Privacy Policy
Effective date: March 17, 2026 | Last updated: March 31, 2026
FreshPass ("we," "us," or "our") operates the FreshPass mobile application and website at getfreshpass.com (collectively, the "Service"). This Privacy Policy explains what personal data we collect, how we use and share it, and your rights regarding that data.
By creating an account or using the Service you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Information You Provide Directly
- Account information: name, email address, phone number, country, ZIP/postal code, date of birth, and password.
- Profile content: profile photo/avatar that you upload.
- Business information (for business owners): business name, description, address, phone number, geographic coordinates (latitude/longitude), social media links, and team/staff details.
- Appointment & booking data: selected services, appointment dates and times, notes, cancellation reasons, and preferred payment method.
- Payment & billing information: payment card details are collected and processed directly by our payment processor, Stripe. We store only the last four digits of your card, transaction amounts, invoice URLs, and Stripe customer/subscription identifiers.
- Messages & chat: text messages and file attachments you send through our in-app messaging feature.
- Reviews & feedback: ratings and comments you leave for businesses.
- Referral information: referral codes and the email addresses of people you refer.
- Support requests: information you provide when contacting us.
- Face & image data (AI features): if you choose to use our AI Hair Try-On feature, you may upload a photograph of yourself. This image may contain your face and is used solely for generating hairstyle previews. See Section 1.4 below for full details.
1.2 Information Collected Through Third-Party Login
You may sign in using Facebook, Google, or Apple. When you do, we receive the following from the provider:
- Facebook: your Facebook user ID, name, email address, and profile picture. We support both the classic access-token flow and the Limited Login (OIDC) flow.
- Google: your Google user ID, name, email address, and profile picture URL.
- Apple: your Apple user ID, email address (which may be an Apple Private Relay address), and name (provided on first authorization only).
We do not receive or store your social-login passwords. We do not post on your behalf or access your friends list.
1.3 Information Collected Automatically
- Device & push tokens: if you enable push notifications, we collect your Expo push-notification token so we can deliver appointment reminders and account alerts to your device.
- Location data: we use your device location or address you provide to find nearby businesses. Business addresses are geocoded (latitude/longitude) for proximity search.
- Session data: we store session identifiers in our database to keep you logged in. Sessions expire after 120 minutes of inactivity.
- Log data: server logs may include IP addresses, request timestamps, and error details for debugging purposes.
1.4 Face & Image Data (AI Hair Try-On)
Our AI Hair Try-On feature allows you to upload a photo to receive personalised hairstyle previews. When you use this feature:
- What we collect: the photograph you upload, which may contain your facial image.
- Facial analysis: our third-party AI processing partner analyses facial attributes in the photo — specifically face shape, skin tone, and approximate age — solely to generate realistic hairstyle recommendations.
- Third-party processing: your uploaded image and any text prompt you provide are transmitted securely (via HTTPS) to our AI processing partner, Replicate, Inc., which operates the machine-learning models that generate hairstyle previews. Replicate processes the image on its servers located in the United States.
- No biometric identifiers: we do not create, store, or use biometric identifiers or face-recognition templates. The facial analysis is limited to generating hairstyle previews and cannot be used to identify you.
- No training: your images are not used to train or improve any AI or machine-learning models.
- Storage & retention: uploaded images are held temporarily on the AI processing servers for the duration of the processing job and are automatically deleted within 24 hours of job completion. On our own servers, we store only the job metadata (job ID, status, and generated result URLs) — we do not store your original uploaded image.
- Consent: you will be asked to provide explicit consent before your first use of the AI Hair Try-On feature. You may withdraw consent at any time by contacting us at support@fresh-pass.com, after which we will delete any remaining AI job data associated with your account.
- Optional feature: you are never required to upload a face photo. The AI Hair Try-On feature is entirely optional and can be skipped without affecting any other functionality of the Service.
2. How We Use Your Information
We use the data we collect to:
- Provide the Service: create and manage your account, process bookings and appointments, handle payments and subscriptions, and enable in-app messaging between customers and businesses.
- AI-powered features: offer hair try-on simulations and social-media content generation for businesses. When you use these features, images and prompts you submit are transmitted to our third-party AI processing partner (Replicate, Inc.) for processing. Your images are analysed for facial attributes (face shape, skin tone, approximate age) solely to produce hairstyle previews. Results are returned to you and images are deleted from processing servers within 24 hours. See Section 1.4 for full details.
- Communicate with you: send transactional emails and push notifications about appointments (confirmations, reminders at 1 hour and 24 hours before, cancellations, completions), subscription status changes, staff invitations, and account verification codes.
- Facilitate payments: process subscription billing, appointment payments, refunds, and business payouts via Stripe and Stripe Connect.
- Improve the Service: diagnose technical issues, monitor system performance, and develop new features.
- Enforce our terms: detect fraud, abuse, or violations of our Terms of Service.
- Legal compliance: meet applicable legal and regulatory obligations.
