Privacy Policy

Operra is a salon management platform operated by Edinburgh Creatives Limited, a company registered in Scotland, United Kingdom. When this policy says "we", "us", or "our", it refers to Edinburgh Creatives Limited. When it says "you", it refers to you as a user of the Operra platform or our website at operra.app.

For any questions about how we handle your data, please contact us at info@operra.app.

We collect the following categories of personal data:

• Account data — your name, email address, and password (stored as a one-way hash) when you create an account.
• Business data — your salon or business name, address, and contact details that you provide when setting up your account.
• Client data — information about your clients that you enter into the platform, including names, contact details, and booking history. You are the data controller for this data; we process it on your behalf.
• Payment and payroll data — financial records, commission data, and payroll information you record in the platform.
• Usage data — log files, IP addresses, browser type, and pages visited, collected automatically when you use our service.
• Waitlist data — your email address if you sign up to our early access waitlist.

We use your personal data for the following purposes:

• To provide, operate, and improve the Operra platform.
• To authenticate your identity and keep your account secure.
• To send you transactional emails (e.g. booking confirmations, payslips) that you or your staff initiate.
• To contact you about your subscription or account-related matters.
• To send you early access updates if you have joined our waitlist (you may opt out at any time by emailing us).
• To comply with legal obligations under UK and EU law.

We do not sell your personal data to third parties. We do not use your data for advertising profiling.

We process your data under the following lawful bases as set out in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018:

• Contract — processing is necessary to provide you with the Operraservice you have signed up for.
• Legitimate interests — to operate and improve our platform, detect and prevent fraud, and maintain the security of our systems, provided your interests or fundamental rights do not override these interests.
• Consent — for marketing communications such as waitlist updates, where we have obtained your consent.
• Legal obligation — where we are required by law to retain or process certain data (e.g. financial records).

We share data with a limited number of trusted third-party service providers who help us deliver the platform:

• Vercel — hosting and deployment infrastructure (servers located in the EU/EEA).
• Resend — transactional email delivery.
• Pusher — real-time WebSocket event delivery.

All providers are contractually required to handle data in accordance with applicable data protection law. We do not transfer your personal data outside the UK or EEA without appropriate safeguards in place.

• Account data — retained for the duration of your subscription and for up to 7 years after account closure, as required for UK financial record-keeping obligations.
• Client and booking data — retained for as long as your account is active. You can delete client records from within the platform at any time.
• Waitlist data — retained until we have contacted you regarding access, or until you ask us to remove you from the list.
• Usage logs — typically retained for up to 90 days.

You have the following rights regarding your personal data:

• Right of access — you can request a copy of the data we hold about you.
• Right to rectification — you can ask us to correct inaccurate data.
• Right to erasure — you can ask us to delete your data, subject to our legal retention obligations.
• Right to restriction — you can ask us to restrict how we use your data in certain circumstances.
• Right to portability — you can request your data in a commonly used, machine-readable format.
• Right to object — you can object to processing based on legitimate interests or for direct marketing.
• Rights related to automated decision-making — we do not make automated decisions with significant legal effects based on your personal data.

To exercise any of these rights, please email info@operra.app. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

We use a small number of strictly necessary cookies to operate the platform, including a session cookie for authentication. We do not use advertising or tracking cookies. We do not use Google Analytics or similar third-party analytics on the authenticated platform.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include encryption of data in transit (HTTPS/TLS), hashed password storage, and access controls limiting data access to authorised personnel only.

Despite these measures, no internet transmission is completely secure. Please use a strong unique password for your account and notify us immediately if you suspect unauthorised access.

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by email or by posting a notice on the platform. The date at the top of this page reflects when the policy was last updated. Continued use of Operra after changes take effect constitutes acceptance of the updated policy.

If you have any questions, concerns, or requests relating to your personal data, please contact us: