Privacy policy.

Effective Date: January 1st, 2025

1) Who We Are & Scope (Notice at Collection — California)

Lux Lox Salon (“Lux Lox,” “we,” “our,” “us”) operates www.luxloxsalon.com and its subdomains (the “Site”) and provides in-salon services through independent, licensed professionals. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you visit the Site, contact us, book services, purchase retail, or participate in Artists’ Residency model sessions.
California notice at collection: We collect the categories in Section 3 for the purposes in Section 4 and retain data as in Section 8. You may exercise your rights via contact@luxloxsalon.com or the links in Section 11.

2) Who is the Controller?

For Site visitors and bookings, Lux Lox Salon is the controller. Our platform/host Squarespace also processes some visitor “Site Usage Information” to run and secure its platform—see Squarespace Privacy Policy and Data Processing Addendum (DPA).

3) Information We Collect (Categories & Sources)

A. Identifiers & contact details (name, email, phone, postal address).
B. Booking & commercial info (appointments, services selected, retail/gift cards).
C. Payment info (processed by providers; we don’t store full card numbers).
D. Preferences & communications (opt-ins/outs, surveys, model/residency forms, feedback).
E. Internet/technical data (IP, device/browser, pages viewed, referrers, approximate location) via cookies/SDKs and platform analytics.
F. Photos/video (with consent; e.g., “before/after,” residency/education content).
G. Professional/education info (optional) (if you apply to work with us or join a pro list).
H. Limited sensitive info (e.g., allergy notes/patch-test preferences for safe services).
Sources: you (forms, bookings), your device (cookies), our processors (Squarespace, Square, GlossGenius, Acuity), and—if you choose—social media.

4) How We Use Information (Purposes)

  • Provide, schedule, and personalize services and appointments

  • Process payments, deposits, credits/refunds, and gift cards

  • Operate, secure, debug, and improve the Site and our services

  • Send transactional messages (confirmations, reminders, updates) and, with consent, marketing

  • Educational/model sessions: scheduling, training/portfolio media, feedback

  • Detect/prevent fraud, enforce policies, and comply with law/regulators

5) When We Disclose Information

  • Service providers/processors under contract (hosting/platform Squarespace; booking/payment Square, GlossGenius, Acuity)

  • Independent Professionals (your selected stylist/tech) to fulfill appointments

  • Legal/compliance recipients and business transfers (e.g., asset sale)

  • At your direction (e.g., public reviews, social tags, portfolio consent)

We do not sell personal information for money. If analytics/ads cookies are enabled, we may “share” identifiers/technical data for cross-context behavioral advertising; you can opt out (Section 11).

Third-party embeds & connected accounts

If you use features like embedded maps/videos or social widgets, those providers may collect data directly per their policies. Squarespace flags this in its guidance; check each provider’s policy for details.

6) Cookies, Analytics & Ads (Squarespace-Hosted Site)

We (and providers) use cookies/SDKs to: (a) run the Site (security, load, settings), (b) measure usage (analytics), and (c) improve/measure marketing (ads) where enabled.

  • Squarespace banner & controls. We use Squarespace’s built-in Cookies & Data Privacy banner/settings to notify visitors and capture consent for non-essential cookies.

  • EU/UK: Non-essential cookies (e.g., analytics/ads) load only after consent; users must be able to refuse as easily as accept.

  • US/CA: We honor Global Privacy Control (GPC) signals for “do not sell/share” where required.

Manage cookies via your browser, our banner (if present), and device settings.

7) Platform, Hosting & Key Processors

Our Site is built and hosted on Squarespace (see Squarespace Privacy Policy and DPA).
We also use: Square (payments), GlossGenius (booking), Acuity Scheduling (booking). Their privacy policies apply in addition to ours.

8) Retention

We keep personal information no longer than necessary for the purposes above, considering legal/tax/safety needs:

  • Booking & transaction records: typically 4 years (tax/records)

  • Service notes & photos (non-portfolio): typically up to 2 years (longer if needed for formula history)

  • Marketing preferences: until you unsubscribe or request deletion

  • Analytics logs: typically 14–26 months (tool-dependent)

9) Security & Security Monitoring, Logs & Automated Access

We use appropriate administrative, technical, and physical safeguards. No method of transmission or storage is 100% secure.

Security monitoring & automated access controls. To protect our Site, guests, and systems, we automatically collect and process security/network telemetry (e.g., IP address, user-agent, timestamps, request/response headers, requested URLs, referrer, approximate location, and indicators of automated activity). We use this to detect and mitigate malicious or automated access, enforce our Terms, prevent fraud/abuse, and maintain service integrity.

  • We do not authorize crawling, scraping, data harvesting, or vulnerability scanning of the Site except by reputable search engines honoring standard controls.

  • We may throttle, block, or challenge traffic (including by IP/ASN/region) that appears automated or abusive—regardless of country of origin, including mainland China.

  • We may share relevant security telemetry with hosting, anti-fraud, and security providers, and—when legally required or necessary to protect our rights, users, or the public—with law enforcement or regulators.

