Beautay — Terms of Use (Including Data Processing Agreement)
These Terms of Use (the “Terms”) govern access to and use of the Beautay software, websites and related services (the “Platform”). By creating an account, subscribing, or using the Platform, you agree to these Terms.
Privacy notice: Our provider privacy notice (for our own business and admin-user data) is available at https://beautay.co.uk/privacy. For End-Client data processed on your behalf, see the DPA in Part B.
Part A — Terms of Use
1) Definitions
- Customer: the business or individual using the Platform for purposes relating to their trade, business, craft or profession (“you”).
- Authorised Users: your staff and contractors permitted to use the Platform under your account.
- End-Clients: your customers/patients who book, pay, or submit forms via your mini-website or other Platform features.
- Customer Data: all data submitted to the Platform by you or your Authorised Users, including End-Client data.
- Customer Personal Data: any personal data within Customer Data (as defined under applicable data protection law).
- Subscription: your paid plan and term as shown at checkout, on an invoice, or in the Platform.
- Documentation: any help pages, guides or policies we publish for the Platform.
2) Business customers only; authority to accept
2.1 Business customers only. The Platform is offered for business use. You confirm you are using the Platform for purposes relating to your trade, business, craft or profession. If you are using the Platform as a consumer (for personal, non-business use), you must not purchase or use the Platform.
2.2 Authority to accept. The person accepting these Terms confirms that they are authorised to bind the Customer to these Terms (including the DPA in Part B).
2.3 UK-only. The Platform is intended for Customers operating in the United Kingdom unless we agree otherwise in writing.
3) The Platform; our role
The Platform helps you create a one-page white-label mini-website and manage bookings, online payments, services, staff, locations, waitlists, forms/questionnaires, notes, work mapping, product usage, customer records, reminders, integrations, and reporting.
Software only. We provide software and technical tools only. We do not provide clinical, medical, aesthetic or regulatory advice, do not supervise treatments, and do not verify your compliance with professional or regulatory requirements.
Your contract is with your End-Clients. Any treatment or service contract is between you and your End-Clients. You are solely responsible for your services, outcomes, pricing, refunds, cancellation rules, complaints, and professional/regulatory compliance.
4) Accounts and security
You are responsible for maintaining the confidentiality of account credentials and ensuring only Authorised Users access your account. You are responsible for all activity under your account, including configuration of staff permissions and removal of access when staff leave.
5) Subscription, billing and taxes
- Fees, plan limits and billing cycles are shown at checkout and/or within the Platform.
- Payments may be processed by third-party payment providers.
- You are responsible for applicable taxes (including VAT where applicable).
- We may suspend access for non-payment after reasonable notice.
6) Customer responsibilities (compliance boundary)
You agree that you will:
- Provide accurate information about your business/practice and keep it updated.
- Use the Platform lawfully and comply with all applicable laws, codes of practice, and professional/regulatory obligations relevant to your services.
- Provide End-Client notices (including a privacy notice and terms/policies) and obtain any consents required for your processing and communications.
- Data protection compliance. You are responsible as controller for selecting lawful bases (and any special category condition for health data), setting retention, handling DSARs and other rights requests, and configuring exports and deletion appropriately.
- Messaging compliance. If you use the Platform to send SMS/email (beyond the automatic reminders and confirmations), you are responsible for content, recipient lists, opt-in/opt-out handling, and ensuring compliance with applicable electronic marketing rules (e.g., service messages vs marketing). Regarding automatic reminders and confirmations, you are partially responsible for content (specific variables, such as service names, used to give the end-customer the relevant information).
- Clinical records & health information. You decide what consultation information to collect and record, and must ensure you have a lawful basis and appropriate safeguards.
7) Acceptable use
You must not:
- use the Platform for unlawful, harmful, defamatory, infringing, or abusive activity;
- attempt unauthorised access, security probing, or introduce malware;
- send spam or unlawful marketing;
- collect, upload, or process personal data without the right to do so.
Low risk tolerance. We may suspend or restrict access immediately where we reasonably believe it is necessary to: (a) protect End-Clients, (b) prevent unlawful messaging/marketing, (c) protect the Platform’s security or integrity, or (d) comply with law. We may require you to take corrective steps before restoring access.
