
    BestBarbers Privacy Policy

    Last updated on May 13, 2026

    Best Business Intermediation, Inc. ("BestBarbers," "Company," "we," "our," or "us") respects your privacy. This Privacy Policy explains how we collect, use, share, and protect personal information when you use the BestBarbers websites, web application, and mobile applications (collectively, the "Service"), and the rights and choices you have regarding that information.

    If you do not agree with this Privacy Policy, please do not use the Service.

    1. Scope of This Policy

    This Privacy Policy applies to personal information processed in connection with the Service, including:

    • the marketing websites at bestbarbers.app, bestbarbers.us, and related domains;
    • the BestBarbers web application used by barbershops, salons, and similar businesses ("Shops") and their team members;
    • the BestBarbers consumer-facing booking experience and any white-label or marketplace mobile applications used by individual consumers ("End Users") to book and pay for services; and
    • communications we send by email, SMS, or push notification in connection with the Service.

    This Privacy Policy does not cover the practices of any Shop or other third party. Each Shop is responsible for its own privacy practices in connection with the personal information it collects from End Users, including how it uses information after it is received from the Service.

    2. Our Role: Controller vs. Processor (and "Business" vs. "Service Provider")

    Our role with respect to personal information depends on the context:

    • Processor / Service Provider. When a Shop uses the Service to manage its appointments, customers, payments, communications, and operations, the Shop is the controller (or "business" under the CCPA/CPRA) of personal information about its End Users and staff, and we act as the processor (or "service provider" under the CCPA/CPRA) on the Shop's behalf. We process that information only as instructed by the Shop, as described in this Privacy Policy, and as needed to provide and improve the Service.
    • Controller / Business. We are the controller for personal information we collect directly from Shop owners and team members in connection with their account (e.g., registration, billing, support), from marketing website visitors, and from individuals who contact us directly.

    Where applicable law uses the terms "controller" and "processor" (e.g., GDPR, UK GDPR, LGPD) or "business" and "service provider" (e.g., CCPA/CPRA), those terms have meanings analogous to one another for purposes of this Policy.

    3. Information We Collect

    Account and Business Information — When a Shop or a Shop's team member creates an account, we collect information such as name, email address, phone number, business name, business address, role, login credentials, and tax or billing information.

    End User Information — When a Shop or End User uses the Service to book or manage appointments, we may collect End User information including name, phone number, email address, date of birth (if provided), profile photo, appointment history, service preferences, notes, loyalty and subscription information, communication history, and payment-card metadata (such as card brand and last four digits — full payment card numbers are handled by our Payment Processors, not by us).

    Identity Verification ("KYC") Documents — Where our payment partners or compliance program require us to verify identity, we may collect government-issued identification, business registration documents, beneficial-ownership disclosures, and selfie/liveness images. KYC documents are retained per the schedule in Appendix A.

    Communications Data — We collect the content and metadata of messages sent through the Service (e.g., SMS reminders, in-app messages, email and marketing campaigns) for delivery, fraud prevention, and abuse detection.

    Payment Information — Payment-card and bank-account information used to pay for the Service or for services rendered by Shops is collected and stored by our third-party Payment Processors (Finix and Stripe), not by us. We receive limited tokens and metadata necessary to associate transactions with accounts.

    Camera, Microphone, Photos — Where you grant explicit permission within the app (for example, to upload a portfolio photo or a profile picture), we access only the specific media you choose to share. We do not collect camera or microphone data in the background.

    Device, Usage, and Log Data — We automatically collect information about how the Service is accessed and used, including IP address, browser type, operating system, device identifiers, mobile network information, language, time-zone, referring URL, pages visited, features used, click and tap events, crash logs, and timestamps. On mobile, we may collect approximate location based on IP address; we do not collect precise GPS location unless you explicitly grant permission for features that require it (e.g., locating nearby shops).

    Cookies and Similar Technologies — We and our service providers use cookies, web beacons, local storage, and similar technologies to operate the Service, remember preferences, analyze usage, and (where permitted) deliver advertising. See Section 9 for the categorized SDK inventory.

