, patch test requirements and timing, gift voucher terms, liability for treatments, complaints procedure, and product returns.
Company information
If you’re a limited company: company number, registered address, and place of registration. If VAT registered: VAT number. These are legal requirements under the Companies Act 2006 and E-Commerce Regulations 2002.
Accessibility statement
A commitment to website accessibility under the Equality Act 2010, meeting WCAG 2.1 Level AA standards, with contact information for reporting accessibility issues.
Common compliance gaps we find on salon websites
- No mention of allergy/health data — the privacy policy doesn’t acknowledge special category processing at all
- Booking platform’s privacy policy used instead of their own — linking to Fresha’s policy doesn’t cover your obligations
- No photo consent policy — before-and-after photos posted to social media without documented consent
- Marketing without consent — promotional texts or emails sent without proper opt-in
- Cookie banner with no reject option — or no banner at all despite using analytics/tracking
- Missing retention periods — no indication of how long client records are kept
- No ICO complaint right mentioned — required under UK GDPR Article 13(2)(d)
Find out what your salon website is missing
We check your website against GDPR, PECR, Consumer Rights Act, Equality Act, and Companies Act — with specific attention to health data, photo consent, and booking platform requirements. Complete compliance pack from £49.
Get your compliance fix — £49
Frequently asked questions
Do salons need a privacy policy?
Yes. Any salon that collects customer names, contact details, booking information, allergy records, or treatment notes must have a privacy policy under UK GDPR. This applies to sole traders and limited companies alike.
Are allergy records and patch test results personal data?
Yes, and they are special category data under UK GDPR Article 9 because they relate to a person’s health. This means you need explicit consent to process them — a higher standard than ordinary personal data.
Do I need consent to post before-and-after photos?
Yes. Before-and-after photos that show a client’s face, hair, or body are personal data. You need explicit, informed consent before taking the photo and again before posting it. The consent should specify where the photo will be used and clients must be able to withdraw consent at any time.
What about online booking platforms like Fresha or Treatwell?
If you use an online booking platform, customer data flows through that platform. You need to name the categories of third-party processors in your privacy policy and ensure your data processing agreement with the platform is in order. The platform’s own privacy policy does not replace yours.
How long should salons keep client records?
Contact details and treatment history: duration of the client relationship plus 6 years. Patch test records: at least 3 years (many insurers require this). Allergy records: as long as the client remains active, plus 6 years. Before-and-after photos: only as long as you have active consent.
Last updated: 8 February 2026 · This article is for informational purposes and does not constitute legal advice. For complex situations, consult a solicitor.