Trust

Security

Security is foundational to a tool that runs your salon. Here is how we protect your data — from encryption and tenant isolation to how we handle vulnerability reports.

Last updated · 8 June 2026

01 Our approach

Salons trust RunChair with sensitive client information — contact details, visit history, photos, and notes. We treat that data as if it were our own, and we build security into the platform rather than bolting it on. This page summarises the measures we take.

How your data stays yours

[Diagram: Your salon (browser · tablet · phone); TLS in transit; row-level security separating Your salon, Salon B and Salon C; encrypted at rest (Supabase · database & auth; Stripe · card data tokenised). Caption: Every request is scoped to the signed-in user’s salon. One salon can never read or write another’s records.]

02 Encryption

All traffic to and from RunChair is encrypted in transit using TLS. Data stored in our database and file storage is encrypted at rest by our infrastructure providers. Payment details are tokenised and handled by Stripe — full card numbers never touch our servers.

03 Tenant isolation

RunChair is multi-tenant, and every salon’s data is isolated at the database level using row-level security. Each request is scoped to the signed-in user’s salon, so one salon can never read or write another salon’s records.

04 Access control

Every staff account is scoped to a single salon, so your team only ever sees your salon’s data — never another salon’s. Each account carries a role (owner, manager, stylist, or front desk) that shapes the experience, and we are progressively expanding role-based restrictions on sensitive actions. On our side:

  • Access to production systems is restricted to authorised team members.
  • Administrative access requires strong, unique credentials.
  • We follow the principle of least privilege across our infrastructure.

05 Infrastructure & providers

We build on established, security-conscious providers — Supabase for database and authentication, Stripe for payments, and reputable messaging and hosting partners. Each maintains its own industry security certifications and undergoes independent auditing.

06 Data ownership & export

Your data belongs to your salon. You can export it at any time, and request deletion when you close your account, as described in our Privacy Policy. We do not sell your data or use your clients’ information to train third-party AI models.

07 Reporting a vulnerability

If you believe you have found a security vulnerability in RunChair, we want to hear from you. Please email admin@thinkandform.co.nz with the details, and give us a reasonable opportunity to investigate and respond before any public disclosure. We appreciate responsible reporting.

Questions about this policy? Email admin@thinkandform.co.nz.