Beautay — Terms of Use (Including Data Processing Agreement)
These Terms of Use (the “Terms”) govern access to and use of the Beautay software, websites and related services (the “Platform”). By creating an account, subscribing, accessing, configuring, publishing content through, or using the Platform, you agree to these Terms on behalf of the Customer.
Our privacy notice for personal data we process as controller is available at /privacy. For Customer Personal Data processed on your behalf, see the DPA in Part B.
Part A — Terms of Use
1) Definitions
- Customer: the business, sole trader, company or other person using the Platform for business purposes (“you”).
- Authorised Users: your owners, staff, contractors and other individuals permitted to access your account.
- End-Clients: your customers, patients, prospective customers, gift-card purchasers, account holders and other individuals who interact with your business through the Platform.
- Customer Data: all data, content and materials submitted to, generated in, stored in, transmitted through or published using the Platform by or for you, including End-Client data.
- Customer Personal Data: personal data within Customer Data, as defined by applicable data protection law.
- Subscription: your paid plan, trial, billing cycle, limits and entitlements shown at checkout, on an invoice, in the Platform or otherwise agreed with us.
- Documentation: any help pages, technical notes, policies or usage guidance we publish for the Platform.
2) Business customers only; authority; UK focus
2.1 Business use only. The Platform is provided for business use. You confirm that you are using the Platform for purposes relating to your trade, business, craft or profession and not as a consumer.
2.2 Authority. The person accepting these Terms confirms that they are authorised to bind the Customer to these Terms, including the DPA.
2.3 UK focus. The Platform is intended for Customers operating in the United Kingdom unless we agree otherwise in writing. You are responsible for ensuring your use is lawful in every jurisdiction relevant to you, your Authorised Users and your End-Clients.
3) The Platform and our role
Beautay provides software tools for account administration, booking and customer management, forms and records, communications, payments, optional integrations, website/legal content, analytics, reporting, security and related business administration.
Software only. We provide the Platform as a technology provider. We do not provide, supervise, approve, warrant or take responsibility for aesthetic, medical, clinical, professional, legal, regulatory, tax, marketing or other advice or services offered by Customers.
Your relationship with End-Clients. Any treatment, appointment, consultation, product, package, gift card, promotion, payment, refund, complaint, outcome or other transaction with an End-Client is between you and that End-Client. Beautay is not a party to that relationship.
4) Accounts, access and security
You are responsible for maintaining secure account credentials, controlling Authorised User access, assigning appropriate roles and permissions, removing access promptly when no longer needed, and ensuring that all activity under your account is lawful and authorised.
We may use authentication, rate-limiting, anti-abuse, monitoring and security controls to protect the Platform. We may suspend, restrict or require corrective action where we reasonably believe an account, configuration, integration, message, file, content or activity creates legal, security, operational or reputational risk.
5) Subscription, billing, payment processing and taxes
- Fees, plan limits, trial terms, usage limits and billing cycles are shown at checkout, in the Platform, on an invoice or otherwise agreed with us.
- Payments may be processed by third-party payment providers, which may act as independent controllers for some payment, fraud, compliance and regulatory processing.
- You are responsible for taxes, VAT, chargebacks, payment disputes and the accuracy of your billing information, except to the extent caused by our own error.
- We may suspend or restrict access for non-payment, suspected payment abuse, failed payment-provider onboarding or breach of these Terms.
6) Customer responsibilities and compliance boundary
You are solely responsible for your business, services, professional conduct, legal compliance, End-Client relationships, and the Customer Data and content you use with the Platform. In particular, you agree that you will:
- Operate lawfully. Comply with all laws, regulations, professional rules, advertising rules, consumer rules, data protection laws and industry requirements that apply to your business and services.
- Provide accurate business information. Keep your business identity, contact details, legal details, services, pricing, availability, cancellation rules and policies accurate and up to date.
- Control your own notices and policies. Provide End-Clients with your own privacy notice, terms, booking policies, consent wording and other required information. Beautay may provide templates, prompts, publication tools or acknowledgement records, but these are not legal advice and we do not verify that your content is legally adequate.
- Handle data protection compliance. Act as controller for End-Client data where applicable, choose and document lawful bases, special category conditions, retention periods, consent mechanisms, data sharing, rights-request handling and any required data protection documentation.
- Handle health and special category data carefully. Decide what forms, questions, notes, records, images or documents to collect and ensure you have a lawful basis, special category condition and appropriate safeguards for that information.