Retention of security logs. Security logs are retained up to 12 months (or longer if required for investigations/legal obligations), then deleted or anonymized.

Good-faith security reports. If you believe you’ve found a vulnerability, email security@luxloxsalon.com (or contact@luxloxsalon.com) with details and steps to reproduce. Do not exploit, exfiltrate, disrupt, or access non-public data.

10) Children’s Privacy

The Site is not directed to children under 13. Parents/guardians book in-salon services for minors and provide any required consents.

11) Your Choices & Rights (Global)

Email/SMS marketing: Unsubscribe links (email) or reply STOP (SMS). Transactional messages may still be sent.
Cookies/ads: Use browser controls, our banner (if present), and GPC signals (US-CA).
Do Not Sell/Share (US-CA): If analytics/ads are enabled, use our “Do Not Sell or Share My Personal Information” link (suggested URL: /privacy-choices) or email us. We also provide a Limit Sensitive PI option (we don’t use Sensitive PI to infer characteristics).

California (CPRA/CCPA)

Subject to applicability, you may request to Know/Access categories/specific pieces, Delete, Correct, Opt out of selling/sharing, and Limit Sensitive PI, and you have the right to non-discrimination. We will verify your identity, then respond within 45 days (with one 45-day extension if reasonably necessary and we notify you). Authorized agents may submit requests with proof of authority and verification. We honor GPC signals as valid opt-outs.

Shine the Light (CA Civ. Code §1798.83). You may request a list of third parties to whom we disclosed personal information for their own direct marketing in the prior calendar year (if applicable); send requests to the address in Section 16.

Appeals (CO/CT/VA/UT)

If we deny a state-law request, you may appeal by replying to our decision email within 30 days; we’ll explain the outcome and how to contact your Attorney General if you disagree.

12) Region-Specific Disclosures

A) European Economic Area (EEA) & United Kingdom (GDPR/UK GDPR + PECR)

Legal bases: contract (bookings), consent (marketing/cookies where required), legitimate interests (operations/security), legal obligation, vital interests (rare).
Rights: information, access, rectification, erasure, restriction, portability, objection; no solely automated decisions with legal/similar effects.
Cookies: non-essential cookies require prior consent; users must be able to refuse as easily as accept.
International transfers: We use appropriate safeguards such as Standard Contractual Clauses and, where applicable, provider certifications under the EU-U.S. Data Privacy Framework, which the EU General Court upheld on Sept 3, 2025.
You may lodge a complaint with your local DPA/ICO.

EU/UK representative: As a local U.S. salon not targeting the EEA/UK, we currently do not appoint an Article 27 representative. If that changes, we will designate one and update this Policy.

B) Canada (PIPEDA + CASL)

We follow PIPEDA’s principles (consent, limiting collection/use/retention, accuracy, safeguards, openness, individual access, challenge). Marketing messages comply with CASL. You may request access/correction or complain to the OPC.

C) Australia (Privacy Act — Australian Privacy Principles)

We handle personal information consistent with the APPs (notice/consent as applicable, access/correction, security, overseas disclosures). You may complain to the OAIC if unresolved.

D) Brazil (LGPD)

We identify a legal basis (consent, contract, legitimate interest, legal obligation) and respect LGPD rights (confirmation, access, correction, anonymization, portability, deletion, information about sharing, revocation, petition to ANPD).

E) Mexico (LFPDPPP — ARCO)

Mexican law grants ARCO rights (Access, Rectification, Cancellation, Opposition) and requires a clear avenue to exercise them. Submit requests via Section 16; you may also complain to Mexico’s data authority.

F) Mainland China (PIPL) — Notice

Our Site is operated from the U.S. and is not directed to individuals located in mainland China. We don’t offer products/services to people while physically in mainland China, nor do we intentionally analyze their behavior. If you are located in mainland China, please do not submit personal information through the Site; if you inadvertently do so, email contact@luxloxsalon.com and we will delete it where feasible. (China’s PIPL can apply extraterritorially when sites target people in the PRC or analyze their behavior; cross-border transfers require approved mechanisms.)

Other regions: Where your local law grants additional rights, contact us and we’ll work to honor them where applicable.

13) Model/Residency Media & Reviews

If you participate as a model or share a review, we may collect photos/video and feedback with your consent for education/portfolio/marketing. You may ask us to remove our copies from our channels when feasible.

14) Do Not Track / Automated Decision-Making

We recognize GPC signals for opt-out of “sale/share” in California jurisdictions that require it. Industry standards for browser DNT vary; we treat DNT as a non-binding preference. We do not make solely automated decisions with legal or similarly significant effects.

15) Changes to this Policy

We may update this Policy; we’ll change the Effective Date and post material changes on this page.

16) How to Contact Us (and Make Requests)

Email: contact@luxloxsalon.com
Security reports: security@luxloxsalon.com
Phone: +1-951-225-3879
Mail: Lux Lox Salon, 32828 Wolf Store Rd., Suite A, Temecula, CA 92592