Privacy Notice

Who we are

Polished by Mrs Hilly ("we", "us") provides nail services in the UK for adults aged 16 and over.

Contact: mrshilly.k@gmail.com, 38 Scholars Drive, Stockport, SK3 0BS.

The data we collect

• Booking & orders: name, contact details, service selections, preferences (including "Surprise Me" vibe), appointment dates, payment status.
• Communications: emails/DMs/WhatsApp messages you send to us.
• Media: photos/videos of nail sets (only with your consent).
• Website analytics: privacy-friendly, aggregated metrics (no cookies by default).
• Embeds & pixels (optional): if you accept Instagram embeds via our cookie consent popup, those services may set their own cookies.
• Indirect data: Information from social media (e.g., if you contact us via Instagram DMs or referrals), including your username and message content.

Why we use your data (lawful basis)

• Perform our contract: schedule appointments, take payments, provide support.
• Legitimate interests: improve our services and website (e.g., analyzing aggregated booking trends to enhance offerings); secure our studio and online systems (e.g., protecting against fraud).
• Consent: marketing emails; Instagram embeds; using photos of your nails in our portfolio. Note: Features like 'Surprise Me' are manually selected by our technician and do not involve automated processing.
• Legal obligations: accounting and tax records.

We do not use automated decision-making or profiling that has legal or significant effects on you.

Sharing & processors

We use reputable providers to run our business, for example:

• Vercel (website hosting)
• Notion (booking & order database)
• Make/Zapier (automations)
• NatWest (payments)
• Plausible (cookie-less analytics)
• WhatsApp (customer messaging)
• Instagram (optional embeds)
• Google Calendar (read-only availability)

We only share what's necessary for each purpose. Some providers are outside the UK; where applicable, we rely on standard contractual clauses or equivalent safeguards. You can request details or copies of safeguards by contacting us at mrshilly.k@gmail.com.

Retention

• Bookings and order records: 6 years (accounting/tax).
• Marketing contacts: until you unsubscribe or we delete inactive records.
• Portfolio media: until you withdraw consent.

Your rights

You can request access, correction, deletion, restriction, portability, or object to certain uses. You may withdraw consent at any time. To exercise your rights, contact us at mrshilly.k@gmail.com.

We have not appointed a Data Protection Officer as our processing is limited, but you can contact us directly for any data protection queries. You can complain to the ICO at ico.org.uk if you're unhappy.

Cookies & tracking

• We use Plausible analytics, which is cookieless and privacy-friendly.
• On your first visit, a cookie consent popup allows you to accept or decline non-essential cookies. Instagram embeds and marketing pixels are off by default; if you opt-in, those third parties may set cookies. You can change your choices any time via Cookie settings.

Children

Our services are for adults aged 16 and over. If you are under 16, please do not provide personal data.

Changes

We'll update this notice when needed. The latest version will always be on this page.

Version history: Version 1.0 – Initial publication.