- Comply with messaging and marketing rules. Ensure service messages, marketing campaigns, SMS, email, referral, loyalty and promotional communications are lawful, accurate, not misleading, properly permissioned and include required opt-out or preference mechanisms.
- Manage payments and commercial terms. Ensure your prices, deposits, refunds, cancellation charges, gift cards, packages, promotions, loyalty rewards and no-show policies are lawful, clear and honoured.
- Review outputs and configurations. Review any automated, generated, template-based, default or imported content before relying on or publishing it.
Product safeguards, including prompts, warnings, required fields, acknowledgements, clickwrap records, audit logs, exports, deletion/anonymisation tools or preference fields, do not transfer your compliance obligations to Beautay and do not mean Beautay has approved your business practices or legal documents.
7) Customer Data and content
As between you and Beautay, you retain responsibility for Customer Data. You grant us a limited licence to host, process, transmit, display and otherwise use Customer Data to provide, secure, support, maintain and improve the Platform, comply with law, and enforce these Terms and the DPA.
You warrant that you have all rights, permissions, notices, lawful bases and consents needed for Customer Data and for the instructions you give us. We are not responsible for the legality, accuracy, quality, completeness or suitability of Customer Data or Customer-published content.
8) Acceptable use
You must not, and must not allow anyone else to:
- use the Platform for unlawful, harmful, abusive, deceptive, infringing, exploitative, unsafe or unauthorised activity;
- attempt unauthorised access, security probing, credential abuse, scraping, excessive load, malware distribution or interference with the Platform;
- send spam, unlawful marketing, misleading promotions, unsafe advice or communications without required permission;
- upload or publish unlawful, malicious, defamatory, infringing or unsafe content;
- collect, process, disclose or export personal data without the right to do so; or
- circumvent plan limits, security controls, payment controls, rate limits or usage restrictions.
9) Third-party services and integrations
The Platform uses and may integrate with third-party services such as hosting, databases, authentication/security, payment processing, email/SMS delivery, monitoring, analytics, background jobs, storage and optional calendar or video integrations.
Third-party services may be subject to their own terms and privacy notices and may change, suspend or fail independently of Beautay. We are not responsible for third-party services except to the extent required by law or expressly set out in the DPA for subprocessors processing Customer Personal Data on our behalf.
10) Availability, support and changes
We aim to provide a reliable Platform, but we do not guarantee uninterrupted, error-free or permanent availability. We may update, change, suspend or discontinue parts of the Platform to improve security, compliance, performance, maintainability or functionality, or to address legal, operational or supplier issues.
Support is provided via [email protected] unless we agree otherwise.
11) Intellectual property
We and our licensors own all rights in the Platform, software, design, code, documentation, trademarks and underlying technology. You receive a limited, non-exclusive, non-transferable, revocable licence to use the Platform during your Subscription in accordance with these Terms.
You are responsible for any Customer content, branding, logos, images, templates, documents or materials you upload, publish or send through the Platform.
12) Confidentiality
Each party will protect the other party’s confidential information using reasonable care and will use it only for purposes connected with these Terms, unless disclosure is required by law or the information becomes public other than through breach.
13) Disclaimers
To the maximum extent permitted by law, the Platform is provided “as is” and “as available”. We do not warrant that the Platform will meet every requirement, produce any particular business, legal, clinical or regulatory outcome, or make your business compliant.
Any templates, default wording, examples, generated documents, prompts, checklists, reports, warnings or settings are provided for convenience only. They are not legal, clinical, medical, regulatory, tax, marketing-compliance or professional advice and must be reviewed by you and your advisers before use.
14) Limitation of liability (B2B)
Nothing in these Terms limits or excludes liability for fraud, fraudulent misrepresentation, death or personal injury caused by negligence, or any liability that cannot be limited or excluded by law. Subject to that:
- we will not be liable for indirect or consequential loss, loss of profits, loss of revenue, loss of business, loss of goodwill, loss of anticipated savings, reputational damage, or loss arising from your services, Customer Data, Customer content, End-Client disputes or regulatory non-compliance;
- we will not be liable for third-party services, payment-provider decisions, integrations, supplier outages or Customer configurations except to the extent required by law or expressly set out in these Terms; and
- our total aggregate liability arising out of or in connection with these Terms is limited to the fees paid by you to us in the 12 months preceding the event giving rise to the claim.
