Beautay

Beautay — Security Policy

Version: v17-05-2026   UK-only B2B
Last updated: 17 May 2026
Provider: Bodewell Holdings Ltd (Company No. 16994362)
Registered office: 128 City Road, London, United Kingdom, EC1V 2NX
Security contact: [email protected] (please write “Security” in the subject)
Summary: Beautay is a B2B software platform for aesthetic businesses. We use technical and organisational measures designed to protect the Platform and the data processed through it. No online service can be guaranteed to be completely secure. Customers remain responsible for configuring their accounts, staff access, devices, policies, legal documents and data collection practices appropriately.

Contents

1) Scope

This Security Policy describes the measures Beautay uses to help protect the Platform, including account access, customer data, infrastructure, application controls, monitoring and vulnerability handling. It applies to Beautay’s own Platform and operations, not to the clinical, professional, legal, regulatory or operational security practices of Beautay customers.

This page is a high-level public summary. For data protection terms, see our Terms and DPA.

2) Security governance and responsibilities

Security is treated as an operational requirement in the design and maintenance of the Platform. Security-related controls include environment validation, production security checks, access-control enforcement, monitoring, rate limiting, audit logging, safe error handling, file validation and protection for sensitive records.

Beautay provides software and technical controls. Customers remain responsible for their own business processes, staff training, devices, network security, password practices, account configuration, published content, notices, consents, retention decisions and compliance with laws that apply to their services.

3) Authentication and access control

  • Business user authentication: Beautay uses account-based authentication with email verification, password controls, session management and secure cookies in production.
  • Authentication abuse protection: where configured, authentication security services help detect and respond to credential stuffing, suspicious sign-in velocity, compromised-password risk, suspicious IP activity, bot activity and email-quality risk.
  • Multi-factor authentication: sign-in verification codes and backup-code support are used for business-user authentication flows where configured by the Platform.
  • Customer accounts: End-Client account access uses tenant-scoped customer sessions, hashed session tokens and HTTP-only cookies.
  • Role-based access control: Customers can assign roles and permissions to Authorised Users. Sensitive actions, including customer exports, forms, payments, photos, documents and settings, are permission-gated.
  • Tenant isolation: API routes and server-side checks verify tenant access before returning or changing tenant data. Inactive staff and locked tenants are denied access.
  • Internal administration: internal admin and break-glass export actions are restricted and logged.

4) Data protection controls

  • Encryption in transit: Platform traffic is served over HTTPS in production.
  • Sensitive-record encryption: certain sensitive records, including form data, signatures, notes and clinical-style records, are encrypted by the application. Production encryption for these records is designed to use managed key-backed envelope encryption where configured.
  • Credential protection: passwords and session tokens are stored in hashed or protected form where the Platform manages them directly.
  • Audit records: the Platform records selected security, access, legal-acceptance and sensitive-data events to support accountability and investigation.
  • Data minimisation in monitoring: monitoring and analytics paths include scrubbing and allowlisting intended to avoid sending secrets, payment details, health data, form responses or other sensitive free-form content to diagnostics providers.
  • Deletion and anonymisation tools: certain customer deletion flows anonymise identity fields while preserving records needed for audit, booking, clinical, payment, fraud-prevention, legal or dispute purposes.

5) Application and platform security

  • Managed hosting protections: Beautay runs on managed hosting infrastructure that provides platform-level protections such as TLS termination, edge routing, deployment isolation and baseline network/application delivery protections.
  • Security headers: production responses include controls such as HSTS, content type protection, frame denial, referrer policy, permissions policy and a nonce-based content security policy.
  • Input validation: API routes use validation, typed schemas and permission checks for sensitive operations.
  • Rate limiting: authentication, public booking, availability and general API endpoints use rate limits. Production rate limiting is designed to use distributed storage where configured and to fail closed where required.
  • Anti-abuse controls: the Platform uses bot and abuse-prevention controls, including proof-of-work challenges on selected public flows where configured.
  • Webhook protection: payment webhooks are verified with signing secrets before processing.
  • Safe redirects and domains: redirect paths and custom-domain authentication handling include validation to reduce open-redirect and host confusion risks.
  • Static and dependency analysis: development and release processes may include static application security testing (SAST), linting, dependency scanning and other security-oriented checks to identify issues before deployment.
  • Production gates: production checks enforce critical configuration such as authentication secrets, TLS database connections and managed-key sensitive-data encryption where required.

6) Monitoring, logging and incident handling

Beautay uses logging, error monitoring and application diagnostics to detect failures, investigate security events and maintain service reliability. Security events such as access denials, rate-limit events, suspicious activity, webhook signature failures and internal-admin actions may be logged.

We use scrubbing and allowlisting to reduce the risk of sending sensitive personal data, secrets, authentication tokens, payment details, form responses or health data to monitoring tools. If we become aware of a personal data breach affecting Customer Personal Data, we will notify affected Customers in accordance with our DPA and applicable law.

7) File uploads and storage

File upload flows are permission-gated and tenant-scoped. The Platform restricts accepted file types and sizes, sanitises file names, validates file extensions and MIME types, uses presigned upload URLs, and includes server-side file type verification for supported uploads.

Executable files and certain higher-risk formats are not accepted in the standard upload flow. Customers are responsible for deciding what files, images and records they collect from End-Clients and for ensuring that collection is lawful and appropriate.

8) Third-party providers

Beautay uses third-party providers for hosting, database infrastructure, storage, encryption, authentication security, payments, communications, monitoring, analytics, background jobs and optional integrations. These providers support features such as managed hosting, edge delivery, authentication risk controls, storage, observability and communications where enabled. Our subprocessor list is available at /subprocessors.

This Security Policy does not provide separate vendor assurance statements beyond the provider roles we publish. Third-party services may operate under their own terms and security practices.

9) Customer responsibilities

Customers must take reasonable steps to protect their own use of Beautay, including:

  • using strong, unique passwords and protecting email accounts used for sign-in;
  • keeping staff roles, permissions and access up to date;
  • removing staff access promptly when it is no longer required;
  • reviewing public website, legal, booking and communication content before publishing or sending it;
  • collecting only data they are legally entitled to collect;
  • using secure devices, browsers and networks;
  • configuring third-party integrations and payment accounts appropriately; and
  • not sharing credentials, session links, export links or sensitive records with unauthorised people.

10) Vulnerability reporting

If you believe you have found a security issue in Beautay, email [email protected] with “Security” in the subject. Please include enough detail for us to understand and reproduce the issue.

You must not:

  • access, modify, delete, export or disclose data that does not belong to you;
  • perform denial-of-service, spam, social engineering, phishing, credential stuffing or destructive testing;
  • attempt to bypass payment, identity, rate-limit or access controls beyond what is necessary to demonstrate the issue safely; or
  • publicly disclose a vulnerability before we have had a reasonable opportunity to assess and address it.

Beautay does not operate a public bug bounty programme unless separately announced in writing.

11) Changes

We may update this Security Policy from time to time. The “Version” and “Last updated” date at the top show when it was last changed.