8) Customer Data
You own Customer Data. You grant us a limited licence to host, process and transmit Customer Data solely to provide, secure and support the Platform, and as set out in these Terms and the DPA.
You are responsible for the legality, accuracy, and quality of Customer Data you submit and for ensuring you have all necessary rights and permissions.
9) Third-party services and integrations
The Platform may integrate with third parties (e.g., payment processors, SMS/email providers, calendar integrations, monitoring and security tooling). Third-party services may change or be unavailable; we are not responsible for third-party outages or changes.
10) Availability, support and changes
We aim for reliable service but do not guarantee uninterrupted availability. We may update the Platform to improve performance, security or features. Support is provided via support@beautay.co.uk.
11) Intellectual property
We own all rights in the Platform and Documentation. You receive a limited, non-exclusive, non-transferable licence to use the Platform during your Subscription, subject to these Terms.
12) Confidentiality
Each party will protect the other party’s confidential information and use it only to perform under these Terms.
13) Disclaimers
To the maximum extent permitted by law, the Platform is provided “as is”. We do not warrant that the Platform will meet all requirements or be error-free. We are not responsible for your services, clinical decisions, End-Client disputes, or regulatory compliance.
14) Limitation of liability (B2B)
Nothing in these Terms limits or excludes liability for fraud, fraudulent misrepresentation, or any liability that cannot be excluded by law. Subject to the foregoing, and to the maximum extent permitted by law:
- We will not be liable for indirect or consequential losses, loss of profits, loss of business, loss of goodwill, or loss of anticipated savings.
- Our total aggregate liability arising out of or in connection with these Terms is limited to the fees paid by you to us in the 12 months preceding the event giving rise to the claim.
15) Indemnity (Customer → Provider)
You will indemnify us against claims, liabilities, penalties, costs and expenses arising from or connected with: (a) your services/treatments and End-Client disputes; (b) your content, promotions, gift cards, loyalty schemes and pricing; (c) your unlawful messaging/marketing; (d) your breach of data protection law as controller; or (e) your breach of these Terms.
16) Termination
These Terms start when accepted and continue until terminated. Either party may terminate for material breach not cured within 30 days of notice. We may suspend or terminate immediately for serious misuse, unlawful activity, or security risk (see section 7).
On termination, your access ends. Data return/deletion is addressed in the DPA (Part B), subject to backups and legal retention.
17) Changes to these Terms
We may update these Terms. If changes are material, we will provide notice (for example via email or in-app message). The “Version” and “Last updated” at the top indicate the current Terms. Continued use after the effective date means you accept the updated Terms.
18) Governing law
These Terms are governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction (unless otherwise required by law).
Part B — Data Processing Agreement (DPA)
This DPA applies only to the extent that we process Customer Personal Data on your behalf as a processor. It forms part of the Terms. If there is a conflict between Part A and Part B, Part B prevails for data protection matters.
19) Roles
- Customer is the controller of Customer Personal Data.
- Provider is the processor.
- We may act as an independent controller for limited data strictly necessary for security, fraud prevention, abuse prevention, and service integrity (e.g., security logs).
20) Processing details
The subject matter, duration, nature and purpose of processing, categories of data subjects and types of personal data are set out in Annex 1.
21) Provider obligations
We will:
- process Customer Personal Data only on your instructions, unless required by law;
- ensure people authorised to process Customer Personal Data are subject to confidentiality obligations;
- implement appropriate technical and organisational measures (“TOMs”) as described in Annex 2;
- not engage subprocessors except in accordance with section 24;
- assist you, taking into account the nature of processing, with responding to data subject requests and regulatory obligations, where you cannot do so via Platform tools;
- delete or return Customer Personal Data at end of services in accordance with section 27;
- make available information necessary to demonstrate compliance and support audits as set out in section 26.
22) Customer obligations
You warrant that:
- you have a lawful basis to collect and provide Customer Personal Data to us and to instruct us to process it;
- you will provide End-Clients with legally required privacy information and obtain any consents required (including for marketing and where you rely on explicit consent for special category data);
- you are responsible for the legality, accuracy, and quality of Customer Personal Data you submit and the instructions you give us.
23) Special category data (health)
The Platform may process special category data if you choose to collect it (e.g., consultation questionnaires, SOAP notes, treatment records, injection/work mapping, and products used). You are responsible for selecting and documenting an appropriate condition for processing such data and implementing any required safeguards/policies as controller.
24) Subprocessors
You provide general authorisation for us to engage subprocessors to provide the Platform. A current list of subprocessors is maintained at: https://beautay.co.uk/subprocessors.
We will impose data protection obligations on subprocessors that are substantially similar to those in this DPA. We will provide notice of material changes to subprocessors by email and/or in-app notice. You may object on reasonable grounds related to data protection within 14 days of notice. If we cannot reasonably accommodate your objection, you may terminate the affected service(s).
25) International transfers
Where Customer Personal Data is transferred outside the UK, we will ensure appropriate safeguards are in place (for example, UK IDTA or the UK Addendum to SCCs), as described in Annex 4.
26) Audits and compliance evidence
On reasonable notice and no more than once per year (unless required due to a security incident affecting Customer Personal Data), you may request reasonable information to demonstrate compliance, such as third-party audit reports (where available), security questionnaires, and documentation. Any on-site audit must be agreed in advance, be proportionate, and protect the confidentiality and security of other customers and the Platform.
27) Deletion / return
During the Subscription you can export Customer Personal Data using Platform tools. Upon termination, we will delete or return Customer Personal Data within 60 days of a written request, except for data retained in backups (deleted on normal rotation) and data we must retain to comply with law.
28) Personal data breaches
We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data and provide information reasonably required to assist you. You are responsible as controller for any required notifications to End-Clients and regulators, but we will assist as processor.
29) Liability under the DPA
Each party’s liability under this DPA is subject to the limitation of liability in Part A, except where prohibited by applicable law.
30) Order of precedence
If there is any conflict between Part A and Part B, Part B (the DPA) prevails for matters relating to the processing of Customer Personal Data.
Annex 1 — Processing Details
| Subject matter | Provision of the Platform to the Customer (mini-website, bookings, payments support, forms, reminders, customer records, notes, reporting, integrations). |
|---|---|
| Duration | Subscription term plus any post-termination period required for deletion/return and backup rotation. |
| Nature of processing | Collecting, storing, organising, retrieving, using, transmitting, and deleting Customer Personal Data; generating reminders/notifications as configured by Customer. |
| Purpose | To provide, secure and support the Platform; deliver communications initiated/configured by Customer; prevent fraud/abuse; maintain service integrity. |
| Categories of data subjects | Customer End-Clients; Customer staff/Authorised Users; individuals on waitlists; recipients of reminders/notifications configured by Customer. |
| Types of personal data | Identity/contact (name, email, phone); booking history; services purchased; payment references (as applicable); gift cards/loyalty/promo usage; messaging preferences/opt-outs; form responses; consultation notes; treatment records; product usage logs; uploaded media where it contains personal data; IP address and device/log data for security and audit trails. |
| Special category data | May include health-related information in forms and consultation/treatment records (as configured by Customer). |
Annex 2 — Security Measures (TOMs) (summary)
- Encryption in transit (TLS) for Platform traffic.
- Access controls and least privilege for administrative access.
- Logical separation between customers (tenant isolation controls).
- Audit logging for administrative actions.
- Backups and recovery procedures.
- Vulnerability management and patching processes.
- Incident response procedures for security events.
- Supplier risk management (reviewing key vendors/subprocessors).
Annex 3 — Subprocessors
The current list of subprocessors is maintained at: https://beautay.co.uk/subprocessors. That list is incorporated by reference into this DPA.
Note: Some providers (e.g., payment providers) may act as independent controllers for certain payment data. See the subprocessors page for categorisation.
Annex 4 — International Transfers (summary)
We may use suppliers that process data outside the UK. Where international transfers occur, we will implement appropriate safeguards (for example, UK IDTA or the UK Addendum to SCCs) and take reasonable steps to ensure an appropriate level of protection. You may request further information about relevant safeguards by contacting support@beautay.co.uk.