dou

Privacy Policy

Last updated: March 2026

1. Who we are

dou is operated by Dou Technologies Ltd, a company registered in England and Wales. dou provides a platform that connects service providers in the beauty and wellness industry with consumers who book and pay for those services.

Throughout this policy, "dou", "we", "us" and "our" refer to Dou Technologies Ltd. "You" and "your" refer to any individual who accesses or uses the dou platform, whether as a service provider, a consumer, or a visitor to our website.

Our data protection contact email is privacy@getdou.app.

2. About this policy

This privacy policy explains how dou collects, uses, stores, shares and protects your personal data when you use our website, mobile applications, APIs and related services (together, the "Platform").

This policy applies to all users of the Platform, including service providers who create accounts to manage their businesses, consumers who browse or book services, and visitors who access our marketing pages or public booking pages.

We may update this policy from time to time. When changes are material, we notify you by email or through a prominent notice on the Platform. The "Last updated" date at the top of this page indicates when the policy was most recently revised. We encourage you to review this policy periodically.

3. What data we collect

(a) Data you provide directly

  • Account information: name, email address, phone number, password, profile photo and role (provider or consumer)
  • Business information (providers): business name, trading address, service descriptions, pricing, staff details, opening hours and service area
  • Booking data: appointment dates and times, services selected, provider and consumer identities, consultation notes and special requests
  • Messages: content of messages sent through the Platform's messaging feature between providers and consumers
  • Reviews and ratings: star ratings, written reviews and any photos attached to reviews
  • Photos and media: profile photos, service images, portfolio images and booking page assets uploaded to the Platform
  • Financial information: bank account details for provider payouts (collected and stored by Stripe, not by dou directly), invoice data and transaction records

(b) Data collected automatically

  • Device information: device type, operating system, browser type and version, screen resolution and unique device identifiers
  • IP address: your Internet Protocol address, used for security, fraud prevention and approximate geolocation
  • Usage analytics: pages visited, features used, click patterns, session duration, referral source and search queries within the Platform
  • Cookies and similar technologies: session tokens, authentication cookies, preference cookies and analytics identifiers (see section 12 for full details)

(c) Data from third-party sources

  • Calendar sync (Google Calendar): when you connect your Google Calendar, we receive event titles, start and end times, and attendee information to synchronise your availability
  • Payment processor (Stripe): transaction status, payment method type (not full card numbers), payout status and dispute information

4. How we use your data

We use your personal data for the following purposes:

  1. Providing the service: creating and managing your account, displaying your profile or business listing, enabling bookings between providers and consumers, and delivering the core Platform functionality
  2. Processing payments: facilitating payment transactions between consumers and providers via Stripe, processing refunds, managing provider payouts and preventing payment fraud
  3. Communications: sending booking confirmations, appointment reminders, cancellation notices, receipts, and other transactional messages by email, SMS or push notification
  4. Calendar synchronisation: syncing your dou schedule with your connected Google Calendar to prevent double-bookings and keep your availability up to date
  5. Platform improvement: analysing anonymised usage data to understand how the Platform is used, identify bugs, improve features and develop new functionality
  6. Safety and security: detecting and preventing fraud, abuse, security incidents and other harmful activity, and enforcing our terms of service
  7. Legal compliance: complying with applicable laws, regulations, legal processes or enforceable governmental requests, including tax reporting obligations to HMRC
  8. Marketing (with consent): sending promotional emails about new features, tips for growing your business on dou, or relevant service recommendations, where you have opted in to receive such communications

5. Legal basis for processing

Under the UK General Data Protection Regulation (UK GDPR), we must have a lawful basis for each type of processing we carry out. The table below maps our processing activities to the applicable legal basis.

Processing activityLawful basis
Account creation and managementContract — necessary to perform our agreement with you
Processing bookings and paymentsContract — necessary to facilitate the service you requested
Transactional emails, SMS and push notificationsContract — necessary to deliver booking confirmations and reminders
Calendar synchronisation with Google CalendarConsent — you choose to connect your calendar and can revoke access at any time
Fraud detection and platform securityLegitimate interests — protecting our users and the Platform from abuse
Anonymised product analytics and improvementsLegitimate interests — understanding usage patterns to improve the Platform
Tax records and financial reportingLegal obligation — required by HMRC and applicable financial regulations
Marketing and promotional communicationsConsent — you can withdraw consent at any time via email preferences or by contacting us
Search ranking and personalised recommendationsLegitimate interests — providing relevant search results and recommendations to improve user experience
Displaying reviews and ratings publiclyLegitimate interests — enabling trust and transparency on the marketplace

6. Provider and consumer data

The dou Platform serves both service providers and consumers. The role dou plays under data protection law depends on the context.

When dou is the data controller

dou acts as the data controller for personal data relating to:

  • Consumer accounts, profiles and marketplace browsing activity
  • Provider accounts, business listings and Platform usage
  • Reviews and ratings displayed on the marketplace
  • Data used for Platform analytics, security and improvement
  • Marketing communications sent by dou

When the provider is the data controller

Service providers using dou are independent data controllers for:

  • Client consultation notes and health or allergy information recorded during service delivery
  • Staff and team member data they add to their dou account
  • Client communications initiated by the provider outside of the Platform

Providers are responsible for ensuring they have a lawful basis for collecting and processing this data and for informing their clients accordingly.

When dou is a data processor

dou acts as a data processor on behalf of providers when processing their clients' booking data, payment transactions and appointment records through the Platform. In this capacity, dou processes data only on the provider's instructions and in accordance with our data processing agreement.

7. Who we share data with

We share your personal data only with trusted third-party processors who help us operate the Platform. Each processor has access only to the data necessary to perform its specific function.

ProcessorData sharedPurposeCountry
StripeName, email, payment method details, transaction amountsPayment processing, payouts, fraud preventionUnited States
SupabaseAll Platform data (accounts, bookings, messages, files)Database hosting, authentication, file storageEuropean Union
ResendEmail address, name, email contentTransactional and marketing email deliveryUnited States
TwilioPhone number, SMS message contentSMS notifications (booking reminders, verifications)United States
GoogleCalendar event data (titles, times, attendees)Calendar synchronisation for availability managementUnited States
MapboxApproximate location (postcode or coordinates entered by user)Geolocation, map display, service area visualisationUnited States
Apple / Google / ExpoDevice push token, notification contentMobile push notificationsUnited States

We never sell your personal data to third parties.

8. International data transfers

Our primary database is hosted in the European Union by Supabase. However, some of our third-party processors are based in the United States, which means your personal data may be transferred outside of the United Kingdom.

The following processors involve transfers to the United States: Stripe, Resend, Twilio, Google, Mapbox, Apple and Expo.

To ensure your data is adequately protected during these transfers, we rely on the following safeguards:

  • Standard Contractual Clauses (SCCs): EU-approved contractual terms that bind the receiving party to protect personal data to European standards
  • UK International Data Transfer Agreement (UK IDTA): the UK-specific addendum to the SCCs, approved by the Information Commissioner's Office, ensuring compliance with UK data protection law
  • Processor certifications: where available, we select processors who maintain certifications such as SOC 2 Type II and who participate in recognised data protection frameworks

You may request a copy of the relevant transfer safeguards by contacting us at privacy@getdou.app.

9. How we protect your data

We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:

  • Encryption in transit: all data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
  • Encryption at rest: all data stored in our database is encrypted at rest using AES-256 encryption
  • Row Level Security (RLS): database-level access controls ensure that users can only access data they are authorised to view. Providers cannot access other providers' data, and consumers cannot access other consumers' private information
  • Access controls: internal access to production systems is restricted to authorised personnel on a need-to-know basis, with multi-factor authentication enforced
  • Regular security reviews: we conduct periodic reviews of our security practices, infrastructure configuration and dependency vulnerabilities
  • Secure payment handling: all payment card data is processed directly by Stripe (a PCI DSS Level 1 certified processor). dou never stores, processes or has access to full card numbers

No method of electronic transmission or storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security.

10. Data retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The following schedule outlines our retention periods by data category:

Data categoryRetention period
Active account dataRetained for the duration of your active account
Booking history3 years after the date of the last booking
Financial records and transaction data7 years, as required by HMRC for tax and accounting purposes
Messages2 years from the date the message was sent
Analytics data26 months, then anonymised or deleted
Deleted account dataPersonal identifiers removed within 30 days of account deletion. Anonymised records (such as aggregated booking statistics) may be retained indefinitely. Financial records are retained for the statutory 7-year period.

