General Data Protection Regulation (GDPR)

A Vagaro guide to the European privacy and data protection changes

Vagaro is committed to data protection and welcomes the General Data Protection Regulation (GDPR), which was adopted by the European Union (EU) and goes into effect May 25, 2018.

What is GDPR?

The GDPR was created to harmonize data privacy laws across Europe. It protects and empowers all EU citizens data privacy and changes the way businesses handle data privacy.

Does GDPR affect your business?

The GDPR applies to any organization inside or outside the EU who is marketing goods or services to, and/or tracking the behaviors of customers within the EU. Basically, if you do business with citizens and residents of the EU that involves the processing or storage of their personal data, this applies to you.

Vagaro and GDPR

Your customer data is a top priority for Vagaro. With millions of customers making appointments every month through our software, we care deeply about their privacy and data security. 

Vagaro, Inc. collects data to operate effectively and provide better quality experiences. Below, you will find a list of our products, services, and processes that gather personal data, our purpose and legal basis for processing that information, who we share that information with, and how long we hold that information. 

Description of Product, Service, or Process

Vagaro is cloud-based software that helps salon, spa, and fitness professionals run their business successfully. We offer everything from online scheduling to email marketing. For more information visit

Categories of Personal Data

Vagaro handles the following categories of personal data: 

  • Identifying information (e.g. gender and name).
  • Personal history data (e.g. appointments/classes, memberships, packages, gift certificates, and products).  
  • Social and contact information (e.g. address, email address, phone numbers, address, and birthday).
  • Financial data (e.g. sales data and credit card information). Tracking data (e.g. customer’s IP location when booking online or via the app). 

Category of Data Subjects

Vagaro manages information for users of the software. This includes employees of businesses as well as their customers.

Purpose of Processing

Data is used for authenticating user accounts, tracking sales data, booking appointments, sending communications related to services, and email marketing.

Legal Basis for Processing

Vagaro has a legitimate business interest in handling the information on behalf of our customers and their end-users.

Automated Processing or Profiling

Automated processing does not occur.

Categories of Recipients who Receive this Personal Data

Cloud service providers are used to store user data and payment card processors are used to process credit card payments.

Where is Data Stored

Data is stored on servers located in the United States.

Retention Period

Forever, unless Right to be Forgotten (right for individuals to have personal data erased) is requested by business or end user.

What do we do to ensure data protection for you and your customers?

  • All transmissions from your computer or mobile app are encrypted via HTTPS (SSL).
  • We use cryptography hash functions to protect your information.
  • All credit card transactions are secured through PCI-Compliant credit card gateway and banking networks.
  • Our application data is hosted at data centers where rigorous security includes on-site 24/7 staff, alarm systems, card key access, CCTV archived video, fully redundant power supplies, multiple backup generators, hosts of Tier 1 Internet providers, and laser-based early smoke detection.Our data centers maintain security certifications including ISO 27001, SOC 1 & 2 Type 2, FedRAMP, and PCI Level 1.

For security reasons, we do not disclose any further information regarding our system and technology we use, but rest assured that we use enterprise-class hosting and security partners that are all GDPR complaint.

What do you need to do?

While GDPR is a European Union (EU) Regulation, it can affect you if you do business with customers from the EU. GDPR stipulates that customers have the right to access their data or “be forgotten” (be permanently deleted) from your databases. 

If you receive such a request from your customers, you can simply Click Here to fill out the form and we will process that request for you. You will not lose customer transaction data for your business reports, but all data that can identify that customer such as their name, address, email address, phone numbers, address and birthday as well as credit card information that may be on file will be removed from our databases. 

Please remember that customers submitting a request to be forgotten may have active memberships, packages, gift certificates, prepayments for appointments and classes and IOUs. They may also have purchased merchandise that may be returned in the future. It will be up to you to decide to Void, Refund, Collect or do nothing with these items. It will also be your responsibility to delete any future appointments or classes booked by this customer. 

Ultimately, you are responsible for following the GDPR and ensuring that you and your employees are compliant. This may include notifying individuals of how you handle their personal information, obtaining their consent when required, and processing their requests to either access their personal data or erasing their personal data (see Right to Access and Right to be Forgotten). 

What about Email Messages?

There are two types of emails in Vagaro and are defined as follows: 

  • Transactional emails – these are sent in response to a customer’s interaction with a web site or an app and are defined in strictly functional terms. Examples include password resets, shipping notifications, receipts, legal notices, appointment reminders & confirmations, etc. Opt-In is Not required for these types of emails. 
  • Marketing emails – these are sent to a list of customers who have opted in for promotional content. Examples include Daily Deals, promotions, sales offers, newsletters, new product updates, and emails designed to increase user engagement, etc. 

Existing Customers:

On May 25th, all your existing customer records will automatically have the Promotional Emails preference turned OFF.

In addition, all your customers will automatically receive an email from your business asking them if they would like to turn ON Promotional Emails so they can begin receiving them.

New Customers:

To comply with GDPR, starting May 25th, any new customers entered or imported into Vagaro will have the Promotional Emails preference turned OFF by default. Here's what to do to encourage them to receive promotional emails:

  • Customers manually added to Vagaro by your staff: Each customer will automatically receive a Welcome Email from your business and will be given the option to turn ON Promotion Emails.
  • Customers imported into Vagaro: Simply go to Marketing after the import, then click on Invite Customers to send an automatic Welcome Email out and to give each customer the option to turn ON Promotional Emails.
  • Customers who add themselves to Vagaro: These customers will be prompted to turn ON Promotional Emails.

Reminders and Confirmations:

Don’t worry about appointment reminders, confirmations and other transactional emails. These are not restricted by GDPR and will continue to be sent out to customers whether or not they choose to opt out of promotional emails.

Customers will continue to have the ability Opt-Out of marketing emails anytime by either updating email marketing preferences in their account or simply by clicking on Unsubscribe at the bottom of any email marketing they receive from you. 

Remember, the GDPR only applies to your customers who are citizens or residents of the EU. 

What about SMS/Text Messages?

Since Vagaro does not do Text Marketing and all text messages are transactional only, there are no issues.

Right to Access

The GDPR stipulates that a person has the right to a copy of their personal data. With Vagaro, a customer has full access to their personal profile and can update, change or delete information at any time.

Right to be Forgotten

The GDPR stipulates that a person has a right to the erasure of personal data. We will process your customers’ requests to “be forgotten” for you. These are the steps we follow: 

  1. You or your customer can simply Click Here to fill out the “be forgotten” request form. 
  1. Vagaro will send the requester (you or your customer) a confirmation email from   
  1. Once the requester confirms the “be forgotten” request it will be processed. 


If you have any questions regarding GDPR, you can simply email or

GDPR: Right to be Forgotten Form

This form applies to European Union citizens and residents ONLY.
Separate multiple phone numbers with ,
The email associated with your Vagaro account will also work.
If you wish to remove your profile from all businesses, type "ALL" in the field below.
Note: All of your credits will be deleted when your account is deleted from a business. This includes your memberships, packages, gift certificates, prepayments for appointments and classes, IOUs, and purchased merchandise with this business.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.