Legal

Privacy Policy

How Tailro collects, uses, and protects your personal data.

Effective date: March 29, 2026

1. Who We Are

Tailro is a B2B SaaS appointment scheduling and business management platform designed for appointment-based businesses including boutiques, tailoring studios, salons, spas, clinics, and consultants.

Contact: [email protected]

Data Controller Roles: Tailro acts as the data controller for merchant account data (store owners and staff). Merchants act as data controllers for their customers' booking data — in that relationship, Tailro is the data processor acting on the merchant's instructions.

2. What Data We Collect

2a. From Merchants & Staff (B2B Users)

  • Account data: First name, last name, email address, phone number
  • Authentication data: OTP codes (6-digit, 2-minute TTL), Google OAuth sub-ID, OAuth tokens
  • Business data: Entity name, store name, store slug, store address, timezone, logo (stored in Cloudflare R2)
  • Calendar data: Google Calendar OAuth access token and refresh token, calendar email, linked calendar ID (stored encrypted)
  • Subscription & billing data: Plan name, billing cycle, payment status, Razorpay Order ID, Razorpay Payment ID — card/UPI details are never stored by Tailro; they are held by Razorpay
  • Staff availability data: Working hours, break times, leave dates, per-store role (Owner, Manager, Staff)
  • Usage logs: Feature usage metrics (appointments created, staff count, services count) used for plan enforcement

2b. From End Customers (Booking Users)

  • Identity: First name, last name, email address, phone number
  • Authentication data: Email OTP, Google OAuth sub-ID, Shopify Customer Account ID (if 'Login with Shopify' is used at a store's booking page)
  • Booking history: Appointment date/time, service, staff, status, location, online meeting URL, notes, payment status, price paid
  • Payment records: Amount paid, currency, payment method type (not card details), Razorpay transaction ID
  • Store relationship: Which stores the customer has booked at

2c. From Shopify Integration

  • Shop domain (e.g. my-store.myshopify.com)
  • OAuth access token (permanent, stored server-side, never exposed in API responses)
  • Granted OAuth scopes (e.g. write_customers, read_orders)
  • Navigation menu GIDs (Shopify internal GraphQL IDs for the booking link in the merchant's store menu)
  • Shopify Customer Account API credentials (client ID and client secret) for 'Login with Shopify' on the booking page
  • Shopify customer records synced from/to Shopify: name, email, phone

2d. Files & Media

  • Store logos uploaded by merchants — stored in Cloudflare R2
  • Staff profile pictures — stored in Cloudflare R2
  • Store gallery images — stored in Cloudflare R2
  • Invoice documents — stored in Cloudflare R2
  • All files are served via Cloudflare R2 public CDN URL

2e. Technical / Automatic Data

  • HTTP request logs: timestamp, HTTP method, URL path, response status, latency
  • IP addresses (implicit in HTTP request handling)
  • Request headers including User-Agent

3. How We Use the Data

DataPurposeLegal Basis
Merchant email & nameAccount creation, login OTP, transactional emailContract performance
Google OAuth tokenSync appointments to merchant's Google CalendarExplicit consent
Shopify access tokenManage booking link in merchant's Shopify store navigationContract performance
End customer emailAppointment confirmation and reminder emailsLegitimate interest / consent
End customer booking historyDisplay to merchant and customer, power analytics dashboardContract performance
Payment IDs (Razorpay)Reconciliation, dispute resolutionLegal obligation
Subscription dataPlan enforcement, feature gatingContract performance
Feature usage logsEnforce plan limits (appointment quotas, staff limits)Contract performance
File uploadsDisplay in booking pages and merchant dashboardsContract performance
Request logsDebugging, security monitoring (no long-term profiling)Legitimate interest

4. Third-Party Services We Share Data With

We share data with the following third parties only as necessary to operate the platform:

ServiceWhat We SendWhyTheir Privacy Policy
RazorpayMerchant subscription billing amounts; customer appointment paymentsPayment processingrazorpay.com/privacy
Google (Calendar API)Appointment details (title, time, staff, meeting URL)Sync to merchant's Google Calendarpolicies.google.com/privacy
Google (OAuth)Email address, nameMerchant & customer loginpolicies.google.com/privacy
ShopifyCustomer name, email, phone (sync on new booking)Merchant requested customer syncshopify.com/legal/privacy
Cloudflare (R2 Storage)Uploaded files (logos, images, invoices)Object storage & CDNcloudflare.com/privacypolicy
Cloudflare (Custom Domains)Merchant's custom domain hostnameSSL/DNS management for branded booking pagescloudflare.com/privacypolicy
SMTP Email ProviderRecipient email, appointment detailsTransactional emailsProvider's own policy

5. Data Retention

DataRetention Period
Merchant account dataDuration of account + 90 days after deletion request
Staff recordsDuration of account
End customer dataAs long as their merchant relationship exists; customers can request deletion via merchant or [email protected]
Appointment recordsDuration of merchant account (needed for merchant's business records)
Payment records7 years (financial/tax legal requirement)
Shopify integration tokensDeleted immediately on disconnect or app uninstall (hard delete)
PendingShopifyInstall recordsDeleted on completion or shop/redact webhook
OTP codes2 minutes TTL + swept by automated cron job
Google Calendar tokensDeleted on calendar disconnection
Request logs30 days rolling
Uploaded files (R2)Deleted when merchant deletes them or account is closed

6. Your GDPR Rights (EU Users)

If you are located in the European Economic Area (EEA), you have the following rights:

  • Right to access — email [email protected] to request a copy of your data
  • Right to rectification — update your data via the dashboard or by emailing [email protected]
  • Right to erasure ('right to be forgotten') — email [email protected]; we respond within 14 working days
  • Right to data portability — request a CSV export of your appointment history via [email protected]
  • Right to object or restrict processing — email [email protected]
  • Right to withdraw consent (Google OAuth) — disconnect your calendar from the Tailro dashboard at any time
  • Right to lodge a complaint with your supervisory authority — you may contact your local EU Data Protection Authority (DPA)

7. Security

  • Data in transit: TLS/HTTPS enforced on all connections
  • Passwords: Not stored — Tailro uses OTP-only authentication; there is no password system
  • OAuth tokens: Stored server-side only; never returned in API responses
  • Encryption: Sensitive tokens (e.g. Google Calendar tokens) are encrypted at rest
  • Access control: Role-Based Access Control (RBAC) — staff can only access data for their own store
  • Shopify HMAC verification on all incoming webhook requests

8. Cookies

We use strictly necessary cookies to maintain your authenticated session. Please see our Cookie Policy for full details.

9. Children's Privacy

Tailro is not directed at children under the age of 13 (or 16 in certain EU jurisdictions). We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us at [email protected] and we will delete it promptly.

10. Changes to This Policy

We will notify merchants by email of any material changes to this Privacy Policy. The effective date at the top of this page will always reflect the most recent version. We encourage you to review this policy periodically.

11. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

Tailro

Email: [email protected]

© 2026 Tailro. All rights reserved.

Privacy PolicyTerms of ServiceData RightsCookie PolicyDPA