3. How We Share Your Information
We do not sell your personal data. We share data only in the following circumstances:
| Recipient | Data shared | Purpose |
| Stripe, Inc. |
Name, email, phone, billing address, payment method details, transaction amounts |
Payment processing, subscription billing, business payouts (Stripe Connect) |
| Facebook / Meta |
Authentication tokens (during login) |
Social sign-in authentication |
| Google |
Authentication tokens (during login); address/location queries |
Social sign-in; Google Maps proximity search |
| Apple |
Authentication tokens (during login) |
Social sign-in authentication |
| Expo (expo.dev) |
Push tokens, notification content |
Delivering push notifications to your mobile device |
| Replicate, Inc. (AI processing) |
User-submitted face images, text prompts, business ID. Facial attributes (face shape, skin tone, approximate age) are derived during processing. |
Hair try-on simulations and social-media content generation. Images are deleted within 24 hours of processing. Not used for AI model training. |
| Email service provider |
Email address, name, notification content |
Sending transactional emails (appointment confirmations, verification codes, etc.) |
| Businesses on FreshPass |
Your name, contact info, appointment details, reviews |
Fulfilling bookings and enabling customer–business communication |
We may also disclose data if required by law, court order, or governmental regulation, or to protect the rights, safety, or property of FreshPass, our users, or the public.
4. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Specific retention periods:
- Account data: retained until you delete your account.
- Appointment & payment records: retained for up to 7 years after the transaction for tax, legal, and accounting purposes.
- Chat messages: retained while your account is active; deleted upon account deletion.
- AI-uploaded images: deleted from the third-party processing servers (Replicate) within 24 hours of job completion. We do not store original uploaded images on our own servers.
- AI job metadata & results: job ID, status, and generated image URLs are retained on our servers for up to 30 days and then automatically purged. You may request earlier deletion by contacting us.
- Server logs: retained for up to 90 days for debugging.
5. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Passwords are hashed using bcrypt and never stored in plain text.
- Two-factor authentication (2FA) is available for account protection.
- API authentication uses secure, hashed Sanctum tokens.
- Payment card data is handled entirely by Stripe (PCI-DSS compliant) and never touches our servers in raw form.
- HTTPS/TLS encryption for all data in transit.
- Database-level session management with automatic expiry.
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
6. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights:
- Access: request a copy of the personal data we hold about you.
- Correction: update or correct inaccurate data via your profile settings or by contacting us.
- Deletion: request deletion of your account and personal data. See our User Data Deletion Instructions page for details.
- Portability: request your data in a structured, machine-readable format.
- Withdraw consent: where processing is based on consent, you may withdraw it at any time.
- Opt out of notifications: you can disable email notifications in your account settings and disable push notifications through your device settings.
- Revoke social login: you can disconnect Facebook, Google, or Apple access at any time through those platforms' app-permission settings.
- AI data deletion: you may request deletion of all AI job data (metadata and generated results) associated with your account at any time by contacting us. Uploaded images are automatically deleted from processing servers within 24 hours.
- Withdraw AI consent: if you previously consented to the AI Hair Try-On feature, you may withdraw that consent at any time, after which we will delete your AI data and you will not be able to use the feature until you consent again.
To exercise any of these rights, contact us at support@fresh-pass.com. We will respond within 30 days.
7. Facebook Data Use
This section describes how we handle data received through Facebook Login, in compliance with the Meta Platform Terms and Developer Policies.
7.1 Data We Receive from Facebook
When you choose to log in with Facebook, we request only the following permissions:
- email — your email address associated with your Facebook account.
- public_profile — your name, profile picture, and Facebook user ID.
We support both the standard access-token flow and Facebook Limited Login (OIDC). No additional permissions are requested.
7.2 How We Use Facebook Data
- We use your Facebook data solely to create and authenticate your FreshPass account.
- Your Facebook name and profile picture are used to populate your FreshPass profile for your convenience. You may change these at any time in your account settings.
- We do not post to your Facebook timeline or stories.
- We do not access your friends list, photos, or any other Facebook content.
- We do not use Facebook data for advertising, analytics, or profiling.
- We do not sell, license, or share Facebook data with any third party, except as described in Section 3 (authentication tokens during the login process).
7.3 Data Retention & Deletion
- Facebook-derived data (user ID, name, email, profile picture URL) is retained as part of your account data for as long as your account is active.
- Upon account deletion, all data obtained from Facebook is permanently and irreversibly deleted from our systems, including backups, within 30 days.
- You may also request deletion of your data at any time without deleting your account by contacting support@fresh-pass.com.
7.4 Revoking Access
- You can disconnect FreshPass from your Facebook account at any time by visiting Facebook > Settings > Apps and Websites and removing FreshPass.
- You can also unlink Facebook from your FreshPass account in your profile settings within the app.
- After revoking access, we will no longer be able to receive data from Facebook. Existing data will be handled per Section 7.3 above.
7.5 Data Deletion Callback
FreshPass supports Facebook's Data Deletion Request Callback. When you remove FreshPass from your Facebook settings, Facebook sends us a deletion request, and we automatically delete all data associated with your Facebook user ID. You may also use our User Data Deletion Instructions page to initiate deletion directly.
8. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at support@fresh-pass.com.
9. International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence, including the United States, where our service providers (Stripe, Expo, Google, Meta, Apple, Replicate) operate. In particular, face images submitted to the AI Hair Try-On feature are processed on Replicate's servers in the United States. We ensure appropriate safeguards are in place for such transfers, including standard contractual clauses where applicable.
10. Cookies and Similar Technologies
Our web application uses session cookies to maintain your login state and language preference. We do not use third-party advertising or analytics cookies. The mobile application does not use cookies.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, through in-app notifications or email. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.
12. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us: