Last updated: 28 April 2026

Privacy Policy

1. Introduction

This Privacy Policy explains how Sahlix ("we", "us", "our") collects, uses, stores, and discloses personal data when you use our booking platform, mobile and web applications, and related services (the Services).

Sahlix acts as a Data Controller in respect of personal data processed about visitors, account holders, and end-customers of beauty businesses using the Services. Beauty businesses themselves act as independent Data Controllers for the data of their clients; we act as a Data Processor on their behalf.

This Policy is designed to comply simultaneously with the Personal Data Protection Law of the Kingdom of Saudi Arabia (PDPL) and the General Data Protection Regulation (EU) 2016/679 (GDPR) where applicable.

2. Definitions

  • Personal data — any information relating to an identified or identifiable natural person.
  • Data subject — the natural person to whom personal data relates.
  • Controller — the entity determining the purposes and means of processing.
  • Processor — the entity processing data on behalf of a Controller.
  • Processing — any operation performed on personal data, whether automated or not.
  • Cross-border transfer — transfer of personal data outside the jurisdiction in which it was collected.

3. Personal data we collect

We collect the following categories of personal data:

  • Identity data — name, family name, profile photo (optional).
  • Contact data — phone number, email address, postal address of the business.
  • Booking data — services chosen, specialists, dates, times, prices.
  • Transactional data — billing records, plan history, invoices.
  • Technical data — IP address, device type, browser, operating system, unique device identifiers, access logs.
  • Usage data — features used, screens visited, interactions with the Services.
  • Marketing data — preferences for communications and consent records.

4. Lawful basis for processing (GDPR Art. 6)

Where the GDPR applies to your data, we rely on the following lawful bases:

  • Performance of a contract — to deliver the Services you signed up for.
  • Legitimate interests — to secure our Services, prevent fraud, and improve product quality, where such interests are not overridden by your rights.
  • Consent — for marketing communications, optional analytics, and any processing of sensitive data; consent may be withdrawn at any time.
  • Legal obligation — where we must process data to comply with applicable law (e.g. tax, accounting, anti-money-laundering).

5. PDPL-specific provisions (KSA)

For data subjects in the Kingdom of Saudi Arabia, processing is conducted in accordance with the PDPL. Specifically:

  • We obtain explicit consent for processing where required by Article 6 of the PDPL.
  • We do not transfer personal data outside the Kingdom except where one of the conditions in Article 29 of the PDPL is met (adequate level of protection, contractual safeguards including KSA Standard Contractual Clauses, or explicit consent of the data subject).
  • We respect the rights of access, correction, and deletion granted under Articles 4, 9, and 10 of the PDPL.
  • Sensitive personal data is processed only with explicit consent or another lawful basis under Article 7 of the PDPL.
For PDPL-specific requests, contact privacy@sahlix.io with the subject line "PDPL request".

6. Data retention

CategoryRetention period
Account profile dataFor the lifetime of the account, then 12 months after closure.
Booking history3 years from the booking date.
Billing & invoicing data10 years (statutory accounting requirement).
Technical logs90 days.
Marketing consentsUntil consent is withdrawn, plus 2 years for evidentiary purposes.

7. Your rights

Rights under the GDPR

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)
  • Right to lodge a complaint with a supervisory authority (Art. 77)

Rights under the PDPL

  • Right to be informed of the legal basis and purpose for processing.
  • Right to access your personal data and request a copy.
  • Right to request correction or completion of inaccurate data.
  • Right to request erasure where processing is no longer necessary.

To exercise any right, contact privacy@sahlix.io. We respond within 30 calendar days.

8. International data transfers

Where personal data is transferred outside the jurisdiction of collection, we apply appropriate safeguards:

  • EU/EEA → third countries: Standard Contractual Clauses adopted by the European Commission (Decision 2021/914).
  • KSA → third countries: KSA Standard Contractual Clauses or explicit consent, in accordance with Article 29 of the PDPL.

9. Cookies and similar technologies

We use cookies and similar technologies for:

  • Strictly necessary cookies — authentication, session continuity, security. No consent required.
  • Functional cookies — language preference, UI settings.
  • Analytics cookies — aggregate usage measurement (only with consent in jurisdictions that require it).

You can manage cookie preferences through your browser settings or the cookie banner displayed on first visit.

10. Security measures

We implement technical and organisational measures including encryption in transit (TLS 1.3) and at rest, role-based access control, audit logging, regular vulnerability testing, and a documented incident-response procedure. In the event of a personal data breach, we notify the relevant supervisory authority within 72 hours where required.

11. Contact

For any question about this Policy or your rights:

This Policy may be updated from time to time. Material changes will be communicated through the Services or by email.