This Privacy Policy describes how Haircure (“we”, “us”) collects, uses, and protects your personal data when you visit haircure.org. It is written to comply with the UK General Data Protection Regulation (UK GDPR), the EU GDPR for visitors in the European Economic Area, and the UK Data Protection Act 2018.
1. Who we are (data controller)
The data controller responsible for your personal data is Haircure, contactable at privacy@haircure.org. The site is published from the United Kingdom.
2. What data we collect
We collect only what we need to operate the site and improve the experience:
- Account data (if you sign up): your email address, optional display name, hashed password. Stored by Supabase on our behalf.
- Comments you choose to post: the content, your account ID, your chosen display name, and timestamp. Publicly visible by design.
- Newsletter email: if you submit it via the signup form, we store the address only.
- Technical logs: our hosting provider (Hostinger) records IP, user agent, and request path in standard webserver logs for security and abuse prevention. Retained for 30 days.
- Cookies and similar: see Section 6 below.
- Contact form submissions: name, email, message. Used to reply to your enquiry.
We do not knowingly collect health data, biometric data, or data from anyone under 16. Nothing on this site requires you to disclose your hair loss status or medical history.
3. How we use your data and lawful basis
- To provide the service (account, commenting). Lawful basis: contract.
- To send the newsletter if you signed up. Lawful basis: consent. You can unsubscribe at any time.
- To respond to contact messages. Lawful basis: legitimate interest.
- To serve advertising (Google AdSense). Lawful basis: consent (EEA/UK) or legitimate interest (rest of world).
- To prevent abuse and secure the site. Lawful basis: legitimate interest.
4. Third parties (processors)
We use a small set of third-party services. Each has its own privacy policy and we have a data processing agreement with them where required:
- Hostinger — web hosting (EU). Their policy.
- Supabase — database and authentication (EU region). Their policy.
- Google AdSense — advertising. Reads/sets cookies on your device. Their policy. We do not sell your data to Google or to anyone else.
- Unsplash & Wikimedia Commons — image hosting. Loading their images may share your IP with them, in the same way visiting any image-hosting site does.
5. International transfers
Some processors (Google in particular) may transfer data outside the UK/EEA. Where this happens, we rely on the EU's adequacy decisions or Standard Contractual Clauses to protect your rights.
6. Cookies
We use cookies for three reasons:
- Essential: Supabase auth session cookie (only set if you sign in). Without this, login does not work.
- Functional: your dark/light theme preference (stored in localStorage, not technically a cookie).
- Advertising: Google AdSense cookies for ad personalisation and frequency capping. We do not set these until you give consent via the banner shown on your first visit.
You can change your cookie choice at any time via the “Cookie preferences” link in the footer, or by clearing your browser cookies and reloading.
7. How long we keep data
- Account and comments: until you delete your account.
- Newsletter email: until you unsubscribe.
- Webserver logs: 30 days.
- Contact form messages: 2 years from receipt, unless we need them longer to handle an ongoing matter.
8. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Have your data erased (the “right to be forgotten”).
- Object to processing based on legitimate interests.
- Withdraw consent (without affecting any processing already done).
- Receive a copy of your data in a portable format.
- Complain to your local supervisory authority (in the UK, that's the ICO at ico.org.uk).
To exercise any of these rights, email privacy@haircure.org. We will respond within 30 days.
9. Security
We use TLS (HTTPS) for everything, Supabase row-level security to enforce that you can only modify your own data, and we never store passwords in plaintext. We don't have access to view your password.
10. Changes
When we change this policy materially, we'll update the “Last updated” date and, for substantive changes, post a notice on the homepage for 14 days.
Questions? Contact us.