Privacy Policy
Last updated: 11 May 2026
1. Who we are
TrustCut (“we”, “us”, “our”) is operated by Soulstack. We operate the TrustCut platform at trustcut.co.uk, allowing users to discover and (in future) book barber and barbershop services.
Soulstack is the data controller for personal data processed through TrustCut. Address for data-protection queries and legal correspondence: Office One, 1 Coldbath Square, Farringdon, London, EC1R 5HL, England. Email: privacy@trustcut.co.uk.
2. What data we collect
We collect the following categories of personal data:
- Account data - name, email address, phone number, profile photo.
- Booking data - appointment dates, times, services selected, barber/barbershop chosen, notes you provide.
- Discovery-profile data - for barbers and shops who publish a Discovery profile, the phone number and social-media handles you choose to make public on your profile page.
- Reviews - ratings and comments you leave for barbers, including the review source (booking / QR / account) so the correct badge can be shown.
- Content feed data - posts, stories, gallery media, captions, reactions and follows that you choose to publish or interact with.
- Profile-view analytics - when a visitor views a published profile, we record the view with a one-way SHA-256 hash of the visitor’s IP address combined with a salt that rotates every calendar day. We never store the raw IP. Hashes cannot be back-correlated across days.
- QR review tokens - when you enable in-shop QR reviews, we generate a signed token bound to your profile and store only the HMAC of that token, not any personal data.
- Payment data - payment intent identifiers, deposit amounts, refund status and subscription status. Card details are processed by Stripe and are not stored by TrustCut.
- Technical data - IP address (discarded after use), browser type, device information, pages visited, collected via cookies and server logs.
- Communication data - service emails we send you (confirmations, reminders, review requests), notification preferences and support messages you send us.
- “Notify me when bookable” signups - if you opt into being notified when a Discovery profile starts taking bookings, we store your email address against that single profile and use it only to send one transactional email when the profile flips to bookable. Unsubscribing or the profile activating both end this storage.
Most personal data is provided directly by you. Some booking, review and profile data may be provided by a barber or shop you interact with, or generated automatically when you use the platform.
3. How we use your data
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Creating and managing your account | Contract performance |
| Processing and managing bookings | Contract performance |
| Sending booking confirmations & reminders | Contract performance |
| Sending review request emails after appointments | Legitimate interest |
| Displaying reviews publicly | Legitimate interest |
| Operating content feeds, follows and reactions | Contract performance and legitimate interest |
| Taking deposits, processing refunds and managing subscriptions | Contract performance |
| Scoring customer no-show / cancellation risk for a barber you book with | Legitimate interest (fraud and no-show prevention) |
| Improving the platform and fixing issues | Legitimate interest |
| Preventing fraud and abuse | Legitimate interest |
| Publishing a Discovery profile you created | Consent (given when you create the profile) |
| Counting profile views with a rotating IP hash | Legitimate interest (aggregate analytics only) |
| Detecting duplicate QR-code review submissions | Legitimate interest (anti-abuse) |
| Sending optional marketing or product-update emails | Consent, or soft opt-in where PECR permits it |
| “Notify me when bookable” one-shot transactional email | Consent (given when you submit the form on the profile page) |
| Weekly insights digest for barbers and shop owners | Legitimate interest, with email opt-out |
| Reviewing explicit thumbs-up / thumbs-down AI feedback | Legitimate interest in improving assistant quality and safety |
Where we rely on consent, you can withdraw it at any time from your profile settings or by contacting us. Withdrawal does not affect processing already carried out before withdrawal.
4. Who we share data with
- Barbers / barbershops - your name, contact details, booking information and review content are shared with the barber you book with.
- Firebase (Google Cloud) - authentication, real-time features and file storage. App Hosting runs in europe-west4; Firestore is configured as the eur4 multi-region (Belgium and Netherlands). Both sit within the EU. Google acts as a data processor.
- Google Cloud Vision (SafeSearch) - images you upload (avatars, gallery items, posts and stories) are scanned automatically for unsafe content before they appear on the platform. Only the resulting safety labels are retained; Google does not retain the image. Google acts as a data processor.
- Google Cloud / Vertex AI - powers the public TrustCut AI assistant and the staff dashboard assistant. We use the Vertex AI global endpoint with gemini-3.1-flash-lite (GA). Per Google’s documentation, the global endpoint does not guarantee in-region ML processing, so each request may be processed in the United States or elsewhere. Google acts as a data processor under the Google Cloud Data Processing Addendum, the UK Addendum to the EU Standard Contractual Clauses, and is certified under the EU-US Data Privacy Framework. Google has contractually committed not to use Vertex AI prompts, responses, tool calls or grounding data to train its foundation models. The dashboard assistant is scoped to the logged-in barber or shop account and only receives data the staff member is already authorised to see.
- Amazon Web Services (SES) - email delivery. Data processed in the EU (eu-west-2). AWS acts as a data processor.
- Stripe - deposit payments, refunds, Connect payout onboarding and subscriptions.
- Social platforms - only if a barber or shop chooses to manually share a TrustCut link or copy their profile bio to an external account. TrustCut does not currently publish content to social platforms on a barber or shop’s behalf. If that capability is added in future, this notice will be updated and prior consent will be obtained.
