Important: Privacy requirements depend on where Chroify and its users operate. This policy should be reviewed as Chroify expands into new jurisdictions or introduces materially different data uses.
This Privacy Policy explains how Chroify processes personal information when people use the Service. Business customers generally act as controllers of Customer Data; Chroify generally processes that data to provide the Service.
1. Information collected
We process account details such as name, email, phone, authentication identifiers, role, and consent records; business and client records; appointments, messages, support requests, invoices, receipts, and reviews; transaction and subscription information from payment providers; and technical information such as device/browser details, logs, approximate location derived from IP, security events, and usage data.
2. Sources and purposes
Information comes from users, their organizations, clients making bookings, service providers, and automated use of the Service. We use it to authenticate users; provide bookings and business workflows; process payments; communicate; prevent fraud and abuse; secure, troubleshoot, analyze, and improve the Service; comply with law; and establish or defend legal claims.
3. Legal bases
Where required, processing relies on contract performance, legitimate interests, consent, and legal obligations. Business customers are responsible for identifying their lawful basis and providing required notices for Customer Data they control.
4. Sharing and subprocessors
Information may be shared with authorized business users, clients as directed by the business, and vendors supporting hosting, database/authentication, payments, communications, analytics, security, and support. Current core providers may include Supabase, Vercel, and Stripe. We may also disclose information for legal compliance, safety, corporate transactions, or with consent. We do not sell personal information for money.
5. Retention
We retain information while needed to provide the Service, meet contractual and legal obligations, resolve disputes, enforce agreements, and maintain security. Retention depends on data type, account status, legal requirements, and backup cycles. Consent and legal acceptance records may be retained as evidence after account closure where lawful.
6. Security and incidents
We use reasonable safeguards including authentication, access controls, encryption provided by infrastructure vendors, row-level database policies, and logging. No security method is perfect. If a qualifying personal-data breach occurs, Chroify will investigate and provide notifications required by applicable law. Users must promptly report suspected incidents and protect their credentials.
7. International transfers
Information may be processed in countries different from where users live. Where required, we use recognized transfer mechanisms and contractual safeguards through our providers.
8. Privacy choices and rights
Depending on location, individuals may have rights to access, correct, delete, restrict, object, port, or withdraw consent, and may appeal or complain to a regulator. Requests concerning Customer Data should usually be directed first to the relevant business customer. We may verify identity and retain information where legally permitted or required.
9. Children and sensitive data
The Service is not directed to children under 18. Do not submit highly sensitive or specially regulated information unless authorized and appropriate safeguards and agreements are in place.
10. Cookies, local storage, and masked analytics
The browser app uses essential local storage and authentication/session technologies to maintain language preferences, secure sign-in, and provide requested application features. Chroify uses Microsoft Clarity on public marketing pages to understand visits and improve website usability. Signup forms are marked for masking. For authenticated owners, workers, and clients, Clarity does not begin recording the application until the user accepts this Privacy Policy. Authenticated application content is marked for masking, no Chroify account email or user identifier is intentionally sent to Clarity, and strict masking must remain enabled in Clarity. Superadmin sessions are excluded. Clarity may process device, browser, interaction, approximate-location, and usage information as described by Microsoft. Where applicable law requires a different consent mechanism, Chroify will provide it.
11. Changes and contact
We may update this policy and will notify users of material changes as required. Send privacy requests to privacy@chroify.com, suspected security incidents to security@chroify.com, and general support requests to support@chroify.com.