Security & Compliance
Kayo is designed for businesses that take customer trust seriously. This page covers our data protection framework, applicable regulations, and the technical and organisational controls we maintain.
Applicable Regulations
Kayo processes personal data in compliance with two primary regulatory frameworks, applied based on the location of the data subject and the nature of the processing:
- GDPR (EU Regulation 2016/679) — applies to the personal data of EU and EEA residents regardless of where Kayo operates. This framework governs lawful basis for processing, data minimisation, rights of data subjects, breach notification obligations, and the conditions for international data transfers.
- UAE Federal Decree-Law No. 45 of 2021 (PDPL) — the primary data protection law applicable to Kayo's UAE-based operations and customer base. The PDPL establishes obligations for data controllers and processors, including requirements for consent or legitimate purpose, data subject rights, cross-border transfer restrictions, and incident notification.
Kayo's practices are designed to satisfy both frameworks concurrently. Where the two regimes impose different standards, we apply the more stringent requirement.
Data We Process
| Category | Collection point | Legal basis | Retention |
|---|---|---|---|
| Salon owner / staff identity (name, email) | Dashboard signup | Performance of contract | Duration of active account |
| Booking guest details (name, phone, email, appointment history) | Booking form | Contract / Legitimate interests | For as long as necessary to support the salon's client relationship |
| Payment confirmation data (transaction ref, card brand, last 4 digits) | Stripe checkout | Legal obligation | As required by applicable tax and commercial law |
| Business enquiry data (name, phone, business details) | kayo.ae join form | Legitimate interests | For as long as relevant to the business relationship |
| Technical logs (IP, timestamps, request metadata) | Automatic | Legitimate interests | Limited period for security and operational purposes |
Kayo does not sell, rent, or share personal data with third parties for advertising or any purpose unrelated to delivering the service.
Sub-processors
Kayo engages the following sub-processors to operate its services. Each sub-processor is engaged under a data processing agreement and is permitted to process personal data only as directed by Kayo and only for the purposes specified:
| Sub-processor | Purpose | Data location | Certifications |
|---|---|---|---|
| Supabase | Database, authentication, storage | EU (Ireland) | SOC 2 Type II, GDPR DPA |
| Vercel | Hosting, CDN, serverless compute | US + global edge (SCCs) | SOC 2 Type II, GDPR DPA |
| Stripe | Payment processing | US + EU (SCCs) | PCI DSS Level 1, SOC 2 Type II |
Where personal data is transferred outside the UAE or EEA, such transfers are subject to Standard Contractual Clauses (SCCs) or another appropriate transfer mechanism as required by applicable law.
Data Subject Rights
Individuals whose personal data is held by Kayo may exercise the rights available to them under applicable law by contacting us at support@kayo.ae. Requests should include sufficient information to identify the individual and describe the right being exercised. We will respond within the timeframe required by applicable law.
- Right of access — to receive confirmation of whether your data is processed and a copy of that data
- Right to rectification — to have inaccurate or incomplete data corrected
- Right to erasure — to request deletion of your data, subject to overriding legal obligations
- Right to restriction — to request that processing be limited in certain circumstances
- Right to data portability — to receive your data in a machine-readable format where applicable
- Right to object — to object to processing carried out on the basis of legitimate interests
Kayo does not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals.
Security Controls
- Encryption in transit: All connections are encrypted using TLS. Unencrypted HTTP requests are rejected.
- Encryption at rest: All database storage is encrypted at rest using AES-256 (Supabase).
- Secrets management: Credentials and API keys are stored in environment vault services. No secrets are stored in source code or version control.
- Access controls: Administrative access requires multi-factor authentication. Access to customer data is role-scoped and limited to personnel with a legitimate operational need.
- Audit logging: Material data operations are logged with timestamps and actor identifiers, supporting accountability and post-incident review.
- Payment security: Kayo does not store, process, or transmit full payment card numbers. All payment processing is handled by Stripe, a PCI DSS Level 1 certified provider.
- Security reviews: Kayo conducts internal security reviews on a regular basis, covering access controls, dependency vulnerabilities, and infrastructure configuration.
- Incident response: Kayo maintains an incident response process. In the event of a personal data breach that is likely to result in risk to individuals, we will notify affected parties and any relevant supervisory authority in accordance with our legal obligations.
Data Processing Agreements
Organisations requiring a signed Data Processing Agreement (DPA) for GDPR Article 28 compliance or internal procurement purposes may request one by contacting support@kayo.ae.
Contact
For data protection and compliance enquiries, contact us at support@kayo.ae.
The full privacy policy governing all Kayo services is available at kayo.ae/privacy.
kayo.ae/compliance
Kayo Service Technology, Trade Licence No. 1623487
Licensed by DED
Dubai, United Arab Emirates