    4. How We Use Information (with GDPR / LGPD Legal Bases)

    We use personal information to:

    • provide, operate, secure, and maintain the Service, including authenticating users, processing appointments, sending reminders, and processing payments — legal basis: performance of a contract (GDPR Article 6(1)(b); LGPD Article 7(V));
    • communicate with Shops and team members about their account, billing, support requests, and service-related notices — legal basis: performance of a contract (GDPR Article 6(1)(b)) and legitimate interest (GDPR Article 6(1)(f); LGPD Article 7(IX));
    • send marketing communications to Shop account holders (subject to your right to opt out) — legal basis: consent (GDPR Article 6(1)(a); LGPD Article 7(I)) where required, or legitimate interest in promoting our Service to existing customers (GDPR Article 6(1)(f));
    • detect, prevent, and investigate fraud, abuse, security incidents, and violations of our Business Terms of Service — legal basis: legitimate interest (GDPR Article 6(1)(f); LGPD Article 7(IX)) and legal obligation (GDPR Article 6(1)(c); LGPD Article 7(II));
    • comply with legal obligations and respond to lawful requests — legal basis: legal obligation (GDPR Article 6(1)(c); LGPD Article 7(II));
    • analyze and improve the Service, including measuring feature usage, conducting research, and developing new features — legal basis: legitimate interest (GDPR Article 6(1)(f); LGPD Article 7(IX));
    • create aggregated or de-identified data as described in Section 5 — legal basis: legitimate interest (GDPR Article 6(1)(f); LGPD Article 7(IX)) following pseudonymization/anonymization; and
    • protect vital interests of any natural person in rare emergency contexts — legal basis: vital interests (GDPR Article 6(1)(d); LGPD Article 7(VII)).

    5. Aggregated and De-identified Data

    We may create aggregated, anonymized, or de-identified data from personal information we process and use it for analytics, benchmarking, marketing, security, fraud prevention, product development and improvement, and the training of artificial-intelligence or machine-learning models that form part of the Service. Aggregated or de-identified data does not identify any individual, Shop, or End User, and we commit not to attempt to re-identify it. We may share aggregated or de-identified data freely.

    No sale of identifiable data to third-party AI model providers. We do not sell or otherwise transfer identifiable Customer Data to any third-party large-language-model or AI provider for that provider's own general-purpose model training. Subprocessors that provide AI/ML services within the Service do so under contracts that prohibit the use of Customer Data for their own model training.

    6. How We Share Information

    We share personal information only in the following circumstances:

    • With Shops. When you are an End User, the Shop with which you book or transact receives your information so it can provide its services to you. The Shop's use of your information is governed by the Shop's own privacy practices.
    • With Authorized Users. Information you submit through the Service may be visible to other Authorized Users of the Shop's account (e.g., owners, managers, team members), according to the role-based permissions configured by the Shop.
    • With Service Providers and Subprocessors. We share information with vendors who help us operate the Service (see Section 14 for the Subprocessor inventory). These vendors are bound by contractual obligations to use personal information only as needed to provide their services to us.
    • For Legal Reasons. We may disclose information when we believe in good faith that disclosure is required to comply with law, regulation, court order, subpoena, or other lawful request; to enforce our Business Terms of Service; to protect the rights, property, or safety of BestBarbers, our users, or others; or to investigate suspected fraud or abuse. Where lawfully permitted, we will give affected customers prior notice of compelled disclosure.
    • In Business Transfers. If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, personal information may be transferred as part of that transaction, subject to standard confidentiality protections and notice to affected users.
    • With Your Consent or At Your Direction. We may share information with third parties when you direct us to do so or where you have provided consent.

    We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under California Civil Code § 1798.140. See Section 7.

    7. California Privacy Notice (CCPA / CPRA)

    This Section is the California "notice at collection" required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), and supplements the rest of this Privacy Policy for California residents.

    Categories of Personal Information Collected (last 12 months). Identifiers (e.g., name, email, phone, IP address, device ID); commercial information (transaction history, subscription history); internet or network activity (browsing/usage logs, cookies); geolocation (approximate, derived from IP); audio/visual (profile photo, portfolio photo); professional or employment information (Shop role); inferences drawn from the above (preferences, predicted interests); identity-verification information (government-issued ID, when collected for KYC). We do not knowingly collect sensitive personal information beyond what is necessary to verify identity, and we do not use sensitive personal information to infer characteristics about consumers.

    Sources. Directly from you; automatically through your device and use of the Service; from Shops about their End Users; from our Payment Processors; from identity-verification providers (when KYC is triggered); from analytics and security providers.

    Purposes. As described in Section 4 of this Privacy Policy.

    Third Parties With Whom We Share. Service providers and Subprocessors (Section 14); Shops (for End-User information collected through their accounts); legal and regulatory authorities as required.

    Retention. As described in Section 12 and Appendix A.

    Do Not Sell or Share My Personal Information. We do not sell personal information for money, and we do not share personal information for cross-context behavioral advertising as those terms are defined under California Civil Code § 1798.140. You may submit a "Do Not Sell or Share My Personal Information" request at privacy@bestbarbers.app, and we will honor the Global Privacy Control ("GPC") signal where technically feasible.

    Sensitive Personal Information. We do not use or disclose sensitive personal information for purposes outside the limited purposes permitted by California Civil Code § 1798.121(a).

    California Consumer Rights. California residents have the right to:

    • Right to Know what personal information we have collected, the categories of sources, the purposes for collection or sharing, and the categories of third parties with whom we share it (Civil Code § 1798.100, § 1798.110, § 1798.115);
    • Right to Delete personal information, subject to legal exceptions (Civil Code § 1798.105);
    • Right to Correct inaccurate personal information (Civil Code § 1798.106);
    • Right to Opt-Out of sales/sharing of personal information (Civil Code § 1798.120);
    • Right to Limit Use of sensitive personal information (Civil Code § 1798.121);
    • Right to Non-Discrimination for exercising these rights (Civil Code § 1798.125); we will not deny services, charge different prices, or provide a different level of quality because you exercised a privacy right.

    To submit a request, email privacy@bestbarbers.app or use the in-product privacy form where available. We will verify your identity before responding. We will respond within forty-five (45) days; if more time is needed we will notify you and may extend up to ninety (90) days total.

    Authorized Agents. You may use an authorized agent to submit requests on your behalf; we may require proof of authorization and verification of your identity.

    Appeals. If we deny your request, you may appeal by emailing privacy@bestbarbers.app with the subject "Privacy Appeal."

    California Shine the Light. California residents may request information about disclosures of personal information to third parties for those third parties' direct marketing purposes (California Civil Code § 1798.83). We do not share personal information with third parties for their direct marketing purposes.

    8. Other U.S. State Privacy Rights

    Residents of other U.S. states with comprehensive privacy laws have similar rights to those described above, including the right to access, correct, and delete personal information, and to opt out of targeted advertising, sales, and certain profiling. Applicable laws include:

    Jurisdiction | Law (Acronym)
    Virginia | Virginia Consumer Data Protection Act (VCDPA) — includes right to appeal denials to the Virginia Attorney General
    Colorado | Colorado Privacy Act (CPA)
    Connecticut | Connecticut Data Privacy Act (CTDPA)
    Utah | Utah Consumer Privacy Act (UCPA)
    Texas | Texas Data Privacy and Security Act (TDPSA)
    Oregon | Oregon Consumer Privacy Act (OCPA)
    Delaware | Delaware Personal Data Privacy Act
    Iowa | Iowa Consumer Data Protection Act
    Minnesota | Minnesota Consumer Data Privacy Act
    Montana | Montana Consumer Data Privacy Act
    Nebraska | Nebraska Data Privacy Act
    New Hampshire | New Hampshire Privacy Act
    New Jersey | New Jersey Data Privacy Act
    Tennessee | Tennessee Information Protection Act

    To exercise these rights, email privacy@bestbarbers.app. We will respond within the timeframe required by the applicable state law (typically 45 days). Virginia residents may appeal a denial; we will respond to appeals within sixty (60) days. If your appeal is unsuccessful, you may contact the Virginia Attorney General at https://www.oag.state.va.us/.

    9. Cookies, SDKs, and Similar Technologies

    We use cookies and similar technologies in the following categories:

    Category | Examples | Purpose | Opt-Out
    Strictly Necessary | Session cookies, authentication tokens, Cloudflare Turnstile (anti-bot) | Required for the Service to function | Cannot be disabled
    Performance / Analytics | Google Analytics, Sentry (error monitoring) | Measure usage, diagnose crashes | Cookie banner / browser settings
    Preference | Theme, language, time-zone | Remember your settings | Cookie banner
    Marketing | Facebook Pixel (where opted in) | Measure and deliver marketing campaigns | Cookie banner / GPC signal
    Payment | Finix.js, Stripe.js | Securely render payment forms | Required if you make a payment
    Media | Cloudinary | Image hosting and delivery | Required for image features

    You can manage non-essential cookies through the cookie banner or through your browser settings. Disabling certain cookies may affect Service functionality. We honor the Global Privacy Control (GPC) signal as an opt-out of "sale or sharing" under California law.

    10. Security; Incident Notification

    We use commercially reasonable administrative, technical, and physical safeguards designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Examples include encryption of data in transit (TLS) and at rest where appropriate, access controls and role-based permissions, security monitoring and logging, regular vulnerability scanning, restricted production access for personnel, periodic penetration testing, and security training for personnel.

    No method is 100% secure. Despite our safeguards, no method of transmission over the internet or storage is completely secure, and we cannot guarantee absolute security. You are responsible for safeguarding your login credentials and for promptly notifying us at security@bestbarbers.app of any suspected unauthorized access.

    Incident Notification. In the event of a personal-data breach that creates a risk to your rights, we will notify affected customers and applicable regulators in accordance with applicable law, including, where required, within 72 hours of becoming aware (GDPR Article 33; LGPD Article 48). We will provide the information required by applicable law (nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken).

    11. Automated Decision-Making and AI Features

    The Service does not use solely-automated decision-making that produces legal or similarly significant effects on End Users. Features within the Service that incorporate artificial intelligence or machine learning (for example, suggestions, recommendations, or scheduling optimizations) are advisory only and remain subject to human review and override by Authorized Users. If we introduce solely-automated decision-making with legal or similarly significant effects, we will update this Privacy Policy and obtain any required consents.

    12. Data Retention

    We retain personal information for as long as needed to provide the Service, comply with our legal obligations (including tax, accounting, fraud-prevention, and KYC/AML requirements), resolve disputes, and enforce our agreements. Specific retention periods are set forth in Appendix A. When personal information is no longer needed, we will delete or anonymize it in the ordinary course of business, subject to retention in routine encrypted backups for a limited period and to any longer retention required by law.

    13. International Data Transfers

    We are based in the United States and the Service is hosted in the United States. If you access the Service from outside the United States, you understand that your personal information may be transferred to, stored in, and processed in the United States and other countries, which may have data-protection laws different from those of your country.

    Where required by applicable law, we use appropriate safeguards to protect your information during international transfers:

    • EEA to US. Standard Contractual Clauses ("SCCs") approved by the European Commission;
    • United Kingdom. The UK International Data Transfer Agreement ("IDTA") or the UK Addendum to the SCCs;
    • Switzerland. Swiss-approved SCCs;
    • Brazil. Transfer mechanisms permitted by Article 33 of the LGPD (including SCCs, ANPD-approved mechanisms, or your explicit consent);
    • Other jurisdictions. As required by local law.

    A copy of the relevant safeguards is available on request to privacy@bestbarbers.app.

    14. Subprocessors

    We engage Subprocessors to provide the Service. As of the Last Updated date, our principal categories of Subprocessors include:

    • Cloud hosting and infrastructure (e.g., Amazon Web Services)
    • Payment processing (Finix, Stripe)
    • Email and transactional messaging (e.g., Resend, Twilio Email)
    • SMS messaging (e.g., Twilio)
    • Push notifications (e.g., Expo, Apple APNs, Google FCM)
    • Image hosting and CDN (Cloudinary)
    • Customer support tools
    • Analytics and error monitoring (Google Analytics, Sentry)
    • Identity verification / KYC
    • Security and anti-bot (Cloudflare Turnstile)

    We require each Subprocessor to maintain confidentiality and security protections at least as protective as those in this Privacy Policy. A current list of Subprocessors (with names, functions, and locations) is available on request to privacy@bestbarbers.app. We will use reasonable efforts to provide advance notice before adding a new Subprocessor that materially changes the categories of recipients.

    15. Brazil — LGPD Notice

    This Section supplements this Privacy Policy for individuals located in Brazil and is governed by the Brazilian General Data Protection Law ("LGPD," Federal Law No. 13.709/2018).

    Legal Bases (Article 7). We process personal data based on (i) the data subject's consent; (ii) performance of a contract or pre-contractual procedures; (iii) compliance with a legal or regulatory obligation; (iv) execution of public policies (not generally applicable); (v) studies by research bodies (not generally applicable); (vi) the regular exercise of rights in judicial, administrative, or arbitral proceedings; (vii) protection of life or physical safety; (viii) protection of health (with care); (ix) legitimate interests of the controller or third party, observing the data subject's fundamental rights and freedoms; and (x) credit protection. The bases that most commonly apply to our processing are (ii), (iii), (vi), (vii), and (ix).

