Privacy Policy

1. Introduction

PMU Pal is a brand operated by Raw Cosmetics Inc. ("PMU Pal," "we," "us," or "our"), a corporation registered in the Province of Ontario, Canada, with its principal office at 4580 Eastgate Pkwy Unit 3, Mississauga, ON L4W 4K4, Canada.

This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our website at pmupal.com and the PMU Pal platform (collectively, the "Service"). This policy applies to two categories of individuals:

• Professionals - permanent makeup artists, estheticians, and studio operators who create accounts and use the Service.
• End Clients - individuals whose contact information is entered into the Service by a Professional and who receive automated communications (aftercare emails, experience surveys, review requests, and touch-up reminders).

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. This policy should be read together with our Terms of Service.

2. Information We Collect

2.1 Information from Professionals (Account Holders)

When you create an account and use the Service, we collect the following information directly from you:

• Account information: full name, email address, and password (stored in hashed form - we never store your password in plain text).
• Studio information: studio name, studio contact email, and studio logo (if uploaded).
• Timezone: used to schedule emails at appropriate times for your clients.
• Payment information: when you subscribe to a paid plan, payment details (credit card number, billing address) are collected and processed directly by our payment processor, Stripe. We do not store your full credit card number on our servers. We receive and store your Stripe customer ID and subscription ID for billing management.

2.2 End Client Information (Provided by Professionals)

When a Professional adds a client to the Service, we receive and store:

• Client name and email address.
• Procedure information: the type of procedure performed (e.g., microblading, lip blush) and the date it was performed.
• Touch-up date: the calculated date for a follow-up appointment.
• Communication preferences: whether the End Client has unsubscribed from receiving emails.

Important: PMU Pal collects End Client information at the direction of the Professional. The Professional is responsible for obtaining proper consent from their End Clients before entering their information into the Service (see Section 5 for more details).

2.3 Information Collected Automatically

When you visit or use the Service, we automatically collect certain information:

• Usage data: pages visited, features used, time spent on pages, and interactions with the dashboard.
• Device information: browser type, operating system, device type, and screen resolution.
• Log data: IP address, access times, and referring URLs.
• Email engagement data: whether an email sent through the Service was opened by an End Client, and the timestamp of the open event.

2.4 Experience Survey Responses

When an End Client completes an experience survey sent through the Service, we collect their survey responses. These responses are shared with the Professional who sent the survey and are not made public by PMU Pal.

3. How We Use Your Information

3.1 For Professionals

We use your information to:

• Create and maintain your account.
• Provide the Service, including sending automated emails on your behalf.
• Process payments and manage your subscription.
• Display your studio name, logo, and contact email in Communications sent to your End Clients.
• Provide dashboard analytics (e.g., email open rates, client counts).
• Communicate with you about your account, service updates, and support requests.
• Improve the Service, diagnose technical issues, and prevent fraud or abuse.

3.2 For End Clients

We use End Client information to:

• Send aftercare email sequences, experience surveys, review requests, and touch-up reminders on behalf of the Professional.
• Track email delivery and open status for the Professional's dashboard analytics.
• Process unsubscribe requests to stop future Communications.

3.3 Aggregated and Anonymized Data

We may use aggregated, anonymized data that does not identify any individual for analytical purposes, including understanding usage patterns, improving the Service, and generating industry insights. This data cannot be used to identify you or any End Client.

4. How We Share Your Information

We do not sell, rent, or trade your personal information. We share information only in the following circumstances:

4.1 Service Providers

We use trusted third-party service providers to operate the Service. These providers process data on our behalf and are contractually bound to use it only for the purposes we specify:

• Resend - email delivery. End Client email addresses and email content are transmitted to Resend to send Communications. Resend processes this data as a sub-processor.
• Stripe - payment processing. Payment information is collected and processed directly by Stripe. Stripe's privacy practices are governed by Stripe's Privacy Policy.
• Cloud hosting and database providers - the Service is hosted on cloud infrastructure, and account and client data is stored in a hosted database. Server logs may contain IP addresses and request data.

4.2 Analytics

We use Google Analytics 4 (GA4) to understand how visitors interact with our website. GA4 collects information such as pages visited, session duration, and general geographic location (city or region level). This data is used to improve the Service and is subject to Google's Privacy Policy. You can opt out of Google Analytics by installing the Google Analytics Opt-Out Browser Add-on.

4.3 Legal Requirements

We may disclose your information if required to do so by law, or in the good-faith belief that such action is necessary to: (a) comply with a legal obligation, court order, or government request; (b) protect and defend the rights or property of Raw Cosmetics Inc.; (c) prevent or investigate possible wrongdoing in connection with the Service; or (d) protect the personal safety of users of the Service or the public.

4.4 Business Transfers

If Raw Cosmetics Inc. is involved in a merger, acquisition, or sale of all or a portion of its assets, your personal information may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Service before your information becomes subject to a different privacy policy.