11. Your rights

Under the UK GDPR, you have the following rights in relation to your personal data:

  1. Right of access: you can request a copy of the personal data we hold about you
  2. Right to rectification: you can ask us to correct inaccurate or incomplete personal data
  3. Right to erasure: you can ask us to delete your personal data where there is no compelling reason for us to continue processing it
  4. Right to restrict processing: you can ask us to suspend the processing of your personal data in certain circumstances, for example while we verify its accuracy
  5. Right to data portability: you can request that we provide your personal data in a structured, commonly used and machine-readable format, or transmit it directly to another controller where technically feasible
  6. Right to object: you can object to processing based on legitimate interests or for direct marketing purposes
  7. Right to withdraw consent: where processing is based on your consent, you can withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal
  8. Right to lodge a complaint: you have the right to lodge a complaint with a supervisory authority, in particular the Information Commissioner's Office (see section 18)

To exercise any of these rights, email us at privacy@getdou.app. We will respond to your request within one calendar month. If your request is complex or we receive a large number of requests, we may extend this period by up to two additional months, in which case we will inform you of the extension and the reasons for it.

We may ask you to verify your identity before processing your request to protect your personal data from unauthorised access.

12. Cookies

We use cookies and similar technologies on the Platform. Cookies are small text files placed on your device that help us provide and improve the service. We categorise our cookies into four tiers:

Essential cookies

These cookies are strictly necessary for the Platform to function. They include session cookies that keep you logged in and authentication tokens that verify your identity. These cannot be disabled.

Functional cookies

These cookies remember your preferences, such as your preferred language, timezone or display settings, so you do not have to re-enter them each time you visit.

Analytics cookies

These cookies collect anonymised information about how you use the Platform, including which pages you visit, how long you spend on each page and any errors you encounter. This data helps us understand usage patterns and improve the Platform. Analytics data is aggregated and does not identify you personally.

Marketing cookies

We do not currently use marketing or advertising cookies. If this changes in the future, we will update this policy and request your consent before placing any marketing cookies.

You can manage your cookie preferences through the cookie banner displayed on your first visit to the Platform, or by adjusting your browser settings. Disabling essential cookies may prevent you from using certain features of the Platform.

13. Google Calendar integration

If you choose to connect your Google Calendar to dou, the following applies:

Data accessed

We access the following data from your Google Calendar: event titles, start and end times, and attendee email addresses. We do not access event descriptions, attachments or any other calendar metadata.

How the data is used

Calendar data is used solely to synchronise your availability on dou, ensuring that bookings are not scheduled at times when you already have commitments. We do not use your Google Calendar data for advertising, profiling or any purpose unrelated to availability management.

How to revoke access

You can disconnect your Google Calendar at any time from your dou account settings. You can also revoke dou's access directly from your Google Account permissions page. Upon disconnection, we delete cached calendar data within 24 hours.

Google API compliance

dou's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

14. Automated decision-making

dou uses automated processing in the following areas:

  • Search ranking: when consumers search for services on the discover page, results are ranked using automated algorithms that consider factors such as location proximity, service relevance, provider ratings and availability
  • Personalised recommendations: we may suggest services or providers to consumers based on their browsing history, previous bookings and stated preferences

These automated processes assist in providing a better user experience but do not produce solely automated decisions that have legal effects or similarly significant effects on you. All booking and payment decisions require your active input and confirmation.

You have the right to request human review of any automated decision. Contact us at privacy@getdou.app if you have concerns about automated processing.

15. Children

The dou Platform is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided personal data to dou, please contact us at privacy@getdou.app, and we will take steps to delete such data promptly.

16. Third-party links

The Platform may contain links to third-party websites, services or applications that are not operated by dou. If you follow a link to any third-party site, please note that those sites have their own privacy policies, and dou does not accept any responsibility or liability for those policies or for any personal data that may be collected through those sites. We encourage you to review the privacy policy of every site you visit.

17. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, technology or legal requirements. When we make material changes, we will notify you by email (sent to the email address associated with your account) or by displaying a prominent notice on the Platform before the changes take effect.

Non-material changes, such as clarifications or formatting updates, may be made without prior notice. Your continued use of the Platform after any changes to this policy constitutes your acceptance of the revised policy.

We recommend reviewing this policy periodically for the latest information on our privacy practices.

18. Contact and complaints

If you have any questions, concerns or requests regarding this privacy policy or our handling of your personal data, please contact us:

If you are not satisfied with our response, or if you believe that we are processing your personal data in a way that is not compliant with data protection law, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  • Website: ico.org.uk
  • Telephone: 0303 123 1113

We encourage you to contact us first so that we have an opportunity to address your concerns directly before you escalate to the ICO.