    Data Subject Rights (Article 18). Brazilian data subjects have the right to: (a) confirm the existence of processing; (b) access their data; (c) correct incomplete, inaccurate, or outdated data; (d) anonymize, block, or eliminate unnecessary, excessive, or unlawfully processed data; (e) data portability to another service or product provider; (f) delete data processed with consent; (g) obtain information about public and private entities with which we have shared data; (h) obtain information about the possibility of refusing to provide consent and the consequences of refusal; (i) revoke consent; and (j) petition the National Data Protection Authority ("ANPD") against this controller.

    Encarregado (DPO). Our data-protection officer for Brazil can be reached at privacy@bestbarbers.app (subject line: "Encarregado LGPD").

    ANPD. You may file a complaint with the ANPD at https://www.gov.br/anpd/pt-br.

    International Transfers from Brazil. International transfers from Brazil are made under one of the mechanisms permitted by Article 33 of the LGPD, including SCCs, ANPD-approved mechanisms, or your explicit consent.

    16. Children's Privacy

    The Service is not directed to children under 18 and we do not knowingly collect personal information from anyone under 18.

    Under 16 (CCPA/CPRA). We do not knowingly sell or share personal information of California consumers under age 16, and we do not knowingly use sensitive personal information of California consumers under 16 for purposes outside Civil Code § 1798.121(a).

    Under 13 (COPPA). If you are under 13, please do not use the Service. If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information as required by the Children's Online Privacy Protection Act.

    If you believe a child has provided personal information to us, please contact privacy@bestbarbers.app so we can delete it.

    17. Marketing Communications and SMS

    If you receive marketing emails or SMS messages from us, you can opt out by following the unsubscribe instructions in the message, by replying STOP to SMS messages (reply HELP for help), or by contacting us at privacy@bestbarbers.app. You cannot opt out of transactional or service-related messages necessary to operate your account (e.g., appointment reminders, billing notices, security alerts) without losing access to those features.

    We participate in the carriers' A2P 10DLC framework. Messages may originate from Company's toll-free long-code number +1 (855) 599-4407 or from other long-code numbers Company uses for A2P 10DLC delivery. Message and data rates may apply. Carriers are not liable for delayed or undelivered messages.

    18. Third-Party Links and Services

    The Service may contain links to or integrations with third-party websites or services (e.g., Payment Processors, social-media platforms, app stores). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing them with personal information.

    19. Changes to This Privacy Policy

    We may update this Privacy Policy from time to time. If we make material changes, we will provide notice by posting the updated Policy on the Service and, where appropriate, by email or in-product notice. The "Last updated" date at the top of this page indicates when the Privacy Policy was last revised. Your continued use of the Service after the effective date of an updated Privacy Policy constitutes acceptance of the changes.

    20. Contact Us

    For questions, complaints, or requests relating to this Privacy Policy or our handling of personal information, contact:

    Best Business Intermediation, Inc.
    2084 Marsh Hawk Drive
    Orlando, Florida 32837
    United States
    Privacy: privacy@bestbarbers.app
    Brazilian Encarregado (LGPD): privacy@bestbarbers.app (subject: "Encarregado LGPD")
    Security incidents: security@bestbarbers.app


    Appendix A — Data Retention Schedule

    The following retention periods apply unless a longer period is required by law or a shorter period is required by your applicable rights request:

    Data Category | Retention Period | Purpose / Basis
    Account / business registration data | 3 years after account termination | Tax, audit, dispute resolution
    Appointment records | 2 years after the appointment | Service delivery, customer service
    Payment transaction logs | 6 years | PCI-DSS, fraud, tax reporting
    Billing / invoice records | 7 years | Tax compliance
    End-User profile and contact info | Duration of account + 1 year | Service delivery, legal claims
    Marketing preferences | Until withdrawn or 2 years of inactivity | CAN-SPAM, ePrivacy, LGPD
    System / access logs | 90 days | Security, fraud detection
    Identity-verification ("KYC") documents | 5 years after the verification | KYC, AML, financial-services rules
    Customer support tickets | 3 years | Service-quality and disputes
    Cookies (non-essential) | Per the duration set in the cookie banner | Analytics, marketing, preferences
    Encrypted backups | 30 days after primary deletion | Disaster recovery

    We may retain personal information longer than the periods listed above where (a) required by law, (b) needed to defend or pursue legal claims, (c) needed to detect, prevent, or address fraud or security incidents, or (d) anonymized such that the data no longer identifies any individual.