Privacy Policy
Last updated: March 2026
1. Introduction
Bellora ("we", "us", "our platform") is a SaaS platform for managing beauty salons and hair salons. This Privacy Policy explains how we collect, use, store, and protect your data when you use our platform and its integrations with third-party services including Meta (WhatsApp Business API and Instagram API).
2. Data We Collect
- Account Data: Name, email address, encrypted password upon registration.
- Salon Data: Salon name, address, contact phone, working hours, services and prices.
- Salon Client Data: Client name, phone number, email, appointment history — entered by salon owners.
- Messages: Messages received and sent via WhatsApp Business API and Instagram Messaging API for the purpose of automated customer service on behalf of the salon.
- Access Tokens: Meta platform (WhatsApp/Instagram) access tokens, encrypted using AES-256-GCM and stored securely in our database.
- Usage Data: Log data including IP addresses, browser type, and access times for security and service improvement purposes.
3. How We Use Data
- Providing salon management services (calendar, appointments, invoicing).
- Automatically responding to customer messages via an AI assistant on behalf of the salon using WhatsApp Business API and Instagram Messaging API.
- Scheduling, canceling, and managing appointments.
- Sending real-time notifications to salon owners about new messages and appointments.
- Improving our AI assistant's response quality.
4. WhatsApp and Instagram Integration
Bellora integrates with Meta's WhatsApp Business Platform and Instagram Messaging API to enable salons to communicate with their customers. When a salon owner connects their WhatsApp or Instagram account:
- We access only messages sent to the salon's business account — never private or personal messages.
- We use the whatsapp_business_management permission to manage the salon's WhatsApp Business Account, phone numbers, and message templates.
- We use the whatsapp_business_messaging permission to send and receive messages on behalf of the salon.
- We use instagram_business_basic and instagram_business_manage_messages permissions to read and respond to Instagram Direct Messages on behalf of the salon.
- Access tokens are encrypted at rest (AES-256-GCM) and used exclusively for sending responses to salon customers.
- The salon owner can disconnect and revoke access at any time through the Bellora dashboard.
- We do not store or process message content for any purpose other than providing the service to the salon owner.
5. AI Assistant
Bellora uses AI technology (OpenAI GPT-4o) to automatically respond to customer messages. The AI assistant responds exclusively to inquiries related to salon services, appointments, and pricing. The salon owner has full control over the AI assistant and can:
- Review all AI-generated responses before they are sent (copilot mode).
- Allow the AI to respond automatically for routine inquiries (autopilot mode).
- Completely disable the AI assistant at any time (manual mode).
Message content sent to OpenAI for processing does not include personal identifiers of the end customer.
6. Data Security
- All access tokens are encrypted using AES-256-GCM.
- Passwords are hashed using the bcrypt algorithm.
- All communication is protected via HTTPS/TLS.
- Data access is isolated per salon (multi-tenant isolation with clinic-scoped queries).
- Meta webhook signatures (X-Hub-Signature-256) are verified for every incoming message using HMAC-SHA256.
- Rate limiting and request validation are enforced on all API endpoints.
7. Data Sharing
We do not sell, rent, or share your data with third parties except in the following cases:
- Meta Platform (WhatsApp/Instagram): For sending and receiving messages on behalf of the salon via the WhatsApp Business API and Instagram Messaging API.
- OpenAI: For AI-powered message processing. Message content is sent without personal identifiers.
- Legal Requirements: If required by law, court order, or governmental authority.
8. Your Rights
You have the right to:
- Request access to your personal data.
- Request correction or deletion of your data.
- Disconnect the WhatsApp/Instagram integration at any time.
- Delete your account and all associated data.
- Export your data in a machine-readable format.
- Withdraw consent for data processing at any time.
9. Data Retention
Conversation data is retained for 90 days after the last activity. Salon and client data is retained while the account is active. After account deletion, all data is permanently deleted within 30 days. Meta access tokens are immediately invalidated upon disconnection.
10. Data Deletion
Users can request deletion of their data at any time by contacting us or through the Bellora dashboard settings. Upon receiving a deletion request, we will delete all personal data within 30 days, revoke all Meta access tokens, and confirm deletion via email.
11. Children's Privacy
Our service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of material changes via email or through the platform. Continued use of the service after changes constitutes acceptance of the updated policy.
13. Contact
For questions about data privacy, contact us at: edinbrkic26@gmail.com