Hair & Beauty Professionals

Your allergy records are legally sensitive data. Your booking app holds them. And most professionals have never checked whether that is actually lawful.

A plain-English compliance guide for hair and beauty professionals — covering allergy records, client photography, booking platforms, and AI tools. Written for sole traders, mobile technicians, and salon owners alike.

GDPR

UK GDPR applies to every hair and beauty professional who takes bookings, holds client contact details, or keeps allergy records — regardless of size, regardless of whether you rent a chair or own a salon. There is no minimum threshold. The ICO has consistently pursued sole traders for data protection breaches. Company size affects the scale of fines, not whether the law applies.

This guide covers the three risks most specific to this profession — and the documents that address each one.

Three things most Hair & Beauty Professionals don't know

Allergy records are Special Category Data

Patch test results, skin condition notes, and health disclosures are the highest category of protected data under UK law. Storing or processing them — including in your booking app — without explicit written consent is a breach, not an oversight.

Before/after photos are the most common breach in this sector

Consent to take a photograph is not consent to post it. Consent to post it on Instagram is not consent to upload it to an AI content tool. Each use is a separate consent. The Photography Consent Form in this guide has individual tick boxes for each — that separation is the point.

Your booking app needs a Data Processing Agreement

Fresha, Booksy, Treatwell, Square — every platform that holds your client data on its servers is legally a data processor. You need a written DPA in place before using it for client data. Most business accounts provide one. The guide shows you exactly how to check.

The Photography Rule

Three separate consents. None of them implied by the others.

Taking the photograph — requires consent. But it only covers the clinical record.

Posting it on social media — requires a separate, specific written consent naming the platform.

Uploading it to an AI tool — requires a further separate consent naming the specific tool. General photography consent does not cover this.

The Photography Consent Form in the guide separates each of these into individual tick boxes. A client who ticks clinical record only has not consented to Instagram. That is intentional — and it is the legally correct approach.

What is in the Guide

Why the law applies to you — and what it actually requires

Plain-English explanation of which data you hold, why some of it is legally sensitive, and the three specific obligations that matter most for hair and beauty practice. Covers the four types of AI tool most commonly used in this sector and what each one requires before you can use it with client data.

Your booking platform — how to check it is compliant

Step-by-step guidance for confirming whether your current booking platform has a DPA in place — and what to do if it does not. Covers the platforms most commonly used in the sector. The guide tells you what to look for, where to find it, and what to record as your accountability evidence.

The two documents every client needs before their first appointment

A Privacy Notice template drafted for hair and beauty practice. A combined Client Data and Allergy Record Consent Form. A Photography Consent Form with individual tick boxes for each possible use. These are ready to adapt and use — with a short covering note for sending to existing clients.

The working records — logs, registers, and breach plan

Client Record and Consent Log. AI Tool and Platform Register. Retention schedule — three years for client records, six for financials. A 72-hour breach response plan, with a specific note on allergy record breaches. And the five things to do this week, in order of urgency.

What you get

Profession-specific compliance framework — allergy records, photography, booking platforms, and AI tools all covered

Privacy Notice template — drafted for hair and beauty practice, with booking platform and AI tool disclosures

Client Data & Allergy Record Consent Form — explicit written consent covering allergy records and health disclosures

Photography Consent Form — individual tick boxes for clinical record, social media, website, and AI content tools

Booking platform DPA guidance — how to confirm your platform is compliant and what to record as your evidence

Client Record Log and AI Tool Register — track consent status, retention deadlines, and every platform in use

72-hour breach response plan — with specific guidance for allergy record and health data incidents

AI Safe Starter Pack — the foundational seven documents, included free with this guide

DPAs Volume 1&2 - essential if you use online booking. Priced at £29.

Recommended Pathways

Hair & Beauty Action Guide — £57

The profession-specific guide with completed examples, allergy data consent, verified platform DPA table, and a week-one action plan built around the highest-risk gaps for hair and beauty sole traders.

This pack includes the DPA checker Volume 1&2

Complete Compliance Bundle — £119

Everything in Tier 1 plus the Legal Pack and Companion Guide — recommended for coaches who regularly use AI tools with client data and want a fully documented, legally defensible position.

Full suite — £189

Everything in the Compliance Bundle, plus the website compliance pack, the Risk & Data pack, and DPAs Volume 1&2. Recommended for hair & beauty professionals who regularly use booking platforms to schedule calls, who have a website, and who take before and after photos. Everything you need to be compliant. (Please see Full suite on the product page for more details.)
