Privacy Policy

We collect information you provide directly to us, such as: • Personal information (name, email, phone number) • Appointment booking details and service preferences • Payment information (processed securely through Apple and our payment providers) • Communication records with our staff • Photos of nail services (with your consent) • Device information and app usage data for improving our services • Location data (only with your permission) • Usage analytics through Firebase Analytics

We use your information to: • Provide and improve our nail salon services • Process appointments and payments • Send appointment reminders and service updates • Communicate with you about our services and promotions • Ensure the security and integrity of our app and services • Comply with legal obligations and resolve disputes • Analyze app usage to improve user experience • Prevent fraud and abuse Legal basis for processing (for EU users): • Contract performance (providing services) • Consent (marketing communications) • Legitimate interests (fraud prevention, service improvement)

We do not sell or rent your personal information. We may share your information only in these circumstances: • With your nail technician to provide services • With payment processors (Apple Pay, Stripe) to handle transactions • With service providers who assist in our operations (under strict confidentiality): - RevenueCat: Subscription and purchase management - Firebase: Analytics and crash reporting - Supabase: Database and backend services • To comply with legal requirements or protect our rights • In case of business transfer or merger (with notice to you) • With your explicit consent for specific purposes Each third-party service has its own privacy policy. We ensure they meet our privacy standards.

We retain your personal information for as long as necessary to: • Provide our services while your account is active • Comply with legal obligations (tax and financial records: 7 years) • Resolve disputes and enforce our agreements • Meet audit and reporting requirements After account deletion: • Personal data will be deleted within 30 days • Anonymized usage data may be retained for analytics • Legal and financial records retained as required by law • Backup data will be purged within 90 days You can request deletion of your data at any time by contacting us.

We use the following technologies: • Essential cookies: Required for app functionality and security • Analytics: Firebase Analytics to understand usage patterns • Subscription management: RevenueCat SDK for purchase tracking • Performance monitoring: Crash reporting to improve stability You can control cookies and tracking through: • Device settings (iOS: Settings > Privacy > Tracking) • App settings (opt-out of analytics) • Email preferences (unsubscribe from marketing) We do not use advertising or third-party tracking cookies.

We protect your information through: • End-to-end encryption of sensitive data in transit (TLS 1.3) • Encryption at rest for stored data • Regular security audits and penetration testing • Limited access to personal information on a need-to-know basis • Secure payment processing through Apple's IAP and PCI-compliant providers • Two-factor authentication for staff access • Incident response procedures for security breaches In case of a data breach: • We will notify affected users within 72 hours • Report to relevant authorities as required by law • Provide information about mitigation steps

Your data may be transferred to and processed in countries other than your own, including the United States. For EU users: • We use Standard Contractual Clauses (SCCs) approved by the EU Commission • We ensure adequate protection measures are in place • You can request information about data transfers For users in other regions: • We comply with applicable cross-border data transfer laws • Data is protected according to this privacy policy regardless of location

You have the right to: • Access, update, or delete your personal information • Opt out of marketing communications at any time • Request a copy of the data we have about you • Restrict or object to certain processing of your data • Data portability (receive your data in a structured, machine-readable format) • File a complaint with data protection authorities • Withdraw consent for optional data processing For EU users (GDPR): • Right to be forgotten (erasure) • Right to restrict processing • Right to object to processing • Right not to be subject to automated decision-making For California users (CCPA): • Right to know what information we collect • Right to delete personal information • Right to opt-out of sale (we do not sell data) • Right to non-discrimination To exercise your rights, contact us at the email below.

Our service is not intended for children under 13 years old (or 16 in the EU). We do not knowingly collect personal information from children: • Age verification is required during account creation • If we learn we have collected children's data, we will delete it immediately • Parents can contact us to review or delete their child's information If you are under 18, please have your parent or guardian review this policy before using our app.

We may update this Privacy Policy from time to time: • Material changes will be notified via email or in-app notification • Continued use after changes constitutes acceptance • Previous versions will be archived and available upon request • Last updated date is shown at the top of this page We encourage you to review this policy periodically.

For privacy-related questions or requests, contact us at: Email: houzhen@iu.edu Response time: Within 30 days (48 hours for urgent matters) For EU users: Data Protection Officer: houzhen@iu.edu You can also submit requests through the app's Settings > Privacy section.