Privacy Policy

1. Who we are

XTAN operates mobile applications and related digital services for salon and customer account access, including features such as account login, package or pass purchases, balance checking, visit history and profile management.

For the purpose of data protection laws, XTAN is the data controller for the personal data described in this policy unless stated otherwise.

Website: https://xtan.co.uk/

Privacy page: https://xtan.co.uk/privacy.php

2. What information we collect

Depending on how you use our apps and services, we may collect:

• Account information such as your name, phone number, date of birth and customer account details.
• Profile data such as preferences, account status, available minutes, purchased passes or package balances.
• Transaction data such as purchases, order history, package activations and payment status.
• Technical information such as device type, operating system, app version, IP address, crash logs and basic diagnostic data.
• Support communications if you contact us for help.

3. How we use your information

We use personal information to:

• create and manage your customer account;
• verify your access to the app and protect customer accounts from unauthorized use;
• show your balances, purchases, passes, sessions and account history;
• process and record purchases made through our services or connected payment providers;
• improve app functionality, security and performance;
• respond to support requests and service issues;
• comply with legal, tax, accounting and fraud-prevention obligations.

4. Legal basis for processing

Where UK GDPR or similar laws apply, we process personal data on one or more of the following bases:

• Contract: to provide the app, account features and purchased services to you.
• Legitimate interests: to maintain security, prevent misuse, improve our systems and manage our business.
• Legal obligation: to meet financial, tax, record-keeping or law-enforcement requirements.
• Consent: where consent is specifically requested, for example for optional marketing communications or certain optional analytics tools.

5. When we share information

We may share data only where reasonably necessary, including with:

• hosting, infrastructure and technical service providers;
• payment service providers;
• support, analytics or diagnostics providers;
• professional advisers where required;
• public authorities or regulators where we are legally required to do so.

We do not sell your personal information to third parties.

6. Payments

Payments connected to our services may be processed by third-party payment providers. When you make a purchase, payment details may be collected and processed directly by the relevant payment provider under that provider’s own privacy policy.

We typically receive limited payment-related information such as payment status, transaction reference, amount, date and order details, but we do not store full card details on our own servers unless explicitly stated otherwise.

7. How long we keep data

We keep personal data only for as long as reasonably necessary for the purposes described in this policy, including for account access, service history, support, fraud prevention, legal obligations and accounting requirements.

Retention periods may vary depending on the type of data and any legal obligations that apply.

8. Security

We use reasonable technical and organizational measures to protect personal information against unauthorized access, loss, misuse, alteration or disclosure. However, no system can be guaranteed to be completely secure.

9. Your rights

Depending on your location and applicable law, you may have rights to:

• request access to your personal data;
• request correction of inaccurate or incomplete information;
• request deletion of your personal data in certain circumstances;
• object to or restrict certain processing;
• request portability of the data you provided to us;
• withdraw consent where processing is based on consent.

To exercise any of these rights, please contact us using the details below.

10. Children’s privacy

Our apps and services are not intended for children unless explicitly stated otherwise. We do not knowingly collect personal data from children where such collection is not permitted by law.

11. International data transfers

Some of our service providers may process data outside your country. Where required, we take reasonable steps to ensure appropriate safeguards are in place for international transfers of personal data.

12. Changes to this policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated effective date.

Effective date: June 6, 2026

13. Contact us

If you have questions about this Privacy Policy or your personal data, please contact us:

Email: privacy@xtan.co.uk

Website: https://xtan.co.uk/