Privacy Policy

The responsible party (operator under POPIA, controller under GDPR) for personal information processed through the Platform is:

This Privacy Policy applies to all personal information collected through the Platform, including:

• The Halaal Brows website at https://www.halalbrows.africa
• The Halaal Brows iOS mobile application.
• The Halaal Brows Android mobile application.
• Any APIs, tools, or services integrated into or accessible through the Platform.

This Policy does not apply to third-party websites, applications, or services linked from the Platform. We encourage you to review the privacy policies of any third-party services you access.

We collect the following categories of personal information:

We use your personal information for the following purposes:

• Creating and managing your account.
• Providing and improving Platform features and Services.
• Processing bookings, appointments, and payment transactions.
• Managing subscriptions and issuing invoices or receipts.
• Sending transactional communications including booking confirmations, reminders, and account notifications.
• Sending marketing and promotional communications where you have provided consent or where permitted by applicable law. You may opt out at any time.
• Operating the AI brow measurement, symmetry, and simulation tools during your session.
• Issuing and enabling verification of digital training certificates.
• Facilitating communication between Artists and Clients through the Platform.
• Moderating community content and enforcing Platform policies.
• Conducting analytics and generating reports to improve the Platform.
• Complying with legal obligations, including POPIA, the ECT Act, and financial regulations.
• Preventing fraud, abuse, and unauthorised use of the Platform.
• Maintaining an audit log of administrative actions for accountability and compliance.

We process your personal information on the following legal grounds under POPIA (conditions for lawful processing) and the GDPR (lawful bases):

• Contract: Processing is necessary to perform the contract between you and the Company (e.g., providing the Platform services, processing bookings, managing your subscription).
• Legal Obligation: Processing is required to comply with applicable laws including POPIA, the ECT Act, tax legislation, and financial regulations.
• Legitimate Interest: Processing is necessary for our legitimate business interests, such as platform security, fraud prevention, analytics, and improving our Services, provided these interests are not overridden by your rights and interests.
• Consent: For certain processing activities (including marketing communications, location access, facial landmark processing, and health data), we rely on your freely given, specific, informed, and unambiguous consent. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

Where we process special category information (health data, biometric/facial data), we rely solely on your explicit consent, which you may withdraw at any time.

We do not sell your personal information. We share your information only in the following circumstances:

The Platform uses infrastructure and services hosted in the United States and other jurisdictions. By using the Platform, you acknowledge that your personal information may be transferred to and processed in countries outside of South Africa.

When we transfer personal information outside South Africa to countries that do not provide an equivalent level of protection under POPIA, we implement appropriate safeguards including Standard Contractual Clauses (SCCs) or equivalent data transfer mechanisms.

Where GDPR applies to European Economic Area (EEA) users, transfers are made in accordance with Chapter V of the GDPR, utilising SCCs or adequacy decisions as applicable.

We retain your personal information for as long as is necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law.

• Account data: Retained for the duration of your account and for up to 5 years after account closure, unless you request earlier deletion and no legal obligation requires longer retention.
• Transaction and financial records: Retained for a minimum of 5 years in accordance with South African financial and tax legislation.
• Facial landmark data: Processed in-session only and not retained beyond the active session unless you explicitly save a result.
• Health data: Retained for the duration of the Artist-Client relationship and for 3 years after the last treatment, in accordance with applicable health and safety regulations.
• Audit logs: Retained for a minimum of 3 years for compliance and accountability purposes.
• Community content: Retained until you delete it or your account is closed.

When personal information is no longer required, we delete or anonymise it securely.

We implement appropriate technical and organisational security measures to protect your personal information against unauthorised access, disclosure, alteration, and destruction, including:

• Encryption of data in transit using TLS/HTTPS.
• Encryption of data at rest within Google Firebase infrastructure.
• Password hashing using industry-standard algorithms.
• Role-based access controls limiting data access to authorised personnel.
• Rate limiting and abuse protection on all API endpoints.
• Immutable audit logging of administrative actions.
• Regular security reviews of platform infrastructure.

Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach that is likely to affect your rights and interests, we will notify you and the Information Regulator (South Africa) within 72 hours of becoming aware of the breach, in accordance with Section 22 of POPIA.

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18.

If we become aware that we have inadvertently collected personal information from a child under 18 without appropriate parental or guardian consent, we will take immediate steps to delete that information. If you believe a child under 18 has provided us with personal information, please contact us at info@halaalbrows.com.

The Platform provides AI-powered brow measurement, symmetry analysis, lip symmetry, and brow simulation tools. These tools use MediaPipe facial landmark detection technology to analyse facial geometry.

The Halaal Brows web platform uses the following technologies:

• Essential cookies: Required for the Platform to function, including authentication session management. These cannot be disabled without affecting core functionality.
• Analytics: We use Firebase Analytics to understand how Users interact with the Platform. Data is collected in aggregate or pseudonymised form. You may opt out of analytics through your account settings.
• Functional storage: Local storage and IndexedDB are used to improve performance and enable offline functionality in the mobile application.

The mobile application operates as a native app and does not use browser cookies. Local device storage is used for session management and performance optimisation.

Subject to applicable law, you have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete personal information.
• Deletion: Request deletion of your personal information where there is no lawful reason for continued processing.
• Objection: Object to processing based on legitimate interests.
• Restriction: Request restriction of processing in certain circumstances.
• Portability: Request your personal information in a structured, commonly used, machine-readable format.
• Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
• Opt-out of marketing: Opt out of marketing communications at any time using the unsubscribe link in emails or through your account settings.

To exercise any of these rights, please contact us at info@halaalbrows.com. We will respond within 30 days. We may require verification of your identity before processing your request.

The Platform operates as a responsible party under the Protection of Personal Information Act 4 of 2013 (POPIA). In addition to the general rights above, South African data subjects have the following rights under POPIA:

• The right to be notified when personal information is collected and how it will be used (fulfilled through this Policy and account registration).
• The right to request correction, deletion, or destruction of personal information (Section 24 of POPIA).
• The right to object to the processing of personal information (Section 11(3) of POPIA).
• The right to submit a complaint to the Information Regulator of South Africa if you believe your personal information rights have been violated.

The Information Regulator of South Africa may be contacted at:

Our designated Information Officer for POPIA purposes can be contacted at info@halaalbrows.com.

Although Halaal Brows is a South African platform, we acknowledge and respect the rights of Users who may be located in the European Economic Area (EEA) under the General Data Protection Regulation (GDPR). EEA Users have the following additional rights:

• The right not to be subject to automated decision-making, including profiling, that produces legal or similarly significant effects.
• The right to lodge a complaint with your local supervisory authority in the EEA.
• Where we rely on legitimate interest as the legal basis for processing, you have the right to object and we must cease processing unless we demonstrate compelling legitimate grounds.

The legal bases for processing under GDPR are: contract performance (Article 6(1)(b)), legal obligation (Article 6(1)(c)), legitimate interests (Article 6(1)(f)), and explicit consent (Article 9(2)(a) for special category data).

The Platform may contain links to third-party websites, applications, or services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through the Platform.

Third-party payment processors handle your payment information directly and maintain their own privacy policies and security standards. We do not have access to your full card details.

Google Maps Platform is used to display the salon finder. Your use of the map interface is subject to Google’s Privacy Policy.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or applicable laws. When we make material changes, we will notify you by email or by a prominent notice on the Platform at least 14 days before the changes take effect.

The effective date at the top of this Policy indicates when it was last updated. We encourage you to review this Policy periodically. Your continued use of the Platform after the effective date constitutes your acceptance of the updated Policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact our Information Officer:

We aim to respond to all privacy-related enquiries within 30 days. Where your request is complex or you have made a number of requests, we may extend this period by a further two months and will notify you accordingly.