Maggie Got Hands

Privacy Policy

Effective date: March 22, 2025  ·  Fort Myers, Florida (Lehigh Acres)

At Maggie Got Hands, your privacy matters. This policy explains what information we collect when you book appointments, create an account, or use our app — and how we protect it.

01

Introduction

Maggie Got Hands ("we," "our," or "us") operates a salon booking platform serving clients in the Fort Myers, Florida (Lehigh Acres) area. This Privacy Policy describes how we collect, use, and protect your personal information when you use our website, mobile app, or booking system (collectively, the "Service").

By using the Service, you agree to the practices described in this policy. If you do not agree, please discontinue use and contact us to have your data removed.

02

Information We Collect

We collect only the information necessary to operate the booking service:

  • Google Sign-In Data: When you authenticate with Google OAuth, we receive your name, email address, and profile photo from Google. We do not receive your Google password or payment methods.
  • Account Information: Your display name, email address, and profile photo stored in your Maggie Got Hands account.
  • Appointment Data: Services booked, selected dates and times, variant/style preferences, and booking notes you provide.
  • Payment Details: Payment processing is handled entirely by Stripe. We never see or store your full card number. We retain only a deposit confirmation reference and any partial amounts for record-keeping.
  • Phone Number: If provided during booking, used solely for appointment reminders or direct contact.
  • Usage Data: Basic interaction data such as pages visited and feature usage, used to improve the app experience.

We do not collect: Social Security numbers, government IDs, precise geolocation, or sensitive health information.

03

How We Use Your Information

Your information is used exclusively to operate and improve the Service:

  • Create and manage your account and client profile.
  • Schedule, confirm, and manage your appointments.
  • Send booking confirmations, reminders, and updates.
  • Process deposit payments through Stripe.
  • Maintain visit history and loyalty program records.
  • Enable rescheduling and cancellation features.
  • Respond to support inquiries and resolve disputes.
  • Detect and prevent fraudulent or abusive activity.
  • Improve the app based on how features are used.

We do not use your information for advertising, sell it to data brokers, or share it for any purpose outside of operating the Service.

04

Third-Party Services

We integrate with the following trusted third-party platforms. Each governs its own data practices:

Google Sign-In

OAuth 2.0 authentication. When you sign in with Google, your name, email, and profile photo are shared with us per Google's policies.

Google Privacy Policy

Supabase

Database, authentication infrastructure, and file storage. Your account data and appointment records are stored on Supabase's secure servers.

Supabase Privacy Policy

Stripe

Secure payment processing for appointment deposits. Stripe handles all card data under PCI-DSS compliance. We never see your full card details.

Stripe Privacy Policy

We encourage you to review each provider's privacy policy to understand how they handle your data independently of our Service.

05

Data Security

We take the security of your information seriously and implement the following protections:

  • Encrypted Transmission: All data in transit is encrypted via HTTPS/TLS.
  • Row-Level Security: Database access is restricted at the row level — users can only access their own records.
  • Supabase Auth: Authentication and session management are handled by Supabase's battle-tested auth infrastructure.
  • Stripe PCI Compliance: Payment card data never touches our servers. Stripe handles all card processing under PCI-DSS Level 1 standards.
  • Minimal Data Access: Only authorized team members can access personal data, and only when needed to resolve issues.
  • No Plaintext Passwords: We use OAuth (Google Sign-In) and do not store passwords.

While we take every reasonable precaution, no system is 100% immune to security incidents. In the event of a data breach that affects your information, we will notify you promptly.

06

Your Rights

You have the following rights regarding your personal data. To exercise any of them, contact us at the email below.

Access

Request a copy of the data we hold about you.

Correction

Ask us to correct inaccurate information.

Deletion

Request that we delete your account and associated data.

Portability

Receive your data in a portable, machine-readable format.

Opt-Out

Unsubscribe from non-essential communications at any time.

Withdraw Consent

Revoke access to your Google account at any time via Google's account settings.

We will respond to all valid requests within 30 days. Some data may be retained as required by law or for legitimate business purposes such as fraud prevention.

07

Contact Us

For questions, concerns, or data requests related to this Privacy Policy, reach out to us directly:

Maggie Got Hands

Fort Myers, Florida (Lehigh Acres)

Email: maggiegothands@gmail.com

We may update this Privacy Policy from time to time. The effective date at the top of this page will reflect the most recent revision. Continued use of the Service after changes constitutes acceptance of the updated policy.