5. Data Processing Roles

5.1 PMU Pal as Controller

PMU Pal is the data controller for information collected directly from Professionals (account registration, payment, and website usage data). We determine the purposes and means of processing this data.

5.2 PMU Pal as Processor

For End Client personal information entered into the Service by a Professional, PMU Pal acts as a data processor (or "service provider" under the CCPA). The Professional is the data controller (or "business") for their End Clients' data. We process End Client data solely at the direction of the Professional and only to provide the Service.

Professionals are responsible for: (a) having a lawful basis (such as consent) to collect and share their End Clients' personal information with PMU Pal; (b) providing any required privacy notices to their End Clients; and (c) responding to End Client data requests (access, deletion, correction). If an End Client contacts PMU Pal directly with a data request, we will direct them to the relevant Professional and assist the Professional in fulfilling the request where feasible.

6. Cookies and Tracking Technologies

The Service uses the following tracking technologies:

• Session cookies: essential cookies required for authentication and keeping you logged into your account. These are strictly necessary for the Service to function and cannot be disabled.
• Google Analytics cookies: used to collect anonymized usage statistics. You can opt out using the Google Analytics Opt-Out Browser Add-on or by adjusting your browser settings.
• Email open tracking: emails sent through the Service may contain a small tracking pixel that records whether the email was opened and the time of the open event. This data is used to provide email analytics to the Professional on their dashboard.

We do not use advertising cookies or track users across third-party websites.

7. Data Retention

We retain personal information as follows:

• Professional account data: retained for as long as your account is active, plus up to 90 days after account deletion to allow for data export requests.
• End Client data: retained for as long as the Professional's account is active. When a Professional deletes a client or closes their account, the associated End Client data is deleted within 90 days.
• Email records: records of sent emails (including delivery status and open tracking data) are retained for as long as the Professional's account is active.
• Payment records: transaction records may be retained for up to 7 years as required by Canadian tax law and financial reporting obligations.
• Server logs: automatically collected log data (IP addresses, request logs) is retained for up to 90 days for security and debugging purposes.

8. Data Security

We take reasonable technical and organizational measures to protect your personal information, including:

• Passwords are hashed using industry-standard algorithms and are never stored in plain text.
• All data in transit is encrypted using TLS/SSL (HTTPS).
• Database access is restricted and authenticated.
• Payment information is handled entirely by Stripe, a PCI DSS Level 1 certified payment processor.

While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we commit to promptly notifying affected users in the event of a data breach, as required by applicable law.

9. Your Rights

9.1 For Professionals (Account Holders)

Depending on your location, you may have the right to:

• Access the personal information we hold about you.
• Correct inaccurate personal information directly through your account settings or by contacting us.
• Delete your account and associated personal information by contacting us at hello@pmupal.com.
• Export your data in a commonly used format upon request.
• Withdraw consent for processing where consent is the legal basis, without affecting the lawfulness of processing prior to withdrawal.

9.2 For End Clients

If you are an End Client who has received Communications through the Service:

• Unsubscribe: every email sent through the Service includes an unsubscribe link. Clicking it will immediately stop all future Communications from that Professional through the Service.
• Data requests: because your information was provided to us by your Professional (the data controller), data access, correction, and deletion requests should be directed to your Professional in the first instance. You may also contact us at hello@pmupal.com and we will assist in directing your request to the appropriate Professional or fulfill the request directly where required by law.

9.3 Canadian Privacy Rights (PIPEDA)

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, you have the right to access, correct, and challenge the accuracy of your personal information held by us. You may also withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions and reasonable notice. To exercise these rights, contact our Privacy Officer at hello@pmupal.com.

9.4 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to know: you may request details about the categories and specific pieces of personal information we have collected about you.
• Right to delete: you may request deletion of your personal information, subject to certain exceptions.
• Right to opt out of sale: we do not sell personal information. No action is needed on your part.
• Right to non-discrimination: we will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, contact us at hello@pmupal.com. We will respond to verifiable consumer requests within 45 days.

10. International Data Transfers

PMU Pal is operated from Canada. Our service providers (Resend, Stripe, Vercel, Neon) may process data in the United States or other countries. By using the Service, you consent to the transfer of your information to Canada and the United States, where data protection laws may differ from those in your country of residence.

We ensure that any such transfers are subject to appropriate safeguards, including contracts with our service providers that require them to protect personal information in accordance with applicable data protection standards.

11. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe that a child under 18 has provided personal information to us, please contact us at hello@pmupal.com.

12. Third-Party Links

The Service may contain links to third-party websites or services (e.g., Google Reviews, Stripe billing portal). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing them with your information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will notify you by updating the "Last Updated" date at the top of this page and, where appropriate, by sending a notification to the email address associated with your account. Your continued use of the Service after such changes constitutes acceptance of the revised policy.

14. Contact Us

If you have questions about this Privacy Policy, want to exercise your privacy rights, or have a complaint about how your personal information has been handled, please contact us: