Privacy policy
COLOUR ME safe APP
Privacy Policy
This app is not a medical device and does not diagnose, treat, or prevent any condition.
Effective date: 1 June 2026
Version: 1.0
Applies to: Colour Me Safe mobile app (iOS and Android) and web platform at app.colourmesafe.com
Data controller: Colour Me Safe Limited, New Zealand
Contact: office@colourmesafe.com
Full policy URL: colourmesafe.com/privacy
1. Introduction
Colour Me Safe (“we”, “us”, “our”) is committed to protecting the privacy of everyone who uses our platform — both salon and beauty professionals (“Professionals”) and their clients (“Clients”). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what rights you have in relation to your data.
This policy applies to the Colour Me Safe mobile application (available on iOS and Android) and the web platform at app.colourmesafe.com. By creating an account or using the platform, you agree to the practices described in this policy.
If you do not agree with this policy, please do not use our platform. If you have any questions, contact us at office@colourmesafe.com.
2. Who We Are
Colour Me Safe is a healthtech platform providing professional patch testing compliance tools for the hair and beauty industry. We are registered in New Zealand and operate in the United Kingdom, Australia, and internationally.
Registered address: Colour Me Safe Limited, New Zealand
Contact email: office@colourmesafe.com
Website: colourmesafe.com
For users in the United Kingdom, we process personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
For users in Australia, we process personal data in compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
For users in New Zealand, we process personal data in compliance with the Privacy Act 2020.
3. What Information We Collect
3.1 Professional and Salon Accounts
When you create a Professional or Business account, we collect:
- Full name and job title
- Business name, address, and contact details
- Email address and password (encrypted)
- Professional insurance information (optional, used to populate compliance certificates)
- Products you use, including brand and developer information
- Patch test records you create for your clients
- Compliance certificates generated through the platform
- Usage data related to your interaction with the platform
3.2 Client (Personal) Accounts
When you create a Client account, we collect:
- Full name and email address
- Photographs of the patch test area (uploaded by you)
- Photographs of the back of the test card (uploaded by you)
- Your responses to the guided self-assessment questions regarding your skin’s response
- The product details associated with each patch test you complete
- Health-related information you choose to disclose, including medications, skin sensitivities, dietary intolerances, and previous allergic reactions
- The name of the salon or professional you are registered with
We do not collect medical records, clinical diagnoses, prescriptions, or data from healthcare providers. The health-related information collected through our platform is self-reported by you and is used solely to support the professional patch testing process.
3.3 Automatically Collected Data
When you use the Colour Me Safe app or website, we may automatically collect:
- Device type, operating system, and app version
- IP address and approximate location (country/region level only)
- Session data including log-in times and feature usage
- Crash reports and performance data to improve the platform
We do not use cookies for advertising or tracking purposes.
4. How We Use Your Information
We use the information we collect for the following purposes:
- Platform operation: To create and manage your account, process patch test records, and deliver the core features of the Colour Me Safe system
- Client-professional link: To connect your patch test results with your registered salon professional, with your consent
- Automated reminders: To send patch test timing reminders to clients and professionals at the appropriate intervals (starting 96 hours before the 48-hour window closes)
- Compliance records: To generate compliance certificates automatically for each completed patch test and maintain an auditable record
- Research and development: To analyse anonymised, aggregated data for the purpose of understanding allergen sensitivity patterns across the modern client population, in support of our registered R&D programme
- Platform improvement: To identify bugs, improve features, and enhance user experience based on aggregated usage data
- Legal compliance: To comply with applicable laws, regulations, and professional compliance obligations in the UK, Australia, and New Zealand
- Communications: To respond to your enquiries and send service-related notifications (not marketing, unless you have opted in)
We do not use your personal information for automated decision-making or profiling that produces legal or similarly significant effects on you.
5. Legal Basis for Processing (UK GDPR)
For users in the United Kingdom, we process your personal data on the following legal bases:
- Contract: Processing is necessary to provide the Colour Me Safe service you have signed up for
- Legitimate interests: To operate, improve, and secure our platform, and to conduct anonymised research
- Legal obligation: To comply with applicable laws and professional compliance standards
- Consent: Where you have explicitly consented to the processing of sensitive health-related data
Where we rely on consent, you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing carried out before the withdrawal.
6. Sensitive (Special Category) Data
Some of the information you provide through the Colour Me Safe platform — including health conditions, medications, and allergic reactions — may constitute sensitive or special category personal data under UK GDPR and equivalent laws.
We collect this information only with your explicit consent, and only where it is necessary for the provision of the patch testing compliance service. This data is:
- Stored securely with encryption at rest and in transit
- Accessible only to you and the salon professional you are registered with
- Never sold or shared with third parties for commercial purposes
- Used in anonymised, aggregated form only for research purposes, with no personally identifying information retained
You may withdraw your consent to the collection of sensitive data at any time by contacting us at office@colourmesafe.com. Please note that withdrawal may limit the functionality of the platform available to you.
7. Who We Share Your Information With
We do not sell your personal data. We do not share your personal information with advertisers. We share data only in the following circumstances:
7.1 With Your Salon Professional
If you are a Client, your patch test results, photographs, and self-assessment responses are shared with the salon professional you are registered with on the platform. This sharing is fundamental to the operation of the service and is undertaken with your consent at the time of account creation.
7.2 With Service Providers
We use a small number of trusted third-party service providers to operate the platform, including hosting providers and analytics tools. These providers process data on our behalf under strict data processing agreements and are not permitted to use your data for their own purposes.
7.3 For Research Purposes
Anonymised, aggregated data — with all personally identifying information permanently removed — may be used for research purposes relating to allergen sensitivity patterns in the professional hair and beauty industry. This research is conducted in support of our registered Research and Development programme in New Zealand. No individual can be identified from this data.
7.4 Legal Requirements
We may disclose personal information if required to do so by law, court order, or regulatory authority, or where we believe disclosure is necessary to protect the rights, property, or safety of Colour Me Safe, our users, or the public.
8. International Data Transfers
Colour Me Safe is a New Zealand company that operates internationally. Your personal data may be processed and stored on servers located outside your country of residence.
For users in the United Kingdom, any transfer of personal data outside the UK is made in compliance with UK GDPR transfer requirements, including the use of appropriate safeguards such as standard contractual clauses where applicable.
For users in Australia, any international transfer of personal data is conducted in accordance with the Australian Privacy Principles, and we take reasonable steps to ensure that overseas recipients handle your data consistently with those principles.
If you have questions about where your data is stored or processed, please contact us at office@colourmesafe.com.
9. Data Retention
We retain your personal data for as long as your account remains active, or for as long as is necessary to fulfil the purposes described in this policy, including any applicable professional compliance obligations.
- Account data: Retained for the duration of your account and for up to 3 years after closure, to comply with compliance record obligations
- Patch test records: Retained for the period required by applicable professional standards in your country. In the UK, we recommend minimum 7-year retention for compliance records
- Research data: Anonymised aggregated data retained indefinitely for research purposes. This data contains no personally identifying information
- Usage and log data: Typically retained for 90 days for security and performance monitoring purposes
You may request deletion of your account and associated personal data at any time by contacting office@colourmesafe.com. Please note that some data may be retained for longer periods where required by law or professional compliance obligations.
10. Your Privacy Rights
Depending on your country of residence, you have the following rights in relation to your personal data:
10.1 Rights under UK GDPR (United Kingdom users)
- Right to access: You can request a copy of the personal data we hold about you
- Right to rectification: You can ask us to correct inaccurate or incomplete data
- Right to erasure: You can ask us to delete your personal data in certain circumstances
- Right to restriction: You can ask us to restrict the processing of your data
- Right to data portability: You can request your data in a structured, machine-readable format
- Right to object: You can object to processing based on legitimate interests
- Right to withdraw consent: Where processing is based on consent, you can withdraw at any time
To exercise any of these rights, contact us at office@colourmesafe.com. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.
10.2 Rights under the Australian Privacy Act (Australian users)
- You have the right to access personal information we hold about you
- You have the right to request correction of inaccurate, out-of-date, or incomplete information
- You have the right to complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe we have breached the Australian Privacy Principles
10.3 Rights under the New Zealand Privacy Act 2020
- You have the right to ask whether we hold information about you and to request access to it
- You have the right to request correction of any information you believe is incorrect
- You have the right to complain to the New Zealand Privacy Commissioner at privacy.org.nz
11. Data Security
We take the security of your personal data seriously. Colour Me Safe uses the following measures to protect your information:
- Encryption of data in transit using TLS (Transport Layer Security)
- Encryption of sensitive data at rest
- Access controls ensuring that only authorised personnel can access personal data
- Regular security reviews of our platform and infrastructure
- Secure development practices for all platform features
Despite these measures, no method of electronic transmission or storage is 100% secure. If you believe your account has been compromised, please contact us immediately at office@colourmesafe.com.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant regulatory authority as required by applicable law.
12. Children’s Privacy
The Colour Me Safe platform is intended for use by adults aged 18 and over. We do not knowingly collect personal data from children under the age of 16 (or such higher age as required by applicable law in your country).
If you believe we have inadvertently collected data from a child, please contact us immediately at office@colourmesafe.com and we will take steps to delete that information.
13. App Store and Platform Notices
The Colour Me Safe app is available on iOS (Apple App Store) and Android (Google Play Store). Please note:
- This app is not a medical device and does not diagnose, treat, or prevent any condition.
- The self-assessment questions in the app are a tool to support professional patch testing compliance, not a clinical assessment tool.
- Results uploaded by clients are self-reported and should always be reviewed in conjunction with a professional consultation.
- For Google Play users: we have completed the Health Apps Declaration as required by Google Play's Health Content and Services policy.
Apple and Google may collect certain device and usage data through their respective platforms in accordance with their own privacy policies, which are independent of this policy.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by:
- Displaying a prominent notice within the Colour Me Safe app
- Sending an email notification to your registered email address
- Updating the “Effective date” at the top of this document
Your continued use of the platform after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with any changes, please discontinue use of the platform and contact us to request deletion of your account.
Previous versions of this policy are available on request by contacting office@colourmesafe.com.
15. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or the way we handle your personal data, please contact us:
Email: office@colourmesafe.com
Website: colourmesafe.com/privacy
Post: Colour Me Safe Limited, New Zealand
We aim to respond to all privacy-related enquiries within 30 days. If you are not satisfied with our response, you have the right to escalate your complaint to the relevant privacy regulatory authority in your country as listed in Section 10 above.
Colour Me Safe — Every Test. Every Client. Every Time.
Last updated: June 2, 2026
Colour Me Safe operates this store and website, including all related information, content, features, tools, products and services, in order to provide you, the customer, with a curated shopping experience (the "Services"). Colour Me Safe is powered by Shopify, which enables us to provide the Services to you. This Privacy Policy describes how we collect, use, and disclose your personal information when you visit, use, or make a purchase or other transaction using the Services or otherwise communicate with us. If there is a conflict between our Terms of Service and this Privacy Policy, this Privacy Policy controls with respect to the collection, processing, and disclosure of your personal information.
Please read this Privacy Policy carefully. By using and accessing any of the Services, you acknowledge that you have read this Privacy Policy and understand the collection, use, and disclosure of your information as described in this Privacy Policy.
Personal Information We Collect or Process
When we use the term "personal information," we are referring to information that identifies or can reasonably be linked to you or another person. Personal information does not include information that is collected anonymously or that has been de-identified, so that it cannot identify or be reasonably linked to you. We may collect or process the following categories of personal information, including inferences drawn from this personal information, depending on how you interact with the Services, where you live, and as permitted or required by applicable law:
- Contact details including your name, address, billing address, shipping address, phone number, and email address.
- Financial information including credit card, debit card, and financial account numbers, payment card information, financial account information, transaction details, form of payment, payment confirmation and other payment details.
- Account information including your username, password, security questions, preferences and settings.
- Transaction information including the items you view, put in your cart, add to your wishlist, or purchase, return, exchange or cancel and your past transactions.
- Communications with us including the information you include in communications with us, for example, when sending a customer support inquiry.
- Device information including information about your device, browser, or network connection, your IP address, and other unique identifiers.
- Usage information including information regarding your interaction with the Services, including how and when you interact with or navigate the Services.
Personal Information Sources
We may collect personal information from the following sources:
- Directly from you including when you create an account, visit or use the Services, communicate with us, or otherwise provide us with your personal information;
- Automatically through the Services including from your device when you use our products or services or visit our websites, and through the use of cookies and similar technologies;
- From our service providers including when we engage them to enable certain technology and when they collect or process your personal information on our behalf;
- From our partners or other third parties.
How We Use Your Personal Information
Depending on how you interact with us or which of the Services you use, we may use personal information for the following purposes:
- Provide, Tailor, and Improve the Services. We use your personal information to provide you with the Services, including to perform our contract with you, to process your payments, to fulfill your orders, to remember your preferences and items you are interested in, to send notifications to you related to your account, to process purchases, returns, exchanges or other transactions, to create, maintain and otherwise manage your account, to arrange for shipping, to facilitate any returns and exchanges, to enable you to post reviews, and to create a customized shopping experience for you, such as recommending products related to your purchases. This may include using your personal information to better tailor and improve the Services.
- Marketing and Advertising. We use your personal information for marketing and promotional purposes, such as to send marketing, advertising and promotional communications by email, text message or postal mail, and to show you online advertisements for products or services on the Services or other websites, including based on items you previously have purchased or added to your cart and other activity on the Services.
- Security and Fraud Prevention. We use your personal information to authenticate your account, to provide a secure payment and shopping experience, detect, investigate or take action regarding possible fraudulent, illegal, unsafe, or malicious activity, protect public safety, and to secure our services. If you choose to use the Services and register an account, you are responsible for keeping your account credentials safe. We highly recommend that you do not share your username, password or other access details with anyone else.
- Communicating with You. We use your personal information to provide you with customer support, to be responsive to you, to provide effective services to you and to maintain our business relationship with you.
- Legal Reasons. We use your personal information to comply with applicable law or respond to valid legal process, including requests from law enforcement or government agencies, to investigate or participate in civil discovery, potential or actual litigation, or other adversarial legal proceedings, and to enforce or investigate potential violations of our terms or policies.
How We Disclose Personal Information
In certain circumstances, we may disclose your personal information to third parties for legitimate purposes subject to this Privacy Policy. Such circumstances may include:
- With Shopify, vendors and other third parties who perform services on our behalf (e.g. IT management, payment processing, data analytics, customer support, cloud storage, fulfillment and shipping).
- With business and marketing partners to provide marketing services and advertise to you. For example, we use Shopify to support personalized advertising with third-party services based on your online activity with different merchants and websites. Our business and marketing partners will use your information in accordance with their own privacy notices. Depending on where you reside, you may have a right to direct us not to share information about you to show you targeted advertisements and marketing based on your online activity with different merchants and websites.
- When you direct, request us or otherwise consent to our disclosure of certain information to third parties, such as to ship you products or through your use of social media widgets or login integrations.
- With our affiliates or otherwise within our corporate group.
- In connection with a business transaction such as a merger or bankruptcy, to comply with any applicable legal obligations (including to respond to subpoenas, search warrants and similar requests), to enforce any applicable terms of service or policies, and to protect or defend the Services, our rights, and the rights of our users or others.
Relationship with Shopify
The Services are hosted by Shopify, which collects and processes personal information about your access to and use of the Services in order to provide and improve the Services for you. Information you submit to the Services will be transmitted to and shared with Shopify as well as third parties that may be located in countries other than where you reside, in order to provide and improve the Services for you. In addition, to help protect, grow, and improve our business, we use certain Shopify enhanced features that incorporate data and information obtained from your interactions with our Store, along with other merchants and with Shopify. To provide these enhanced features, Shopify may make use of personal information collected about your interactions with our store, along with other merchants, and with Shopify. In these circumstances, Shopify is responsible for the processing of your personal information, including for responding to your requests to exercise your rights over use of your personal information for these purposes. To learn more about how Shopify uses your personal information and any rights you may have, you can visit the Shopify Consumer Privacy Policy. Depending on where you live, you may exercise certain rights with respect to your personal information through the Shopify Privacy Portal.
Third Party Websites and Links
The Services may provide links to websites or other online platforms operated by third parties. If you follow links to sites not affiliated or controlled by us, you should review their privacy and security policies and other terms and conditions. We do not guarantee and are not responsible for the privacy or security of such sites, including the accuracy, completeness, or reliability of information found on these sites. Information you provide on public or semi-public venues, including information you share on third-party social networking platforms may also be viewable by other users of the Services and/or users of those third-party platforms without limitation as to its use by us or by a third party. Our inclusion of such links does not, by itself, imply any endorsement of the content on such platforms or of their owners or operators, except as disclosed on the Services.
Children's Data
The Services are not intended to be used by children, and we do not knowingly collect any personal information about children under the age of majority in your jurisdiction. If you are the parent or guardian of a child who has provided us with their personal information, you may contact us using the contact details set out below to request that it be deleted. As of the Effective Date of this Privacy Policy, we do not have actual knowledge that we "share" or "sell" (as those terms are defined in applicable law) personal information of individuals under 16 years of age.
Security and Retention of Your Information
Please be aware that no security measures are perfect or impenetrable, and we cannot guarantee "perfect security." In addition, any information you send to us may not be secure while in transit. We recommend that you do not use unsecure channels to communicate sensitive or confidential information to us.
How long we retain your personal information depends on different factors, such as whether we need the information to maintain your account, to provide you with Services, comply with legal obligations, resolve disputes or enforce other applicable contracts and policies.
Your Rights and Choices
Depending on where you live, you may have some or all of the rights listed below in relation to your personal information. However, these rights are not absolute, may apply only in certain circumstances and, in certain cases, we may decline your request as permitted by law.
- Right to Access / Know. You may have a right to request access to personal information that we hold about you.
- Right to Delete. You may have a right to request that we delete personal information we maintain about you.
- Right to Correct. You may have a right to request that we correct inaccurate personal information we maintain about you.
- Right of Portability. You may have a right to receive a copy of the personal information we hold about you and to request that we transfer it to a third party, in certain circumstances and with certain exceptions.
- Managing Communication Preferences. We may send you promotional emails, and you may opt out of receiving these at any time by using the unsubscribe option displayed in our emails to you. If you opt out, we may still send you non-promotional emails, such as those about your account or orders that you have made.
If you reside in the UK or European Economic Area, and subject to exceptions and limitations provided by local law, you may exercise the following rights in addition to the rights outlined above:
- Objection to Processing and Restriction of Processing: You may have the right to ask us to stop or restrict our processing of personal information for certain purposes.
- Withdrawal of Consent: Where we rely on consent to process your personal information, you have the right to withdraw this consent. If you withdraw your consent, this will not affect the lawfulness of any processing based on your consent before its withdrawal.
You may exercise any of these rights where indicated on the Services or by contacting us using the contact details provided below. To learn more about how Shopify uses your personal information and any rights you may have, including rights related to data processed by Shopify, you can visit https://privacy.shopify.com/en.
We will not discriminate against you for exercising any of these rights. We may need to verify your identity before we can process your requests, as permitted or required under applicable law. In accordance with applicable laws, you may designate an authorized agent to make requests on your behalf to exercise your rights. Before accepting such a request from an agent, we will require that the agent provide proof you have authorized them to act on your behalf, and we may need you to verify your identity directly with us. We will respond to your request in a timely manner as required under applicable law.
Complaints
If you have complaints about how we process your personal information, please contact us using the contact details provided below. Depending on where you live, you may have the right to appeal our decision by contacting us using the contact details set out below, or lodge your complaint with your local data protection authority. For the EEA, you can find a list of the responsible data protection supervisory authorities here.
International Transfers
Please note that we may transfer, store and process your personal information outside the country you live in.
If we transfer your personal information out of the European Economic Area or the United Kingdom, we will rely on recognized transfer mechanisms like the European Commission's Standard Contractual Clauses, or any equivalent contracts issued by the relevant competent authority of the UK, as relevant, unless the data transfer is to a country that has been determined to provide an adequate level of protection.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time, including to reflect changes to our practices or for other operational, legal, or regulatory reasons. We will post the revised Privacy Policy on this website, update the "Last updated" date and provide notice as required by applicable law.
Contact
Should you have any questions about our privacy practices or this Privacy Policy, or if you would like to exercise any of the rights available to you, please call or email us at office@colourmesafe.com or contact us at 156 Williams Street, Kaiapoi, CAN, 7630, NZ. For the purpose of applicable data protection laws, we are the data controller of your personal information.