15) Indemnity
You will indemnify and keep us indemnified against claims, losses, liabilities, penalties, damages, costs and expenses arising from or connected with: (a) your services, treatments, advice, products or End-Client relationships; (b) Customer Data or Customer content; (c) your privacy notices, terms, consents, marketing, promotions, gift cards, packages, loyalty or pricing; (d) your breach of data protection law or other laws as controller or service provider; (e) your misuse of the Platform; or (f) your breach of these Terms.
16) Suspension and termination
These Terms start when accepted and continue until terminated. Either party may terminate for material breach not remedied within 30 days of written notice. We may suspend or terminate immediately where reasonably necessary for non-payment, security risk, unlawful activity, serious misuse, payment abuse, supplier requirement, legal requirement or material risk to Beautay, other customers or End-Clients.
On termination, your access ends. Data return/deletion is addressed in the DPA, subject to backups, logs, legal retention and data we are entitled or required to retain.
17) Changes to these Terms
We may update these Terms from time to time. If changes are material, we may provide notice by email, in-app notice or another reasonable method. The “Version” and “Last updated” date at the top indicate the current Terms. Continued use after the effective date means you accept the updated Terms.
18) Governing law
These Terms are governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction, unless applicable law requires otherwise.
Part B — Data Processing Agreement (DPA)
This DPA applies only to the extent Beautay processes Customer Personal Data on behalf of the Customer as processor. It forms part of the Terms. If Part A conflicts with this DPA, this DPA prevails for the processing of Customer Personal Data.
19) Roles
- Customer is the controller of Customer Personal Data, unless the parties agree otherwise in writing.
- Beautay is the processor of Customer Personal Data processed to provide the Platform.
- Beautay may act as an independent controller for limited data used for its own account administration, billing, security, abuse prevention, analytics, support, legal compliance and service integrity purposes.
20) Processing details and instructions
The subject matter, duration, nature and purpose of processing, categories of data subjects and types of personal data are set out in Annex 1. Your documented instructions are these Terms, your configuration and use of the Platform, and any lawful written instructions we accept.
We are not required to follow instructions that we reasonably believe are unlawful, unsafe, technically impracticable, outside the Platform’s scope, or inconsistent with these Terms.
21) Beautay processor obligations
Where we act as processor, we will:
- process Customer Personal Data only on documented instructions, unless required by law;
- ensure people authorised to process Customer Personal Data are subject to appropriate confidentiality obligations;
- implement appropriate technical and organisational measures, summarised in Annex 2;
- use subprocessors only in accordance with section 24;
- assist you, taking into account the nature of processing and information available to us, with data subject requests and controller obligations where you cannot reasonably do so through Platform tools;
- notify you of personal data breaches affecting Customer Personal Data in accordance with section 28;
- delete or return Customer Personal Data at the end of services in accordance with section 27; and
- make available information reasonably necessary to demonstrate compliance with this DPA, subject to section 26.
22) Customer controller obligations
You warrant, represent and undertake that:
- you have all notices, lawful bases, special category conditions, consents and permissions required to collect and process Customer Personal Data and provide it to Beautay;
- your instructions to Beautay are lawful and within your rights as controller;
- you are responsible for the accuracy, quality, legality, retention and minimisation of Customer Personal Data;
- you will provide End-Clients with legally required privacy information and handle their rights requests, complaints and regulatory communications;
- you will not use the Platform to collect or process data that you are not legally permitted to collect or process; and
- you will configure Platform settings, communications, forms, legal documents and retention practices in accordance with your own compliance obligations.
23) Special category data and clinical records
The Platform may process special category data, including health-related information, if you choose to collect it through forms, consultation records, treatment notes, images, files or other records. You are solely responsible for deciding whether to collect such data, ensuring the collection is lawful and necessary, identifying a valid Article 9 condition, applying appropriate safeguards, and meeting any professional or clinical-record obligations.
24) Subprocessors
You provide general authorisation for us to engage subprocessors to provide, secure, support, maintain and improve the Platform. A current list of subprocessors is maintained at /subprocessors.
We will impose data protection obligations on subprocessors that are designed to protect Customer Personal Data in a manner consistent with our obligations under this DPA. These Terms do not provide separate assurances about each provider beyond the roles described in the subprocessor list and this DPA.
