Privacy Policy

This Privacy Policy describes how BroMood and its ecosystem of applications (BroBarber, BroBeauty, BroPet, BroCoach and BroMood) collect, use and protect your personal data in accordance with EU Regulation 2016/679 (GDPR).

Last updated: March 2026

1. Data Controller

The data controller is Luigi Zotti (ConnectYourLife), sole proprietor — VAT IT08776391214, operating through the BroMood project.
Contact: youcan@connectyourlife.it.

2. The BroMood Ecosystem

This Privacy Policy applies to all platforms in the BroMood ecosystem:

  • BroBarber — barbershop and hair salon management: bookings, calendar, services, customer loyalty.
  • BroBeauty — beauty centre and spa management: bookings, treatment catalogue, marketing.
  • BroPet — pet grooming and pet service management: bookings with pet profiles, size-based services.
  • BroCoach — personal trainer and fitness centre management: workout plans, nutrition plans, body measurements, progress tracking.
  • BroMood — discovery app that aggregates all brands on an interactive map and allows public search for professionals.

Each brand is accessible via a dedicated mobile app (Android/iOS) and a professional web portal.

3. Personal Data Collected

  • Registration data: name, email address, phone number, password (stored only as a bcrypt hash).
  • Profile data: profile photo, preferred language, role (client, professional, staff).
  • Booking data: appointments, service history, ratings and reviews.
  • Fitness data (BroCoach): workout plans, completed sessions, sets and reps, weights used, nutrition plans, body measurements (weight, height, body fat percentage, circumferences), progress photos.
  • Pet data (BroPet): pet name, size, breed.
  • Geolocation data: GPS position (only with your explicit consent) to find nearby professionals.
  • AI data: images uploaded for the AI hairstyle try-on feature (processed in real time and not permanently stored on our servers).
  • Messaging data: messages exchanged between client and professional via the integrated chat.
  • Device data: push tokens for notifications (FCM/APNs), device type and operating system, IP address.
  • Payment data: handled directly by Stripe (PCI DSS Level 1 certified). We do not store card data on our servers.
  • Usage data: browsing sessions, pages visited, platform actions, technical logs.

4. Purposes and Legal Basis

  • (a) Contract performance (Art. 6.1.b GDPR): provision of booking, messaging, workout plan management, nutrition plans, progress tracking and payment services.
  • (b) Legal obligations (Art. 6.1.c GDPR): accounting and tax record-keeping, electronic invoicing, regulatory compliance.
  • (c) Legitimate interest (Art. 6.1.f GDPR): platform security, fraud prevention, service improvement, aggregate statistical analysis.
  • (d) Consent (Art. 6.1.a GDPR): marketing communications (promotional campaigns, newsletters), AI image processing, geolocation, push notifications.

5. Retention Period

  • Account data: for the duration of the contract and for 10 years after deletion (tax and accounting obligations).
  • Booking and service history: for the duration of the contractual relationship plus 5 years.
  • Fitness data and measurements (BroCoach): for the duration of the relationship with the professional, deletable upon request.
  • Progress photos and AI images: AI images are processed in real time and not stored; progress photos are kept until deleted by the user.
  • Messages: for the duration of the account plus 2 years.
  • Marketing data: until consent is withdrawn.
  • Technical logs: 12 months.
  • Device push tokens: until the app is uninstalled or notification consent is revoked.

6. Data Transfers and Third-Party Providers

Data is processed by EU-based providers or those with adequate GDPR safeguards:

  • Hetzner Online GmbH (server hosting, Germany) — data hosted in EU data centres. Processing: database, files, API.
  • Cloudflare Inc. (CDN, DNS, DDoS protection) — EU-US Data Privacy Framework compliant. Processing: data transit, SSL certificates.
  • Stripe Inc. (payments and subscriptions) — PCI DSS Level 1 certified. Processing: transactions, recurring billing, Stripe Connect for professionals.
  • Google LLC — Firebase Cloud Messaging (push notifications) — EU standard contractual clauses. Processing: sending notifications to Android and iOS devices.
  • Google LLC — Gemini AI (artificial intelligence) — image processing for the hairstyle try-on feature. Images are processed via API and are not retained by Google for training.
  • Twilio Inc. (WhatsApp messaging) — EU standard contractual clauses. Processing: sending appointment reminders via WhatsApp.
  • Brevo (formerly Sendinblue) (transactional emails) — EU-based (France). Processing: verification emails, notifications, password resets.
  • RevenueCat Inc. (in-app purchases) — EU standard contractual clauses. Processing: managing subscriptions and AI credits via App Store and Google Play.

7. Your Rights

Under the GDPR you have the right to:

  • Access your personal data (Art. 15).
  • Rectification of inaccurate or incomplete data (Art. 16).
  • Erasure ("right to be forgotten") (Art. 17).
  • Restriction of processing (Art. 18).
  • Data portability in a structured format (Art. 20).
  • Objection to processing (Art. 21).
  • Withdrawal of consent at any time, without affecting the lawfulness of processing based on consent given beforehand (Art. 7).
  • Lodge a complaint with the competent supervisory authority.

To exercise your rights, write to youcan@connectyourlife.it. We will respond within 30 days of receiving your request.

8. Security Measures

We implement technical and organisational measures to protect your data:

  • HTTPS/TLS encryption for all communications.
  • Passwords hashed with the bcrypt algorithm.
  • Authentication tokens (Sanctum) with automatic expiration.
  • CSRF protection on all web requests.
  • Rate limiting to prevent brute-force attacks.
  • Encrypted daily backups.
  • Server access restricted via SSH keys.

9. Cookies

For detailed information on cookie usage, please read our Cookie Policy.

10. Changes

We reserve the right to update this Privacy Policy. Material changes will be communicated to registered users by email at least 15 days in advance. The updated version will always be available on this page.

11. Contact

For any privacy-related request:
Email: youcan@connectyourlife.it
Controller: Luigi Zotti (ConnectYourLife) — VAT IT08776391214
