GDPR-Compliant Salon Software: What It Actually Requires
GDPR-compliant salon software explained: why EU hosting is not a legal requirement, what an Article 28 agreement must cover, and the checklist to verify.
Read moreWelcome to EURoot
EURoot aims to help farmers face climate change and the demand for reduced use of water and fertilizers.
Learn MorePractical guides to booking software, client records and data protection for hair salons, beauty studios and aesthetic clinics — with a focus on what happens to client data.
Every salon runs on a client list. It holds names, phone numbers, appointment history and — in a clinic — notes about someone's body. That list is simultaneously the most valuable asset in the business and the one with the most obligations attached to it. This section covers booking software, client records and data protection for hair salons, beauty studios and aesthetic clinics, organised around a question the feature comparisons skip: who actually controls that data, and what happens to it when you switch tools.
"The software is GDPR-compliant, so we are." Compliance attaches to you, not to a product. You decide why client data is collected, which makes you the controller; the vendor is a processor acting on your instructions. No licence transfers that responsibility.
"The data has to be stored in the EU." It doesn't. Transfers outside the EU are permitted with appropriate safeguards. EU hosting is a convenient shortcut around the question, not the rule itself — and it says nothing about access controls or retention.
"We'll deal with export if we ever leave." By then it's too late. The export format is the single best predictor of how expensive leaving will be, and it costs nothing to test during a trial.
| Requirement | Why it matters | Priority |
|---|---|---|
| Article 28 processing agreement | The written contract the law requires between you and the vendor | Non-negotiable |
| Encryption in transit and at rest | Baseline protection for the client list | Non-negotiable |
| Role-based access | Reception doesn't need to read treatment notes | High |
| Self-service export | Portability, and your exit route | Non-negotiable |
| Defined retention period | Keeping everything forever breaches storage limitation | High |
| Segregated treatment notes | Health data carries stricter conditions | Non-negotiable in a clinic |
Begin with our guide to GDPR-compliant salon software. It explains why no tool is compliant on its own, separates what the regulation genuinely requires from the EU-hosting myth, compares how MyWest, Phorest, Salonized and Clienta position themselves, and walks through what to do the first time a client asks for their data.
The guides that follow take the remaining pieces one at a time: booking and reminders, client records and intake forms, deposits, and migrating to a new system without losing your history.
There is no reliable correlation. Price reflects features, market position and marketing budget. Protection reflects encryption, access control, retention and the processing agreement — all of which you can check directly, whatever the tool costs.Is expensive software safer than cheap software?
Yes. The obligation follows from processing personal data, not from headcount. A one-chair salon with a client list is a controller in exactly the same way a chain is.Do I need a data processing agreement for a small salon?
Long enough to serve the purpose you collected them for, and no longer — with an eye on competing obligations such as tax retention, which can require you to keep financial records after a client asks to be forgotten. Define the period in writing rather than leaving it to the software's default.How long should client records be kept?
GDPR-compliant salon software explained: why EU hosting is not a legal requirement, what an Article 28 agreement must cover, and the checklist to verify.
Read more