Confidentiality and Client Privacy
Our clients trust us with personal information every time they book an appointment, receive a service, or make a payment. Protecting that information is a core professional obligation: it is not optional, and it is more than a legal requirement.
What Counts as Confidential Information
If you learned it through your role at the salon, assume it is confidential unless it is clearly public (e.g., the salon's posted hours). Specifically, the following must be protected:
Client information:
- Names, phone numbers, email addresses, home addresses
- Service history and appointment details
- Skin conditions, allergies, sensitivities, or health information shared during consultations or intake forms
- Payment information - credit card numbers, billing details
- Photos taken before, during, or after services
- Personal details shared in conversation (even casually)
Business information:
- Revenue, pricing strategies, commission structures
- Employee schedules, pay rates, and personnel matters
- Vendor agreements and product costs
- Internal communications and management decisions
Your Obligations
Every employee is expected to follow these rules at all times - during employment and after separation:
- Do not discuss client information with anyone who does not need it to perform their job. This includes other clients, friends, family, and coworkers who are not involved in the client's service.
- Do not look up client records unless you have a legitimate work reason (e.g., preparing for their appointment).
- Never share client details on social media - see the Social Media Policy for full guidelines.
- Do not discuss one client's services with another client. Even if they know each other, their service details are not yours to share.
- Log out of SalonBiz and any other system when you step away from a workstation.
- Do not write down client payment information on paper. All payment processing must go through the salon's POS system.
- Shred or securely dispose of any printed documents containing client information (intake forms, printed receipts, consultation notes) - never place them in open trash.
Client Intake and Health Information
Spa and salon services sometimes involve collecting health-related information - allergies, skin conditions, medications, pregnancy status, or medical history relevant to treatments. Although salons are not covered by HIPAA, we treat this information with the same level of care:
- Intake forms must be stored securely - paper forms in a locked file, digital forms in password-protected systems
- Health information is shared only with the service provider performing the treatment
- Do not discuss a client's health information in common areas, at the front desk, or within earshot of other clients
- If a client shares a medical condition during a service, note only what is relevant to safe service delivery in their client record - nothing more
Photos and Social Media Consent
Taking photos of your work is encouraged, but client consent is required every time.
- Before taking any photo or video, ask the client for permission and explain how it will be used (personal portfolio, salon social media, etc.)
- Written consent is required for before-and-after photos or any images that will be posted publicly. A signed photo release form is available at the front desk.
- Verbal consent is acceptable only for photos kept in your personal portfolio and not posted publicly
- A client may withdraw consent at any time - if they ask you to remove a photo, do so immediately
- Never photograph or record a client without their knowledge
- See the Social Media Policy for additional rules about posting online
Payment Data Security
- Process all payments through the salon's POS system - never accept credit card information verbally, via text, or over email
- Do not store, photograph, or write down credit card numbers
- If a client's card is on file in SalonBiz for a deposit or cancellation hold, only authorized front desk staff may access that information
- If you suspect a payment system has been compromised, report it to the salon manager immediately
Data Breach Procedures
A data breach is any incident where client or business information may have been accessed, lost, or disclosed without authorization. Examples include a lost laptop, a compromised password, printed records left in a public area, or unauthorized access to SalonBiz.
If you suspect a breach:
- Report it immediately to the salon manager - do not attempt to investigate or fix it on your own
- Do not delete, move, or alter anything related to the incident
- Document what you know - what happened, when you noticed it, and what information may be affected
The salon manager will:
- Assess the scope of the breach
- Secure affected systems or records
- Notify affected clients as required by the California Consumer Privacy Act (CCPA) and other applicable law
- Report to law enforcement if necessary
- Document the incident and implement corrective measures
Consequences for Violations
Confidentiality violations are treated seriously because they directly harm client trust.
- Unintentional disclosure (e.g., discussing a client's service within earshot of others) - coaching and a documented warning
- Careless handling of records (e.g., leaving intake forms on the front desk) - written warning
- Deliberate unauthorized access or sharing of client information - suspension or termination
- Sharing or selling client data - immediate termination and potential legal action
All violations are handled through the Progressive Discipline process. Violations may also carry legal consequences under the CCPA and other California privacy laws.
Whistleblower Protections
Amenities Spa will not retaliate against any employee who, in good faith, reports a suspected violation of law to a supervisor, to management, or to any government or law enforcement agency (California Labor Code Section 1102.5). Employees are encouraged to report concerns through the complaint channels listed in the Harassment Prevention Policy or directly to the appropriate governmental agency.
Questions about this policy should be directed to the salon manager. If you are unsure whether something is appropriate to share or access, the answer is: don't - ask first.
Last reviewed: March 2026