We do not sell your personal data to third parties.
5. International transfers
Your data is processed primarily in the UK and European Economic Area. Where a processor transfers data outside the UK, we rely on UK GDPR transfer safeguards such as UK adequacy regulations, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses.
The TrustCut AI assistants (public and staff dashboard) are powered by Google Cloud Vertex AI on the global endpoint. Per Google’s own documentation, this endpoint does not guarantee in-region ML processing, so each AI message may be transferred to the United States or another Google region for inference. This transfer relies on the UK Addendum to the EU Standard Contractual Clauses and Google’s certification under the EU-US Data Privacy Framework. Vertex AI does not retain conversations for model training, and the assistants are designed not to ask for personal data. If you would prefer not to use the AI assistant, you can simply close it and continue using TrustCut normally.
If you choose to use the thumbs-up or thumbs-down controls on an AI answer, TrustCut stores a bounded snippet of that answer, nearby user context, any selected reason, optional comment, attached source/card metadata, a route path, and hashed session or account identifiers. We use this explicit feedback to review answer quality, fix stale or unsafe responses, and improve TrustCut’s content and product flows. Please do not include personal, confidential, health, financial, or other sensitive information in feedback comments.
6. How long we keep your data
- Account data - retained while your account is active. When you delete your account, identifying fields (name, email, phone number, photo) are anonymised immediately. A one-way hash of your previous email address is retained against email-delivery records so we do not inadvertently re-mail a stale address; this hash is not linkable back to you. Cancellations/erasures take immediate effect; older copies of the prior data may remain in our Postgres backups (rolling 30-day window) and Firestore point-in-time recovery (rolling 7-day window) before being overwritten in the normal course.
- Booking data - retained as part of the barber’s business records for as long as needed to provide the service, resolve disputes, or comply with tax, accounting and other legal obligations (typically up to 6 years). Client name, email and phone fields are anonymised when the client’s account is deleted.
- Reviews - retained while published. Deleted on request or when the underlying account is deleted.
- Content feed posts, stories and gallery items - retained while published. Stories expire automatically. Deleted content may remain in backups until the rolling backup window above expires.
- Payment and subscription records - retained for 6 years where needed for accounting, tax, fraud-prevention or dispute purposes.
- Profile-view records - the IP hash is generated with a daily-rotating salt so records cannot be back-correlated across days. View records are retained while the underlying profile is active and are removed when the profile is unpublished or deleted, or earlier on written request.
- QR review duplicate-submission protection - if we deploy device-fingerprint hashing for QR reviews in future, hashes will be retained for no longer than 90 days and then purged automatically. We currently rely only on the per-account uniqueness constraint described in our reviews policy.
- “Notify me when bookable” signups - retained until the profile activates bookings (one email is sent and the row is archived), until you unsubscribe, or until the associated profile is deleted.
- AI feedback snippets - retained while needed to maintain assistant quality and product safety. Deleted on request or when the underlying account is deleted.
- Server logs - retained for up to 90 days.
- Backups - Postgres backups are kept in EU storage on a rolling 30-day cycle. Firestore point-in-time recovery covers the last 7 days. Backup contents cannot be selectively edited; they age out on the cycles above.
7. Your rights
Under UK GDPR, you have the right to:
- Access - request a copy of the personal data we hold about you.
- Rectification - ask us to correct inaccurate data.
- Erasure - ask us to delete your data where there is no compelling reason for continued processing.
- Restriction - ask us to restrict processing in certain circumstances.
- Portability - receive your data in a structured, machine-readable format.
- Object - object to processing based on legitimate interests.
- Withdraw consent - withdraw consent where processing is based on consent.
To exercise any of these rights, email privacy@trustcut.co.uk. We will respond within one calendar month.
8. Automated decision-making and profiling
TrustCut calculates simple customer-risk indicators that are visible only to the barber you have booked with. Inputs include factors derived from your booking history with that barber - for example completed visits, cancellations, late cancellations and no-shows. The indicator may prompt the barber to request a deposit before confirming a future booking. The calculation is deterministic; the exact factors and thresholds are reviewed periodically.
Under UK GDPR Article 22 (as updated by the Data (Use and Access) Act 2025), where you believe a decision that significantly affects you has been made solely on the basis of an automated process, you have the right to: (a) obtain human review of the decision; (b) express your point of view; (c) contest the decision; and (d) receive meaningful information about the logic involved. To exercise any of these rights, or to request the current factors and thresholds, contact privacy@trustcut.co.uk.
9. Cookies and marketing preferences
We use essential cookies for authentication and session management. We do not use advertising or tracking cookies. For full details, see our Cookie Policy.
We send essential service messages even if you opt out of marketing. Optional marketing or product-update emails include an unsubscribe route, and you can manage notification preferences from your profile.
10. Children
TrustCut is not directed at individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via the email address associated with your account. The “last updated” date at the top of this page reflects the latest revision.
12. Complaints
If you have a complaint about how we handle your data, please email privacy@trustcut.co.uk in the first instance. We will acknowledge your complaint and aim to respond within one calendar month, in line with UK GDPR (as updated by the Data (Use and Access) Act 2025).
If you remain dissatisfied after our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
ico.org.uk/make-a-complaint