Privacy Policy
Your Privacy Matters to Us
This Privacy Policy explains how Braida Ltd collects, uses, stores, and protects your personal data when you use our platform. We are committed to transparency and to upholding your rights under the UK General Data Protection Regulation (UK GDPR).
Last updated: February 2026
Who We Are
Braida Ltd ("Braida", "we", "us", or "our") is a company registered in England & Wales. We operate the Braida platform at braida.co.uk, a curated marketplace connecting Afro & Caribbean beauty professionals with clients across the United Kingdom.
Braida Ltd is the data controller responsible for your personal data processed through the Braida platform. We are committed to protecting your privacy and processing your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
If you have any questions about this policy or our data practices, please contact our Data Protection team at privacy@braida.co.uk.
What Data We Collect
We collect and process the following categories of personal data:
Account Information
Name, email address, phone number, password (stored as a cryptographic hash using argon2id — we never store your password in plain text), and account preferences.
Hair Profile & HairPrint™ Data
Curl pattern, hair condition, scalp sensitivities, treatment history, preferred styles, allergies, and (where you choose to provide them) strand thickness, density, porosity, shrinkage ratio, skin tone, undertone, and face shape. This data powers our personalised matching and recommendation services.
Booking & Service History
Details of services you have booked, appointment dates, provider interactions, cancellation history, reviews you have submitted, and dispute records.
Payment Information
Payment transactions are processed securely by Stripe. We do not store your full card details on our servers. We retain transaction records including amounts, dates, and payment status for financial compliance purposes.
Provider Verification Documents
If you register as a beauty professional, we collect identity documents, qualifications, and portfolio images as part of our verification process. These are stored securely and accessed only by authorised admin staff.
Usage & Analytics Data
How you interact with the platform, including pages visited, searches performed, features used, device information, and anonymised session data. We use this to improve the platform experience. No personally identifiable information is included in analytics event payloads.
Location Data
Approximate location (such as your city or postcode area) to show you nearby providers. For beauty professionals, we store a general service area publicly and encrypt exact addresses, which are shared only with confirmed booking clients.
How We Use Your Data
We process your personal data for the following purposes:
- Service delivery: Creating and managing your account, facilitating bookings between clients and providers, processing payments through Stripe escrow, and communicating about your appointments.
- AI-powered matching (MatchScore™): Using your HairPrint™ profile data and provider expertise information to calculate personalised compatibility scores that help you find the best stylist for your specific hair type and preferences.
- Treatment recommendations (HairPrint™): Analysing your hair profile to suggest treatments and styles suited to your curl pattern, condition, and preferences. You can opt out of AI-powered recommendations at any time.
- Platform improvement: Analysing anonymised usage patterns to improve search results, user interface design, and overall platform performance.
- Marketing: Sending you promotional content, special offers, and platform updates only where you have given explicit opt-in consent. You can unsubscribe at any time with one click.
- Safety & trust: Verifying provider identities, moderating reviews, resolving disputes, and preventing fraud.
- Legal compliance: Maintaining financial records, audit logs, and responding to lawful requests from regulatory authorities.
Legal Basis for Processing
Under UK GDPR, we process your data on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Bookings, payments, and service delivery | Performance of a contract (Article 6(1)(b)) |
| Account creation and management | Performance of a contract (Article 6(1)(b)) |
| Marketing communications | Consent (Article 6(1)(a)) — opt-in required |
| AI matching and recommendations (MatchScore™, HairPrint™) | Consent (Article 6(1)(a)) — granular ML consent toggle |
| SafeScan™ biometric analysis | Explicit consent for special category data (Article 9(2)(a)) |
| Platform analytics and improvement | Legitimate interest (Article 6(1)(f)) |
| Fraud prevention and safety | Legitimate interest (Article 6(1)(f)) |
| Financial record-keeping and audit logs | Legal obligation (Article 6(1)(c)) |
SafeScan & Biometric Data
SafeScan™ is our optional, privacy-preserving hair and skin analysis feature. We take the privacy of biometric-adjacent data extremely seriously, and SafeScan™ has been designed with privacy at its core.
How SafeScan™ Works
SafeScan™ runs entirely on your device. When you use this feature, a lightweight model analyses your hair and skin characteristics directly in your browser or mobile app. No raw photographs or images are ever transmitted to or stored on our servers. Only a pseudonymised, irreversible feature vector (a mathematical representation) is sent to our service for matching purposes.
Article 9 UK GDPR Compliance
SafeScan™ feature vectors may constitute special category data under Article 9 of the UK GDPR. Accordingly, we process this data only with your explicit, informed, and freely given consent. A dedicated consent flow is presented before SafeScan™ is activated, separate from any other consents, clearly explaining what data is captured and how it is used.
Data Protection Impact Assessment
We have conducted a Data Protection Impact Assessment (DPIA) for SafeScan™ in accordance with Article 35 of the UK GDPR, assessing risks to your rights and freedoms and implementing appropriate safeguards. This DPIA is reviewed and updated as the feature evolves.
Your Control
SafeScan™ is entirely optional. You can withdraw your consent and request deletion of your SafeScan™ feature vector at any time through your account settings. Your experience on Braida is not diminished if you choose not to use SafeScan™.
Data Sharing
We share your personal data only with trusted third parties who are necessary for the operation of the platform. We never sell your personal data to third parties.
Stripe (Payment Processing)
Your payment details are processed by Stripe, Inc., a PCI DSS-certified payment processor. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy.
SendGrid (Email Communications)
Transactional and marketing emails are delivered via SendGrid (Twilio). SendGrid processes your email address and name as a data processor on our behalf.
Cloudflare R2 (File Storage)
Portfolio images and uploaded documents are stored securely on Cloudflare R2, an S3-compatible object storage service. Cloudflare acts as a data processor on our behalf.
PostHog (Analytics)
Anonymised usage analytics are processed by PostHog. No personally identifiable information is included in analytics events.
Between Clients and Providers
When a booking is confirmed, limited information is shared between the client and provider to facilitate the appointment. Provider exact addresses are encrypted and only revealed to the client after booking confirmation. Client contact details are shared with the provider solely for appointment coordination.
Law Enforcement
We may disclose personal data where required to do so by law, by a court order, or in response to a lawful request by a public authority.
Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 2 years after deletion |
| Financial records and payment data | 7 years (UK financial compliance requirements) |
| Audit logs | 7 years |
| Booking records | 7 years (retained for compliance even after account deletion) |
| HairPrint™ profile data | Duration of account; deleted upon account deletion or consent withdrawal |
| SafeScan™ feature vectors | Deleted immediately upon consent withdrawal or account deletion |
| Analytics data | Anonymised; retained indefinitely in aggregate form |
When you delete your account, we perform a soft deletion. Your personal data is removed from active systems, but certain records (financial transactions, audit logs) are retained in compliance with UK financial regulations.
Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access: You can request a copy of all personal data we hold about you. Use the data export feature in your account settings, or email us.
- Right to rectification: You can update or correct your personal data at any time through your account settings.
- Right to erasure ("right to be forgotten"): You can request deletion of your account and personal data, subject to our legal retention obligations.
- Right to portability: You can export your data in a structured, machine-readable JSON format via your account settings.
- Right to withdraw consent: Where we rely on consent (marketing, ML recommendations, SafeScan™), you can withdraw it at any time through your account settings. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right to restrict processing: You can request that we limit how we process your data in certain circumstances.
- Right to object: You can object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to complain: If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
To exercise any of these rights, email privacy@braida.co.uk. We will respond to your request within 30 days.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by email and by posting a prominent notice on our platform. We encourage you to review this page periodically.