We may update subprocessors from time to time. Where required by applicable data protection law or where a change is material, we will provide notice by email, in-app notice, update to the subprocessor page or another reasonable method. You may object on reasonable data protection grounds within 14 days of notice. If we cannot reasonably accommodate the objection, either party may terminate the affected services.
25) International transfers
Where Customer Personal Data is transferred outside the UK and transfer safeguards are required, we will rely on appropriate safeguards available for the relevant transfer, such as the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, adequacy regulations or another lawful mechanism.
26) Audits and compliance information
On reasonable written request, and no more than once per year unless required because of a personal data breach affecting Customer Personal Data, we will provide information reasonably necessary to demonstrate compliance with this DPA. Any audit or information request must be proportionate, protect the confidentiality and security of the Platform and other customers, and must not require disclosure of trade secrets, security-sensitive information or third-party confidential information.
On-site audits are permitted only where legally required, cannot reasonably be satisfied by documentation, and are agreed in advance in writing.
27) Deletion and return
During the Subscription, you may export or delete certain Customer Personal Data using Platform tools, subject to technical limits and your permissions. Some deletion tools may anonymise identity data while preserving records required for audit, legal, payment, security, fraud-prevention, booking, clinical or dispute purposes.
Following termination, we will delete or return Customer Personal Data within a reasonable period following written request, except where data is retained in backups or logs pending normal rotation, or where retention is required or permitted by law, security, accounting, dispute, fraud-prevention or legitimate business purposes.
28) Personal data breaches
We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data and provide information reasonably available to assist you. You are responsible as controller for assessing and making any required notifications to End-Clients, regulators or other parties, but we will provide reasonable assistance as processor.
29) Liability under the DPA
Each party’s liability under this DPA is subject to the limitation of liability in Part A, except to the extent prohibited by applicable law.
30) Order of precedence
If there is any conflict between Part A and Part B, Part B prevails for matters relating to the processing of Customer Personal Data.
Annex 1 — Processing Details
| Subject matter | Provision, security, maintenance and support of the Beautay Platform for the Customer. |
|---|---|
| Duration | The Subscription term, plus any post-termination period needed for return/deletion, backup rotation, legal retention, security, dispute handling and legitimate business purposes. |
| Nature of processing | Collection, recording, storage, organisation, retrieval, use, transmission, hosting, display, communication, restriction, export, deletion and anonymisation of Customer Personal Data through the Platform. |
| Purpose | To provide, secure, support, maintain and improve the Platform; process transactions and communications configured by the Customer; support optional integrations; maintain audit/security records; and comply with applicable law. |
| Categories of data subjects | End-Clients, prospective End-Clients, customer account holders, gift-card purchasers/recipients, waitlist members, communication recipients, Customer staff, Authorised Users and other individuals whose data is submitted to the Platform by or for the Customer. |
| Types of personal data | Identity and contact details; account and authentication data; booking, customer-management and preference records; payment references and transaction metadata; communications and marketing preferences; form responses; signatures; notes; files and images; legal acknowledgements and audit records; IP address, user agent and technical/security logs. |
| Special category data | May include health-related information, treatment records, consultation information, images, notes or other special category data where the Customer chooses to collect or upload it. |
Annex 2 — Security Measures (TOMs) (summary)
- Encryption in transit for Platform traffic.
- Authentication, session controls and access controls for Platform accounts.
- Role and permission features available to Customers for Authorised Users.
- Logical separation controls for tenant data.
- Encryption or additional protection for certain sensitive records where implemented by the Platform.
- Logging, monitoring, rate limiting and anti-abuse controls designed to protect service integrity.
- Backup and recovery processes designed to support continuity and restoration.
- Operational security practices, vulnerability management and incident response processes appropriate to the nature of the Platform.
- Use of third-party service providers to support hosting, storage, communications, payments, monitoring, security and integrations.
These measures are a summary and may change as the Platform evolves. No technical or organisational measure can guarantee absolute security.
Annex 3 — Subprocessors
The current list of subprocessors is maintained at: /subprocessors. That list is incorporated by reference into this DPA.
Some providers, including payment providers and optional integrations, may act as independent controllers for certain processing. See the subprocessors page for categorisation.
Annex 4 — International Transfers (summary)
Beautay and its providers may process personal data in locations outside the UK. Where transfer safeguards are required, Beautay will rely on appropriate safeguards available for the relevant transfer. These Terms do not include vendor-specific regional or assurance statements beyond the information Beautay has chosen to publish.